From mboxrd@z Thu Jan 1 00:00:00 1970
From: Raphael Cohn
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: _PATH_LASTLOG
Date: Tue, 3 Dec 2013 20:10:56 +0000
To: musl@lists.openwall.com
References: <20131203184248.GT1685@port70.net> <20131203195433.GM24286@brightrain.aerifal.cx>
In-Reply-To: <20131203195433.GM24286@brightrain.aerifal.cx>

Thanks for that - just having a list is a useful place to start. I think the default file names are quite sensible - especially for a common run-anywhere use case. And some - where mandated by POSIX - probably should never change. What would be nice might be to be able to define the prefix for /etc to something else (so we can use atomic symlink changes to flip configs).

I'd like to have more of a think about the other paths. We're only a short way into our project, so our ideas might change. What we're looking at is a NixOS-like Linux, where we rebuild only packages because other packages have changed. We want to keep every package isolated, so we can apply PATH controls, fine-grained capability permissions, chattr -ai, etc. Part of doing this means we don't want paths 'hanging around' inside libraries that are used if present - as these allow an attacker (or more likely, a duff package) to accidentally stop itself working, i.e. if there's no /usr/lib on the system, then nothing should be able to stick itself in /usr/lib and override the system setup.

PS As an aside, I've always wanted /etc/hosts to also have a parallel /etc/hosts.d/. It'd make maintaining things without a DNS server extremely easy - think dynamically adding and removing VMs in most cloud providers, especially those where multicast DNS doesn't work... like Azure. (Yes, I had a client that insisted on using it with Linux). Likewise it'd be nice to be able to add and remove DNS servers with a /etc/resolv.conf.d. Makes automated config and change management and audit that bit easier. (Debian do this using run-parts for lots of things for those sorts of reasons).

Raphael Cohn
Chief Architect, stormmq
Co-Chair, OASIS MQTT Standard
Secretary, OASIS AMQP Standard
raphael.cohn@stormmq.com
+44 7590 675 756

UK Office:
Hamblethorpe Farm, Crag Lane, Bradley BD20 9DB, North Yorkshire, United Kingdom
Telephone: +44 845 3712 567

Registered office:
16 Anchor Street, Chelmsford, Essex, CM2 0JY, United Kingdom
StormMQ Limited is Registered in England and Wales under Company Number 07175657
StormMQ.com

On 3 December 2013 19:54, Rich Felker wrote:
> On Tue, Dec 03, 2013 at 07:09:05PM +0000, Raphael Cohn wrote:
> > Ta.
> >
> > Would it be possible to have the "/dev/null/xxx" paths' values as an option
> > to ./configure?
> >
> > Actually, it would be very useful to be able to ./configure all the other
> > hard coded paths in musl, e.g. the default dynamic linker search path. When
> > running with a setup like NixOS, or the like, these paths need to be
> > different. Of course, one can patch, but that's not sustainable in the long
> > run.
>
> The dynamic linker searches for its path file relative to its own
> location, which should cover this kind of usage. It's only in the case
> where no path file exists that the hard-coded /lib, /usr/lib, etc.
> would get searched.
>
> > Please?
>
> I think such a request should be accompanied by explanations of what
> you're trying to achieve that's difficult or impossible with the
> current scheme.
>
> Most of the hard-coded paths in musl are hard-coded because there's a
> standard pathname either required by the standards or that was
> universal in all historical systems, and because musl aims to be
> useful for producing "run anywhere" static binaries. Gratuitously
> changing paths defeats this goal. Of course musl attempts to minimize
> the number of hard-coded pathnames anyway; here's a list from the
> current documentation draft which you could review to determine which
> are problematic to your intended usage cases:
>
> ----------------------------------------------------------------------
> * `/dev/null` - device node, required by POSIX
>
> * `/dev/tty` - device node, required by POSIX
>
> * `/tmp` - required by POSIX to exist as a directory, and used by
>   various temporary file creation functions.
>
> * `/bin/sh` - an executable file providing a POSIX-conforming shell
>
> * `/proc` - must be a mount point for Linux procfs or a symlink to
>   such. Several functions such as realpath, fexecve, and a number of
>   the "at" functions added in POSIX 2008 need access to /proc to
>   function correctly.
>
> While some programs may operate correctly even without some or all of
> the above, musl's behavior in their absence is unspecified.
>
> ### Additional Pathnames Used
>
> * `/dev/log` - a UNIX domain socket to which the `syslog()` interface
>   sends log messages. If absent or inaccessible, log messages will be
>   discarded.
>
> * `/dev/shm` - a directory; should have permissions 01777. If absent,
>   POSIX shared memory and named semaphore interfaces will fail;
>   programs not using these features will be unaffected.
>
> * `/dev/ptmx` and `/dev/pts` - device node and devpts filesystem mount
>   point, respectively. If absent or inaccessible, `posix_openpt()` and
>   `openpty()` will fail.
>
> * `/etc/passwd` and `/etc/group` - text files containing the user and
>   group databases, mappings between names and numeric ids, and group
>   membership lists, in the standard traditional format. If absent,
>   user and/or group lookups will fail.
>
> * `/etc/shadow` - text file containing shadow password hashes for some
>   or all users.
>
> * `/etc/resolv.conf` - text file providing addresses of nameservers to
>   be used for DNS lookups. If absent, DNS requests will be sent to the
>   loopback address and will fail unless the host has its own
>   nameserver.
>
> * `/etc/hosts` - text file mapping hostnames to IP addresses.
>
> * `/etc/services` - text file mapping network service names to port
>   numbers.
>
> * `/usr/share/zoneinfo`, `/share/zoneinfo`, and `/etc/zoneinfo` -
>   directories searched for time zone files when the `TZ` environment
>   variable is set to a relative pathname.
>
> * `../etc/ld-musl-$(ARCH).path`, taken relative to the location of the
>   "program interpreter" specified in the program's headers - if
>   present, this will be processed as a text file containing the shared
>   library search path, with components delimited by newlines or
>   colons. If absent, a default path of
>   `"/lib:/usr/local/lib:/usr/lib"` will be used. Not used by
>   static-linked programs.
> ----------------------------------------------------------------------
>
> Let me know. This may end up being an ugly issue but it's something we
> should look at, in any case...
>
> Rich
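The two points the thread turns on are Rich's description of how the musl dynamic linker finds its search path (the `../etc/ld-musl-$(ARCH).path` file relative to the program interpreter, falling back to `/lib:/usr/local/lib:/usr/lib` when that file is absent) and Raphael's worry about directories that are searched "if present" even though the system never created them. The following is an added example, not musl's own code and not something from either poster: it parses `PT_INTERP` out of an ELF image, derives the path-file location the way Rich describes, reads the file with newline-or-colon delimiters, and then audits each resulting directory for the two conditions a packager would want flagged, an absent directory (which a stray package could create and thereby get searched) and a world-writable one. Assumptions: the ELF parser handles little-endian ELF64 only; the arch suffix is passed in explicitly because the real loader has it compiled in; the `root` parameter, which lets the lookup run against a staged tree instead of `/`, is an addition for testing; the ELF image and the staged tree in `demo()` are constructed here and are not real binaries or systems.

```python
"""Added example: reproduce the interpreter-relative search-path lookup Rich
describes and audit the directories it yields.  Not musl's own code."""
import os
import stat
import struct
import tempfile

# Fallback from Rich's list, used only when no path file is present.
DEFAULT_LIBRARY_PATH = "/lib:/usr/local/lib:/usr/lib"
PT_INTERP = 3


def read_program_interpreter(elf_bytes):
    """Return the PT_INTERP string of a little-endian ELF64 image, or None
    for a static binary (which, as Rich notes, never consults a path file)."""
    if elf_bytes[:4] != b"\x7fELF" or elf_bytes[4] != 2 or elf_bytes[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", elf_bytes, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf_bytes, 54)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf_bytes, off)
        if p_type == PT_INTERP:
            raw = elf_bytes[p_offset:p_offset + p_filesz]
            return raw.split(b"\0", 1)[0].decode()
    return None


def path_file_location(interp, arch, root="/"):
    """../etc/ld-musl-<arch>.path relative to the interpreter's directory.
    'arch' is supplied by the caller (assumption: the real loader has it
    compiled in); 'root' is an assumption that allows a staged tree."""
    interp_dir = os.path.dirname(interp)      # e.g. /lib or /opt/musl/lib
    prefix = os.path.dirname(interp_dir)      # e.g. / or /opt/musl
    rel = os.path.join(prefix.lstrip("/"), "etc", f"ld-musl-{arch}.path")
    return os.path.join(root, rel)


def effective_search_path(interp, arch, root="/"):
    """Return (components, source); source is 'path-file' or 'default'."""
    try:
        with open(path_file_location(interp, arch, root)) as fh:
            text = fh.read()
    except OSError:
        return DEFAULT_LIBRARY_PATH.split(":"), "default"
    # Components are delimited by newlines or colons; drop empty entries.
    comps = [c for c in text.replace("\n", ":").split(":") if c]
    return comps, "path-file"


def audit_search_path(components, root="/"):
    """Classify each searched directory: 'absent' (a package could create it
    and be searched), 'world-writable' (anyone could drop a library in),
    'not-a-directory', or 'ok'."""
    findings = {}
    for comp in components:
        real = os.path.join(root, comp.lstrip("/"))
        try:
            st = os.stat(real)
        except (FileNotFoundError, NotADirectoryError):
            findings[comp] = "absent"
            continue
        if not stat.S_ISDIR(st.st_mode):
            findings[comp] = "not-a-directory"
        elif st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
            findings[comp] = "world-writable"
        else:
            findings[comp] = "ok"
    return findings


def build_sample_elf(interp):
    """Constructed ELF64 image holding a single PT_INTERP segment (not a real
    executable); enough for read_program_interpreter() to exercise."""
    interp_bytes = interp.encode() + b"\0"
    e_phoff, phentsize = 64, 56
    p_offset = e_phoff + phentsize
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
            + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, e_phoff, 0, 0,
                          64, phentsize, 1, 0, 0, 0))
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, p_offset, 0, 0,
                       len(interp_bytes), len(interp_bytes), 1)
    return ehdr + phdr + interp_bytes


def demo():
    """Stage a relocated musl tree under a temp dir (constructed) and show the
    lookup before and after the path file exists."""
    interp, arch = "/opt/musl/lib/ld-musl-x86_64.so.1", "x86_64"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "opt/musl/lib"), mode=0o755)
        os.makedirs(os.path.join(root, "opt/musl/etc"), mode=0o755)
        comps, src = effective_search_path(interp, arch, root)
        before = (comps, src, audit_search_path(comps, root))
        with open(path_file_location(interp, arch, root), "w") as fh:
            fh.write("/opt/musl/lib\n")
        comps, src = effective_search_path(interp, arch, root)
        after = (comps, src, audit_search_path(comps, root))
    return before, after


if __name__ == "__main__":
    print(read_program_interpreter(build_sample_elf("/lib/ld-musl-x86_64.so.1")))
    print(demo())
```

Run against a staged tree, the "before" half of `demo()` shows what Raphael is describing: with no path file, every component of the compiled-in default is reported `absent`, which is exactly the set of directories a misbehaving package could bring into existence and thereby get searched. Once the interpreter-relative path file exists, only the directories the packager chose are searched, which is the behaviour Rich says already covers a relocated layout.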