zsh-workers
 help / color / mirror / Atom feed
* [BUG] With --disable-dynamic-nss, not all functions calls are protected
@ 2021-09-08  1:12 Vincent Lefevre
  2021-09-15 14:31 ` Axel Beckert
  0 siblings, 1 reply; 15+ messages in thread
From: Vincent Lefevre @ 2021-09-08  1:12 UTC (permalink / raw)
  To: zsh-workers; +Cc: 993843

[Posted to zsh-workers, with a Cc to the Debian bug.]

While looking at Debian bug 993843

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993843
  (zsh-static segfaults immediately)

I can notice the following warnings:

gcc -static   -o zsh main.o  `cat stamp-modobjs`   -lgdbm -lpcre -lcap -lncursesw -ltinfo -ltinfo -lrt -lm  -lc
/usr/bin/ld: options.o: in function `dosetopt':
./obj-static/Src/../../Src/options.c:830: warning: Using 'initgroups' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: Modules/parameter.o: in function `get_all_groups':
./obj-static/Src/Modules/../../../Src/Modules/parameter.c:2058: warning: Using 'getgrgid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: Modules/files.o: in function `bin_chown':
./obj-static/Src/Modules/../../../Src/Modules/files.c:763: warning: Using 'getgrnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: params.o: in function `usernamesetfn':
./obj-static/Src/../../Src/params.c:4420: warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: options.o: in function `dosetopt':
./obj-static/Src/../../Src/options.c:822: warning: Using 'getpwuid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking

This is exactly the issue we are seeing in Debian: zsh-static
segfaults after upgrading glibc, and this issue disappears
after rebuilding zsh-static with the new glibc. And I could
see in the strace output that the shared C library libc.so.6
is read, while zsh-static should entirely be static.

However, --disable-dynamic-nss is used to build zsh-static,
so that the above functions should not be called.

I can see that Src/zsh_system.h has

#if defined(HAVE_INITGROUPS) && !defined(DISABLE_DYNAMIC_NSS)
# define USE_INITGROUPS
#endif

#if defined(HAVE_GETGRGID) && !defined(DISABLE_DYNAMIC_NSS)
# define USE_GETGRGID
#endif

#if defined(HAVE_GETGRNAM) && !defined(DISABLE_DYNAMIC_NSS)
# define USE_GETGRNAM
#endif

#if defined(HAVE_GETPWENT) && !defined(DISABLE_DYNAMIC_NSS)
# define USE_GETPWENT
#endif

#if defined(HAVE_GETPWNAM) && !defined(DISABLE_DYNAMIC_NSS)
# define USE_GETPWNAM
#endif

#if defined(HAVE_GETPWUID) && !defined(DISABLE_DYNAMIC_NSS)
# define USE_GETPWUID
#endif

But concerning the first warning, Src/options.c contains

# ifdef HAVE_INITGROUPS

I suppose that the test should have been

# ifdef USE_INITGROUPS

like in Src/params.c, which has

# ifdef USE_INITGROUPS
        initgroups(x, pswd->pw_gid);
# endif

I suspect that there is the same issue with the other warnings.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)


^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [BUG] With --disable-dynamic-nss, not all functions calls are protected
  2021-09-08  1:12 [BUG] With --disable-dynamic-nss, not all functions calls are protected Vincent Lefevre
@ 2021-09-15 14:31 ` Axel Beckert
  2021-09-15 19:13   ` Bart Schaefer
  0 siblings, 1 reply; 15+ messages in thread
From: Axel Beckert @ 2021-09-15 14:31 UTC (permalink / raw)
  To: zsh-workers, 993843


[-- Attachment #1.1: Type: text/plain, Size: 2143 bytes --]

Hi,

Vincent Lefevre wrote:
> I can notice the following warnings:
> 
> gcc -static   -o zsh main.o  `cat stamp-modobjs`   -lgdbm -lpcre -lcap -lncursesw -ltinfo -ltinfo -lrt -lm  -lc
> /usr/bin/ld: options.o: in function `dosetopt':
> ./obj-static/Src/../../Src/options.c:830: warning: Using 'initgroups' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
[...]
> I can see that Src/zsh_system.h has
> 
> #if defined(HAVE_INITGROUPS) && !defined(DISABLE_DYNAMIC_NSS)
> # define USE_INITGROUPS
> #endif
> 
> #if defined(HAVE_GETGRGID) && !defined(DISABLE_DYNAMIC_NSS)
> # define USE_GETGRGID
> #endif
[…]
> 
> But concerning the first warning, Src/options.c contains
> 
> # ifdef HAVE_INITGROUPS
> 
> I suppose that the test should have been
> 
> # ifdef USE_INITGROUPS
> 
> like in Src/params.c, which has
> 
> # ifdef USE_INITGROUPS
>         initgroups(x, pswd->pw_gid);
> # endif
> 
> I suspect that there is the same issue with the other warnings.

Not exactly. I tried to go down this route with the attached patch,
and it indeed fixes all the "Using '[…] in statically linked
applications requires at runtime the shared libraries from the glibc
version used for linking" warnings.

But copying zsh-static on a system with a different libc6 version
still segfaults, so this patch might be necessary but not sufficient.

Last line is:

  zsh-static: dl-call-libc-early-init.c:37: _dl_call_libc_early_init: Assertion `sym != NULL' failed.

So the attached patch is at least INCOMPLETE and only thought as base
for further debugging, not (yet) for inclusion in git.

Full strace of a run of zsh-static compiled with the attached patch on
Debian Unstable (glibc 2.32) and run on Debian 11 Bullseye (glibc
2.31) attached, too.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

[-- Attachment #1.2: make-zsh-static-really-static-#993843.patch --]
[-- Type: text/x-diff, Size: 4662 bytes --]

Description: Try to fix dynamic linking with zsh-static and resulting segfaults on libc updates
Bug-Debian: https://bugs.debian.org/993843
Bug: https://zsh.org/workers/49392
Author: Axel Beckert <abe@debian.org>

--- a/Src/hashnameddir.c
+++ b/Src/hashnameddir.c
@@ -178,7 +178,7 @@
 	    /* Using NIS or NIS+ didn't add any user directories. This seems
 	     * fishy, so we fall back to using getpwent(). If we don't have
 	     * that, we only use the passwd file. */
-#ifdef HAVE_GETPWENT
+#ifdef USE_GETPWENT
 	    struct passwd *pw;
 
 	    setpwent();
@@ -190,7 +190,7 @@
 
 	    endpwent();
 	    usepwf = 0;
-#endif /* HAVE_GETPWENT */
+#endif /* USE_GETPWENT */
 	}
 	if (usepwf) {
 	    /* Don't forget the non-NIS matches from the flat passwd file */
@@ -229,7 +229,7 @@
 	    adduserdir(pw->pw_name, pw->pw_dir, ND_USERNAME, 1);
 
 	endpwent();
-#endif /* HAVE_GETPWENT */
+#endif /* USE_GETPWENT */
 #endif
 	allusersadded = 1;
     }
--- a/Src/options.c
+++ b/Src/options.c
@@ -807,7 +807,7 @@
 	    return -1;
 	}
 
-# ifdef HAVE_INITGROUPS
+# ifdef USE_INITGROUPS
 	/* Set the supplementary groups list.
 	 *
 	 * Note that on macOS, FreeBSD, and possibly some other platforms,
--- a/Src/params.c
+++ b/Src/params.c
@@ -4414,7 +4414,7 @@
 void
 usernamesetfn(UNUSED(Param pm), char *x)
 {
-#if defined(HAVE_SETUID) && defined(HAVE_GETPWNAM)
+#if defined(HAVE_SETUID) && defined(USE_GETPWNAM)
     struct passwd *pswd;
 
     if (x && (pswd = getpwnam(x)) && (pswd->pw_uid != cached_uid)) {
@@ -4431,7 +4431,7 @@
 	    cached_uid = pswd->pw_uid;
 	}
     }
-#endif /* HAVE_SETUID && HAVE_GETPWNAM */
+#endif /* HAVE_SETUID && USE_GETPWNAM */
     zsfree(x);
 }
 
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -1115,7 +1115,7 @@
 char *
 get_username(void)
 {
-#ifdef HAVE_GETPWUID
+#ifdef USE_GETPWUID
     struct passwd *pswd;
     uid_t current_uid;
 
@@ -1128,9 +1128,9 @@
 	else
 	    cached_username = ztrdup("");
     }
-#else /* !HAVE_GETPWUID */
+#else /* !USE_GETPWUID */
     cached_uid = getuid();
-#endif /* !HAVE_GETPWUID */
+#endif /* !USE_GETPWUID */
     return cached_username;
 }
 
@@ -1306,7 +1306,7 @@
 	return str;
     }
 
-#ifdef HAVE_GETPWNAM
+#ifdef USE_GETPWNAM
     {
 	/* Retrieve an entry from the password table/database for this user. */
 	struct passwd *pw;
@@ -1322,7 +1322,7 @@
 		return dupstring(pw->pw_dir);
 	}
     }
-#endif /* HAVE_GETPWNAM */
+#endif /* USE_GETPWNAM */
 
     /* There are no more possible sources of directory names, so give up. */
     return NULL;
--- a/Src/Modules/stat.c
+++ b/Src/Modules/stat.c
@@ -137,13 +137,13 @@
 	    strcat(outbuf, " (");
     }
     if (flags & STF_STRING) {
-#ifdef HAVE_GETPWUID
+#ifdef USE_GETPWUID
 	struct passwd *pwd;
 	pwd = getpwuid(uid);
 	if (pwd)
 	    strcat(outbuf, pwd->pw_name);
 	else
-#endif /* !HAVE_GETPWUID */
+#endif /* !USE_GETPWUID */
 	{
 	    char *optr;
 	    for (optr = outbuf; *optr; optr++)
--- a/Src/Modules/parameter.c
+++ b/Src/Modules/parameter.c
@@ -2055,7 +2055,9 @@
 
     /* Get group names */
     for (gaptr = gs->array; gaptr < gs->array + gs->num; gaptr++) {
+#ifdef USE_GETGRGID
 	grptr = getgrgid(gaptr->gid);
+#endif /* USE_GETGRGID */
 	if (!grptr) {
 	    return NULL;
 	}
--- a/Src/Modules/files.c
+++ b/Src/Modules/files.c
@@ -734,6 +734,7 @@
 	struct passwd *pwd;
 	if(end)
 	    *end = 0;
+#ifdef USE_GETPWNAM
 	pwd = getpwnam(p);
 	if(pwd)
 	    chm.uid = pwd->pw_uid;
@@ -746,20 +747,35 @@
 		return 1;
 	    }
 	}
+#else /* !USE_GETPWNAM */
+	zwarnnam(nam, "%s: getpwnam not usable in static build", p);
+	free(uspec);
+	return 1;
+#endif /* !USE_GETPWNAM */
 	if(end) {
 	    p = end+1;
 	    if(!*p) {
+#ifdef USE_GETPWUID
 		if(!pwd && !(pwd = getpwuid(chm.uid))) {
 		    zwarnnam(nam, "%s: no such user", uspec);
 		    free(uspec);
 		    return 1;
 		}
+#else /* !USE_GETPWUID */
+                if(!pwd) {
+		    zwarnnam(nam, "%s: getpwuid not usable in static build",
+			     uspec);
+		    free(uspec);
+		    return 1;
+		}
+#endif /* !USE_GETPWUID */
 		chm.gid = pwd->pw_gid;
 	    } else if(p[0] == ':' && !p[1]) {
 		chm.gid = -1;
 	    } else {
 		struct group *grp;
 		dogroup:
+#ifdef USE_GETGRNAM
 		grp = getgrnam(p);
 		if(grp)
 		    chm.gid = grp->gr_gid;
@@ -772,6 +788,11 @@
 			return 1;
 		    }
 		}
+#else /* !USE_GETGRNAM */
+		zwarnnam(nam, "%s: getgrnam not usable in static build", p);
+		free(uspec);
+		return 1;
+#endif /* !USE_GETGRNAM */
 	    }
 	 } else
 	    chm.gid = -1;

[-- Attachment #1.3: zsh-static-still-segfaults.strace --]
[-- Type: text/plain, Size: 8360 bytes --]

execve("tmp/zsh-static", ["tmp/zsh-static"], 0x7fffde861e50 /* 53 vars */) = 0
brk(NULL)                               = 0xea9000
brk(0xea9e00)                           = 0xea9e00
arch_prctl(ARCH_SET_FS, 0xea9400)       = 0
uname({sysname="Linux", nodename="emehari", ...}) = 0
readlink("/proc/self/exe", "/home/abe/tmp/zsh-static", 4096) = 24
brk(0xecae00)                           = 0xecae00
brk(0xecb000)                           = 0xecb000
mprotect(0x642000, 32768, PROT_READ)    = 0
prctl(PR_CAPBSET_READ, CAP_MAC_OVERRIDE) = 1
prctl(PR_CAPBSET_READ, 0x30 /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_CAPBSET_READ, CAP_CHECKPOINT_RESTORE) = 1
prctl(PR_CAPBSET_READ, 0x2c /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_CAPBSET_READ, 0x2a /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_CAPBSET_READ, 0x29 /* CAP_??? */) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=3726656, ...}) = 0
mmap(NULL, 3726656, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f8581aba000
close(3)                                = 0
prlimit64(0, RLIMIT_NOFILE, NULL, {rlim_cur=4*1024, rlim_max=4*1024}) = 0
getuid()                                = 1000
geteuid()                               = 1000
getgid()                                = 1000
getegid()                               = 1000
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
fstat(0, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0
readlink("/proc/self/fd/0", "/dev/pts/0", 4095) = 10
stat("/dev/pts/0", {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0
openat(AT_FDCWD, "/dev/pts/0", O_RDWR|O_NOCTTY) = 3
fcntl(3, F_DUPFD, 10)                   = 10
close(3)                                = 0
fcntl(10, F_GETFD)                      = 0
fcntl(10, F_SETFD, FD_CLOEXEC)          = 0
fcntl(10, F_GETFL)                      = 0x8002 (flags O_RDWR|O_LARGEFILE)
ioctl(10, TCGETS, {B38400 opost isig icanon echo ...}) = 0
getpid()                                = 32389
getpgrp()                               = 32386
getpgrp()                               = 32386
rt_sigprocmask(SIG_BLOCK, [TSTP TTIN TTOU], [], 8) = 0
ioctl(10, TIOCGPGRP, [32386])           = 0
setpgid(0, 0)                           = 0
ioctl(10, TIOCSPGRP, [32389])           = 0
rt_sigprocmask(SIG_SETMASK, [], [TSTP TTIN TTOU], 8) = 0
pipe([3, 4])                            = 0
dup(0)                                  = 5
dup(0)                                  = 6
dup(0)                                  = 7
dup(0)                                  = 8
dup(0)                                  = 9
getppid()                               = 32386
getpid()                                = 32389
getuid()                                = 1000
stat("/", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat(".", {st_mode=S_IFDIR|0755, st_size=12288, ...}) = 0
stat("/home/abe", {st_mode=S_IFDIR|0755, st_size=12288, ...}) = 0
stat(".", {st_mode=S_IFDIR|0755, st_size=12288, ...}) = 0
mmap(NULL, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8581ab6000
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache", O_RDONLY) = 11
fstat(11, {st_mode=S_IFREG|0644, st_size=27002, ...}) = 0
mmap(NULL, 27002, PROT_READ, MAP_SHARED, 11, 0) = 0x7f8581aaf000
close(11)                               = 0
uname({sysname="Linux", nodename="emehari", ...}) = 0
openat(AT_FDCWD, "/proc/self/loginuid", O_RDONLY) = 11
read(11, "1000", 12)                    = 4
close(11)                               = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 11
connect(11, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(11)                               = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 11
connect(11, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(11)                               = 0
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 11
fstat(11, {st_mode=S_IFREG|0644, st_size=494, ...}) = 0
read(11, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 494
read(11, "", 4096)                      = 0
close(11)                               = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 11
fstat(11, {st_mode=S_IFREG|0644, st_size=161344, ...}) = 0
mmap(NULL, 161344, PROT_READ, MAP_PRIVATE, 11, 0) = 0x7f8581a87000
close(11)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 11
read(11, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0003\0\0\0\0\0\0"..., 832) = 832
fstat(11, {st_mode=S_IFREG|0644, st_size=51696, ...}) = 0
mmap(NULL, 79672, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 11, 0) = 0x7f8581a73000
mmap(0x7f8581a76000, 28672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 11, 0x3000) = 0x7f8581a76000
mmap(0x7f8581a7d000, 8192, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 11, 0xa000) = 0x7f8581a7d000
mmap(0x7f8581a7f000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 11, 0xb000) = 0x7f8581a7f000
mmap(0x7f8581a81000, 22328, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f8581a81000
close(11)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 11
read(11, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@n\2\0\0\0\0\0"..., 832) = 832
fstat(11, {st_mode=S_IFREG|0755, st_size=1839792, ...}) = 0
mmap(NULL, 1852680, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 11, 0) = 0x7f85818ae000
mprotect(0x7f85818d3000, 1662976, PROT_NONE) = 0
mmap(0x7f85818d3000, 1355776, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 11, 0x25000) = 0x7f85818d3000
mmap(0x7f8581a1e000, 303104, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 11, 0x170000) = 0x7f8581a1e000
mmap(0x7f8581a69000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 11, 0x1ba000) = 0x7f8581a69000
mmap(0x7f8581a6f000, 13576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f8581a6f000
close(11)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", O_RDONLY|O_CLOEXEC) = 11
read(11, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\20\0\0\0\0\0\0"..., 832) = 832
fstat(11, {st_mode=S_IFREG|0755, st_size=177928, ...}) = 0
mmap(NULL, 180600, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 11, 0) = 0x7f8581881000
mprotect(0x7f8581882000, 167936, PROT_NONE) = 0
mmap(0x7f8581882000, 131072, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 11, 0x1000) = 0x7f8581882000
mmap(0x7f85818a2000, 32768, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 11, 0x21000) = 0x7f85818a2000
mmap(0x7f85818ab000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 11, 0x29000) = 0x7f85818ab000
mmap(0x7f85818ad000, 376, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f85818ad000
close(11)                               = 0
mprotect(0x7f85818ab000, 4096, PROT_READ) = 0
mprotect(0x7f8581a69000, 12288, PROT_READ) = 0
mprotect(0x7f8581a7f000, 4096, PROT_READ) = 0
openat(AT_FDCWD, "/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 11
fstat(11, {st_mode=S_IFREG|0644, st_size=2996, ...}) = 0
read(11, "# Locale name alias data base.\n#"..., 4096) = 2996
read(11, "", 4096)                      = 0
close(11)                               = 0
openat(AT_FDCWD, "/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "zsh-static: dl-call-libc-early-i"..., 100) = 100
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8581880000
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [], 8) = 0
getpid()                                = 32389
gettid()                                = 32389
tgkill(32389, 32389, SIGABRT)           = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=32389, si_uid=1000} ---
+++ killed by SIGABRT (core dumped) +++

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [BUG] With --disable-dynamic-nss, not all functions calls are protected
  2021-09-15 14:31 ` Axel Beckert
@ 2021-09-15 19:13   ` Bart Schaefer
  2021-09-16  7:37     ` Jun T
  0 siblings, 1 reply; 15+ messages in thread
From: Bart Schaefer @ 2021-09-15 19:13 UTC (permalink / raw)
  To: Zsh hackers list, 993843

On Wed, Sep 15, 2021 at 7:32 AM Axel Beckert <abe@debian.org> wrote:
>
> But copying zsh-static on a system with a different libc6 version
> still segfaults, so this patch might be necessary but not sufficient.
>
> Last line is:
>
>   zsh-static: dl-call-libc-early-init.c:37: _dl_call_libc_early_init: Assertion `sym != NULL' failed.

Based on the strace, my guess would be that getrlimit() is what's
attempting to link to the dynamic library.  This is based on the
success of the uname() call and on what does NOT appear in the
subsequent trace output.  If getrlimit() does have this effect, it's
possible that getrusage() will as well.


^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [BUG] With --disable-dynamic-nss, not all functions calls are protected
  2021-09-15 19:13   ` Bart Schaefer
@ 2021-09-16  7:37     ` Jun T
  2021-09-16 12:10       ` Axel Beckert
  0 siblings, 1 reply; 15+ messages in thread
From: Jun T @ 2021-09-16  7:37 UTC (permalink / raw)
  To: zsh-workers


> 2021/09/16 4:13、Bart Schaefer <schaefer@brasslantern.com> wrote:

> Based on the strace, my guess would be that getrlimit() is what's
> attempting to link to the dynamic library.  This is based on the
> success of the uname() call and on what does NOT appear in the
> subsequent trace output.

Probably getrlimit() is implemented by prlimit64() that appears
in the strace log, I guess.

Modules/tcp.c uses
gethostbyname2(), gethostbyadr(), getservbyname()
that are NSS-functions?

How about disabling the tcp module by setting
link=no
in config.modules, for the module name=zsh/net/tcp?

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [BUG] With --disable-dynamic-nss, not all functions calls are protected
  2021-09-16  7:37     ` Jun T
@ 2021-09-16 12:10       ` Axel Beckert
  2021-09-16 16:48         ` Bart Schaefer
  0 siblings, 1 reply; 15+ messages in thread
From: Axel Beckert @ 2021-09-16 12:10 UTC (permalink / raw)
  To: zsh-workers

Hi Jun,

On Thu, Sep 16, 2021 at 04:37:31PM +0900, Jun T wrote:
> > Based on the strace, my guess would be that getrlimit() is what's
> > attempting to link to the dynamic library.  This is based on the
> > success of the uname() call and on what does NOT appear in the
> > subsequent trace output.
> 
> Probably getrlimit() is implemented by prlimit64() that appears
> in the strace log, I guess.
> 
> Modules/tcp.c uses
> gethostbyname2(), gethostbyadr(), getservbyname()
> that are NSS-functions?
> 
> How about disabling the tcp module by setting
> link=no
> in config.modules, for the module name=zsh/net/tcp?

Doesn't seem to suffice as my test builds for that already have

  name=zsh/net/tcp modfile=Src/Modules/tcp.mdd link=no auto=yes load=no functions=Functions/TCP/*

in config.modules.

		Kind regards, Axel
-- 
PGP: 2FF9CD59612616B5      /~\  Plain Text Ribbon Campaign, http://arc.pasp.de/
Mail: abe@deuxchevaux.org  \ /  Say No to HTML in E-Mail and Usenet
Mail+Jabber: abe@noone.org  X
https://axel.beckert.ch/   / \  I love long mails: https://email.is-not-s.ms/


^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [BUG] With --disable-dynamic-nss, not all functions calls are protected
  2021-09-16 12:10       ` Axel Beckert
@ 2021-09-16 16:48         ` Bart Schaefer
  2021-09-16 18:21           ` Jun. T
  0 siblings, 1 reply; 15+ messages in thread
From: Bart Schaefer @ 2021-09-16 16:48 UTC (permalink / raw)
  To: Zsh hackers list

> > > Based on the strace, my guess would be that getrlimit() is what's
> > > attempting to link to the dynamic library.  This is based on the
> > > success of the uname() call and on what does NOT appear in the
> > > subsequent trace output.
> >
> > Probably getrlimit() is implemented by prlimit64() that appears
> > in the strace log, I guess.

Hmm.  There are two calls to uname() in the strace.  There are only
two places in the source code that might call uname(), both happen via
createparamtable(), and createparamtable() is called from setupvals()
before it calls getrlimit() to populate the limits array.  Yet the two
uname() calls are one before prlimit64() and one after, so if prlimit
== getrlimit, I can't find a code flow that matches the order of
events in the strace.


^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [BUG] With --disable-dynamic-nss, not all functions calls are protected
  2021-09-16 16:48         ` Bart Schaefer
@ 2021-09-16 18:21           ` Jun. T
  2021-09-16 18:34             ` Axel Beckert
  2021-09-17  1:23             ` Jun T
  0 siblings, 2 replies; 15+ messages in thread
From: Jun. T @ 2021-09-16 18:21 UTC (permalink / raw)
  To: zsh-workers


> 2021/09/17 1:48, Bart Schaefer <schaefer@brasslantern.com> wrote:
> 
> Hmm.  There are two calls to uname() in the strace.

Sorry, I missed the second one.
The first one is before
readlink("/proc/self/exe", "/home/abe/tmp/zsh-static", 4096)
and I guess it is not from zsh code.

So I think the second one is from createparamtable(),
and createparamtable() seems to have finished, but getrlimit() are not
called, as you pointed out.

But it is not be probable that getrlimit(0 = RLIMIT_CPU) uses NSS.
(prlimit64() has succeeded for RLIMIT_NOFILE)

Is adjustwinsize() called? If it is called, ioctl() should be in
strace log?


^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [BUG] With --disable-dynamic-nss, not all functions calls are protected
  2021-09-16 18:21           ` Jun. T
@ 2021-09-16 18:34             ` Axel Beckert
  2021-09-16 22:01               ` Bart Schaefer
  2021-09-17  1:23             ` Jun T
  1 sibling, 1 reply; 15+ messages in thread
From: Axel Beckert @ 2021-09-16 18:34 UTC (permalink / raw)
  To: zsh-workers

[-- Attachment #1: Type: text/plain, Size: 868 bytes --]

Hi,

On Fri, Sep 17, 2021 at 03:21:43AM +0900, Jun. T wrote:
> > Hmm.  There are two calls to uname() in the strace.
> 
> Sorry, I missed the second one.
> The first one is before
> readlink("/proc/self/exe", "/home/abe/tmp/zsh-static", 4096)
> and I guess it is not from zsh code.

Sorry, I forgot to use "-f" and my zshrc is using grml's zshrc as well
as zsh-syntax-highlighting. New strace attached.

Then again, they differ only a few bytes in size
and seemingly only in pids and hex addresses wrt. to their contents.
So I assume the crash happens even before my .zshrc was loaded.

		Kind regards, Axel
-- 
PGP: 2FF9CD59612616B5      /~\  Plain Text Ribbon Campaign, http://arc.pasp.de/
Mail: abe@deuxchevaux.org  \ /  Say No to HTML in E-Mail and Usenet
Mail+Jabber: abe@noone.org  X
https://axel.beckert.ch/   / \  I love long mails: https://email.is-not-s.ms/

[-- Attachment #2: zsh-static-dash-f.strace --]
[-- Type: text/plain, Size: 8370 bytes --]

execve("tmp/zsh-static", ["tmp/zsh-static", "-f"], 0x7ffdcb1ffbf8 /* 53 vars */) = 0
brk(NULL)                               = 0x10ef000
brk(0x10efe00)                          = 0x10efe00
arch_prctl(ARCH_SET_FS, 0x10ef400)      = 0
uname({sysname="Linux", nodename="emehari", ...}) = 0
readlink("/proc/self/exe", "/home/abe/tmp/zsh-static", 4096) = 24
brk(0x1110e00)                          = 0x1110e00
brk(0x1111000)                          = 0x1111000
mprotect(0x642000, 32768, PROT_READ)    = 0
prctl(PR_CAPBSET_READ, CAP_MAC_OVERRIDE) = 1
prctl(PR_CAPBSET_READ, 0x30 /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_CAPBSET_READ, CAP_CHECKPOINT_RESTORE) = 1
prctl(PR_CAPBSET_READ, 0x2c /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_CAPBSET_READ, 0x2a /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_CAPBSET_READ, 0x29 /* CAP_??? */) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=3726656, ...}) = 0
mmap(NULL, 3726656, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f642899d000
close(3)                                = 0
prlimit64(0, RLIMIT_NOFILE, NULL, {rlim_cur=4*1024, rlim_max=4*1024}) = 0
getuid()                                = 1000
geteuid()                               = 1000
getgid()                                = 1000
getegid()                               = 1000
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
fstat(0, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0
readlink("/proc/self/fd/0", "/dev/pts/0", 4095) = 10
stat("/dev/pts/0", {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0
openat(AT_FDCWD, "/dev/pts/0", O_RDWR|O_NOCTTY) = 3
fcntl(3, F_DUPFD, 10)                   = 10
close(3)                                = 0
fcntl(10, F_GETFD)                      = 0
fcntl(10, F_SETFD, FD_CLOEXEC)          = 0
fcntl(10, F_GETFL)                      = 0x8002 (flags O_RDWR|O_LARGEFILE)
ioctl(10, TCGETS, {B38400 opost isig icanon echo ...}) = 0
getpid()                                = 28930
getpgrp()                               = 28927
getpgrp()                               = 28927
rt_sigprocmask(SIG_BLOCK, [TSTP TTIN TTOU], [], 8) = 0
ioctl(10, TIOCGPGRP, [28927])           = 0
setpgid(0, 0)                           = 0
ioctl(10, TIOCSPGRP, [28930])           = 0
rt_sigprocmask(SIG_SETMASK, [], [TSTP TTIN TTOU], 8) = 0
pipe([3, 4])                            = 0
dup(0)                                  = 5
dup(0)                                  = 6
dup(0)                                  = 7
dup(0)                                  = 8
dup(0)                                  = 9
getppid()                               = 28927
getpid()                                = 28930
getuid()                                = 1000
stat("/", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat(".", {st_mode=S_IFDIR|0755, st_size=12288, ...}) = 0
stat("/home/abe", {st_mode=S_IFDIR|0755, st_size=12288, ...}) = 0
stat(".", {st_mode=S_IFDIR|0755, st_size=12288, ...}) = 0
mmap(NULL, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6428999000
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache", O_RDONLY) = 11
fstat(11, {st_mode=S_IFREG|0644, st_size=27002, ...}) = 0
mmap(NULL, 27002, PROT_READ, MAP_SHARED, 11, 0) = 0x7f6428992000
close(11)                               = 0
uname({sysname="Linux", nodename="emehari", ...}) = 0
openat(AT_FDCWD, "/proc/self/loginuid", O_RDONLY) = 11
read(11, "1000", 12)                    = 4
close(11)                               = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 11
connect(11, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(11)                               = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 11
connect(11, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(11)                               = 0
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 11
fstat(11, {st_mode=S_IFREG|0644, st_size=494, ...}) = 0
read(11, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 494
read(11, "", 4096)                      = 0
close(11)                               = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 11
fstat(11, {st_mode=S_IFREG|0644, st_size=161344, ...}) = 0
mmap(NULL, 161344, PROT_READ, MAP_PRIVATE, 11, 0) = 0x7f642896a000
close(11)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 11
read(11, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0003\0\0\0\0\0\0"..., 832) = 832
fstat(11, {st_mode=S_IFREG|0644, st_size=51696, ...}) = 0
mmap(NULL, 79672, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 11, 0) = 0x7f6428956000
mmap(0x7f6428959000, 28672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 11, 0x3000) = 0x7f6428959000
mmap(0x7f6428960000, 8192, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 11, 0xa000) = 0x7f6428960000
mmap(0x7f6428962000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 11, 0xb000) = 0x7f6428962000
mmap(0x7f6428964000, 22328, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f6428964000
close(11)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 11
read(11, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@n\2\0\0\0\0\0"..., 832) = 832
fstat(11, {st_mode=S_IFREG|0755, st_size=1839792, ...}) = 0
mmap(NULL, 1852680, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 11, 0) = 0x7f6428791000
mprotect(0x7f64287b6000, 1662976, PROT_NONE) = 0
mmap(0x7f64287b6000, 1355776, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 11, 0x25000) = 0x7f64287b6000
mmap(0x7f6428901000, 303104, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 11, 0x170000) = 0x7f6428901000
mmap(0x7f642894c000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 11, 0x1ba000) = 0x7f642894c000
mmap(0x7f6428952000, 13576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f6428952000
close(11)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", O_RDONLY|O_CLOEXEC) = 11
read(11, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\20\0\0\0\0\0\0"..., 832) = 832
fstat(11, {st_mode=S_IFREG|0755, st_size=177928, ...}) = 0
mmap(NULL, 180600, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 11, 0) = 0x7f6428764000
mprotect(0x7f6428765000, 167936, PROT_NONE) = 0
mmap(0x7f6428765000, 131072, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 11, 0x1000) = 0x7f6428765000
mmap(0x7f6428785000, 32768, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 11, 0x21000) = 0x7f6428785000
mmap(0x7f642878e000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 11, 0x29000) = 0x7f642878e000
mmap(0x7f6428790000, 376, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f6428790000
close(11)                               = 0
mprotect(0x7f642878e000, 4096, PROT_READ) = 0
mprotect(0x7f642894c000, 12288, PROT_READ) = 0
mprotect(0x7f6428962000, 4096, PROT_READ) = 0
openat(AT_FDCWD, "/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 11
fstat(11, {st_mode=S_IFREG|0644, st_size=2996, ...}) = 0
read(11, "# Locale name alias data base.\n#"..., 4096) = 2996
read(11, "", 4096)                      = 0
close(11)                               = 0
openat(AT_FDCWD, "/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "zsh-static: dl-call-libc-early-i"..., 100) = 100
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6428763000
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [], 8) = 0
getpid()                                = 28930
gettid()                                = 28930
tgkill(28930, 28930, SIGABRT)           = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=28930, si_uid=1000} ---
+++ killed by SIGABRT (core dumped) +++

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [BUG] With --disable-dynamic-nss, not all functions calls are protected
  2021-09-16 18:34             ` Axel Beckert
@ 2021-09-16 22:01               ` Bart Schaefer
  0 siblings, 0 replies; 15+ messages in thread
From: Bart Schaefer @ 2021-09-16 22:01 UTC (permalink / raw)
  To: Zsh hackers list

On Thu, Sep 16, 2021 at 12:07 PM Axel Beckert <abe@deuxchevaux.org> wrote:
>
> New strace attached.

Instead of "strace", can you load this into "gdb" and "run -f" ?


^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [BUG] With --disable-dynamic-nss, not all functions calls are protected
  2021-09-16 18:21           ` Jun. T
  2021-09-16 18:34             ` Axel Beckert
@ 2021-09-17  1:23             ` Jun T
  2021-09-17  8:45               ` Jun T
  1 sibling, 1 reply; 15+ messages in thread
From: Jun T @ 2021-09-17  1:23 UTC (permalink / raw)
  To: zsh-workers


> 2021/09/17 3:21, Jun. T <takimoto-j@kba.biglobe.ne.jp> wrote:
> 
> So I think the second one is from createparamtable(),
> and createparamtable() seems to have finished,

Sorry, maybe createparamtable() has not finished.

I guess the problem is getlogin() called from createparamtable().

#line 847 in params.c (of current git HEAD).


^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [BUG] With --disable-dynamic-nss, not all functions calls are protected
  2021-09-17  1:23             ` Jun T
@ 2021-09-17  8:45               ` Jun T
  2021-09-17 13:44                 ` Axel Beckert
  2021-09-17 15:02                 ` Bart Schaefer
  0 siblings, 2 replies; 15+ messages in thread
From: Jun T @ 2021-09-17  8:45 UTC (permalink / raw)
  To: zsh-workers

[-- Attachment #1: Type: text/plain, Size: 5923 bytes --]


> 2021/09/17 10:23, Jun T <takimoto-j@kba.biglobe.ne.jp> wrote:
> 
> I guess the problem is getlogin() called from createparamtable().

Yes, this can be confirmed by statically linking a test program
(just call getlogin() and exit). I _hope_ there are no other places
where NSS-functions are indirectly called.

Revised the Axel's patch (also attached a file):

params.c:
do not call getlogin()

Modules/parameter.c:
Special parameter $usergroups can't be supported without NSS.
So the possibilities are:
(1) issue an error message when user try to use $usergroups
(2) do not issue an error but the parameter exists
(3) remove the parameter (remove from the table partab[])
The patch below uses (1), but I have no idea which is the best.

hashnameddir.c, options.c, utils.c:
HAVE_xxx --> USE_xxx (same as the Axel's patch)

Modules/{stat.c,files.c}:
These (and tcp.c, zftp.c) use NSS but are not patched since they are
disabled by default in static build.


diff --git a/Src/Modules/parameter.c b/Src/Modules/parameter.c
index ef9148d7b..b44555323 100644
--- a/Src/Modules/parameter.c
+++ b/Src/Modules/parameter.c
@@ -2011,6 +2011,9 @@ scanpmdissaliases(HashTable ht, ScanFunc func, int flags)
 /**/
 static Groupset get_all_groups(void)
 {
+#ifdef DISABLE_DYNAMIC_NSS
+    return NULL;
+#else
     Groupset gs = zhalloc(sizeof(*gs));
     Groupmap gaptr;
     gid_t *list, *lptr, egid;
@@ -2063,6 +2066,7 @@ static Groupset get_all_groups(void)
     }
 
     return gs;
+#endif /* DISABLE_DYNAMIC_NSS */
 }
 
 /* Standard hash element lookup. */
@@ -2081,7 +2085,11 @@ getpmusergroups(UNUSED(HashTable ht), const char *name)
     pm->gsu.s = &nullsetscalar_gsu;
 
     if (!gs) {
+#ifdef DISABLE_DYNAMIC_NSS
+	zerr("parameter 'usergroups' not available: NSS is disabled");
+#else
 	zerr("failed to retrieve groups for user: %e", errno);
+#endif
 	pm->u.str = dupstring("");
 	pm->node.flags |= (PM_UNSET|PM_SPECIAL);
 	return &pm->node;
@@ -2113,7 +2121,11 @@ scanpmusergroups(UNUSED(HashTable ht), ScanFunc func, int flags)
     Groupmap gaptr;
 
     if (!gs) {
+#ifdef DISABLE_DYNAMIC_NSS
+	zerr("parameter 'usergroups' not available: NSS is disabled");
+#else
 	zerr("failed to retrieve groups for user: %e", errno);
+#endif
 	return;
     }
 
diff --git a/Src/hashnameddir.c b/Src/hashnameddir.c
index bed43d025..cbd1344ef 100644
--- a/Src/hashnameddir.c
+++ b/Src/hashnameddir.c
@@ -178,7 +178,7 @@ fillnameddirtable(UNUSED(HashTable ht))
 	    /* Using NIS or NIS+ didn't add any user directories. This seems
 	     * fishy, so we fall back to using getpwent(). If we don't have
 	     * that, we only use the passwd file. */
-#ifdef HAVE_GETPWENT
+#ifdef USE_GETPWENT
 	    struct passwd *pw;
 
 	    setpwent();
@@ -190,7 +190,7 @@ fillnameddirtable(UNUSED(HashTable ht))
 
 	    endpwent();
 	    usepwf = 0;
-#endif /* HAVE_GETPWENT */
+#endif /* USE_GETPWENT */
 	}
 	if (usepwf) {
 	    /* Don't forget the non-NIS matches from the flat passwd file */
@@ -229,7 +229,7 @@ fillnameddirtable(UNUSED(HashTable ht))
 	    adduserdir(pw->pw_name, pw->pw_dir, ND_USERNAME, 1);
 
 	endpwent();
-#endif /* HAVE_GETPWENT */
+#endif /* USE_GETPWENT */
 #endif
 	allusersadded = 1;
     }
diff --git a/Src/options.c b/Src/options.c
index 783022591..a1fe918fc 100644
--- a/Src/options.c
+++ b/Src/options.c
@@ -811,7 +811,7 @@ dosetopt(int optno, int value, int force, char *new_opts)
 	    return -1;
 	}
 
-# ifdef HAVE_INITGROUPS
+# ifdef USE_INITGROUPS
 	/* Set the supplementary groups list.
 	 *
 	 * Note that on macOS, FreeBSD, and possibly some other platforms,
diff --git a/Src/params.c b/Src/params.c
index 4f6b361f9..704aad588 100644
--- a/Src/params.c
+++ b/Src/params.c
@@ -843,9 +843,12 @@ createparamtable(void)
     setsparam("HOST", ztrdup_metafy(hostnam));
     zfree(hostnam, 256);
 
-    setsparam("LOGNAME",
-	      ztrdup_metafy((str = getlogin()) && *str ?
-			    str : cached_username));
+    setsparam("LOGNAME", ztrdup_metafy(
+#ifndef DISABLE_DYNAMIC_NSS
+			(str = getlogin()) && *str ?  str :
+#endif
+				cached_username
+			));
 
 #if !defined(HAVE_PUTENV) && !defined(USE_SET_UNSET_ENV)
     /* Copy the environment variables we are inheriting to dynamic *
@@ -4430,7 +4433,7 @@ usernamegetfn(UNUSED(Param pm))
 void
 usernamesetfn(UNUSED(Param pm), char *x)
 {
-#if defined(HAVE_SETUID) && defined(HAVE_GETPWNAM)
+#if defined(HAVE_SETUID) && defined(USE_GETPWNAM)
     struct passwd *pswd;
 
     if (x && (pswd = getpwnam(x)) && (pswd->pw_uid != cached_uid)) {
@@ -4447,7 +4450,7 @@ usernamesetfn(UNUSED(Param pm), char *x)
 	    cached_uid = pswd->pw_uid;
 	}
     }
-#endif /* HAVE_SETUID && HAVE_GETPWNAM */
+#endif /* HAVE_SETUID && USE_GETPWNAM */
     zsfree(x);
 }
 
diff --git a/Src/utils.c b/Src/utils.c
index c32741ca7..a74c8bd2c 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -1119,7 +1119,7 @@ char *cached_username;
 char *
 get_username(void)
 {
-#ifdef HAVE_GETPWUID
+#ifdef USE_GETPWUID
     struct passwd *pswd;
     uid_t current_uid;
 
@@ -1132,9 +1132,9 @@ get_username(void)
 	else
 	    cached_username = ztrdup("");
     }
-#else /* !HAVE_GETPWUID */
+#else /* !USE_GETPWUID */
     cached_uid = getuid();
-#endif /* !HAVE_GETPWUID */
+#endif /* !USE_GETPWUID */
     return cached_username;
 }
 
@@ -1310,7 +1310,7 @@ getnameddir(char *name)
 	return str;
     }
 
-#ifdef HAVE_GETPWNAM
+#ifdef USE_GETPWNAM
     {
 	/* Retrieve an entry from the password table/database for this user. */
 	struct passwd *pw;
@@ -1326,7 +1326,7 @@ getnameddir(char *name)
 		return dupstring(pw->pw_dir);
 	}
     }
-#endif /* HAVE_GETPWNAM */
+#endif /* USE_GETPWNAM */
 
     /* There are no more possible sources of directory names, so give up. */
     return NULL;




[-- Attachment #2: nss.patch --]
[-- Type: application/octet-stream, Size: 4757 bytes --]

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [BUG] With --disable-dynamic-nss, not all functions calls are protected
  2021-09-17  8:45               ` Jun T
@ 2021-09-17 13:44                 ` Axel Beckert
  2021-09-17 13:55                   ` Roman Perepelitsa
  2021-09-17 15:02                 ` Bart Schaefer
  1 sibling, 1 reply; 15+ messages in thread
From: Axel Beckert @ 2021-09-17 13:44 UTC (permalink / raw)
  To: zsh-workers

Hi,

On Fri, Sep 17, 2021 at 05:45:37PM +0900, Jun T wrote:
> > I guess the problem is getlogin() called from createparamtable().
> 
> Yes, this can be confirmed by statically linking a test program
> (just call getlogin() and exit). I _hope_ there are no other places
> where NSS-functions are indirectly called.
> 
> Revised the Axel's patch (also attached a file):

Yay, this patch works for me! zsh-static built on Debian Unstable
(glibc 2.32) no more segfaults when copied to and executed on Debian
11 Bullseye (glibc 2.31) for me. (Just my way to test it, the issue
popped up in Debian Unstable the other way round when glibc was
upgraded from 2.31 to 2.32.)

Bart: Sorry for not providing a gdb backtrace in time. Was too tired
last night to figure out where to put Debian's debug symbols when not
installing the built packages (or to set up a fitting chroot for
testing with the built packages) for generating a backtrace with gdb.

		Kind regards, Axel
-- 
PGP: 2FF9CD59612616B5      /~\  Plain Text Ribbon Campaign, http://arc.pasp.de/
Mail: abe@deuxchevaux.org  \ /  Say No to HTML in E-Mail and Usenet
Mail+Jabber: abe@noone.org  X
https://axel.beckert.ch/   / \  I love long mails: https://email.is-not-s.ms/


^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [BUG] With --disable-dynamic-nss, not all functions calls are protected
  2021-09-17 13:44                 ` Axel Beckert
@ 2021-09-17 13:55                   ` Roman Perepelitsa
  2021-09-17 14:16                     ` Axel Beckert
  0 siblings, 1 reply; 15+ messages in thread
From: Roman Perepelitsa @ 2021-09-17 13:55 UTC (permalink / raw)
  To: Zsh hackers list

On Fri, Sep 17, 2021 at 3:45 PM Axel Beckert <abe@deuxchevaux.org> wrote:
>
> Hi,
>
> On Fri, Sep 17, 2021 at 05:45:37PM +0900, Jun T wrote:
> > > I guess the problem is getlogin() called from createparamtable().
> >
> > Yes, this can be confirmed by statically linking a test program
> > (just call getlogin() and exit). I _hope_ there are no other places
> > where NSS-functions are indirectly called.
> >
> > Revised the Axel's patch (also attached a file):
>
> Yay, this patch works for me! zsh-static built on Debian Unstable
> (glibc 2.32) no more segfaults when copied to and executed on Debian
> 11 Bullseye (glibc 2.31) for me.

If your goal is to create a binary that runs on any Linux x64 box
regardless of libc runtimes that may or may not be available on it,
link against musl libc. Static linking against glibc is a lost cause.
Zsh can link against musl libc out of the box. This is how I build
mine.

Roman.


^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [BUG] With --disable-dynamic-nss, not all functions calls are protected
  2021-09-17 13:55                   ` Roman Perepelitsa
@ 2021-09-17 14:16                     ` Axel Beckert
  0 siblings, 0 replies; 15+ messages in thread
From: Axel Beckert @ 2021-09-17 14:16 UTC (permalink / raw)
  To: zsh-workers

Hi Roman,

On Fri, Sep 17, 2021 at 03:55:43PM +0200, Roman Perepelitsa wrote:
> > Yay, this patch works for me! zsh-static built on Debian Unstable
> > (glibc 2.32) no more segfaults when copied to and executed on Debian
> > 11 Bullseye (glibc 2.31) for me.
> 
> If your goal is to create a binary that runs on any Linux x64 box
> regardless of libc runtimes that may or may not be available on it,
> link against musl libc.

Thanks for that idea, but the main goal for now was to make zsh-static
survive glibc upgrades in Debian (Unstable first and foremost).

> Static linking against glibc is a lost cause.

Not the first time I've read that, yes.

> Zsh can link against musl libc out of the box. This is how I build
> mine.

I've just checked: At least bash-static, busybox-static and sash
(static by default as that's its purpose) are built against glibc in
Debian, so I'll probably stay with glibc for now in Debian's
zsh-static package.

Nevertheless thanks for that hint. Will keep it in mind in case we run
into more severe glibc issues with static builds in the future.

		Kind regards, Axel
-- 
PGP: 2FF9CD59612616B5      /~\  Plain Text Ribbon Campaign, http://arc.pasp.de/
Mail: abe@deuxchevaux.org  \ /  Say No to HTML in E-Mail and Usenet
Mail+Jabber: abe@noone.org  X
https://axel.beckert.ch/   / \  I love long mails: https://email.is-not-s.ms/


^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [BUG] With --disable-dynamic-nss, not all functions calls are protected
  2021-09-17  8:45               ` Jun T
  2021-09-17 13:44                 ` Axel Beckert
@ 2021-09-17 15:02                 ` Bart Schaefer
  1 sibling, 0 replies; 15+ messages in thread
From: Bart Schaefer @ 2021-09-17 15:02 UTC (permalink / raw)
  To: Jun T; +Cc: Zsh hackers list

On Fri, Sep 17, 2021 at 1:46 AM Jun T <takimoto-j@kba.biglobe.ne.jp> wrote:
>
> Special parameter $usergroups can't be supported without NSS.
> So the possibilities are:
> (1) issue an error message when user try to use $usergroups
> (2) do not issue an error but the parameter exists
> (3) remove the parameter (remove from the table partab[])
> The patch below uses (1), but I have no idea which is the best.

I think I'd go with (2) but add the new PM_DEFAULTED flag so that the
parameter is permanently unset.


^ permalink raw reply	[flat|nested] 15+ messages in thread

end of thread, other threads:[~2021-09-17 15:03 UTC | newest]

Thread overview: 15+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-08  1:12 [BUG] With --disable-dynamic-nss, not all functions calls are protected Vincent Lefevre
2021-09-15 14:31 ` Axel Beckert
2021-09-15 19:13   ` Bart Schaefer
2021-09-16  7:37     ` Jun T
2021-09-16 12:10       ` Axel Beckert
2021-09-16 16:48         ` Bart Schaefer
2021-09-16 18:21           ` Jun. T
2021-09-16 18:34             ` Axel Beckert
2021-09-16 22:01               ` Bart Schaefer
2021-09-17  1:23             ` Jun T
2021-09-17  8:45               ` Jun T
2021-09-17 13:44                 ` Axel Beckert
2021-09-17 13:55                   ` Roman Perepelitsa
2021-09-17 14:16                     ` Axel Beckert
2021-09-17 15:02                 ` Bart Schaefer

zsh-workers

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://inbox.vuxu.org/zsh-workers

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V1 zsh-workers zsh-workers/ https://inbox.vuxu.org/zsh-workers \
		zsh-workers@zsh.org
	public-inbox-index zsh-workers

Example config snippet for mirrors.
Newsgroup available over NNTP:
	nntp://inbox.vuxu.org/vuxu.archive.zsh.workers


code repositories for the project(s) associated with this inbox:

	https://git.vuxu.org/mirror/zsh/

AGPL code for this site: git clone https://public-inbox.org/public-inbox.git