Date: Wed, 22 Jan 2020 11:07:43 -0500 From: Rich Felker <dalias@...c.org> To: Florian Weimer <fweimer@...hat.com> Cc: 39236@...bugs.gnu.org, musl@...ts.openwall.com Subject: Re: coreutils cp mishandles error return from lchmod On Wed, Jan 22, 2020 at 04:32:45PM +0100, Florian Weimer wrote: > * Rich Felker: > > > On Wed, Jan 22, 2020 at 04:08:26PM +0100, Florian Weimer wrote: > >> * Rich Felker: > >> > >> > On Wed, Jan 22, 2020 at 03:34:18PM +0100, Florian Weimer wrote: > >> >> * Rich Felker: > >> >> > >> >> > coreutils should be opting to use the system-provided lchmod, which is > >> >> > safe, and correctly handling error returns (silently treating > >> >> > EOPNOTSUPP as success) rather than as hard errors. > >> >> > >> >> glibc's lchmod always returns ENOSYS (except on Hurd). I don't know how > >> >> lchmod is used in coreutils, but I suspect it is not particularly > >> >> useful. > >> > > >> > When preserving permissions (cp -p, archive extraction, etc.), you > >> > want lchmod to work correctly just for the purpose of *not* following > >> > the link and thereby unwantedly changing the permissions of the link > >> > target. But, fchmodat with AT_SYMLINK_NOFOLLOW works just as well and > >> > is standard, and that's really what coreutils should be using. > >> > >> I think you misread what I wrote: lchmod *always* returns ENOSYS. Even > >> if the file is not a symbolic link. Likewise, fchmodat with > >> AT_SYMLINK_NOFOLLOW *always* returns ENOTSUP. > > > > Yes, I understood that. I was going into why there should be a real > > implementation, but didn't make it clear that that was what I was > > doing. > > Ah, yes, there should be a real implementation if we can get full > lchmod/AT_SYMLINK_NOFOLLOW behavior on file systems that support it. If > we can't, I'm not sure if there is a point to it. The point is to fail when the target is a symlink, rather than (erroneously and possibly dangerously) applying the chmod to the link target. Actually supporting link modes is useless. It's the "not modifying the target" that's important. > >> The reason for this is that the kernel does not provide a suitable > >> system call to implement this, even though some file systems allow a > >> mode change for symbolic links. I think we can do better, although I > >> should note that each time we implement such emulation in userspace, it > >> comes back to bite us eventually. > > > > Emulations in userspace that are approximate, have race conditions, > > etc. are bad. Ones that are rigorous are good, though. > > Is there a reason for the S_ISLNK check in the musl implementation? > With current kernels, chmod on the proc pseudo-file will not traverse > the symbolic link, but I have yet to check if this has always been the > case. It's explained in the bz you just replied on, https://sourceware.org/bugzilla/show_bug.cgi?id=14578 The point of the S_ISLNK check is to fail out early with the ENOTSUPP, which the caller should treat as "success-like", in the non-racing condition, without the need to open a fd (which may fail with ENFILE/EMFILE) and without the need for /proc to be mounted. Otherwise, a different error will be produced when one of those cases is hit, and the caller will treat it as a real error. Rich
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.