From owner-freebsd-standards@FreeBSD.ORG Mon Aug 2 07:35:39 2010
Date: Mon, 2 Aug 2010 00:35:38 -0700
From: Garrett Cooper
To: standards@freebsd.org
Subject: Confusion over wording in glob(3)

I have some questions about the ambiguity of the ERRORS section in our glob(3) manpage. POSIX states:

ERRORS

    The glob() function shall fail and return the corresponding value if:

    GLOB_ABORTED
        The scan was stopped because GLOB_ERR was set or (*errfunc()) returned non-zero.

    GLOB_NOMATCH
        The pattern does not match any existing pathname, and GLOB_NOCHECK was not set in flags.

    GLOB_NOSPACE
        An attempt to allocate memory failed.

(Note that there's no mention of `errno').

Our manpage states:

    If glob() terminates due to an error, it sets errno and returns one of the following non-zero constants, which are defined in the include file <glob.h>:

    GLOB_NOSPACE
        An attempt to allocate memory failed, or if errno was 0 GLOB_LIMIT was specified in the flags and pglob->gl_matchc or more patterns were matched.

    GLOB_ABORTED
        The scan was stopped because an error was encountered and either GLOB_ERR was set or (*errfunc)() returned non-zero.

    GLOB_NOMATCH
        The pattern did not match a pathname and GLOB_NOCHECK was not set.

(Note the mention of errno).

So far I've only been able to hit a sensical error case once by doing the following (but that could have been a side-effect from a malloc(3) failure in terms of finding malloc.conf -- don't know for sure). The rest of the time I get errno = 0:

$ cc -o test_glob test_glob.c
$ ln -f test_glob test_glob_nomatch
$ ./test_glob_nomatch
NOMATCH
glob(./test_glob_nomatch.*) didn't match: 0: Unknown error: 0

So I suppose my question is: should the confusing wording be removed for clarity?
Thanks,
-Garrett

/* test_glob.c */
#include <err.h>
#include <errno.h>
#include <glob.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

int
main(int argc, char **argv)
{
	char p[PATH_MAX];
	glob_t globp;
	int err, ret;

	/* Pattern is "<argv[0]>.*"; bounded so a long argv[0] cannot overflow p. */
	snprintf(p, sizeof(p), "%s.*", *argv);
	printf("glob(%s) ", p);
	/* Clear errno so a stale value is not mistaken for one set by glob(). */
	errno = 0;
	ret = glob(p, GLOB_NOESCAPE, NULL, &globp);
	err = errno;	/* save it before another libc call can change it */
	if (ret == 0) {
		if (globp.gl_pathc)
			printf("matches !\n");
		else
			errx(1, "what what...?");	/* errx() adds the newline */
	} else {
		/* Name the glob() return code on stderr. */
		switch (ret) {
		case GLOB_NOSPACE:
			fprintf(stderr, "NOSPACE\n");
			break;
		case GLOB_ABORTED:
			fprintf(stderr, "ABORTED\n");
			break;
		case GLOB_NOMATCH:
			fprintf(stderr, "NOMATCH\n");
			break;
		default:
			fprintf(stderr, "unknown: %d\n", ret);
		}
		/* Show the errno value that was saved right after glob(). */
		printf("didn't match: %d: %s\n", err, strerror(err));
	}
	globfree(&globp);
	return (ret);
}

From owner-freebsd-standards@FreeBSD.ORG Mon Aug 2 09:53:03 2010
Date: Mon, 2 Aug 2010 12:52:56 +0300
From: Jaakko Heinonen
To: Bruce Evans
Cc: Garrett Cooper, standards@freebsd.org, hackers@freebsd.org
Subject: Re: Chasing down bugs with access(2)
Message-ID: <20100802095255.GA1122@a91-153-117-195.elisa-laajakaista.fi>
References: <20100721072225.GA1102@a91-153-117-195.elisa-laajakaista.fi> <20100721185227.N7492@delplex.bde.org>
In-Reply-To: <20100721185227.N7492@delplex.bde.org>

On 2010-07-21, Bruce Evans wrote:
> > See PR kern/125009 (http://www.freebsd.org/cgi/query-pr.cgi?pr=125009).
>
> I looked at the patches in the PR. It seems reasonable to require an X
> bit for VEXEC for all file types except directories, like I think the
> vaccess() version of your patch does.

Thanks for looking at it. Both patches require it for non-directories only.

I have updated the vaccess*() version of the patch. It now preserves the check in exec_check_permissions() to avoid causing regressions for file systems which are not using vaccess*() functions.

%%%
Index: sys/kern/kern_exec.c =================================================================== --- sys/kern/kern_exec.c (revision 210492) +++ sys/kern/kern_exec.c (working copy) 
@@ -1328,13 +1328,13 @@ exec_check_permissions(imgp) /* * 1) Check if file execution is disabled for the filesystem that this * file resides on. - * 2) Insure that at least one execute bit is on - otherwise root + * 2) Ensure that at least one execute bit is on - otherwise root * will always succeed, and we don't want to happen unless the * file really is executable. - * 3) Insure that the file is a regular file. + * 3) Ensure that the file is a regular file. */ if ((vp->v_mount->mnt_flag & MNT_NOEXEC) || - ((attr->va_mode & 0111) == 0) || + (attr->va_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0 || (attr->va_type != VREG)) return (EACCES); Index: sys/kern/vfs_subr.c =================================================================== --- sys/kern/vfs_subr.c (revision 210492) +++ sys/kern/vfs_subr.c (working copy) @@ -3600,8 +3600,14 @@ privcheck: !priv_check_cred(cred, PRIV_VFS_LOOKUP, 0)) priv_granted |= VEXEC; } else { + /* + * Ensure that at least one execute bit is on - otherwise + * privileged user will always succeed, and we don't want to + * happen unless the file really is executable. + */ if ((accmode & VEXEC) && ((dac_granted & VEXEC) == 0) && - !priv_check_cred(cred, PRIV_VFS_EXEC, 0)) + !priv_check_cred(cred, PRIV_VFS_EXEC, 0) && + (file_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0) priv_granted |= VEXEC; } Index: sys/kern/subr_acl_posix1e.c =================================================================== --- sys/kern/subr_acl_posix1e.c (revision 210492) +++ sys/kern/subr_acl_posix1e.c (working copy) 
@@ -90,8 +90,14 @@ vaccess_acl_posix1e(enum vtype type, uid PRIV_VFS_LOOKUP, 0)) priv_granted |= VEXEC; } else { + /* + * Ensure that at least one execute bit is on - otherwise + * privileged user will always succeed, and we don't want to + * happen unless the file really is executable. + */ if ((accmode & VEXEC) && !priv_check_cred(cred, - PRIV_VFS_EXEC, 0)) + PRIV_VFS_EXEC, 0) && (acl_posix1e_acl_to_mode(acl) & + (S_IXUSR | S_IXGRP | S_IXOTH)) != 0) priv_granted |= VEXEC; } Index: sys/kern/subr_acl_nfs4.c =================================================================== --- sys/kern/subr_acl_nfs4.c (revision 210492) +++ sys/kern/subr_acl_nfs4.c (working copy) @@ -162,6 +162,7 @@ vaccess_acl_nfs4(enum vtype type, uid_t accmode_t priv_granted = 0; int denied, explicitly_denied, access_mask, is_directory, must_be_owner = 0; + mode_t file_mode = 0; KASSERT((accmode & ~(VEXEC | VWRITE | VREAD | VADMIN | VAPPEND | VEXPLICIT_DENY | VREAD_NAMED_ATTRS | VWRITE_NAMED_ATTRS | @@ -236,8 +237,15 @@ vaccess_acl_nfs4(enum vtype type, uid_t PRIV_VFS_LOOKUP, 0)) priv_granted |= VEXEC; } else { + /* + * Ensure that at least one execute bit is on - otherwise + * privileged user will always succeed, and we don't want to + * happen unless the file really is executable. + */ + acl_nfs4_sync_mode_from_acl(&file_mode, aclp); if ((accmode & VEXEC) && !priv_check_cred(cred, - PRIV_VFS_EXEC, 0)) + PRIV_VFS_EXEC, 0) && (file_mode & + (S_IXUSR | S_IXGRP | S_IXOTH)) != 0) priv_granted |= VEXEC; } Index: sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c =================================================================== --- sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c (revision 210492) +++ sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c (working copy) @@ -4193,6 +4193,9 @@ zfs_freebsd_access(ap) struct thread *a_td; } */ *ap; { + vnode_t *vp = ap->a_vp; + znode_t *zp = VTOZ(vp); + znode_phys_t *zphys = zp->z_phys; accmode_t accmode; int error = 0; 
@@ -4209,16 +4212,20 @@ zfs_freebsd_access(ap) if (error == 0) { accmode = ap->a_accmode & ~(VREAD|VWRITE|VEXEC|VAPPEND); if (accmode != 0) { - vnode_t *vp = ap->a_vp; - znode_t *zp = VTOZ(vp); - znode_phys_t *zphys = zp->z_phys; - error = vaccess(vp->v_type, zphys->zp_mode, zphys->zp_uid, zphys->zp_gid, accmode, ap->a_cred, NULL); } } + /* + * For VEXEC, ensure that at least one execute bit is set for + * non-directories. + */ + if (error == 0 && (ap->a_accmode & VEXEC) != 0 && vp->v_type != VDIR && + (zphys->zp_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0) + error = EACCES; + return (error); }
%%%

--
Jaakko
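
Review bot: In the exec_check_permissions() hunk of sys/kern/kern_exec.c, the replacement line "(attr->va_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0 ||" drops the outer parentheses that the two neighbouring operands of the || chain still carry, so the condition now mixes two styles; keep the outer pair here or drop it from all three operands. Since item 2 of the comment is being edited anyway, "we don't want to happen" is missing a word ("we don't want that to happen"), and the same sentence has been copied into the three new comments in the vaccess*() hunks.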
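
Review bot: In the vaccess() hunk of sys/kern/vfs_subr.c, the new file_mode test is the last operand of the condition, so priv_check_cred(cred, PRIV_VFS_EXEC, 0) is still evaluated for a file with no execute bit and its result is then thrown away. Putting "(file_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0" ahead of the priv_check_cred() call keeps the privilege check from running when it cannot grant anything; the same ordering applies to the vaccess_acl_posix1e() and vaccess_acl_nfs4() hunks. The new comment should also say that this else branch covers non-directories only, as the comment added to zfs_freebsd_access() does.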
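
Review bot: In the second vaccess_acl_nfs4() hunk of sys/kern/subr_acl_nfs4.c, acl_nfs4_sync_mode_from_acl(&file_mode, aclp) is called unconditionally at the top of the else branch, so the mode is derived from the ACL for every request that reaches this branch, including requests without VEXEC in accmode. Guard the call with "(accmode & VEXEC)" or move it inside the condition so the conversion is done only where file_mode is actually used.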
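
Review bot: In the second zfs_freebsd_access() hunk of zfs_vnops.c, the new test on zphys->zp_mode does not look at the credential at all, whereas in the vaccess*() hunks the mode test only gates the PRIV_VFS_EXEC grant. As written, any caller whose VEXEC request passed the preceding check is refused with EACCES when zp_mode has no execute bit; if that is intended for unprivileged callers too, the comment should say so, otherwise the test needs to be limited to the privileged path. Hoisting vp, zp and zphys to function scope also means zp->z_phys is now read on every call rather than only when accmode != 0, which deserves a line in the commit message.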
From: FreeBSD bugmaster
To: freebsd-standards@FreeBSD.org
Subject: Current problem reports assigned to freebsd-standards@FreeBSD.org
X-List-Received-Date: Mon, 02 Aug 2010 11:07:11 -0000

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o stand/147210 standards  xmmintrin.h and cstdlib conflicts with each other with
p stand/145517 standards  POSIX getline() missing
o stand/144231 standards  bind/connect/sendto too strict about sockaddr length
o stand/143358 standards  [libm] nearbyint(3) raises spurious inexact exception
o stand/142803 standards  j0 Bessel function inaccurate near zeros of the functi
s stand/141705 standards  [libc] [request] libc lacks cexp (and friends)
o stand/130067 standards  Wrong numeric limits in system headers?
o stand/124860 standards  flockfile(3) doesn't work when the memory has been exh
o stand/123688 standards  POSIX standard changes in unistd.h and grp.h
o stand/121921 standards  [patch] Add leap second support to at(1), atrun(8)
o stand/116826 standards  [patch] sh support for POSIX character classes
o stand/116477 standards  rm(1): rm behaves unexpectedly when using -r and relat
o bin/116413   standards  incorrect getconf(1) handling of unsigned constants gi
o stand/116081 standards  make does not work with the directive sinclude
p stand/107561 standards  [libc] [patch] [request] Missing SUS function tcgetsid
o stand/104743 standards  [headers] [patch] Wrong values for _POSIX_ minimal lim
o stand/100017 standards  [Patch] Add fuser(1) functionality to fstat(1)
o stand/96236  standards  [patch] [posix] sed(1) incorrectly describes a functio
o stand/96016  standards  [headers] clock_getres et al should be in
o stand/94729  standards  [libc] fcntl() throws undocumented ENOTTY
o kern/93705   standards  [headers] [patch] ENODATA and EGREGIOUS (for glibc com
o stand/92362  standards  [headers] [patch] Missing SIGPOLL in kernel headers
a stand/86484  standards  [patch] mkfifo(1) uses wrong permissions
o stand/83845  standards  [libm] [patch] add log2() and log2f() support for libm
o stand/82654  standards  C99 long double math functions are missing
o stand/81287  standards  [patch] fingerd(8) might send a line not ending in CRL
a stand/80293  standards  sysconf() does not support well-defined unistd values
o stand/79056  standards  [feature request] [atch] regex(3) regression tests
o stand/70813  standards  [patch] ls(1) not Posix compliant
o stand/66357  standards  make POSIX conformance problem ('sh -e' & '+' command-
s kern/64875   standards  [libc] [patch] [request] add a system call: fdatasync(
s stand/62858  standards  malloc(0) not C99 compliant
o stand/56476  standards  [patch] cd9660 unicode support simple hack
o stand/54410  standards  one-true-awk not POSIX compliant (no extended REs)
o stand/46119  standards  Priority problems for SCHED_OTHER using pthreads
p stand/41576  standards  ln(1): replacing old dir-symlinks
o stand/39256  standards  snprintf/vsnprintf aren't POSIX-conformant for strings
o kern/27835   standards  [libc] execve() doesn't conform to execve(2) spec in s
a docs/26003   standards  getgroups(2) lists NGROUPS_MAX but not syslimits.h
s stand/24590  standards  timezone function not compatible witn Single Unix Spec
o stand/21519  standards  sys/dir.h should be deprecated some more
s bin/14925    standards  getsubopt isn't poisonous enough

42 problems total.