On 3/11/20 1:45 AM, Florian Weimer wrote:
I now wonder if neither gnulib nor glibc should pretend that they can implement lchmod and fchmodat on Linux in a usable fashion.
That ship sailed long ago for Gnulib, since it long emulated lchmod by using chmod (with no symlink check!), and Gnulib-using programs rely on this: some know about the lack of a symlink check and therefore have races of there own, whereas others don't know and have more-serious bugs. At the very least we can improve on this by adding a symlink check to Gnulib lchmod. There will still be races but some Gnulib-using programs will be better off than before.
Portable programs really need the ability to do lchmod to avoid races, and as lchmod works on non-Linux kernels we don't want to lose this capability.
I agree that Linux should have a proper lchmod system call. I am puzzled as to why this wasn't added long ago. I suppose the kernel folks thought that lchmod was nonsense because symlink permissions are nonsense, and missed the point that lchmod avoids races.
For glibc I think it'd be better to keep the change to lchmod and fchmodat. Problems occur only when /proc is not mounted, and the problems are the same as before the change so this is not a regression. However, I don't feel strongly about this.
