bug#39236: [musl] coreutils cp mishandles error return from lchmod

[Florian Weimer]

* Rich Felker:

> Note that in any case, musl's lchmod/fchmodat is not affected since it
> always refuses to change symlink modes; I did this because I was
> worried that chmod on the magic symlink in /proc might pass through
> not just to the symlink it refers to, but to the symlink target if one
> exists. With current kernel versions it seems that does not happen; is
> it safe to assume it doesn't?

I saw it happen with sshfs over FUSE. 8-/

Yet another reason to put in a check before performing the chmod.

> Further, I've found some inconsistent behavior with ext4: chmod on the
> magic symlink fails with EOPNOTSUPP as in Florian's test, but fchmod
> on the O_PATH fd succeeds and changes the symlink mode. This is with
> 5.4. Cany anyone else confirm this? Is it a problem?

Interesting. Let me update the other thread.

bug#39236: [musl] coreutils cp mishandles error return from lchmod

[Rich Felker]

On Wed, Feb 12, 2020 at 08:05:55AM -0500, Rich Felker wrote:
> On Wed, Feb 12, 2020 at 12:50:19PM +0100, Florian Weimer wrote:
> > * Paul Eggert:
> > 
> > > On 1/22/20 2:05 PM, Rich Felker wrote:
> > >> I think we're approaching a consensus that glibc should fix this too,
> > >> so then it would just be gnulib matching the fix.
> > >
> > > I installed the attached patch to Gnulib in preparation for the upcoming 
> > > glibc fix. The patch causes fchmodat with AT_SYMLINK_NOFOLLOW to work on 
> > > non-symlinks, and similarly for lchmod on non-symlinks. The idea is to 
> > > avoid this sort of problem in the future, and to let Coreutils etc. work 
> > > on older platforms as if glibc 2.32 (or whatever) is already in place.
> > 
> > The lchmod implementation based on /proc tickles an XFS bug:
> > 
> >   
> 
> Uhg, why does Linux even let the fs driver see whether the chmod is
> being performed via a filename, O_PATH fd, or magic symlink in /proc?
> It should just be an operation on the inode.

OK, I don't think it's actually clear from the test that the use of
the magic symlink is the cause. It's plausible that XFS just always
returns failure on success for this operation, and I don't have XFS to
test with.

Note that in any case, musl's lchmod/fchmodat is not affected since it
always refuses to change symlink modes; I did this because I was
worried that chmod on the magic symlink in /proc might pass through
not just to the symlink it refers to, but to the symlink target if one
exists. With current kernel versions it seems that does not happen; is
it safe to assume it doesn't?

Further, I've found some inconsistent behavior with ext4: chmod on the
magic symlink fails with EOPNOTSUPP as in Florian's test, but fchmod
on the O_PATH fd succeeds and changes the symlink mode. This is with
5.4. Cany anyone else confirm this? Is it a problem?

Rich

bug#39236: [musl] coreutils cp mishandles error return from lchmod

[Rich Felker]

On Wed, Feb 12, 2020 at 12:50:19PM +0100, Florian Weimer wrote:
> * Paul Eggert:
> 
> > On 1/22/20 2:05 PM, Rich Felker wrote:
> >> I think we're approaching a consensus that glibc should fix this too,
> >> so then it would just be gnulib matching the fix.
> >
> > I installed the attached patch to Gnulib in preparation for the upcoming 
> > glibc fix. The patch causes fchmodat with AT_SYMLINK_NOFOLLOW to work on 
> > non-symlinks, and similarly for lchmod on non-symlinks. The idea is to 
> > avoid this sort of problem in the future, and to let Coreutils etc. work 
> > on older platforms as if glibc 2.32 (or whatever) is already in place.
> 
> The lchmod implementation based on /proc tickles an XFS bug:
> 
>   

Uhg, why does Linux even let the fs driver see whether the chmod is
being performed via a filename, O_PATH fd, or magic symlink in /proc?
It should just be an operation on the inode.

Rich

bug#39236: [musl] coreutils cp mishandles error return from lchmod

[Florian Weimer]

* Paul Eggert:

> On 1/22/20 2:05 PM, Rich Felker wrote:
>> I think we're approaching a consensus that glibc should fix this too,
>> so then it would just be gnulib matching the fix.
>
> I installed the attached patch to Gnulib in preparation for the upcoming 
> glibc fix. The patch causes fchmodat with AT_SYMLINK_NOFOLLOW to work on 
> non-symlinks, and similarly for lchmod on non-symlinks. The idea is to 
> avoid this sort of problem in the future, and to let Coreutils etc. work 
> on older platforms as if glibc 2.32 (or whatever) is already in place.

The lchmod implementation based on /proc tickles an XFS bug:

  

bug#39236: [musl] coreutils cp mishandles error return from lchmod

[Paul Eggert]

On 1/22/20 2:05 PM, Rich Felker wrote:

I think we're approaching a consensus that glibc should fix this too,
so then it would just be gnulib matching the fix.


I installed the attached patch to Gnulib in preparation for the upcoming 
glibc fix. The patch causes fchmodat with AT_SYMLINK_NOFOLLOW to work on 
non-symlinks, and similarly for lchmod on non-symlinks. The idea is to 
avoid this sort of problem in the future, and to let Coreutils etc. work 
on older platforms as if glibc 2.32 (or whatever) is already in place.
>From b16a04394121e7396569a13161dba02c6752b19f Mon Sep 17 00:00:00 2001
From: Paul Eggert 
Date: Fri, 7 Feb 2020 16:34:12 -0800
Subject: [PATCH] fchmodat: AT_SYMLINK_NOFOLLOW fix for non-symlinks

Fix lchmod, and fchmodat with AT_SYMLINK_NOFOLLOW, so that
they act like chmod on non-symlinks.
* NEWS:
* doc/glibc-functions/lchmod.texi (lchmod):
* doc/posix-functions/fchmodat.texi (fchmodat):
Mention this.
* lib/fchmodat.c: Define __need_system_sys_stat_h before including
config.h, and undef it after including sys/stat.h the first time.
Include fcntl.h, stdio.h, unistd.h, intprops.h, and include
sys/stat.h a second time after defining orig_fchmodat.
(orig_fchmodat) [HAVE_FCHMODAT]: New function.
(fchmodat) [HAVE_FCHMODAT]: Work around the AT_SYMLINK_NOFOLLOW bug.
* lib/lchmod.c: New file.
* lib/sys_stat.in.h (fchmodat, lchmod):
Support replacing these functions.
* m4/fchmodat.m4 (gl_FUNC_FCHMODAT): If fchmodat exists,
test that AT_SYMLINK_NOFOLLOW works on non-symlinks.
* m4/lchmod.m4 (gl_FUNC_LCHMOD): Check for lstat.
Test that lchmod works on non-symlinks.
* m4/sys_stat_h.m4 (gl_SYS_STAT_H_DEFAULTS):
Default REPLACE_FCHMODAT and REPLACE_LCHMOD to 0.
* modules/fchmodat (Depends-on): Add fstatat, intprops, lchmod, unistd.
(Depends-on, configure.ac): Check REPLACE_FCHMODAT too.
* modules/lchmod (Files): Add lib/lchmod.c.
(Depends-on): Add errno, fcntl-h, fchmodat, intprops, lstat, unistd.
(configure.ac): Compile lchmod.c if needed.
(lib_SOURCES): Add lchmod.c.
* modules/sys_stat (sys/stat.h): Substitute REPLACE_FCHMODAT
and REPLACE_LCHMOD.
* tests/test-fchmodat.c: Include fcntl.h, sys/stat.h.
(main): Test fchmodat with AT_SYMLINK_NOFOLLOW on non-symlinks.
---
 ChangeLog | 35 
 NEWS  |  7 +++
 doc/glibc-functions/lchmod.texi   |  4 ++
 doc/posix-functions/fchmodat.texi | 11 ++--
 lib/fchmodat.c| 89 +--
 lib/lchmod.c  | 72 +
 lib/sys_stat.in.h | 41 +++---
 m4/fchmodat.m4| 48 -
 m4/lchmod.m4  | 52 --
 m4/sys_stat_h.m4  |  4 +-
 modules/fchmodat  | 10 ++--
 modules/lchmod| 13 -
 modules/sys_stat  |  2 +
 tests/test-fchmodat.c | 10 
 14 files changed, 348 insertions(+), 50 deletions(-)
 create mode 100644 lib/lchmod.c

diff --git a/ChangeLog b/ChangeLog
index 99e0c2e9e..71dcaba6c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,38 @@
+2020-02-07  Paul Eggert  
+
+	fchmodat: AT_SYMLINK_NOFOLLOW fix for non-symlinks
+	Fix lchmod, and fchmodat with AT_SYMLINK_NOFOLLOW, so that
+	they act like chmod on non-symlinks.
+	* NEWS:
+	* doc/glibc-functions/lchmod.texi (lchmod):
+	* doc/posix-functions/fchmodat.texi (fchmodat):
+	Mention this.
+	* lib/fchmodat.c: Define __need_system_sys_stat_h before including
+	config.h, and undef it after including sys/stat.h the first time.
+	Include fcntl.h, stdio.h, unistd.h, intprops.h, and include
+	sys/stat.h a second time after defining orig_fchmodat.
+	(orig_fchmodat) [HAVE_FCHMODAT]: New function.
+	(fchmodat) [HAVE_FCHMODAT]: Work around the AT_SYMLINK_NOFOLLOW bug.
+	* lib/lchmod.c: New file.
+	* lib/sys_stat.in.h (fchmodat, lchmod):
+	Support replacing these functions.
+	* m4/fchmodat.m4 (gl_FUNC_FCHMODAT): If fchmodat exists,
+	test that AT_SYMLINK_NOFOLLOW works on non-symlinks.
+	* m4/lchmod.m4 (gl_FUNC_LCHMOD): Check for lstat.
+	Test that lchmod works on non-symlinks.
+	* m4/sys_stat_h.m4 (gl_SYS_STAT_H_DEFAULTS):
+	Default REPLACE_FCHMODAT and REPLACE_LCHMOD to 0.
+	* modules/fchmodat (Depends-on): Add fstatat, intprops, lchmod, unistd.
+	(Depends-on, configure.ac): Check REPLACE_FCHMODAT too.
+	* modules/lchmod (Files): Add lib/lchmod.c.
+	(Depends-on): Add errno, fcntl-h, fchmodat, intprops, lstat, unistd.
+	(configure.ac): Compile lchmod.c if needed.
+	(lib_SOURCES): Add lchmod.c.
+	* modules/sys_stat (sys/stat.h): Substitute REPLACE_FCHMODAT
+	and REPLACE_LCHMOD.
+	* tests/test-fchmodat.c: Include fcntl.h, sys/stat.h.
+	(main): Test fchmodat with AT_SYMLINK_NOFOLLOW on non-symlinks.
+
 2020-02-05  Marc Dionne(tiny change)
 
 	mountlist: Consider AFS filesystems as remote
diff --git a/NEWS b/NEWS
index dc5cc71f9..bc81dfc28 100644
--- a/NEWS
+++ b/NEWS
@@ -58,6 +58,13 @@ User visible incompatible changes
 
 Date   

bug#39236: [musl] coreutils cp mishandles error return from lchmod

[Rich Felker]

On Wed, Jan 22, 2020 at 01:55:57PM -0800, Paul Eggert wrote:
> On 1/22/20 7:08 AM, Florian Weimer wrote:
> >I think you misread what I wrote: lchmod*always*  returns ENOSYS.  Even
> >if the file is not a symbolic link.  Likewise, fchmodat with
> >AT_SYMLINK_NOFOLLOW *always* returns ENOTSUP.
> 
> That's too bad, because coreutils (and many other applications, I
> expect) assume that lchmod (and fchmodat with AT_SYMLINK_NOFOLLOW)
> to act like chmod except not follow symlinks, in order to make it
> less likely that the application will run afoul of a symlink race
> and chmod the wrong file. Isn't that how the Linux fstatat call
> behaves? And if so, why does glibc fstatat refuse to support this
> behavior?

I think you're confusing fchmodat with fstatat. The Linux fchmodat
syscall lacks a flags argument and thus doesn't suffice to implement
fchmodat. The fstatat syscall does work.

> To work around this bug, I suppose coreutils etc. should do
> something like the following:
> 
> 1. Never use lchmod since the porting nightmare is bad enough without it.
> 
> 2. On non-glibc systems (or glibc systems where the bug is fixed),
> use fchmodat with AT_SYMLINK_NOFOLLOW.
> 
> 3. On glibc systems with the bug, use openat with
> AT_SYMLINK_NOFOLLOW and O_PATH, and then fchmod the resulting file
> descriptor.
> 
> Does this sound right? Or is there some O_PATH gotcha that I haven't
> thought about?

I think fchmod historically did not work on O_PATH file descriptors,
which is why musl is using chmod on the procfs magic symlink. However,
fchmodat might work too with an empty pathname; I'm not sure.

I think these fixes are better encapsulated as a replacement for
missing/broken fchmodat, rather than putting the logic in individual
utilities or coreutils-specific library code.

Also, note that if you want to skip checking stat to make sure you
didn't open a symlink with O_PATH, that depends on confirming
Florian's claim that the kernel documents it will not follow the
symlink.

> Come to think of it, perhaps the best thing would be to change
> Gnulib's lchmod and fchmodat modules so that they do what
> applications expect, even on buggy glibc systems. (Which would be
> ironic, since Gnulib's main goal is to put wrappers around other
> libraries so that they look more like glibc.)

I think we're approaching a consensus that glibc should fix this too,
so then it would just be gnulib matching the fix.

Rich

bug#39236: [musl] coreutils cp mishandles error return from lchmod

[Paul Eggert]

On 1/22/20 7:08 AM, Florian Weimer wrote:

I think you misread what I wrote: lchmod*always*  returns ENOSYS.  Even
if the file is not a symbolic link.  Likewise, fchmodat with
AT_SYMLINK_NOFOLLOW *always* returns ENOTSUP.


That's too bad, because coreutils (and many other applications, I 
expect) assume that lchmod (and fchmodat with AT_SYMLINK_NOFOLLOW) to 
act like chmod except not follow symlinks, in order to make it less 
likely that the application will run afoul of a symlink race and chmod 
the wrong file. Isn't that how the Linux fstatat call behaves? And if 
so, why does glibc fstatat refuse to support this behavior?


To work around this bug, I suppose coreutils etc. should do something 
like the following:


1. Never use lchmod since the porting nightmare is bad enough without it.

2. On non-glibc systems (or glibc systems where the bug is fixed), use 
fchmodat with AT_SYMLINK_NOFOLLOW.


3. On glibc systems with the bug, use openat with AT_SYMLINK_NOFOLLOW 
and O_PATH, and then fchmod the resulting file descriptor.


Does this sound right? Or is there some O_PATH gotcha that I haven't 
thought about?


Come to think of it, perhaps the best thing would be to change Gnulib's 
lchmod and fchmodat modules so that they do what applications expect, 
even on buggy glibc systems. (Which would be ironic, since Gnulib's main 
goal is to put wrappers around other libraries so that they look more 
like glibc.)

bug#39236: [musl] coreutils cp mishandles error return from lchmod

[Florian Weimer]

* Rich Felker:

> On Wed, Jan 22, 2020 at 09:48:14PM +0100, Florian Weimer wrote:
>> * Rich Felker:
>> 
>> >> Hmm.  The way I read the musl code, the O_PATH descriptor already
>> >> exists.  At this point, you can just chmod the O_PATH descriptor, and
>> >> have the kernel report EOPNOTSUPP if the file system does not support
>> >> that.
>> >
>> > Oh, you mean the second one after it's already open? Maybe that's ok.
>> 
>> Yes, that's what I meant.
>> 
>> > I was concerned it might follow the link and chmod the target at that
>> > point.
>> 
>> In my tests, it works.  I think it's also documented behavior for chown
>> on these pseudo-files.
>
> Do you know where we might find that documentation?

Ugh.  I'm probably misremembering.  It may have been a rejection of
patch to implement another f*at system call with AT_EMPTY_PATH support.
(I did find your 2013 message describing the chmod and chown behavior.)

Thanks,
Florian

bug#39236: [musl] coreutils cp mishandles error return from lchmod

[Florian Weimer]

* Rich Felker:

>> Hmm.  The way I read the musl code, the O_PATH descriptor already
>> exists.  At this point, you can just chmod the O_PATH descriptor, and
>> have the kernel report EOPNOTSUPP if the file system does not support
>> that.
>
> Oh, you mean the second one after it's already open? Maybe that's ok.

Yes, that's what I meant.

> I was concerned it might follow the link and chmod the target at that
> point.

In my tests, it works.  I think it's also documented behavior for chown
on these pseudo-files.

I also verified that closing an O_PATH descriptor does not release POSIX
advisory locks for the same file.  But I'm wondering if there's still
something we are missing.

Thanks,
Florian

bug#39236: [musl] coreutils cp mishandles error return from lchmod

[Rich Felker]

On Wed, Jan 22, 2020 at 05:19:05PM +0100, Florian Weimer wrote:
> * Rich Felker:
> 
> > On Wed, Jan 22, 2020 at 04:32:45PM +0100, Florian Weimer wrote:
> >> * Rich Felker:
> >> 
> >> > On Wed, Jan 22, 2020 at 04:08:26PM +0100, Florian Weimer wrote:
> >> >> * Rich Felker:
> >> >> 
> >> >> > On Wed, Jan 22, 2020 at 03:34:18PM +0100, Florian Weimer wrote:
> >> >> >> * Rich Felker:
> >> >> >> 
> >> >> >> > coreutils should be opting to use the system-provided lchmod, 
> >> >> >> > which is
> >> >> >> > safe, and correctly handling error returns (silently treating
> >> >> >> > EOPNOTSUPP as success) rather than as hard errors.
> >> >> >> 
> >> >> >> glibc's lchmod always returns ENOSYS (except on Hurd).  I don't know 
> >> >> >> how
> >> >> >> lchmod is used in coreutils, but I suspect it is not particularly
> >> >> >> useful.
> >> >> >
> >> >> > When preserving permissions (cp -p, archive extraction, etc.), you
> >> >> > want lchmod to work correctly just for the purpose of *not* following
> >> >> > the link and thereby unwantedly changing the permissions of the link
> >> >> > target. But, fchmodat with AT_SYMLINK_NOFOLLOW works just as well and
> >> >> > is standard, and that's really what coreutils should be using.
> >> >> 
> >> >> I think you misread what I wrote: lchmod *always* returns ENOSYS.  Even
> >> >> if the file is not a symbolic link.  Likewise, fchmodat with
> >> >> AT_SYMLINK_NOFOLLOW *always* returns ENOTSUP.
> >> >
> >> > Yes, I understood that. I was going into why there should be a real
> >> > implementation, but didn't make it clear that that was what I was
> >> > doing.
> >> 
> >> Ah, yes, there should be a real implementation if we can get full
> >> lchmod/AT_SYMLINK_NOFOLLOW behavior on file systems that support it.  If
> >> we can't, I'm not sure if there is a point to it.
> >
> > The point is to fail when the target is a symlink, rather than
> > (erroneously and possibly dangerously) applying the chmod to the link
> > target. Actually supporting link modes is useless. It's the "not
> > modifying the target" that's important.
> 
> The kernel supports it on some file systems, though:
> 
> $ ls -l /tmp/x
> l-. 1 fweimer fweimer 6 Jan 22 15:27 /tmp/x -> /tmp/x
> 
> Although mode 0 curiously does not prevent readlink calls.
> 
> > It's explained in the bz you just replied on,
> > https://sourceware.org/bugzilla/show_bug.cgi?id=14578
> >
> > The point of the S_ISLNK check is to fail out early with the ENOTSUPP,
> > which the caller should treat as "success-like", in the non-racing
> > condition, without the need to open a fd (which may fail with
> > ENFILE/EMFILE) and without the need for /proc to be mounted.
> > Otherwise, a different error will be produced when one of those cases
> > is hit, and the caller will treat it as a real error.
> 
> Hmm.  The way I read the musl code, the O_PATH descriptor already
> exists.  At this point, you can just chmod the O_PATH descriptor, and
> have the kernel report EOPNOTSUPP if the file system does not support
> that.

Oh, you mean the second one after it's already open? Maybe that's ok.
I was concerned it might follow the link and chmod the target at that
point. I thought you were asking about the ealier check before the
O_PATH open.

Rich

bug#39236: [musl] coreutils cp mishandles error return from lchmod

[Florian Weimer]

* Rich Felker:

> On Wed, Jan 22, 2020 at 04:32:45PM +0100, Florian Weimer wrote:
>> * Rich Felker:
>> 
>> > On Wed, Jan 22, 2020 at 04:08:26PM +0100, Florian Weimer wrote:
>> >> * Rich Felker:
>> >> 
>> >> > On Wed, Jan 22, 2020 at 03:34:18PM +0100, Florian Weimer wrote:
>> >> >> * Rich Felker:
>> >> >> 
>> >> >> > coreutils should be opting to use the system-provided lchmod, which 
>> >> >> > is
>> >> >> > safe, and correctly handling error returns (silently treating
>> >> >> > EOPNOTSUPP as success) rather than as hard errors.
>> >> >> 
>> >> >> glibc's lchmod always returns ENOSYS (except on Hurd).  I don't know 
>> >> >> how
>> >> >> lchmod is used in coreutils, but I suspect it is not particularly
>> >> >> useful.
>> >> >
>> >> > When preserving permissions (cp -p, archive extraction, etc.), you
>> >> > want lchmod to work correctly just for the purpose of *not* following
>> >> > the link and thereby unwantedly changing the permissions of the link
>> >> > target. But, fchmodat with AT_SYMLINK_NOFOLLOW works just as well and
>> >> > is standard, and that's really what coreutils should be using.
>> >> 
>> >> I think you misread what I wrote: lchmod *always* returns ENOSYS.  Even
>> >> if the file is not a symbolic link.  Likewise, fchmodat with
>> >> AT_SYMLINK_NOFOLLOW *always* returns ENOTSUP.
>> >
>> > Yes, I understood that. I was going into why there should be a real
>> > implementation, but didn't make it clear that that was what I was
>> > doing.
>> 
>> Ah, yes, there should be a real implementation if we can get full
>> lchmod/AT_SYMLINK_NOFOLLOW behavior on file systems that support it.  If
>> we can't, I'm not sure if there is a point to it.
>
> The point is to fail when the target is a symlink, rather than
> (erroneously and possibly dangerously) applying the chmod to the link
> target. Actually supporting link modes is useless. It's the "not
> modifying the target" that's important.

The kernel supports it on some file systems, though:

$ ls -l /tmp/x
l-. 1 fweimer fweimer 6 Jan 22 15:27 /tmp/x -> /tmp/x

Although mode 0 curiously does not prevent readlink calls.

> It's explained in the bz you just replied on,
> https://sourceware.org/bugzilla/show_bug.cgi?id=14578
>
> The point of the S_ISLNK check is to fail out early with the ENOTSUPP,
> which the caller should treat as "success-like", in the non-racing
> condition, without the need to open a fd (which may fail with
> ENFILE/EMFILE) and without the need for /proc to be mounted.
> Otherwise, a different error will be produced when one of those cases
> is hit, and the caller will treat it as a real error.

Hmm.  The way I read the musl code, the O_PATH descriptor already
exists.  At this point, you can just chmod the O_PATH descriptor, and
have the kernel report EOPNOTSUPP if the file system does not support
that.

Thanks,
Florian

bug#39236: [musl] coreutils cp mishandles error return from lchmod

[Rich Felker]

On Wed, Jan 22, 2020 at 04:32:45PM +0100, Florian Weimer wrote:
> * Rich Felker:
> 
> > On Wed, Jan 22, 2020 at 04:08:26PM +0100, Florian Weimer wrote:
> >> * Rich Felker:
> >> 
> >> > On Wed, Jan 22, 2020 at 03:34:18PM +0100, Florian Weimer wrote:
> >> >> * Rich Felker:
> >> >> 
> >> >> > coreutils should be opting to use the system-provided lchmod, which is
> >> >> > safe, and correctly handling error returns (silently treating
> >> >> > EOPNOTSUPP as success) rather than as hard errors.
> >> >> 
> >> >> glibc's lchmod always returns ENOSYS (except on Hurd).  I don't know how
> >> >> lchmod is used in coreutils, but I suspect it is not particularly
> >> >> useful.
> >> >
> >> > When preserving permissions (cp -p, archive extraction, etc.), you
> >> > want lchmod to work correctly just for the purpose of *not* following
> >> > the link and thereby unwantedly changing the permissions of the link
> >> > target. But, fchmodat with AT_SYMLINK_NOFOLLOW works just as well and
> >> > is standard, and that's really what coreutils should be using.
> >> 
> >> I think you misread what I wrote: lchmod *always* returns ENOSYS.  Even
> >> if the file is not a symbolic link.  Likewise, fchmodat with
> >> AT_SYMLINK_NOFOLLOW *always* returns ENOTSUP.
> >
> > Yes, I understood that. I was going into why there should be a real
> > implementation, but didn't make it clear that that was what I was
> > doing.
> 
> Ah, yes, there should be a real implementation if we can get full
> lchmod/AT_SYMLINK_NOFOLLOW behavior on file systems that support it.  If
> we can't, I'm not sure if there is a point to it.

The point is to fail when the target is a symlink, rather than
(erroneously and possibly dangerously) applying the chmod to the link
target. Actually supporting link modes is useless. It's the "not
modifying the target" that's important.

> >> The reason for this is that the kernel does not provide a suitable
> >> system call to implement this, even though some file systems allow a
> >> mode change for symbolic links.  I think we can do better, although I
> >> should note that each time we implement such emulation in userspace, it
> >> comes back to bite us eventually.
> >
> > Emulations in userspace that are approximate, have race conditions,
> > etc. are bad. Ones that are rigorous are good, though.
> 
> Is there a reason for the S_ISLNK check in the musl implementation?
> With current kernels, chmod on the proc pseudo-file will not traverse
> the symbolic link, but I have yet to check if this has always been the
> case.

It's explained in the bz you just replied on,
https://sourceware.org/bugzilla/show_bug.cgi?id=14578

The point of the S_ISLNK check is to fail out early with the ENOTSUPP,
which the caller should treat as "success-like", in the non-racing
condition, without the need to open a fd (which may fail with
ENFILE/EMFILE) and without the need for /proc to be mounted.
Otherwise, a different error will be produced when one of those cases
is hit, and the caller will treat it as a real error.

Rich

bug#39236: [musl] coreutils cp mishandles error return from lchmod

[Rich Felker]

On Wed, Jan 22, 2020 at 03:34:18PM +0100, Florian Weimer wrote:
> * Rich Felker:
> 
> > coreutils should be opting to use the system-provided lchmod, which is
> > safe, and correctly handling error returns (silently treating
> > EOPNOTSUPP as success) rather than as hard errors.
> 
> glibc's lchmod always returns ENOSYS (except on Hurd).  I don't know how
> lchmod is used in coreutils, but I suspect it is not particularly
> useful.

When preserving permissions (cp -p, archive extraction, etc.), you
want lchmod to work correctly just for the purpose of *not* following
the link and thereby unwantedly changing the permissions of the link
target. But, fchmodat with AT_SYMLINK_NOFOLLOW works just as well and
is standard, and that's really what coreutils should be using.

Rich

bug#39236: [musl] coreutils cp mishandles error return from lchmod

[Rich Felker]

On Wed, Jan 22, 2020 at 04:08:26PM +0100, Florian Weimer wrote:
> * Rich Felker:
> 
> > On Wed, Jan 22, 2020 at 03:34:18PM +0100, Florian Weimer wrote:
> >> * Rich Felker:
> >> 
> >> > coreutils should be opting to use the system-provided lchmod, which is
> >> > safe, and correctly handling error returns (silently treating
> >> > EOPNOTSUPP as success) rather than as hard errors.
> >> 
> >> glibc's lchmod always returns ENOSYS (except on Hurd).  I don't know how
> >> lchmod is used in coreutils, but I suspect it is not particularly
> >> useful.
> >
> > When preserving permissions (cp -p, archive extraction, etc.), you
> > want lchmod to work correctly just for the purpose of *not* following
> > the link and thereby unwantedly changing the permissions of the link
> > target. But, fchmodat with AT_SYMLINK_NOFOLLOW works just as well and
> > is standard, and that's really what coreutils should be using.
> 
> I think you misread what I wrote: lchmod *always* returns ENOSYS.  Even
> if the file is not a symbolic link.  Likewise, fchmodat with
> AT_SYMLINK_NOFOLLOW *always* returns ENOTSUP.

Yes, I understood that. I was going into why there should be a real
implementation, but didn't make it clear that that was what I was
doing.

> The reason for this is that the kernel does not provide a suitable
> system call to implement this, even though some file systems allow a
> mode change for symbolic links.  I think we can do better, although I
> should note that each time we implement such emulation in userspace, it
> comes back to bite us eventually.

Emulations in userspace that are approximate, have race conditions,
etc. are bad. Ones that are rigorous are good, though.

Rich

bug#39236: [musl] coreutils cp mishandles error return from lchmod

[Florian Weimer]

* Rich Felker:

> On Wed, Jan 22, 2020 at 04:08:26PM +0100, Florian Weimer wrote:
>> * Rich Felker:
>> 
>> > On Wed, Jan 22, 2020 at 03:34:18PM +0100, Florian Weimer wrote:
>> >> * Rich Felker:
>> >> 
>> >> > coreutils should be opting to use the system-provided lchmod, which is
>> >> > safe, and correctly handling error returns (silently treating
>> >> > EOPNOTSUPP as success) rather than as hard errors.
>> >> 
>> >> glibc's lchmod always returns ENOSYS (except on Hurd).  I don't know how
>> >> lchmod is used in coreutils, but I suspect it is not particularly
>> >> useful.
>> >
>> > When preserving permissions (cp -p, archive extraction, etc.), you
>> > want lchmod to work correctly just for the purpose of *not* following
>> > the link and thereby unwantedly changing the permissions of the link
>> > target. But, fchmodat with AT_SYMLINK_NOFOLLOW works just as well and
>> > is standard, and that's really what coreutils should be using.
>> 
>> I think you misread what I wrote: lchmod *always* returns ENOSYS.  Even
>> if the file is not a symbolic link.  Likewise, fchmodat with
>> AT_SYMLINK_NOFOLLOW *always* returns ENOTSUP.
>
> Yes, I understood that. I was going into why there should be a real
> implementation, but didn't make it clear that that was what I was
> doing.

Ah, yes, there should be a real implementation if we can get full
lchmod/AT_SYMLINK_NOFOLLOW behavior on file systems that support it.  If
we can't, I'm not sure if there is a point to it.

>> The reason for this is that the kernel does not provide a suitable
>> system call to implement this, even though some file systems allow a
>> mode change for symbolic links.  I think we can do better, although I
>> should note that each time we implement such emulation in userspace, it
>> comes back to bite us eventually.
>
> Emulations in userspace that are approximate, have race conditions,
> etc. are bad. Ones that are rigorous are good, though.

Is there a reason for the S_ISLNK check in the musl implementation?
With current kernels, chmod on the proc pseudo-file will not traverse
the symbolic link, but I have yet to check if this has always been the
case.

Thanks,
Florian

bug#39236: [musl] coreutils cp mishandles error return from lchmod

[Florian Weimer]

* Rich Felker:

> On Wed, Jan 22, 2020 at 03:34:18PM +0100, Florian Weimer wrote:
>> * Rich Felker:
>> 
>> > coreutils should be opting to use the system-provided lchmod, which is
>> > safe, and correctly handling error returns (silently treating
>> > EOPNOTSUPP as success) rather than as hard errors.
>> 
>> glibc's lchmod always returns ENOSYS (except on Hurd).  I don't know how
>> lchmod is used in coreutils, but I suspect it is not particularly
>> useful.
>
> When preserving permissions (cp -p, archive extraction, etc.), you
> want lchmod to work correctly just for the purpose of *not* following
> the link and thereby unwantedly changing the permissions of the link
> target. But, fchmodat with AT_SYMLINK_NOFOLLOW works just as well and
> is standard, and that's really what coreutils should be using.

I think you misread what I wrote: lchmod *always* returns ENOSYS.  Even
if the file is not a symbolic link.  Likewise, fchmodat with
AT_SYMLINK_NOFOLLOW *always* returns ENOTSUP.

The reason for this is that the kernel does not provide a suitable
system call to implement this, even though some file systems allow a
mode change for symbolic links.  I think we can do better, although I
should note that each time we implement such emulation in userspace, it
comes back to bite us eventually.

Thanks,
Florian

bug#39236: [musl] coreutils cp mishandles error return from lchmod

[Florian Weimer]

* Rich Felker:

> coreutils should be opting to use the system-provided lchmod, which is
> safe, and correctly handling error returns (silently treating
> EOPNOTSUPP as success) rather than as hard errors.

glibc's lchmod always returns ENOSYS (except on Hurd).  I don't know how
lchmod is used in coreutils, but I suspect it is not particularly
useful.

Thanks,
Florian