From: Bruno Haible
To: cygwin@cygwin.com
Subject: posix_spawn facility
Date: Sun, 16 Apr 2023 13:46:27 +0200
Message-ID: <1752276.7aRn1RRit1@nimes>

Hi,

AFAIU, Cygwin has had a working posix_spawn[p] implementation since 2020
(commit 3fbfcd11fb09d5f47af3043ee47ec5c7d863d872, 2020-08-03, Cygwin 3.1.7).

Additionally, Gnulib has had a posix_spawn[p] implementation since 2022 that
works on all platforms, including native Windows. Based on it, I recommend
posix_spawn[p] over fork+exec, see https://savannah.gnu.org/news/?id=10219 .
It allows having a single application code for spawning subprocesses.

The GNU groff maintainer asks about the performance of posix_spawn[p] on
Cygwin.

And here's the problem: While Cygwin has an implementation that avoids the
slow fork(), by calling child_info_spawn::worker more or less directly,
Gnulib prefers its own implementation over the Cygwin one, and the Gnulib
implementation uses slow fork()+exec().

The reason is that we consider posix_spawn[p] unsecure if it will readily
execute plain text files without a #! marker as if they were shell scripts,
usually leading to plenty of syntax errors, but also exhibiting undefined
behaviour. This reasoning follows what was done in GNU libc:

  https://sourceware.org/bugzilla/show_bug.cgi?id=13134
  https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=d96de9634a334af16c0ac711074c15ac1762b23c
  https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=13adfa34aff03fd9f1c1612b537a0d736ddb6c2b

These are the two configure tests that Gnulib uses:

======================= test secure posix_spawn ==========================
Preparation:

  echo ':' > conftest.scr
  chmod a+x conftest.scr

C program:

#include <errno.h>
#include <spawn.h>
#include <stddef.h>
#include <sys/types.h>
#include <sys/wait.h>

int
main ()
{
  /* conftest.scr is executable but has no #! line.  */
  const char *prog_path = "./conftest.scr";
  const char *prog_argv[2] = { prog_path, NULL };
  const char *environment[2] = { "PATH=.", NULL };
  pid_t child;
  int status;
  int err = posix_spawn (&child, prog_path, NULL, NULL,
                         (char **) prog_argv, (char **) environment);

  /* Secure outcome 1: the spawn itself is refused.  */
  if (err == ENOEXEC)
    return 0;
  if (err != 0)
    return 1;

  status = 0;
  while (waitpid (child, &status, 0) != child)
    ;
  if (!WIFEXITED (status))
    return 2;
  /* Secure outcome 2: the child failed to exec and exited with 127.  */
  if (WEXITSTATUS (status) != 127)
    return 3;
  return 0;
}

======================= test secure posix_spawnp =========================
Preparation:

  echo ':' > conftest.scr
  chmod a+x conftest.scr

C program:

#include <errno.h>
#include <spawn.h>
#include <stddef.h>
#include <sys/types.h>
#include <sys/wait.h>

int
main ()
{
  /* conftest.scr is executable but has no #! line.  */
  const char *prog_path = "./conftest.scr";
  const char *prog_argv[2] = { prog_path, NULL };
  const char *environment[2] = { "PATH=.", NULL };
  pid_t child;
  int status;
  int err = posix_spawnp (&child, prog_path, NULL, NULL,
                          (char **) prog_argv, (char **) environment);

  /* Secure outcome 1: the spawn itself is refused.  */
  if (err == ENOEXEC)
    return 0;
  if (err != 0)
    return 1;

  status = 0;
  while (waitpid (child, &status, 0) != child)
    ;
  if (!WIFEXITED (status))
    return 2;
  /* Secure outcome 2: the child failed to exec and exited with 127.  */
  if (WEXITSTATUS (status) != 127)
    return 3;
  return 0;
}

==========================================================================

In Cygwin, the "test secure posix_spawn" recipe succeeds, whereas the
"test secure posix_spawnp" fails; the latter is the obstacle that prevents
Gnulib from using Cygwin's implementation.

Would it be possible to change Cygwin's posix_spawnp implementation, so
that both tests succeed?

Disclaimer: I have done my tests with Cygwin 2.9.0; so, if things have
improved since then, the better!

Bruno