From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Wed, 22 May 2024 11:25:49 -0400
From: Joe Simmons-Talbott
To: libc-alpha@sourceware.org
Cc: Florian Weimer, Paul Eggert, Andreas Schwab
Subject: Re: [PATCH v13] posix: Deprecate group_member for Linux
Message-ID: <20240522152432.GA2447455@oak>
References: <20240328180744.2906269-1-josimmon@redhat.com>

On Wed, Apr 10, 2024 at 03:59:06PM -0400, Joe Simmons-Talbott wrote:
> Ping

Ping

Thanks,
Joe

>
> On Thu, Mar 28, 2024 at 2:07 PM Joe Simmons-Talbott wrote:
> >
> > The alloca usage in group_member could lead to stack overflow on Linux.
> > Removing the alloca usage would require group_member to handle the error
> > condition where memory could not be allocated and that cannot be done
> > since group_member returns a boolean value. Thus deprecate group_member.
> > Add an internal only implementation of __group_member2 using a
> > scratch_buffer and return -1 for memory allocation errors. Use
> > __group_member2 in place of __group_member internally. Add testcases
> > for both group_member and __group_member2.
> > ---
> > Changes to v12:
> > * Rework euidaccess to only call __group_member2 if the euid and egid do
> >   not match. Use is_group_member rather than gm for the temporary
> >   variable name in both euidaccess and faccessat.
> >
> > Changes to v11:
> > * Rework faccessat as suggested by Paul Eggert to avoid duplicate checks
> >   of EACCESS.
> >
> > Changes to v10:
> > * Only call __group_member2 in faccessat if we didn't match the egid or
> >   gid.
> > * Update copyright year for newly added files to 2024
> >
> > Changes to v9:
> > * v8 didn't actually include the changes due to a missing 'git add'.
> >   Include those changes.
> >
> > Changes to v8:
> > * Remove duplicate calls to __getegid () and __getgid () and convert
> >   nested ternary operators into if/else.
> >
> > Changes to v7:
> > * rebased to latest master.
> >
> > Changes to v6:
> > * Use the initial scratch_buffer size as the starting point for
> >   determining how much space is needed to store the group list.
> > * Call getgroups() with a zero size and set the scratch_buffer size
> >   based on the returned number of groups.
> >
> > Changes to v5:
> > * Add __group_member2 and use it internally in the place of the now
> >   deprecated group_member.
> > * Add a testcase for __group_member2.
> >
> > Changes to v4:
> > * Rebase onto latest commit.
> >
> > Changes to v3:
> > * Fix include guards to match file location _BITS_GROUP_MEMBER_H
> > * Fix indentation of preprocessor directives
> >
> > Changes to v2:
> > * Move the linux group_member.h to the bits directory
> > * Include the correct group_member.h in posix/unistd.h
> >
> > Changes to v1:
> > * Add NEWS entry
> > * Move group_member.h to bits/group_member.h
> > * Include bits/group_member.h in installed headers
> > * Add tests to group_member.h files to only be included from unistd.h
> >
> >  NEWS                                        |  4 ++
> >  bits/group_member.h                         | 31 +++++++++++++++
> >  include/unistd.h                            |  1 +
> >  posix/Makefile                              |  8 ++++
> >  posix/group_member.c                        | 35 +++++++++++++++++
> >  posix/tst-group_member.c                    | 41 ++++++++++++++++++++
> >  posix/tst-group_member2.c                   | 43 +++++++++++++++++++++
> >  posix/unistd.h                              |  6 +--
> >  sysdeps/posix/euidaccess.c                  | 24 ++++++++----
> >  sysdeps/unix/sysv/linux/bits/group_member.h | 32 +++++++++++++++
> >  sysdeps/unix/sysv/linux/faccessat.c         | 27 ++++++++-----
> >  11 files changed, 233
insertions(+), 19 deletions(-) > > create mode 100644 bits/group_member.h > > create mode 100644 posix/tst-group_member.c > > create mode 100644 posix/tst-group_member2.c > > create mode 100644 sysdeps/unix/sysv/linux/bits/group_member.h > > > > diff --git a/NEWS b/NEWS > > index da4b2223e9..82e1c43306 100644 > > --- a/NEWS > > +++ b/NEWS > > @@ -141,6 +141,10 @@ Deprecated and removed features, and other changes affecting compatibility: > > > > * The ia64*-*-linux-gnu configurations are no longer supported. > > > > +* Deprecated group_member on Linux as it uses alloca to allocate a large > > + buffer and has no capability for indicating failure for other memory > > + allocations. > > + > > Changes to build and runtime requirements: > > > > * Building on LoongArch requires at a minimum binutils 2.41 for vector > > diff --git a/bits/group_member.h b/bits/group_member.h > > new file mode 100644 > > index 0000000000..4ec1ef0813 > > --- /dev/null > > +++ b/bits/group_member.h 
> > @@ -0,0 +1,31 @@ > > +/* group_member declaration > > + Copyright (C) 2024 Free Software Foundation, Inc. > > + This file is part of the GNU C Library. > > + > > + The GNU C Library is free software; you can redistribute it and/or > > + modify it under the terms of the GNU Lesser General Public > > + License as published by the Free Software Foundation; either > > + version 2.1 of the License, or (at your option) any later version. > > + > > + The GNU C Library is distributed in the hope that it will be useful, > > + but WITHOUT ANY WARRANTY; without even the implied warranty of > > + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > > + Lesser General Public License for more details. > > + > > + You should have received a copy of the GNU Lesser General Public > > + License along with the GNU C Library; if not, see > > + . */ > > + > > +#ifndef _UNISTD_H > > +# error "Never use directly; include instead." > > +#endif > > + > > +#ifndef _BITS_GROUP_MEMBER_H > > +# define _BITS_GROUP_MEMBER_H 1 > > + > > +# ifdef __USE_GNU > > +/* Return nonzero iff the calling process is in group GID. */ > > +extern int group_member (__gid_t __gid) __THROW; > > +# endif > > + > > +#endif /* _BITS_GROUP_MEMBER_H */ > > diff --git a/include/unistd.h b/include/unistd.h > > index e241603b81..39d5bda372 100644 > > --- a/include/unistd.h > > +++ b/include/unistd.h > > @@ -131,6 +131,7 @@ extern __gid_t __getegid (void) attribute_hidden; > > extern int __getgroups (int __size, __gid_t __list[]) attribute_hidden; > > libc_hidden_proto (__getpgid) > > extern int __group_member (__gid_t __gid) attribute_hidden; > > +extern int __group_member2 (__gid_t __gid) attribute_hidden; > > extern int __setuid (__uid_t __uid); > > extern int __setreuid (__uid_t __ruid, __uid_t __euid); > > extern int __setgid (__gid_t __gid); > > diff --git a/posix/Makefile b/posix/Makefile > > index a1e84853a8..b71d6c8750 100644 > > --- a/posix/Makefile > > +++ b/posix/Makefile 
> > @@ -29,6 +29,7 @@ headers := \ > > bits/getopt_core.h \ > > bits/getopt_ext.h \ > > bits/getopt_posix.h \ > > + bits/group_member.h \ > > bits/local_lim.h \ > > bits/mman_ext.h \ > > bits/posix1_lim.h \ > > @@ -291,6 +292,7 @@ tests := \ > > tst-glob_symlinks \ > > tst-gnuglob \ > > tst-gnuglob64 \ > > + tst-group_member \ > > tst-mmap \ > > tst-mmap-offset \ > > tst-nanosleep \ > > @@ -479,6 +481,10 @@ tests-special += \ > > # tests-special > > endif > > > > +# This test calls __group_member2 directly, which is not exported from glibc. > > +tests-internal += tst-group_member2 > > +tests-static += tst-group_member2 > > + > > include ../Rules > > > > ifeq ($(run-built-tests),yes) > > @@ -606,6 +612,8 @@ bug-glob1-ARGS = "$(objpfx)" > > tst-execvp3-ARGS = --test-dir=$(objpfx) > > CFLAGS-tst-spawn3.c += -DOBJPFX=\"$(objpfx)\" > > > > +CFLAGS-tst-group_member.c += -Wno-error=deprecated-declarations > > + > > # Test voluntarily overflows struct dirent > > CFLAGS-bug-glob2.c += $(no-fortify-source) > > > > diff --git a/posix/group_member.c b/posix/group_member.c > > index 9d68f57a68..bb92f4d631 100644 > > --- a/posix/group_member.c > > +++ b/posix/group_member.c > > @@ -18,6 +18,7 @@ > > > > #include > > #include > > +#include > > #include > > #include 
> > > > @@ -47,3 +48,37 @@ __group_member (gid_t gid) > > return 0; > > } > > weak_alias (__group_member, group_member) > > + > > +int > > +__group_member2 (gid_t gid) > > +{ > > + int n; > > + gid_t *groups; > > + struct scratch_buffer sbuf; > > + scratch_buffer_init (&sbuf); > > + groups = sbuf.data; > > + > > + do > > + { > > + n = __getgroups (0, NULL); > > + if (n > sbuf.length) > > + { > > + if (!scratch_buffer_set_array_size (&sbuf, sizeof (*groups), n)) > > + return -1; > > + groups = sbuf.data; > > + } > > + > > + n = __getgroups (n, groups); > > + } > > + while (n > sbuf.length); > > + > > + while (n-- > 0) > > + if (groups[n] == gid) > > + { > > + scratch_buffer_free (&sbuf); > > + return 1; > > + } > > + > > + scratch_buffer_free (&sbuf); > > + return 0; > > +} > > diff --git a/posix/tst-group_member.c b/posix/tst-group_member.c > > new file mode 100644 > > index 0000000000..cc7f91618e > > --- /dev/null > > +++ b/posix/tst-group_member.c 
> > @@ -0,0 +1,41 @@ > > +/* Basic tests for group_member. > > + Copyright (C) 2024 Free Software Foundation, Inc. > > + This file is part of the GNU C Library. > > + > > + The GNU C Library is free software; you can redistribute it and/or > > + modify it under the terms of the GNU Lesser General Public > > + License as published by the Free Software Foundation; either > > + version 2.1 of the License, or (at your option) any later version. > > + > > + The GNU C Library is distributed in the hope that it will be useful, > > + but WITHOUT ANY WARRANTY; without even the implied warranty of > > + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > > + Lesser General Public License for more details. > > + > > + You should have received a copy of the GNU Lesser General Public > > + License along with the GNU C Library; if not, see > > + . */ > > + > > +#include > > +#include > > +#include > > +#include > > + > > +#include > > + > > +static int do_test (void) > > +{ > > + int n; > > + gid_t *groups; > > + > > + n = getgroups (0, NULL); > > + groups = alloca (n * sizeof (*groups)); > > + n = getgroups (n, groups); > > + > > + while (n-- > 0) > > + TEST_COMPARE (1, group_member(groups[n])); > > + > > + return EXIT_SUCCESS; > > +} > > + > > +#include > > diff --git a/posix/tst-group_member2.c b/posix/tst-group_member2.c > > new file mode 100644 > > index 0000000000..8f86d5a1e9 > > --- /dev/null > > +++ b/posix/tst-group_member2.c 
> > @@ -0,0 +1,43 @@ > > +/* Basic tests for group_member. > > + Copyright (C) 2024 Free Software Foundation, Inc. > > + This file is part of the GNU C Library. > > + > > + The GNU C Library is free software; you can redistribute it and/or > > + modify it under the terms of the GNU Lesser General Public > > + License as published by the Free Software Foundation; either > > + version 2.1 of the License, or (at your option) any later version. > > + > > + The GNU C Library is distributed in the hope that it will be useful, > > + but WITHOUT ANY WARRANTY; without even the implied warranty of > > + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > > + Lesser General Public License for more details. > > + > > + You should have received a copy of the GNU Lesser General Public > > + License along with the GNU C Library; if not, see > > + . */ > > + > > +#include > > +#include > > +#include > > +#include > > + > > +#include > > + > > +extern int __group_member2 (__gid_t __gid); > > + > > +static int do_test (void) > > +{ > > + int n; > > + gid_t *groups; > > + > > + n = getgroups (0, NULL); > > + groups = alloca (n * sizeof (*groups)); > > + n = getgroups (n, groups); > > + > > + while (n-- > 0) > > + TEST_COMPARE (1, __group_member2(groups[n])); > > + > > + return EXIT_SUCCESS; > > +} > > + > > +#include > > diff --git a/posix/unistd.h b/posix/unistd.h > > index 54d7d7527e..411de1d6d4 100644 > > --- a/posix/unistd.h > > +++ b/posix/unistd.h 
> > @@ -710,10 +710,10 @@ extern __gid_t getegid (void) __THROW; > > of its supplementary groups in LIST and return the number written. */ > > extern int getgroups (int __size, __gid_t __list[]) __THROW __wur > > __fortified_attr_access (__write_only__, 2, 1); > > + > > #ifdef __USE_GNU > > -/* Return nonzero iff the calling process is in group GID. */ > > -extern int group_member (__gid_t __gid) __THROW; > > -#endif > > +# include > > +#endif > > > > /* Set the user ID of the calling process to UID. > > If the calling process is the super-user, set the real > > diff --git a/sysdeps/posix/euidaccess.c b/sysdeps/posix/euidaccess.c > > index 4c5c2220bd..da185dec3e 100644 > > --- a/sysdeps/posix/euidaccess.c > > +++ b/sysdeps/posix/euidaccess.c > > @@ -81,7 +81,7 @@ extern int errno; > > > > #ifdef _LIBC > > > > -# define group_member __group_member > > +# define group_member __group_member2 > > # define euidaccess __euidaccess > > > > #else > > @@ -120,7 +120,6 @@ int > > euidaccess (const char *path, int mode) > > { > > struct __stat64_t64 stats; > > - int granted; > > > > #ifdef _LIBC > > uid_t euid; 
> > @@ -167,15 +166,26 @@ euidaccess (const char *path, int mode) > > || (stats.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))) > > return 0; > > > > + int shift; > > + > > if (euid == stats.st_uid) > > - granted = (unsigned int) (stats.st_mode & (mode << 6)) >> 6; > > - else if (egid == stats.st_gid || group_member (stats.st_gid)) > > - granted = (unsigned int) (stats.st_mode & (mode << 3)) >> 3; > > + shift = 6; > > else > > - granted = (stats.st_mode & mode); > > + { > > + int is_group_member = (egid == stats.st_gid); > > + if (!is_group_member) > > + { > > + is_group_member = group_member (stats.st_gid); > > + if (is_group_member < 0) > > + return is_group_member; > > + } > > + shift = is_group_member ? 3 : 0; > > + } > > + > > /* XXX Add support for ACLs. */ > > - if (granted == mode) > > + if ((stats.st_mode >> shift & mode) == mode) > > return 0; > > + > > __set_errno (EACCESS); > > return -1; > > } > > diff --git a/sysdeps/unix/sysv/linux/bits/group_member.h b/sysdeps/unix/sysv/linux/bits/group_member.h > > new file mode 100644 > > index 0000000000..ad77e65f9b > > --- /dev/null > > +++ b/sysdeps/unix/sysv/linux/bits/group_member.h 
> > @@ -0,0 +1,32 @@ > > +/* group_member declaration > > + Copyright (C) 2024 Free Software Foundation, Inc. > > + This file is part of the GNU C Library. > > + > > + The GNU C Library is free software; you can redistribute it and/or > > + modify it under the terms of the GNU Lesser General Public > > + License as published by the Free Software Foundation; either > > + version 2.1 of the License, or (at your option) any later version. > > + > > + The GNU C Library is distributed in the hope that it will be useful, > > + but WITHOUT ANY WARRANTY; without even the implied warranty of > > + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > > + Lesser General Public License for more details. > > + > > + You should have received a copy of the GNU Lesser General Public > > + License along with the GNU C Library; if not, see > > + . */ > > + > > +#ifndef _UNISTD_H > > +# error "Never use directly; include instead." > > +#endif > > + > > +#ifndef _BITS_GROUP_MEMBER_H > > +# define _BITS_GROUP_MEMBER_H 1 > > + > > +# ifdef __USE_GNU > > +/* Return nonzero iff the calling process is in group GID. Deprecated */ > > +extern int group_member (__gid_t __gid) __THROW > > + __attribute_deprecated_msg__ ("may overflow the stack"); > > +# endif > > + > > +#endif /* _BITS_GROUP_MEMBER_H */ > > diff --git a/sysdeps/unix/sysv/linux/faccessat.c b/sysdeps/unix/sysv/linux/faccessat.c > > index 2fa57fd63d..03232103b4 100644 > > --- a/sysdeps/unix/sysv/linux/faccessat.c > > +++ b/sysdeps/unix/sysv/linux/faccessat.c 
> > @@ -59,15 +59,24 @@ __faccessat (int fd, const char *file, int mode, int flag) > > || (stats.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))) > > return 0; > > > > - int granted = (uid == stats.st_uid > > - ? (unsigned int) (stats.st_mode & (mode << 6)) >> 6 > > - : (stats.st_gid == ((flag & AT_EACCESS) > > - ? __getegid () : __getgid ()) > > - || __group_member (stats.st_gid)) > > - ? (unsigned int) (stats.st_mode & (mode << 3)) >> 3 > > - : (stats.st_mode & mode)); > > - > > - if (granted == mode) > > + int shift; > > + > > + if (uid == stats.st_uid) > > + shift = 6; > > + else > > + { > > + int is_group_member = (stats.st_gid > > + == (flag & AT_EACCESS ? __getegid () : __getgid ())); > > + if (!is_group_member) > > + { > > + is_group_member = __group_member2 (stats.st_gid); > > + if (is_group_member < 0) > > + return is_group_member; > > + } > > + shift = is_group_member ? 3 : 0; > > + } > > + > > + if ((stats.st_mode >> shift & mode) == mode) > > return 0; > > > > return INLINE_SYSCALL_ERROR_RETURN_VALUE (EACCES); > > -- > > 2.44.0 > > > > > -- > Joe Simmons-Talbott
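
Review bot: In the posix/group_member.c hunk that adds __group_member2, `n > sbuf.length` compares a count of gid_t entries with the scratch_buffer length, which is a size in bytes. The buffer is therefore grown only once the group count exceeds the byte size, and `__getgroups (n, groups)` can be passed a count larger than the buffer holds. Compare against `sbuf.length / sizeof (*groups)` in both the `if` and the `while` condition. `n` is also a signed int compared with a size_t, and a -1 return from either `__getgroups` call is never tested explicitly; check `n < 0` before the comparison so the error path does not depend on the implicit conversion.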
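
Review bot: In posix/tst-group_member2.c the header comment still reads "Basic tests for group_member." although the file exercises `__group_member2`. Both new test files also size their buffer with `alloca (n * sizeof (*groups))` without checking `getgroups` for -1, and they only assert the value 1 for groups the process belongs to. Add a check that a GID outside the returned list yields 0, and allocate the list on the heap so the tests do not repeat the pattern this patch deprecates.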
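
Review bot: In the sysdeps/posix/euidaccess.c hunks, `# define group_member __group_member2` keeps the boolean-sounding name for a callee that can now return -1, so the new `if (is_group_member < 0)` test only makes sense to a reader who has seen the define. Call `__group_member2` by name on that path or put a comment at the define stating the three possible return values.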
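
Review bot: In sysdeps/unix/sysv/linux/bits/group_member.h the deprecation message "may overflow the stack" says why the function is deprecated but not what to use instead, and `__group_member2` is internal only. Name the replacement in the message or in the NEWS entry (for example calling getgroups directly), and end the declaration comment with "Deprecated." including the full stop.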
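
Review bot: In the sysdeps/unix/sysv/linux/faccessat.c hunk, `return is_group_member;` hands back -1 with whatever errno `__group_member2` left, while the other failure exit goes through `INLINE_SYSCALL_ERROR_RETURN_VALUE (EACCES)`. Add a short comment stating which errno callers see on that path, since an access check that fails for lack of memory is new behaviour for this function. `stats.st_mode >> shift & mode` is correct as written but is easier to audit as `((stats.st_mode >> shift) & mode)`.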