summaryrefslogtreecommitdiff
path: root/src/misc/issetugid.c
AgeCommit message (Collapse)AuthorLines
2018-09-12fix issues from public functions defined without declaration visibleRich Felker-0/+1
policy is that all public functions which have a public declaration should be defined in a context where that public declaration is visible, to avoid preventable type mismatches. an audit performed using GCC's -Wmissing-declarations turned up the violations corrected here. in some cases the public header had not been included; in others, a feature test macro needed to make the declaration visible had been omitted. in the case of gethostent and getnetent, the omission seems to have been intentional, as a hack to admit a single stub definition for both functions. this kind of hack is no longer acceptable; it's UB and would not fly with LTO or advanced toolchains. the hack is undone to make exposure of the declarations possible.
2014-07-19add issetugid function to check for elevated privilegeBrent Cook-0/+7
this function provides a way for third-party library code to use the same logic that's used internally in libc for suppressing untrusted input/state (e.g. the environment) when the application is running with privleges elevated by the setuid or setgid bit or some other mechanism. its semantics are intended to match the openbsd function by the same name. there was some question as to whether this function is necessary: getauxval(AT_SECURE) was proposed as an alternative. however, this has several drawbacks. the most obvious is that it asks programmers to be aware of an implementation detail of ELF-based systems (the aux vector) rather than simply the semantic predicate to be checked. and trying to write a safe, reliable version of issetugid in terms of getauxval is difficult. for example, early versions of the glibc getauxval did not report ENOENT, which could lead to false negatives if AT_SECURE was not present in the aux vector (this could probably only happen when running on non-linux kernels under linux emulation, since glibc does not support linux versions old enough to lack AT_SECURE). as for musl, getauxval has always properly reported errors, but prior to commit 7bece9c2095ee81f14b1088f6b0ba2f37fecb283, the musl implementation did not emulate AT_SECURE if missing, which would result in a false positive. since musl actually does partially support kernels that lack AT_SECURE, this was problematic. the intent is that library authors will use issetugid if its availability is detected at build time, and only fall back to the unreliable alternatives on systems that lack it. patch by Brent Cook. commit message/rationale by Rich Felker.