[Toybox] [PATCH] sh: pass "\" to the later app

enh enh at google.com
Fri Jul 7 15:45:09 PDT 2023 

On Fri, Jul 7, 2023 at 1:43 PM Chet Ramey <chet.ramey at case.edu> wrote:

> On 7/7/23 3:29 PM, enh wrote:
>
> >     cd is a weird one. The v7 Bourne shell exited the shell if the
> directory
> >     argument didn't exist, and that didn't change until SVR4.2,
> >
> >
> > and people complain unix isn't user-friendly... :-)
>
> Ha. Sometimes they write books on the subject.
>
> >      > I know there's the "this
> >      > may syntax error and exit the shell" distinction but don't ask me
> >     how set or
> >      > true are supposed to do that.
> >
> >     set exits the shell on an invalid option and was special in the
> Bourne
> >     shell; true isn't a special builtin.
> >
> >     (I _think_ they added set here because set -u can
> >      > cause a shell error later? Maybe? But then why unset?
> >
> >     Well, unset didn't exist in the 7th edition shell, but it's special
> >     in the SVR4 shell. It can only fail if asked to unset a readonly
> >     variable or one of the shell's non-unsettable variables. It takes no
> >     options, does no argument checking for invalid identifiers, and
> unsetting
> >     a variable that's not set isn't an error, but when asked to unset a
> >     variable the shell says you can't, the shell exits.
> >
> >     I think POSIX made unset a special builtin because the SVR4 sh did
> and
> >     so it would be found in the command search before a function. That
> gets
> >     important when you're trying to write a secure script,
> >
> >
> > did the v7 bourne shell just not know whether it was interactive or not?
>
> Of course it did.
>
> > (because, yeah, this kind of thing makes a lot more sense as an early
> `set
> > -e`. but i can't imagine using this interactively!)
>
> The 7th edition shell doesn't exit if it's interactive and a special
> builtin fails, that wouldn't make any sense at all. Interactive shells
> just abort the command and jump back to the main command loop. It's the
> same in POSIX.
>
> The 7th edition shell did have `set -e'; Bourne put it in for `make'.
>
> >     Yeah, there's a ways to go.
> >
> >     https://lists.gnu.org/archive/html/help-bash/2023-06/msg00117.html
> >     <https://lists.gnu.org/archive/html/help-bash/2023-06/msg00117.html>
> >
> >     They mess up the simple stuff.
> >
> >
> > define "mess up"...
>
> Maybe "mess up" was too strong. I think it's rude to send a fatal signal if
> you have the function. Either don't provide it or make it return -1/ENOSYS.
> Android is by no means the only place this is a problem; it happens with
> docker all the time:
>
> https://lists.gnu.org/archive/html/bug-bash/2022-03/msg00010.html


yeah, if it's any consolation we argued about this choice a lot. (which is
probably also why the choice exists in the first place!)

iirc we even _tried_ -1/ENOSYS to test the predictions that (a) most c
programmers don't check for failures (b) even those that do don't log
enough to be able to debug these problems and (c) even in cases where
errors are checked and logged, the ability of folks -- including _end
users_ -- to triage such problems is limited. i'm not a _fan_ of SIGSYS,
but i do still think it was the lesser of the available evils. (but of
course it's the folks who _do_ check for failures who're most likely to
disagree; in an ideal world, it would have been good for "sophisticated"
code to be able to opt out. though that kind of thing always falls apart at
library boundaries; not all code linked together is of the same quality.)


>
> > Android deliberately has strict seccomp filters for
> > apps, and the syscalls mentioned in that post are on the "no" list.
> Android
> > gives each _app_ a different uid, so there's typically nothing useful
> you
> > can do here anyway. (things are a bit different if you're actually part
> of
> > the OS, but bash being GPL makes that unlikely :-( )
>
> Sure. But if you have the function, bash assumes it works as documented in
> the rest of the Linux world.
>

and so it does, if you're not an app.

the tricky case here has always been the conflict between the folks who
want to check at build time versus those who want to check at runtime ...
if we hide things in the headers, people complain "i wasn't going to call
it unless i know i can anyway". (plus in addition to the general rule that
"most configure scripts don't handle cross-compilation correctly", you'd be
surprised how many screw up the simple "is this function available?" test
--- they don't compile a small program that #includes the right header and
tries to call the function; they grep the header or nm the library or
whatever.)


> > (yes, i agree that it's mildly unfortunate that there's no special case
> for
> > "i don't actually want to change anything", which i think is the case
> > they're talking about in that post, and i've wondered about adding that
> to
> > libc once or twice, but my feeling is that it wouldn't be particularly
> > useful in practice because _that_ kind of code probably needs a rethink
> > anyway when porting to Android.)
>
> I just added code to bash that doesn't try to call setresuid/setresgid if
> nothing is actually changing, which will save a couple calls everywhere.
> But killing the process is rude.
>

you're talking to the guy who added the equivalent of `if (fp == NULL)
abort_with_message("you can't pass a null FILE*");` to every stdio function
because too many developers don't check fopen() succeeded, and think libc
is broken if fgets() dereferences a null pointer. killing a process with a
"you called syscall %d and you're not allowed to" message is pretty much
exactly what you'd expect from me :-) (i only wish i could cheaply replace
the %d with a %s ... most people seem to struggle translating the syscall
numbers correctly [grepping their x86-64 host's headers seems to be a
popular choice], but i don't see those bugs often enough to warrant a giant
table of error-message-only strings.)


> > but, yeah, "security" and "self-hosting" aren't exactly friends ... the
> 1%
> > bad guys being the reason we can't have nice things, as usual.
> (executing
> > code off a writable filesystem being frowned upon.)
>
> Oh, I get it.
>
>
> >     Thorsten would be happy for android to keep using mksh, I'm sure.
> >
> >
> > (and i'm going to have a lot of fun dealing with compatibility issues
> > if/when we move /bin/sh over...)
>
> You know you will, it's best to start looking forward to it now.
>

_especially_ when rob's listening, i'm careful to not commit to more than
giving it a go :-)

it might not seem like it from the outsiders (because you only see the
stuff that _does_ break), but i'm sure as the maintainer of something old
and widely-used you're well aware that "not breaking everyone's stuff [even
when it's terrible]" is a large part of the job. (and, ironically, i've
come to believe that breaking it _loudly and clearly_ when you have to [for
security, usually] is the least worst option.)


> Chet
> --
> ``The lyf so short, the craft so long to lerne.'' - Chaucer
>                  ``Ars longa, vita brevis'' - Hippocrates
> Chet Ramey, UTech, CWRU    chet at case.edu    http://tiswww.cwru.edu/~chet/
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.landley.net/pipermail/toybox-landley.net/attachments/20230707/6b41a79e/attachment-0001.htm>

More information about the Toybox mailing list