[Toybox] [PATCH] sh: pass "\" to the later app

Chet Ramey chet.ramey at case.edu
Sun Jul 9 17:54:37 PDT 2023 

On 7/7/23 6:45 PM, enh wrote:

>      > define "mess up"...
> 
>     Maybe "mess up" was too strong. I think it's rude to send a fatal signal if
>     you have the function. Either don't provide it or make it return -1/ENOSYS.
>     Android is by no means the only place this is a problem; it happens with
>     docker all the time:
> 
>     https://lists.gnu.org/archive/html/bug-bash/2022-03/msg00010.html
>     <https://lists.gnu.org/archive/html/bug-bash/2022-03/msg00010.html>
> 
> 
> yeah, if it's any consolation we argued about this choice a lot. (which is 
> probably also why the choice exists in the first place!)
> 
> iirc we even _tried_ -1/ENOSYS to test the predictions that (a) most c 
> programmers don't check for failures (b) even those that do don't log 
> enough to be able to debug these problems 

It penalizes those who do.

> and (c) even in cases where 
> errors are checked and logged, the ability of folks -- including _end 
> users_ -- to triage such problems is limited. 

Killing the process certainly doesn't improve that. How is it better for
triage when the process dies unexpectedly with a fatal signal -- when
running a builtin command -- that can't be reproduced anywhere else? If
Grisha Levit hadn't recognized what was going on, I never would have even
looked at it. I don't use Android as a development platform.


> i'm not a _fan_ of SIGSYS, 
> but i do still think it was the lesser of the available evils. (but of 
> course it's the folks who _do_ check for failures who're most likely to 
> disagree;

OK, I'm going to disagree.


>      > Android deliberately has strict seccomp filters for
>      > apps, and the syscalls mentioned in that post are on the "no" list.
>     Android
>      > gives each _app_ a different uid, so there's typically nothing
>     useful you
>      > can do here anyway. (things are a bit different if you're actually
>     part of
>      > the OS, but bash being GPL makes that unlikely :-( )
> 
>     Sure. But if you have the function, bash assumes it works as documented in
>     the rest of the Linux world.
> 
> 
> and so it does, if you're not an app.
> 
> the tricky case here has always been the conflict between the folks who 
> want to check at build time versus those who want to check at runtime ... 
> if we hide things in the headers, people complain "i wasn't going to call 
> it unless i know i can anyway". (plus in addition to the general rule that 
> "most configure scripts don't handle cross-compilation correctly", you'd be 
> surprised how many screw up the simple "is this function available?" test 
> --- they don't compile a small program that #includes the right header and 
> tries to call the function; they grep the header or nm the library or 
> whatever.)

If AC_CHECK_FUNCS doesn't do the right thing when cross-compiling, maybe
the autotools folks should hear about it?

>      > (yes, i agree that it's mildly unfortunate that there's no special
>     case for
>      > "i don't actually want to change anything", which i think is the case
>      > they're talking about in that post, and i've wondered about adding
>     that to
>      > libc once or twice, but my feeling is that it wouldn't be particularly
>      > useful in practice because _that_ kind of code probably needs a rethink
>      > anyway when porting to Android.)

I'm not sure moving that burden to the application is appropriate, either.
But bash has no android-specific code; there's no "porting to android" at
this point.

> 
>     I just added code to bash that doesn't try to call setresuid/setresgid if
>     nothing is actually changing, which will save a couple calls everywhere.
>     But killing the process is rude.
> 
> 
> you're talking to the guy who added the equivalent of `if (fp == NULL) 
> abort_with_message("you can't pass a null FILE*");` to every stdio function 
> because too many developers don't check fopen() succeeded, and think libc 
> is broken if fgets() dereferences a null pointer.

Oh, come on, really? What's next? Adding checks in the str* functions
for NULL pointers? I am sure that catering to bad programming is not the
way to improve programming practices.

> killing a process with a 
> "you called syscall %d and you're not allowed to" message is pretty much 
> exactly what you'd expect from me :-) 

Yeah, alex didn't get that.

 > bash-5.2$ set +p
 >
 > [Process completed (signal 31) - press Enter]
 >

Bash catches SIGSYS in interactive shells so it can clean up the terminal
pgrps and save the history, so the user's not going to see that message
from bash (assuming you print it from the default signal `handler'). Bash
will kill itself with SIGSYS after restoring the default signal handler,
so it's up to the parent to catch that exit status and report it, which
termux did. It's not that unusual. You can't count on the user seeing it.



> it might not seem like it from the outsiders (because you only see the 
> stuff that _does_ break), but i'm sure as the maintainer of something old 
> and widely-used you're well aware that "not breaking everyone's stuff [even 
> when it's terrible]" is a large part of the job. (and, ironically, i've 
> come to believe that breaking it _loudly and clearly_ when you have to [for 
> security, usually] is the least worst option.)

Backwards compatibility is important, and something in which I put a lot
of value, but you're right, sometimes you have to break it. That's why bash
has its compatibility mode. But it seems like gradually fixing things, or
adding a compatibility mode setting, sometimes only gives people the
opportunity to complain simultaneously about both the problem and the
solution.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
		 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    chet at case.edu    http://tiswww.cwru.edu/~chet/

More information about the Toybox mailing list