summaryrefslogtreecommitdiff
path: root/COPYRIGHT
diff options
context:
space:
mode:
authorBrent Cook <busterb@gmail.com>2014-07-15 16:30:07 +0000
committerRich Felker <dalias@aerifal.cx>2014-07-19 21:39:18 -0400
commitddddec106fd17c3aca3287005d21e92f742aa9d4 (patch)
treeb980289dde0d827262451c93780690db16b4272e /COPYRIGHT
parentcec33b2c6079195c687331beda5409f449125b06 (diff)
downloadmusl-ddddec106fd17c3aca3287005d21e92f742aa9d4.tar.gz
musl-ddddec106fd17c3aca3287005d21e92f742aa9d4.tar.bz2
musl-ddddec106fd17c3aca3287005d21e92f742aa9d4.tar.xz
musl-ddddec106fd17c3aca3287005d21e92f742aa9d4.zip
add issetugid function to check for elevated privilege
this function provides a way for third-party library code to use the same logic that's used internally in libc for suppressing untrusted input/state (e.g. the environment) when the application is running with privleges elevated by the setuid or setgid bit or some other mechanism. its semantics are intended to match the openbsd function by the same name. there was some question as to whether this function is necessary: getauxval(AT_SECURE) was proposed as an alternative. however, this has several drawbacks. the most obvious is that it asks programmers to be aware of an implementation detail of ELF-based systems (the aux vector) rather than simply the semantic predicate to be checked. and trying to write a safe, reliable version of issetugid in terms of getauxval is difficult. for example, early versions of the glibc getauxval did not report ENOENT, which could lead to false negatives if AT_SECURE was not present in the aux vector (this could probably only happen when running on non-linux kernels under linux emulation, since glibc does not support linux versions old enough to lack AT_SECURE). as for musl, getauxval has always properly reported errors, but prior to commit 7bece9c2095ee81f14b1088f6b0ba2f37fecb283, the musl implementation did not emulate AT_SECURE if missing, which would result in a false positive. since musl actually does partially support kernels that lack AT_SECURE, this was problematic. the intent is that library authors will use issetugid if its availability is detected at build time, and only fall back to the unreliable alternatives on systems that lack it. patch by Brent Cook. commit message/rationale by Rich Felker.
Diffstat (limited to 'COPYRIGHT')
0 files changed, 0 insertions, 0 deletions