On Fri, May 29, 2009 at 05:38:20AM -0700, John.Zolnowsky at Sun.COM wrote:
> PROPOSED SOLUTION:

I like this a lot, but there are a few small improvements that need to
be made.

>       The system_noshell_x() allows variable number of arguments and can be
>       used to supply argument strings containing special characters
>       (including whitespaces and quotes) literally. The system_noshell_xv()
>       allows for the same functionality with an execv(2) style array of
>       pointers to null-terminated strings. The 'flags' field may be used to
>       pass the value 'SN_RESETIDS' to reset the process's effective user and
>       group IDs to the real IDs. Without this flag, the process will run with
>       the privileges of the effective user and effective group.

The sense of the SN_RESETIDS should be reversed -- doing
setgid(getgid()) and setuid(getuid()) should be the default.

It's also possible to arrange the caller's privs such that privilege
awareness will not be reset on exec().  Should this be checked for?
E.g., the child process should call getpflag(2) to see if the PRIV_AWARE
flag is on, and if it is and the caller did not request that IDs not be
reset, then exit immediately with an error.

>       As with the system(3C) function, the system_noshell(3C) and variant
>       functions set SIGCHLD to be blocked for the calling thread, while
>       waiting for the file execution to terminate.

Er, why do anything at all about SIGCHLD?  With forkx(2) and the
POSIX_SPAWN_NOSIGCHLD_NP and POSIX_SPAWN_WAITPID_NP flags you can just
avoid this altogether.  The system(3C) function uses those posix_spawn()
flags, and it still blocks SIGCHLD only because the standard requires
it, but system_noshell*() have no such requirement, so there's no need
for them to bother with blocking SIGCHLD.

>                                                    Unlike the existing
>       system(3C) implementation however, the system_noshell*() functions set
>       SIGINT and SIGQUIT to be ignored only in the child process, making
>       them MT-safe.

OK.  Perhaps a flag to not bother should be included, or perhaps if
there's no controlling tty then don't bother with SIGINT/QUIT.  (If
there's no ctty then what's the point?)

>       The system_noshell*(3C) functions are not designed to be a replacement
>       for the system(3C) function. The new functions should be recommended
>       for execution of files that do not require the shell.

On the other hand, one could recommend that a program be structured such
that a shell not be required.  I expect that that generally could not be
done for user-entered commands, of course, but it can be done in many
other cases.  I guess what I'm saying is this: the system(3C) manpage
should have a NOTE that recommends the use of system_noshell*(3C)
whenever possible instead of system(3C), and which describes when
system(3C) is better than system_noshell*(3C) (namely: whenever you
absolutely need to have a shell interpret shell meta-characters, apply
IFS, ...).

Nico
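The points argued in this reply (arguments passed literally with no shell in between, resetting the effective IDs to the real IDs as the default rather than behind a flag, ignoring SIGINT/SIGQUIT only in the child, and exiting with 127 when exec fails as system(3C) does) can be illustrated with a small portable sketch. The code below is an added example for this page, not the Sun proposal's implementation or anything from the thread; it uses only POSIX fork/execvp/waitpid rather than forkx(2) or posix_spawn(3C), so it compiles on any POSIX system, and the names run_noshell and RN_KEEPIDS are this example's own inventions. The getpflag(2)/PRIV_AWARE check suggested above is Solaris-specific and is deliberately left out.

```c
/* Added example: a minimal no-shell system() variant in the spirit of the
 * system_noshell_xv() proposal discussed above, written for this page using
 * only portable POSIX calls. Not the Sun/OpenSolaris implementation; the
 * names run_noshell and RN_KEEPIDS are assumptions made for this example. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Flag sense follows the reply's suggestion: resetting the effective IDs to
 * the real IDs is the default, and the caller must opt out explicitly. */
#define RN_KEEPIDS 0x1

/* Run argv[0] with the argument vector handed to execvp(3) literally, so
 * whitespace, quotes and ';' in the arguments are never interpreted.
 * Returns the child's exit status (0-255), 128+signal if it was killed by a
 * signal, 126 if dropping privileges failed, 127 if exec failed, or -1 if
 * fork/waitpid failed in the parent. */
int run_noshell(char *const argv[], int flags)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child only: ignore SIGINT/SIGQUIT here, not in the parent, so the
         * parent's dispositions and its other threads are left untouched. */
        signal(SIGINT, SIG_IGN);
        signal(SIGQUIT, SIG_IGN);

        if (!(flags & RN_KEEPIDS)) {
            /* Drop set-id privileges before exec: group first, then user.
             * Refuse to run rather than run with unintended privileges. */
            if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
                _exit(126);
        }
        execvp(argv[0], argv);
        _exit(127);   /* exec failed: same convention system(3C) uses */
    }

    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);
    return -1;
}

int main(void)
{
    /* Constructed argument: the space and ';' reach test(1) untouched
     * because no shell ever sees them; test exits 0 when the strings match. */
    char *const argv[] = {"test", "a b; c", "=", "a b; c", NULL};
    int rc = run_noshell(argv, 0);
    printf("test(1) returned %d (0 means the argument arrived literally)\n", rc);
    return rc;
}
```

Because the parent never touches SIGCHLD, the function is usable from a multithreaded program without the wait-related bookkeeping that system(3C) has to do; the price, compared with the posix_spawn flags mentioned above, is that fork(2) is used directly.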