Jacob Vosmaer:
The patch below makes runit ignore this type of bad path entry.
What do you think?
It's not good enough.
I was all set to apply this to djbwares, as the runit code for pathexec
is actually Daniel J. Bernstein's original code. But it highlighted
some basic problems of running execve() in a loop to do a PATH search.
Simply put: One wants to (largely) ignore the error if there's a problem
with the directory prefix from the search path; and one wants to retain
the error if there's a problem with the final pathname component, the
name that is being searched for or the actual node that it names.
Unfortunately, execve() can return EACCESS in both cases, and simply
deciding to exit the loop based upon nothing but the errno value is
therefore an unworkable strategy.
If you look at the BSD C library in FreeBSD, you'll see that it attempts
to distinguish between the two cases in its execvpe() by calling stat()
on error. If the stat() succeeds, then the problem cannot be with the
directory prefix. So it remembers the EACCESS, which must be a problem
with the file itself. If the stat() fails, then the problem is with the
directory prefix (or with symbolic link traversal, hence the use of
stat() not lstat()) and it largely ignores the EACCESS.
If you look at the internal_execve() function in the next release of the
nosh toolset, you'll see that I've used a different design and made use
of (relatively, they still being over a decade old) newer API functions,
instead. The code uses openat() on the path prefixes with O_DIRECTORY
(and O_CLOEXEC), if that fails largely ignoring that error and
continuing to the next PATH component. It then uses, relative to that
file descriptor, openat() with O_EXEC and then fexecve() for the final
component (which it also this way does not have to do string
concatenation with), retaining that error if that fails. Things are
slightly complicated by some trickiness relating to executable scripts
with interpreters, but that's the gist of it.
pathexec_run() needs similar attention.
