diff options
| author | Eric Blake <ebb9@byu.net> | 2009-10-28 14:36:09 -0600 |
|---|---|---|
| committer | Eric Blake <ebb9@byu.net> | 2009-10-28 21:12:41 -0600 |
| commit | 1c59bb3cefff73c532033863e60e9130892a50dd (patch) | |
| tree | 42f89ad649d5be625ac200f044c3f7acd5ee5e08 /src/su.c | |
| parent | doc: tell --enable-gcc-warnings users where to report problems (diff) | |
| download | coreutils-1c59bb3cefff73c532033863e60e9130892a50dd.tar.gz coreutils-1c59bb3cefff73c532033863e60e9130892a50dd.zip | |
nice, nohup, su: detect write failure to stderr
These programs can print non-fatal diagnostics to stderr prior to
exec'ing a subsidiary program. However, if we thought the situation
warranted a diagnostic, we insist that the diagnostic be printed
without error, rather than blindly exec, as it may be a security risk.
For an example, try 'nice -n -1 nice 2>/dev/full'. Failure to raise
priority (by lowering niceness) is not fatal, but failure to inform
the user about failure to change priority is dangerous.
* src/nice.c (main): Declare failure if writing advisory message
to stderr fails.
* src/nohup.c (main): Likewise.
* src/su.c (main): Likewise.
* tests/misc/nice: Test this.
* tests/misc/nohup: Likewise.
* NEWS: Document this.
Diffstat (limited to 'src/su.c')
| -rw-r--r-- | src/su.c | 8 |
1 files changed, 8 insertions, 0 deletions
@@ -506,5 +506,13 @@ main (int argc, char **argv) if (simulate_login && chdir (pw->pw_dir) != 0) error (0, errno, _("warning: cannot change directory to %s"), pw->pw_dir); + /* error() flushes stderr, but does not check for write failure. + Normally, we would catch this via our atexit() hook of + close_stdout, but execv() gets in the way. If stderr + encountered a write failure, there is no need to try calling + error() again. */ + if (ferror (stderr)) + exit (EXIT_CANCELED); + run_shell (shell, command, argv + optind, MAX (0, argc - optind)); } |