From 1c59bb3cefff73c532033863e60e9130892a50dd Mon Sep 17 00:00:00 2001
From: Eric Blake <ebb9@byu.net>
Date: Wed, 28 Oct 2009 14:36:09 -0600
Subject: nice, nohup, su: detect write failure to stderr

These programs can print non-fatal diagnostics to stderr prior to
exec'ing a subsidiary program.  However, if we thought the situation
warranted a diagnostic, we insist that the diagnostic be printed
without error, rather than blindly exec, as it may be a security risk.

For an example, try 'nice -n -1 nice 2>/dev/full'.  Failure to raise
priority (by lowering niceness) is not fatal, but failure to inform
the user about failure to change priority is dangerous.

* src/nice.c (main): Declare failure if writing advisory message
to stderr fails.
* src/nohup.c (main): Likewise.
* src/su.c (main): Likewise.
* tests/misc/nice: Test this.
* tests/misc/nohup: Likewise.
* NEWS: Document this.
---
 NEWS | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'NEWS')

diff --git a/NEWS b/NEWS
index abf2466b6..076077525 100644
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,10 @@ GNU coreutils NEWS                                    -*- outline -*-
   call fails with errno == EACCES.
   [the bug dates back to the initial implementation]
 
+  nice, nohup, and su now refuse to execute the subsidiary program if
+  they detect write failure in printing an otherwise non-fatal warning
+  message to stderr.
+
   stat -f recognizes more file system types: afs, cifs, anon-inode FS,
   btrfs, cgroupfs, cramfs-wend, debugfs, futexfs, hfs, inotifyfs, minux3,
   nilfs, securityfs, selinux, xenfs
-- 
cgit v1.2.3-70-g09d2