backupfile, chdir-long, fts, savedir: make safer

* lib/backupfile.c (includes): Use "dirent--.h", since
numbered_backup can write to stderr during readdir.
* lib/savedir.c (includes): Likewise.
* lib/chdir-long.c (includes): Use "fcntl--.h", since openat
emulation can write to stderr on failure.
* lib/fts.c (includes) [!_LIBC]: Likewise for opendir and openat.
* lib/getcwd.c: Document why opendir_safer is unused.
* lib/glob.c: Likewise.
* lib/scandir.c: Likewise.
* lib/openat-proc.c: Likewise, for open_safer.
* modules/backupfile (Depends-on): Add dirent-safer.
* modules/savedir (Depends-on): Likewise.
* modules/fts (Depends-on): Add dirent-safer and openat-safer.
* modules/chdir-long (Depends-on): Add openat-safer.

Signed-off-by: Eric Blake <ebb9@byu.net>

ChangeLog

@@ -1,5 +1,21 @@
 2009-09-02  Eric Blake  <ebb9@byu.net>
 
+	backupfile, chdir-long, fts, savedir: make safer
+	* lib/backupfile.c (includes): Use "dirent--.h", since
+	numbered_backup can write to stderr during readdir.
+	* lib/savedir.c (includes): Likewise.
+	* lib/chdir-long.c (includes): Use "fcntl--.h", since openat
+	emulation can write to stderr on failure.
+	* lib/fts.c (includes) [!_LIBC]: Likewise for opendir and openat.
+	* lib/getcwd.c: Document why opendir_safer is unused.
+	* lib/glob.c: Likewise.
+	* lib/scandir.c: Likewise.
+	* lib/openat-proc.c: Likewise, for open_safer.
+	* modules/backupfile (Depends-on): Add dirent-safer.
+	* modules/savedir (Depends-on): Likewise.
+	* modules/fts (Depends-on): Add dirent-safer and openat-safer.
+	* modules/chdir-long (Depends-on): Add openat-safer.
+
 	openat-safer: new module
 	* modules/openat-safer: New file.
 	* lib/openat-safer.c: Likewise.

lib/backupfile.c

@@ -1,7 +1,7 @@
 /* backupfile.c -- make Emacs style backup file names
 
    Copyright (C) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998,
-   1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software
+   1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2009 Free Software
    Foundation, Inc.
 
    This program is free software: you can redistribute it and/or modify
@@ -37,7 +37,7 @@
 
 #include <unistd.h>
 
-#include <dirent.h>
+#include "dirent--.h"
 #ifndef _D_EXACT_NAMLEN
 # define _D_EXACT_NAMLEN(dp) strlen ((dp)->d_name)
 #endif
@@ -80,11 +80,6 @@
    of `digit' even when the host does not conform to POSIX.  */
 #define ISDIGIT(c) ((unsigned int) (c) - '0' <= 9)
 
-/* The results of opendir() in this file are not used with dirfd and fchdir,
-   therefore save some unnecessary work in fchdir.c.  */
-#undef opendir
-#undef closedir
-
 /* The extension added to file names to produce a simple (as opposed
    to numbered) backup file name. */
 char const *simple_backup_suffix = "~";

lib/chdir-long.c

@@ -1,5 +1,5 @@
 /* provide a chdir function that tries not to fail due to ENAMETOOLONG
-   Copyright (C) 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+   Copyright (C) 2004-2009 Free Software Foundation, Inc.
 
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -20,7 +20,6 @@
 
 #include "chdir-long.h"
 
-#include <fcntl.h>
 #include <stdlib.h>
 #include <stdbool.h>
 #include <string.h>
@@ -28,7 +27,7 @@
 #include <stdio.h>
 #include <assert.h>
 
-#include "openat.h"
+#include "fcntl--.h"
 
 #ifndef PATH_MAX
 # error "compile this file only if your system defines PATH_MAX"

lib/fts.c

@@ -69,7 +69,7 @@ static char sccsid[] = "@(#)fts.c	8.6 (Berkeley) 8/14/94";
 
 #if ! _LIBC
 # include "fcntl--.h"
-# include "openat.h"
+# include "dirent--.h"
 # include "unistd--.h"
 # include "same-inode.h"
 #endif

lib/getcwd.c

@@ -1,4 +1,4 @@
-/* Copyright (C) 1991-1999, 2004-2008 Free Software Foundation, Inc.
+/* Copyright (C) 1991-1999, 2004-2009 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
    This program is free software: you can redistribute it and/or modify
@@ -103,7 +103,11 @@
 #endif
 
 /* The results of opendir() in this file are not used with dirfd and fchdir,
-   therefore save some unnecessary recursion in fchdir.c.  */
+   and we do not leak fds to any single-threaded code that could use stdio,
+   therefore save some unnecessary recursion in fchdir.c.
+   FIXME - if the kernel ever adds support for multi-thread safety for
+   avoiding standard fds, then we should use opendir_safer and
+   openat_safer.  */
 #undef opendir
 #undef closedir
 

lib/glob.c

@@ -1,4 +1,4 @@
-/* Copyright (C) 1991-2002, 2003, 2004, 2005, 2006, 2007, 2008
+/* Copyright (C) 1991-2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009
    Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
@@ -186,7 +186,10 @@ static const char *next_brace_sub (const char *begin, int flags) __THROW;
 
 #ifndef _LIBC
 /* The results of opendir() in this file are not used with dirfd and fchdir,
-   therefore save some unnecessary work in fchdir.c.  */
+   and we do not leak fds to any single-threaded code that could use stdio,
+   therefore save some unnecessary recursion in fchdir.c and opendir_safer.c.
+   FIXME - if the kernel ever adds support for multi-thread safety for
+   avoiding standard fds, then we should use opendir_safer.  */
 # undef opendir
 # undef closedir
 

lib/openat-proc.c

@@ -1,6 +1,6 @@
 /* Create /proc/self/fd-related names for subfiles of open directories.
 
-   Copyright (C) 2006 Free Software Foundation, Inc.
+   Copyright (C) 2006, 2009 Free Software Foundation, Inc.
 
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -34,7 +34,10 @@
 #include "xalloc.h"
 
 /* The results of open() in this file are not used with fchdir,
-   therefore save some unnecessary work in fchdir.c.  */
+   and we do not leak fds to any single-threaded code that could use stdio,
+   therefore save some unnecessary work in fchdir.c.
+   FIXME - if the kernel ever adds support for multi-thread safety for
+   avoiding standard fds, then we should use open_safer.  */
 #undef open
 #undef close
 

lib/savedir.c

@@ -26,7 +26,7 @@
 
 #include <errno.h>
 
-#include <dirent.h>
+#include "dirent--.h"
 #ifndef _D_EXACT_NAMLEN
 # define _D_EXACT_NAMLEN(dp)	strlen ((dp)->d_name)
 #endif
@@ -41,11 +41,6 @@
 # define NAME_SIZE_DEFAULT 512
 #endif
 
-/* The results of opendir() in this file are not used with dirfd and fchdir,
-   therefore save some unnecessary work in fchdir.c.  */
-#undef opendir
-#undef closedir
-
 /* Return a freshly allocated string containing the file names
    in directory DIRP, separated by '\0' characters;
    the end is marked by two '\0' characters in a row.

lib/scandir.c

@@ -45,6 +45,14 @@
 # define __opendir opendir
 # define __closedir closedir
 # define __set_errno(val) errno = (val)
+
+/* The results of opendir() in this file are not used with dirfd and fchdir,
+   and we do not leak fds to any single-threaded code that could use stdio,
+   therefore save some unnecessary recursion in fchdir.c and opendir_safer.c.
+   FIXME - if the kernel ever adds support for multi-thread safety for
+   avoiding standard fds, then we should use opendir_safer.  */
+# undef opendir
+# undef closedir
 #endif
 
 #ifndef SCANDIR_CANCEL

modules/backupfile

@@ -11,6 +11,7 @@ m4/backupfile.m4
 Depends-on:
 argmatch
 d-ino
+dirent-safer
 dirname
 memcmp
 stdbool

modules/chdir-long

@@ -10,7 +10,7 @@ Depends-on:
 atexit
 fchdir
 fcntl-h
-openat
+openat-safer
 memchr
 mempcpy
 memrchr

modules/fts

@@ -11,6 +11,7 @@ Depends-on:
 cycle-check
 d-ino
 d-type
+dirent-safer
 dirfd
 fchdir
 fcntl-h
@@ -19,7 +20,7 @@ hash
 i-ring
 lstat
 memmove
-openat
+openat-safer
 stdbool
 unistd-safer
 

modules/savedir

@@ -7,6 +7,7 @@ lib/savedir.c
 m4/savedir.m4
 
 Depends-on:
+dirent-safer
 fdopendir
 xalloc