| author | Tony Finch <dot@dotat.at> | 2011-06-07 16:48:44 +0100 |
|---|---|---|
| committer | Tony Finch <dot@dotat.at> | 2011-06-07 20:03:58 +0100 |
| commit | 921b12ca0c361b9c543368edf057712afa02ca14 (patch) | |
| tree | d0b0f60f1b784793f9574dafb687fe2f0c46768a /doc/doc-txt | |
| parent | 0ca0cf52fa9c635984937a3cc813d38fcdacd7ab (diff) | |
exiwhat: Ensure the SIGUSR1 signal handler is safe.

exiwhat sends a SIGUSR1 to all exim processes to make them write
their status to the process log. This is all done in the signal
handler, but the logging code makes a number of calls that are not
signal safe. These can all cause crashes or recursive locking in
libc.

Firstly, obtaining and formatting the timestamp is not safe.
Doing so is unnecessary since exiwhat strips off the timestamp.
This change removes timestamps from the process log.

Secondly, exim closes all the logs after writing the process
log. Closing syslog is not signal safe, and isn't necessary.
We now only close the process log after writing to it.

Thirdly, exim may calculate the process_log_path inside the signal
handler which involves some possibly-unsafe string handling code.
This change calculates the path when reading the configuration.

Fourthly, when exim creates the process log file it might have to
call the unsafe directory_create() though this is unlikely in
practice. After this change exim only calls log_create() in a
subprocess which is safe - it sometimes needs to do so anyway, if
it is running as root and needs to drop privileges.

The new code has no process log handling in log.c which eliminates
some awkward special cases. It uses very simple code to write to
the file in the signal handler, so it is obviously safe by inspection.
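The pattern the commit message describes, as an added illustration in C that is not Exim's code: the log path is fixed and the file is created in normal context, the status line is formatted with snprintf() outside the handler, and the SIGUSR1 handler itself does nothing but open(2), write(2) and close(2), which POSIX lists as async-signal-safe. All function names and the log path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* State the handler reads is prepared in normal context (hypothetical names,
 * not Exim's), so the handler never formats, allocates or takes locks. */
static const char *process_log_path = NULL;   /* fixed once, as at config time */
static char status_line[256];                 /* pre-formatted status text     */
static volatile sig_atomic_t status_len = 0;  /* bytes valid in status_line    */

/* Create (or truncate) the process log in normal context: as in the commit,
 * file creation never happens inside the signal handler. */
static int create_process_log(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    close(fd);
    process_log_path = path;
    return 0;
}

/* Format the status here, where snprintf() is safe to call. No timestamp:
 * exiwhat strips it anyway, which is why the commit drops it. */
static int set_process_status(const char *state)
{
    int n = snprintf(status_line, sizeof status_line, "%ld %s\n",
                     (long)getpid(), state);
    if (n < 0 || (size_t)n >= sizeof status_line) return -1;
    status_len = n;
    return n;
}

/* write(2) loop that copes with short writes and EINTR; still signal-safe. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t w = write(fd, buf, len);
        if (w < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        buf += w;
        len -= (size_t)w;
    }
    return 0;
}

/* The only work done under the signal: open for append, write, close.
 * errno is saved and restored so the interrupted code sees no change. */
static int append_process_status(void)
{
    int saved_errno = errno;
    int rc = -1;
    if (process_log_path != NULL && status_len > 0) {
        int fd = open(process_log_path, O_WRONLY | O_APPEND);
        if (fd >= 0) {
            rc = write_all(fd, status_line, (size_t)status_len);
            close(fd);
        }
    }
    errno = saved_errno;
    return rc;
}

static void sigusr1_handler(int sig)
{
    (void)sig;
    (void)append_process_status();
}

static int install_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = sigusr1_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    return sigaction(SIGUSR1, &sa, NULL);
}

/* Normal-context helper to check the result: count lines in the log. */
static int count_log_lines(const char *path)
{
    FILE *f = fopen(path, "r");
    int c, lines = 0;
    if (f == NULL) return -1;
    while ((c = fgetc(f)) != EOF)
        if (c == '\n') lines++;
    fclose(f);
    return lines;
}

int main(void)
{
    const char *path = "/tmp/exiwhat_demo_process.log";  /* hypothetical path */
    if (install_handler() != 0 || create_process_log(path) != 0) return 1;
    set_process_status("delivering message (constructed status)");
    raise(SIGUSR1);  /* stands in for the kill(2) exiwhat would send */
    printf("%d line(s) now in %s\n", count_log_lines(path), path);
    return 0;
}
```

The handler is reviewable in the way the commit message wants: every call it makes is on the async-signal-safe list, it touches no stdio buffers or malloc arenas, and the one shared variable it reads is a `sig_atomic_t`. Anything that needs formatting, locking or path computation happens before the signal can arrive.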
Diffstat (limited to 'doc/doc-txt')

| -rw-r--r-- | doc/doc-txt/ChangeLog | 15 |
|---|---|---|

1 files changed, 15 insertions, 0 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 8ca5d85af..3af14c39e 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -17,6 +17,21 @@ TK/01 DKIM Verification: Fix relaxed canon for empty headers w/o TF/02 Fix a couple more cases where we did not log the error message when unlink() failed. See also change 4.74-TF/03. +TF/03 Make the exiwhat support code safe for signals. Previously Exim might + lock up or crash if it happened to be inside a call to libc when it + got a SIGUSR1 from exiwhat. + + The SIGUSR1 handler appends the current process status to the process + log which is later printed by exiwhat. It used to use the general + purpose logging code to do this, but several functions it calls are + not safe for signals. + + The new output code in the SIGUSR1 handler is specific to the process + log, and simple enough that it's easy to inspect for signal safety. + Removing some special cases also simplifies the general logging code. + Removing the spurious timestamps from the process log simplifies + exiwhat. + Exim version 4.76 ----------------- |
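Review bot: the new TF/03 entry never states plainly that the process log's on-disk format changes (the timestamp is gone), and that is the one user-visible effect of this commit; "Removing the spurious timestamps from the process log simplifies exiwhat" only describes it as an internal simplification. Anyone who reads the process log with something other than exiwhat will notice the difference, so add a sentence such as "The process log no longer carries a timestamp on each line; exiwhat never showed it." right after the existing "Removing the spurious timestamps" sentence. It would also help the reader of the ChangeLog to name the other behaviour change the commit message describes, that the process log file is now only created in a subprocess rather than from the signal handler.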