Add getpwnam and related functions

[ctrlcctrlv]

This PR closes #862.

Implemented functions:

• As User::query:
  • getpwnam
  • getpwuid
• As Group::query:
  • getgrgid
  • getgrnam
• As Users iterator:
  • getpwent
  • setpwent
  • endpwent
• As Groups iterator:
  • getgrent
  • setgrent
  • endgrent

I wanted to implement getgrent, setgrent and endgrent, but they are missing from libc. (See rust-lang/libc#923 )

[kristate]

Thanks for your commit!

[kristate]

I wonder if it is smart to use CStrings here (as opposed to Strings).
Does the library use CStrings in any other places?

[kristate]

I took a quick search of the code, and it does seem that we are using String and not CString as an interface. Please switch to String.

Ref:

• nix/src/ifaddrs.rs

  Line 21 in a00bd10

  pub interface_name: String,

• nix/src/pty.rs

  Line 146 in ebf7505

  pub unsafe fn ptsname(fd: &PtyMaster) -> Result<String> {

• nix/src/pty.rs

  Line 167 in ebf7505

  pub fn ptsname_r(fd: &PtyMaster) -> Result<String> {

• et cetera

Thanks!

[ctrlcctrlv]

Thank you very much for your review. I did have what I believed to be a good reason to use CStrings. If this function is ran on a non UTF8 system, the fields, especially gecos, can be in a non UTF8 encoding such as SHIFTIJIS. from_utf8_lossy will cause data loss. Should String still be used in light of this?

[asomers]

Does Nix support any operating systems that run in non-UTF8 mode?

[ctrlcctrlv]

Yes, many. FreeBSD, Linux etc can all use /etc/passwd files that are in the user's non-UTF8 locale. I hate to keep mentioning SHIFT-JIS, but because in my day job I'm dealing with a lot of SJIS data and SJIS systems, I am accutely aware of this problem. Japanese sysadmins, even in 2018, in many cases still prefer SJIS because it is byte for byte around 2/3 to 1/2 the size of UTF-8. So that means an uncompressed database of Japanese text data is double the size if it's UTF-8. Therefore, many many Unix systems in Japan use SJIS everywhere, including the passwd and group files.

[kristate]

This looks like it has too many moving parts.

[ctrlcctrlv]

I couldn't think of another way to decode a **char

[kristate]

Is it smart to check the errno in this way?

[ctrlcctrlv]

It works, but I do have to admit that I did not really understand too well the errno.rs module.

[asomers]

libc::getpwent also uses a static object. It also isn't very Rusty, because it's basically the next method for an implied iterator. I don't think it should be directly exposed by Nix. Instead, I think you should create an iterator class that will internally use libc::getpwent_r to iterate through the password file. Something like this:

struct PwEntries {
    ...
}
impl PwEntries {
    fn new() -> Self {
        libc::setpwent();
        ...
    }
}
impl Iterator for PwEntries {
    type item = Passwd;
    fn next(&mut self) -> Option<Passwd> {
        ...
    }
}
impl Drop for PwEntries {
    fn drop(&mut self) {
        libc::endpwent();
    }
}

Unfortunately, this still isn't 100% reentrant since those setpwent and endpwent functions still store their file descriptors in static variables. But I don't see a better option.

[ctrlcctrlv]

libc::getpwent_r does not exist, so I suppose this is on hold until I can figure out how to get it added to libc...

[kristate]

ditto.

[kristate]

Is it important to mark these all as pub?

[ctrlcctrlv]

I think so. . . the whole point of these functions is to get data from this struct.

[asomers]

One thing that other Nix modules do is create a Newtype to wrap the libc struct, and define accessors for that. See for example nix::sys::Kevent or nix::sys::UtsName. I think that pattern would work well here. You'd do something like:

pub struct Passwd(libc::passwd);
impl Passwd {
    pub fn name(&self) -> &str {
        ...
    }
}

[ctrlcctrlv]

@asomers That seems very Java-like to me and not necessary for these structs. Furthermore, some day I may also add putpwent, which would require a user to build this struct. putpwent is basically how the shell utilitty adduser works. http://man7.org/linux/man-pages/man3/putpwent.3.html

[asomers]

Accessor functions may seem unnecessary to you, but converting C's struct passwd to a different layout seems unnecessary to me. As long as we're dealing with C and Rust datatypes that have incompatible layouts, we're going to need some kind of conversion. I like the accessor method version better, because that way we won't waste time converting fields that the user doesn't care about. We'll probably save RAM too.

[asomers]

The man page says that applications should explicitly set errno to 0 before calling getpwnam.

[asomers]

libc::getpwnam is not thread safe because it uses a static buffer. In fact, it's worse than that, because the static buffer is malloced on demand, and libc will free it and reallocate it if it isn't large enough. That means that multithreaded programs can use-after-free if they call getpwnam without synchronization. You should use libc::getpwnam_r instead.

[asomers]

Same concerns here about thread-safety and initializing errno.

[asomers]

libc::getpwent also uses a static object. It also isn't very Rusty, because it's basically the next method for an implied iterator. I don't think it should be directly exposed by Nix. Instead, I think you should create an iterator class that will internally use libc::getpwent_r to iterate through the password file. Something like this:

struct PwEntries {
    ...
}
impl PwEntries {
    fn new() -> Self {
        libc::setpwent();
        ...
    }
}
impl Iterator for PwEntries {
    type item = Passwd;
    fn next(&mut self) -> Option<Passwd> {
        ...
    }
}
impl Drop for PwEntries {
    fn drop(&mut self) {
        libc::endpwent();
    }
}

Unfortunately, this still isn't 100% reentrant since those setpwent and endpwent functions still store their file descriptors in static variables. But I don't see a better option.

[asomers]

Ditto all the comments for the getpwent family of functions.

[asomers]

Does Nix support any operating systems that run in non-UTF8 mode?

[asomers]

One thing that other Nix modules do is create a Newtype to wrap the libc struct, and define accessors for that. See for example nix::sys::Kevent or nix::sys::UtsName. I think that pattern would work well here. You'd do something like:

pub struct Passwd(libc::passwd);
impl Passwd {
    pub fn name(&self) -> &str {
        ...
    }
}

[ctrlcctrlv]

I was able to get a bunch of functions added to libc in rust-lang/libc#934 .

I am now working on getting the APIs I added there into nix again. Hoping no more libc changes are needed.

[ctrlcctrlv]

@kristate @asomers @Susurrus I would very much appreciate it if y'all could read what I wrote in the commit message here 3612526

I'm worried that this problem will cause all my work on this PR to go to waste, very stressed since I've poured hours into this already 😢

[ctrlcctrlv]

I don't know why the test system is doing this:

   Compiling libc v0.2.38 (https://github.com/rust-lang/libc#936e16bc)
   Compiling libc v0.2.37

Why it immediately compiles old version after new? I got a PR into libc for the express purpose of getting this PR into nix, so using 0.2.38 is an absolute must. My branch will not compile without it.

[ctrlcctrlv]

😟

[asomers]

This change is unnecessary and can be reverted. Cargo will always try to use the latest version when you use a "git" specification. If the included libc version in your workspace seems behind, then you should run cargo update.

[asomers]

Do you really need the into_owned?

[asomers]

format is basically what the println is doing. I think you can shorten this entire line to pw.uid)

[asomers]

When you run cargo test, does all this stuff get printed? If so, you must silence it.

[ctrlcctrlv]

Even with nocapture, nothing is printed.

   Doc-tests nix

running 1 test
test src/unistd.rs - unistd::Users (line 2300) ... ok

test result: ok. 1 passed; 0 failed; 0 ignored; 0 measured; 47 filtered out

[asomers]

This line seems unlikely to compile on android

[ctrlcctrlv]

Yup you're right, I thought the compiler was smarter than it is, since the struct doesn't exist when compiling for Android.

[asomers]

0u8 would be more appropriate than 0i8, I think. A 0i8 array can't store any text encodings that use the high bit.

[ctrlcctrlv]

I can't, type mismatch. libc's type c_char = i8.

[asomers]

Accessor functions may seem unnecessary to you, but converting C's struct passwd to a different layout seems unnecessary to me. As long as we're dealing with C and Rust datatypes that have incompatible layouts, we're going to need some kind of conversion. I like the accessor method version better, because that way we won't waste time converting fields that the user doesn't care about. We'll probably save RAM too.

[asomers]

You need a way to distinguish between "entry not found" (errno==0) and "not enough buffer space" (errno==ERANGE)

[asomers]

Don't forget to initialize errno to zero before calling this function.

[ctrlcctrlv]

To be certain, you mean I have to make a call to Errno::clear, right?

[asomers]

Yeah, that'll do.

[asomers]

You should probably initialize errno=0 here too.

[asomers]

Need to handle ERANGE here too.

[asomers]

We already have a way of serializing tests that use global variables. Look in tests/test.rs at the bottom. There are several mutexes there. You should add another one to protect the global variables used by the getpwent family of functions.

[ctrlcctrlv]

Oh okay thanks, I get it, I'll make the tests use that when I get home from church, as well as deal with your other concerns 😃

[ctrlcctrlv]

Alright, got a bunch of work done today, but as you can see from the failing builds there is still more to do :-)

Thank you everyone for your patience with me while I sort this out. Just realized I'm going to have to open another libc PR as my original accidentally neglected FreeBSD.

[ctrlcctrlv]

FreeBSD build will stop failing when rust-lang/libc#939 is merged.

[ctrlcctrlv]

Hey @asomers , really curious what you think of this API for querying instead of just exposing it under the names of the POSIX functions. It's getting late here, if you like it I'll make the Group version of it tomorrow.

[ctrlcctrlv]

P.S. Anybody know what's up with https://travis-ci.org/nix-rust/nix/jobs/349841588 ? I can't get test_users_iterator_smallbuf to do that on my Linux VM.

[asomers]

The query API could certainly work. One problem is that it's not specific enough. Why have enum values that can't be used to look up a user? Why have values that can't be used to look up a group? Better to have one enum for User queries, and one for Group queries. That way you'll catch usage problems at compile time. Another problem is that you aren't handling "user not found" errors correctly. You shouldn't return an Errno in that case.

[ctrlcctrlv]

Happy to report my build is now passing :D

If you have no more concerns it's ready to be merged. I responded to or fixed every concern in the previous reviews to my knowledge (hope I didn't miss anything).

@asomers @Susurrus @kristate

[asomers]

The branch specification isn't necessary. Please revert changes to this file.

[asomers]

Why did you have to exclude so many architectures? Shouldn't this be architecture independent?

[ctrlcctrlv]

Not really sure -- my builds were failing due to missing functions on those architectures. Could be a libc issue, but it's also not unheard of for GNU libc to not have every function in every platform.

[asomers]

Why make some fields String if others must be CString? The inconsistency is weird.

[ctrlcctrlv]

Because it's guaranteed that the fields I made String will conform to NAME_REGEX. gecos ("real name") has no such guarantee.

[asomers]

Ahh, makes sense. Could you add a comment to that effect?

[dario23]

this seems done as well since d4d5a00.

[asomers]

Should the concerns about shift-jis force this structure to use CString too?

[ctrlcctrlv]

Addressed above.

[asomers]

Doc comments, here and elsewhere, should begin with a short description. Then there should be a blank line followed by the detailed description.

[asomers]

Please put this in a # Safety section.

[ArniDagur]

This seems done

[asomers]

Please put this in an # Examples section.

[ArniDagur]

This seems done

[asomers]

Use a # Safety section here.

[ArniDagur]

This seems done

[asomers]

This isn't a very good test. That field would've been zero even if getpwnam did nothing, because you initialize the struct to zero. Can you find a more interesting field to check?

[ctrlcctrlv]

I transformed this into a doctest. About to push it.

[asomers]

Change the name to _m and you won't need the #[allow(unused_variables)]

[ctrlcctrlv]

I copied this pattern from elsewhere in the file. I think that the reason that other tests do it this way is because maybe the compiler will optimize it out, but I did not test.

[asomers]

I'm pretty sure the reason that other tests do it this way is because they were added back when the minimum compiler version was 1.14.0 or something, and it didn't understand that leading underscores denoted unused variables.

[ctrlcctrlv]

I think that would be best left to another PR, since I'd be editing many other unrelated tests, which I'd be happy to work on after this one.

[Susurrus]

Let's add the underscore and get rid of the #[allow( as part of this PR. You don't need to clean up existing examples, but since this is new code it should do this the right way from the start.

[ctrlcctrlv]

@asomers Any further concerns?

[asomers]

s/Example/Examples for consistency with the rest of the project

[ctrlcctrlv]

@asomers What consistency? mkfifo, getcwd etc use "Example"...this makes sense because it's a lone example, in their case as well as mine.

[asomers]

I'm not saying we're perfect, but currently Nix has 30 "Examples" compared to 9 "Example". Best stick to the predominant style.

[ctrlcctrlv]

@asomers OK

[asomers]

There are still two things that concern me:

1. You have some really big unsafe blocks. Can you shrink the scope of those blocks to the absolute minimum?
2. You have some from functions that take their arguments by value, even though it looks like a reference would work fine. Unless it's absolutely necessary, it's better to take arguments by reference. That gives the caller more flexibility.

[ctrlcctrlv]

@asomers f47800c

Hoping this will be the final commit. 🤞

[asomers]

Why did you use raw pointers instead of references? Dereferencing raw pointers is unsafe.

[ctrlcctrlv]

@asomers Because I only ever convert libc::passwd and libc::group from raw pointers, and that is the only way to get their data. A reference to one of them would just be a reference to a raw pointer...I think. You have to dereference them, I just changed where that happens.

[asomers]

Yeah, but you moved the raw pointer dereference into part of the public API! And in a safe function, no less! That means that any user can pass us a *const libc::passwd (which they can create in safe code by casting), and we'll dereference it and potentially crash. That's not ok. We need to control when and where that pointer is dereferenced. It should only happen when we have control of how the pointer was created, and we know that it's valid.

[ctrlcctrlv]

@asomers OK, I understand. Thank you very much for the explanation. I'm sorry if I'm annoying you. This is my first major commit to a Rust library. I'll think about how to handle this. Maybe using the From trait at all is unwise, I think probably this should not be public.

[Susurrus]

A lot of minor style changes.

[Susurrus]

These should always come after the doccomments.

Also is there a reason you didn't derive the other commonly-derived traits as well?

[dario23]

moved below the doc-comments, and added the full set of Debug, Copy, Clone, Eq, PartialEq, Hash, Default, for UserQuery, GroupQuery, Users, Groups (where applicable, not all can be Copy, enums can't be Default)

[Susurrus]

Can you use a more descriptive variable name here? i is almost always a counter variable as well, so this is confusing.

[dario23]

changed i to error for all four occurences

[Susurrus]

If you're just doing an if/else like this I'd recommend doing that instead of a match, which is a little more heavyweight.

[dario23]

changed it to an if/else.

[Susurrus]

You can just do use libc::{self, c_char};

[dario23]

done.

[Susurrus]

Is there any reason the user of this API needs to set the internal value? If not, you should make it private and add a getter to get the value instead. This is more common with Rust types and used elsewhere in nix.

[dario23]

done.

[Susurrus]

The first letters in all these doccomments should be capitalized.

[dario23]

done.

[Susurrus]

The OSes need to be alphabetized. Additionally, these sould not use a negation and instead explicitly list all OSes.

[dario23]

alphabetical order done; avoiding negations seems quite verbose to me, and cfg(not( seems to occur more througout the existing part as well.

[Susurrus]

Attributes should got under the doccomments.

[dario23]

done.

[Susurrus]

Doccomments go above the attributes.

[dario23]

done.

[Susurrus]

This probably should be public, yes?

Additionally, what's with the weird Option<Result<_>> type?

[ctrlcctrlv]

The Option<Result<_>> type makes sense in this case due to the lower level API.

If you receive Some(Ok(_)), it means that there was a user found and its data fit in the buffer and is now wrapped in the result.
If you receive a Some(Err(_)), it means that there was a user found but its data did not fit in the buffer, and you should recall with one of the WithBufsize variants with a higher size.
If you receive a None, it means that no user was found.

[Susurrus]

I'm wondering if we shouldn't use our own return type to specify these different states. I haven't thought hard about this, so maybe one doesn't exist, but glancing at this I'd think we could have a more ergonomic API here.

[ctrlcctrlv]

With all due respect, I'm not sure what that would look like and don't think there's anything wrong with the current return type...maybe an alternate return type would look better, but using standard types like this is certainly more ergonomic IMO.

[asomers]

I think a better API would be for the caller to supply an optional bufsize. If not provided, then Nix will choose a bufsize, retrying with a larger buffer if necessary. Also, why is there a need for the Queryable trait? I get that User and Group have a similar API. But if there's never going to be any generic function with an indiscriminate Queryable type in its signature, then there's no need to define a trait. I might do it like this:

pub enum GroupQuery<'a> {
    Gid(gid),
    Name(&'a str)
}
impl Group {
    fn query(q: GroupQuery, bufsize: Option<usize>) -> Option<Result<Self>>;
}

let res = Group::query(GroupQuery::Name("root"), Some(2048)).unwrap();

However, it would be even simpler to eliminate the GroupQuery type entirely, replacing it with two separate constructors:

impl Group {
    fn from_gid(gid: Gid, bufsize: Option<usize>) -> Option<Result<Self>>;
    fn from_name(name: &str, bufsize: Option<usize>) -> Option<Result<Self>>;
}

let res = Group::from_name("root", Some(2048)).unwrap();

What @Susurrus was suggesting would be to create a bespoke return type to get rid of the double unwrap wart. It would look like this:

enum GroupResult {
    /// No group found
    None,
    /// An error was encountered while searching
    Err(Error),
    Some(Group)
}

Such a type could still support most of the common operators that are defined for std::option::Option and std::result::Result, i.e. unwrap, is_some, is_err, is_none, etc.

[ctrlcctrlv]

OK, sorry everyone, the priorities of my company changed so I hadn't had much time to work on this, but the microservice I wrote which uses this API is back under scrutiny again so I'll be soon working on getting this commit into nix since we do not want to use private branches of modules if we can help it for important parts of our code.

[asomers]

That looks like a step in the right direction. It certainly reduced duplication.

[asomers]

Extending by only one byte at a time could take awhile. It would be better to double the storage instead. That's what the C library does. Also, you shouldn't extend the buffer ad infinitum. At some point you should give up and return ERANGE. The C library does that at 1MB.

[otavio]

I think we can add a top limit, however, the same strategy is used inside std. For example: https://doc.rust-lang.org/src/alloc/vec.rs.html#949

Also, inside nix code it is also used. See: https://github.com/nix-rust/nix/blob/master/src/unistd.rs#L579-L583

[asomers]

The link from inside of Vec is very different. In that case, it really is only 1 additional element's worth of space that is needed. Here, an unknown amount of additional space is needed. That's why I suggest doubling the storage. Nix's getcwd() method should probably do the same.

[otavio]

The link from inside of Vec is very different. In that case, it really is only 1 additional element's worth of space that is needed. Here, an unknown amount of additional space is needed. That's why I suggest doubling the storage. Nix's getcwd() method should probably do the same.

From reading the std code, it seems different. See:

https://github.com/rust-lang/rust/blob/bdfd698f37184da42254a03ed466ab1f90e6fb6c/src/liballoc/raw_vec.rs#L494-L500

and

https://github.com/rust-lang/rust/blob/bdfd698f37184da42254a03ed466ab1f90e6fb6c/src/liballoc/raw_vec.rs#L421-L434

So it seems todo exactly this; it seems good to keep the code simple but if really desired, I can rework this.

[asomers]

That's just the current implementation. Nix shouldn't rely upon it. We should actually try to reserve a reasonable amount of space for what our application needs.

[asomers]

This signature is so big that it would probably be written better with a where clause:

    fn from_anything<F>(f: F) -> Result<Option<Self>>
    where
        F: Fn(
            *mut libc::passwd,
            *mut libc::c_char,
            libc::size_t,
            *mut *mut libc::passwd,
        ) -> libc::c_int

[asomers]

No, absolutely not. This is very unsafe and totally unnecessary. Did you mean to commit this line?

[asomers]

This should be >=, not ==

[asomers]

No need to override the standard library. You can use reserve instead of reserve_exact. I just don't want to rely on reserve(1) actually reserving more space than 1.

[asomers]

Not that it's defined in any publicly visible place, but FreeBSD internally sets this limit to 1MB.

[asomers]

You were right the first time. GETPW_R_SIZE_MAX is the suggested initial size of the buffer for password entries, not the maximum size (earlier versions of POSIX did specify the maximum size).

[asomers]

As above, bufsize should be the intial sizes of the vec, not the maximum.

[asomers]

The sets the initial and maximum sizes to the same value. You should probably choose a larger maximum size. As I said, FreeBSD internally uses 1MB.

[otavio]

And how we can inquiry the OS to get this information? Blindly put a number does not sounds right.

[asomers]

You can't. There's no way to query it. And there's no need to, for consumers of the C API. It's irrelevant for getpwnam_r since the user provides his own buffer, and the user doesn't need to know it when using getpwnam. But if we want to provide a Rusty API that is both reentrant and allocates the buffer internally, then we need to choose a sane limit ourselves. Do you have a better idea?

[asomers]

I'm curious. Why 16KB for the pwent limit?

[asomers]

I think the code would be more readable if you moved Errno::result(...)? closer to the call site on line 1339.

[otavio]

Reworked. Also, the 16Kb was taken from https://linux.die.net/man/3/getpwuid_r example code.

[asomers]

What I meant is that it would be more idiomatic to write it like this:

let ngroups = unsafe { libc::getgroups(0, ptr::null_mut()) }? as usize;

[ctrlcctrlv]

I'm closing this because I'm tired of seeing it in my PR list. I won't delete the underlying branch, please just open a new PR if you will try to revive whatever wasn't included in #1139.

Should you care to know why, I've written a small blog about it: https://gist.github.com/ctrlcctrlv/978b3ee4f55d4b4ec415a985e01cb1c9