"Graham Trott" gt@pobox.com writes:
> I don't have any books on C programming for Linux, and the ones at Amazon etc. are expensive. Then I came across a free book at
> http://www.advancedlinuxprogramming.com/
> which I rate as a first-class introduction to the subject and I thoroughly recommend it to anyone else wanting to do 'C'.

I had a brief look and was somewhat underwhelmed. Some complaints include:
* The readlink() example contains a buffer overrun! (Triggered by links longer than 255 characters.)
* They don't seem very hot on error handling, a vital part of writing half-way decent software. Calling fsync() and ignoring the return value is the most egregious example I noticed (it'll just slow your program down without making it reliable in the intended way), but it seems to be a common problem in many parts of the book.
* They misdocument access() - it doesn't tell you whether you can read/write/etc the file, it tells you whether the real UID/GID the process is running under can access them, which is different in a setuid/setgid program.
* They seem confused about the reasons to avoid using system() and the contexts in which to do so; you don't avoid it because it's hard to predict what the shell is but because the behaviour of the shell is influenced by many environment variables etc., which means you have to thoroughly sanitize the environment before calling it if there are any kind of security boundaries involved, and system() doesn't do this.
They do at least point out the quoting problems for system/popen.
* The 'security hole: programs with execute permissions' part seems completely confused. Yes, a user could copy a program, add execute bits, and run it, but that wouldn't permit them to do anything they couldn't do by compiling the programs themselves (or compiling it elsewhere and uploading it); if that's a security hole then frankly you have worse things to worry about.
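
The readlink() complaint above, as an added example that is not part of the original post or of the book: a reader that grows its buffer until the target fits, terminates the string itself, and checks every return value. The names `read_link_alloc` and `demo_long_link` are hypothetical, and the 300-byte symlink target is constructed for the check.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* declares readlink, symlink, mkdtemp */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Return the target of the symlink at `path` as a malloc'd, NUL-terminated
   string, or NULL with errno set. (Hypothetical helper, not from the book.) */
char *read_link_alloc(const char *path)
{
    size_t size = 64;                  /* deliberately small: forces growth */
    for (;;) {
        char *buf = malloc(size);
        if (buf == NULL)
            return NULL;
        ssize_t n = readlink(path, buf, size);
        if (n < 0) {                   /* e.g. ENOENT, or EINVAL: not a symlink */
            int saved = errno;
            free(buf);
            errno = saved;
            return NULL;
        }
        if ((size_t)n < size) {        /* fits, with room for the terminator */
            buf[n] = '\0';             /* readlink() does not add one */
            return buf;
        }
        free(buf);                     /* n == size: may be truncated, retry */
        size *= 2;
    }
}

/* Constructed check: create a dangling symlink with a 300-byte target and
   return the length read back, or -1 on any failure. */
long demo_long_link(void)
{
    char target[301], dir[] = "/tmp/rlXXXXXX", lnk[64];
    long len = -1;
    for (int i = 0; i < 300; i++) target[i] = (i % 4 == 3) ? '/' : 'd';
    target[300] = '\0';
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(lnk, sizeof lnk, "%s/l", dir);
    if (symlink(target, lnk) == 0) {
        char *got = read_link_alloc(lnk);
        if (got != NULL && strcmp(got, target) == 0) len = (long)strlen(got);
        free(got);
        unlink(lnk);
    }
    rmdir(dir);
    return len;
}
```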