"Cookie" or "handle" are definitely good words here. The part "to position the directory descriptor to the start of the entry next to the current" could be simplified a bit to "to position the directory descriptor to the next entry" since the position cannot be in the middle of an entry.

The man page seems to contain the right content now. I just have some English language comments.

In D17547#375528, @kib wrote:

In D17547#375474, @jilles wrote:

Unconditionally allowing absolute paths with O_BENEATH seems a bit strange, as I expect this to be used for partially untrusted paths. An application can easily check for absolute paths and cause either behaviour (allowing or disallowing).

This was one of my questions. But, it is not clear to me what change, if any, you are proposing.

OUTBUFSIZ is somewhat of a strange name given that these buffers contain shell input.

I think it would make more sense to define a new buffer size constant than modifying BUFSIZ.

Unconditionally allowing absolute paths with O_BENEATH seems a bit strange, as I expect this to be used for partially untrusted paths. An application can easily check for absolute paths and cause either behaviour (allowing or disallowing).

I don't think "Show time for sorting" is better than "Use time for sorting". If you want to avoid the weak "use", something like "Sort by (with .Fl t) or write (with .Fl l) time when file ..." may be better.

This is not wrong, but perhaps some details about different types of errors may be helpful, such as that nonexistent usernames in -U are immediately fatal while an empty result (such as from only nonexistent process IDs in -p or only existing users that do not currently run any process in -U) still writes the header line (if not disabled) and also returns a non-zero exit status.

I would like to see a consistent behaviour in handling chown/chmod failures between creating directories and installing files. A -e flag looks ugly and should only be added if both behaviours are necessary in different situations.

There is actually another important difference between reboot and shutdown -r now: reboot does not run /etc/rc.shutdown. This is because reboot has its own shutdown procedure and does not signal init like init 6 and shutdown -r now do (except in the case of rerooting via reboot -r).

This is useful, but some parts seem too specific to usage in appliances.

I think this looks good except that I would like to consider a new errno again.

iflag= and oflag= would be better than inventing something new.

NetBSD and GNU instead have iflag= and oflag= operands that accept various open flags such as direct. I think that makes more sense, even though conv=notrunc could be considered to belong with oflag instead (but does not for historical reasons).

In D16075#340644, @eadler wrote:

For my edification: the two possible solutions to cast alignment are (a) memcpy and (b) aligned_alloc. The issue with the latter is that the compiler likely won't understand it, and thus still warn.

Perhaps the alternative of listing and extracting iso images using tar(1) can be mentioned as well.

Looks good to me apart from the comment. Sorry for the delay.

Thanks for working on this, but I think pedantic compilation modes should be kept working.

I agree that the man page should be changed, but I think it can be done better.

I like it.

The code itself looks good, but something could be improved in the man page and test.

Even though it is from January, this is still a useful patch.

I found two minor issues. It looks good otherwise.

I like the idea. Apparently, the idea of the designers of setfacl was to pipe in a list of filenames from find, but this cannot handle filenames containing newlines and race conditions (such as where an untrusted user replaces a file with a symlink to a different location).

Thanks for writing missing documentation.

In D14725#309715, @cem wrote:

In D14725#309655, @jilles wrote:

I think this kind of compatibility should be provided only if necessary for old code that cannot be changed (such as third party code). If it is just to avoid churn, we should keep using the old timespecadd and timespecsub (that is, abandon this change).

I don't follow that line of argument — that compatibility means we should abandon 3-arg timespecfoo, or bringing timespecfoo into userspace. But I will bow to quorum here, which seems to be: we'd rather churn it than have compatibility.

The changes to adapt to the new API look correct to me.

This patch only affects the -d case. Failure to change owner and modes when installing regular files is fatal in any case. Perhaps the directory case should work the same way?

This seems sensible, but I found some small mistakes in the man page.

I agree that this should be based on unlinkat(), not unlink(). The new call will therefore take two file descriptors.

I agree that hash table resizing would be nicer, but this is acceptable to commit.

Hmm, it is remarkable to see this after the monotonic clock has existed for so long. Also, GNU time and mksh's keyword appear to use CLOCK_REALTIME without configurability.

This was committed by antoine as rS327473.

It looks like it will work.

getopts also allows option-arguments in the same argument as the option, like -jGAOL, or even -ejGAOL (for a jail named GAOL). Therefore, extracting the jail option out without rebuilding the arguments completely is rather hard.

It is already possible to disable swapping out kernel stacks via sysctl vm.swap_enabled (which has a wrong description) and configure it via sysctls vm.swap_idle_threshold1 and vm.swap_idle_threshold2. What is the problem you are trying to solve?

For a long time, "swapping out" a process has only made its U area (later, only the kernel stack) pageable. This is a few pages per thread. Therefore, comparing vmspace_resident_count does not seem to make much sense.

As of rS303524 (July 2016), _WITH_GETLINE is no longer checked by stdio.h. Therefore, there are two possibilities:

Looks useful.

OK for bin/sh tests and man pages.