Lighttpd

ought to be my last solaris patch.

Indeed it is not documented it is a known feature tough when you get to do solaris native programming, one of the few visible examples you can find is openssh (doing the opposite of course)

https://github.com/openssh/openssh-portable/blob/master/platform-tracing.c#L55

Thanks for the pointer to an example. Should this patch check the return value from setpflags()? Should lighttpd issue trace if setpflags() fails? Should lighttpd fail and exit? (probably not) Should lighttpd use getpflags() to see if this needs to be set? How should lighttpd handle EPERM from setpflags() or will that not occur with __PROC_PROTECT?

should be fine. In openssh case it s important they check since they want to make sure it can't be traced while here it s more like "icing on the cake".

gstrauss wrote in #note-4:

Thanks for the pointer to an example. Should this patch check the return value from setpflags()? Should lighttpd issue trace if setpflags() fails? Should lighttpd fail and exit? (probably not) Should lighttpd use getpflags() to see if this needs to be set? How should lighttpd handle EPERM from setpflags() or will that not occur with __PROC_PROTECT?

at worse a log entry warning about the failure should be good enough, indeed stopping lighttpd "just" because of this sounds harsh. but that s just a suggestion.

FYI with this basic hello world

#include <priv.h>
#include <stdio.h>

int main(void)
{
        printf("1st attempt %d\n", setpflags(__PROC_PROTECT, 0));
        printf("2nd attempt %d\n", setpflags(__PROC_PROTECT, 0));
        return 0;
}

dcarlier@openindianavbox:/tmp$ gcc a.c
dcarlier@openindianavbox:/tmp$ ./a.out 
1st attempt 0
2nd attempt 0

don t think we need getpflags to check.

your last changes work for me.