Tags: golang/glog
Tags
glog: generate a Fatalf-like error message when writing to logsinks fails (#76)

Writing to logsinks can fail (for example due to "no space left on device" or I/O errors). When that happens glog has no reasonable way to continue and causes the program to exit with exit status 2.

Previously glog reused the metadata of the current call to print an error message, but that was problematic. Depending on the current call's log severity it's possible that the program just exited without printing anything. That's confusing and hard to debug.

To fix that, glog now creates a new FATAL-level metadata object and prints a clearer error message (with stacks). In most situations this will at least be logged to stderr.

Thanks @atetubou for the initial fix!

cl/750790337 (google-internal)
cl/752634801 (google-internal)
glog: have createInDir fail if the file already exists

This prevents an attack like the one described [here](https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File#:~:text=On%20Unix%20based,with%20elevated%20permissions.). An unprivileged attacker could use symlinks to trick a privileged logging process to follow a symlink from the log dir and write logs over an arbitrary file.

The components of the log names are program, host, username, tag, date, time and PID. These are all predictable. It's not at all unusual for the logdir to be writable by unprivileged users, and one of the fallback directories (/tmp) traditionally has broad write privs with the sticky bit set on Unix systems.

As a concrete example, let's say I've got a glog-enabled binary running as a root cronjob. I can gauge when that cron job will run and then use a bash script to spray the log dir with glog-looking symlinks to `/etc/shadow` with predicted times and PIDs. When the cronjob runs, the `os.Create` call will follow the symlink, truncate `/etc/shadow` and then fill it with logs.

This change defeats that by setting `O_EXCL`, which will cause the open call to fail if the file already exists.

Fixes CVE-2024-45339

cl/712795111 (google-internal)
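The two open modes named in the commit message above, side by side, as an added example that is not glog's own code. The scratch directory, file names and the helpers `openLog` and `run` are constructed for illustration, and the exact flag set glog passes alongside `O_EXCL` is an assumption; a Unix-like system is assumed for `os.Symlink`.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// openLog (hypothetical helper) opens a log file either with the flags
// os.Create uses, which follow an existing symlink and truncate its
// target, or with O_EXCL, which refuses any pre-existing name.
func openLog(path string, exclusive bool) (*os.File, error) {
	flags := os.O_RDWR | os.O_CREATE | os.O_TRUNC // same flags as os.Create
	if exclusive {
		flags = os.O_RDWR | os.O_CREATE | os.O_EXCL // assumed hardened flags
	}
	return os.OpenFile(path, flags, 0o666)
}

// run plants a symlink at a predictable log name inside a scratch
// directory (all names constructed) and returns the content of the
// link's target after the open attempt, plus the error from the open.
func run(exclusive bool) (content string, openErr error) {
	dir, err := os.MkdirTemp("", "glogdemo")
	if err != nil {
		return "", err
	}
	defer os.RemoveAll(dir)
	target := filepath.Join(dir, "protected.txt")
	logName := filepath.Join(dir, "prog.host.user.log.INFO.20240101-000000.1234")
	if err := os.WriteFile(target, []byte("secret"), 0o600); err != nil {
		return "", err
	}
	if err := os.Symlink(target, logName); err != nil {
		return "", err
	}
	f, openErr := openLog(logName, exclusive)
	if openErr == nil {
		f.WriteString("log line\n") // lands in the symlink target
		f.Close()
	}
	data, _ := os.ReadFile(target)
	return string(data), openErr
}

func main() {
	for _, excl := range []bool{false, true} {
		content, err := run(excl)
		fmt.Printf("O_EXCL=%v target=%q refused=%v\n", excl, content, errors.Is(err, os.ErrExist))
	}
}
```

With `O_EXCL` the kernel returns `EEXIST` for the symlink itself without resolving it, so the target keeps its original content and the caller sees an error it can log or alert on.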
glog: avoid calling user.Current() on windows (#69)

Use the current process token to look up the user's name on Windows. This is more reliable than using the USER or USERNAME environment variables, which are not always set, or might be overridden by the user accidentally or maliciously.

It follows the implementation of user.Current() in the standard library.

cl/650142356 (google-internal)
glog: add context variants to most log functions

We export this new API to make the internal and external versions identical. The context is currently plumbed through to the internal/logsink package, but effectively discarded there.

cl/560684897 (google-internal)
cl/579771826 (google-internal)
glog: use os.Stderr directly for writing to stderr (#62)

This was raised in https://groups.google.com/g/golang-nuts/c/o85vycfiGVY/m/MblpnfF6BQAJ.

Before the 1.1.0 release it was possible to set os.Stderr to a different *os.File (like an os.Pipe) to capture output that is written to stderr. Restore that behavior.