Mark nix::unistd::daemon unsafe and document why.

blp · blp · commit 2d74279caeff · 2025-08-22T14:24:10.000-07:00
Fixes: #2663 Signed-off-by: Ben Pfaff <blp@cs.stanford.edu>
diff --git a/changelog/2664.changed.md b/changelog/2664.changed.md
@@ -0,0 +1,2 @@
+Changed `nix::unistd::daemon` to be `unsafe`.  The documentation for
+the function explains why.
diff --git a/src/unistd.rs b/src/unistd.rs
@@ -1262,13 +1262,23 @@ pub fn execveat<Fd: std::os::fd::AsFd, SA: AsRef<CStr>, SE: AsRef<CStr>>(
 ///   descriptors will remain identical after daemonizing.
 /// * `noclose = false`: The process' stdin, stdout, and stderr will point to
 ///   `/dev/null` after daemonizing.
+///
+/// # Safety
+///
+/// Running in the child process of a fork is unsafe, with issues that are
+/// specially pronounced for multithreaded processes.  The documentation for
+/// [CommandExt::pre_exec] discusses some of these issues, and [`rust-lang`
+/// issue 39575] has a few further examples.
+///
+/// [CommandExt::pre_exec]: std::os::unix::process::CommandExt::pre_exec
+/// [`rust-lang` issue 39575]: https://github.com/rust-lang/rust/issues/39575
 #[cfg(any(
         linux_android,
         freebsdlike,
         solarish,
         netbsdlike
 ))]
-pub fn daemon(nochdir: bool, noclose: bool) -> Result<()> {
+pub unsafe fn daemon(nochdir: bool, noclose: bool) -> Result<()> {
     let res = unsafe { libc::daemon(nochdir as c_int, noclose as c_int) };
     Errno::result(res).map(drop)
 }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+Changed `nix::unistd::daemon` to be `unsafe`. The documentation for
	`2`	`+the function explains why.`