5fe915ee | 1 | /* hairy bits of Hurd file name lookup |
bfff8b1b | 2 | Copyright (C) 1992-2017 Free Software Foundation, Inc. |
3 | This file is part of the GNU C Library. |
4 | ||
5 | The GNU C Library is free software; you can redistribute it and/or | |
6 | modify it under the terms of the GNU Lesser General Public |
7 | License as published by the Free Software Foundation; either | |
8 | version 2.1 of the License, or (at your option) any later version. | |
9 | |
10 | The GNU C Library is distributed in the hope that it will be useful, | |
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of | |
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
41bdb6e2 | 13 | Lesser General Public License for more details. |
5fe915ee | 14 | |
41bdb6e2 | 15 | You should have received a copy of the GNU Lesser General Public |
16 | License along with the GNU C Library; if not, see |
17 | <http://www.gnu.org/licenses/>. */ | |
18 | |
19 | #include <hurd.h> | |
20 | #include <hurd/lookup.h> | |
21 | #include <hurd/term.h> | |
22 | #include <hurd/paths.h> | |
23 | #include <limits.h> | |
24 | #include <fcntl.h> | |
25 | #include <string.h> | |
eb96ffb0 | 26 | #include <_itoa.h> |
4f75b7a0 | 27 | #include <eloop-threshold.h> |
28 | |
29 | /* Translate the error from dir_lookup into the error the user sees. */ | |
/* Map the error a dir_lookup RPC returned onto the one the user should see.
   A server that does not implement dir_lookup at all answers EOPNOTSUPP or
   MIG_BAD_ID; since any directory would implement it, that means the node
   is not a directory.  Every other code is passed through untouched.  */
static inline error_t
lookup_error (error_t error)
{
  if (error == EOPNOTSUPP || error == MIG_BAD_ID)
    return ENOTDIR;
  return error;
}
44 | ||
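/* Continue a file name lookup from the retry state a previous dir_lookup
   step left behind, until a final port is obtained or an error occurs.

   USE_INIT_PORT (WHICH, OPERATE) runs OPERATE on the caller's init port
   WHICH; the indices used here are INIT_PORT_CWDIR, INIT_PORT_CRDIR,
   INIT_PORT_AUTH and INIT_PORT_CTTYID.
   GET_DTABLE_PORT (FD) yields the port for descriptor FD, or MACH_PORT_NULL
   (and, presumably, errno) if there is none; it is only consulted for the
   "fd/N" magical retry and may be NULL, in which case that retry fails.
   LOOKUP performs one dir_lookup-style step; NULL selects __dir_lookup.
   DORETRY / RETRYNAME are the retry state from the previous step; RETRYNAME
   is rewritten in place as components are consumed.
   FLAGS and MODE are handed to each LOOKUP call; O_NOFOLLOW and O_TRUNC are
   additionally acted on here once the final port is reached.
   *RESULT holds the port the previous step returned and receives the final
   port.  Returns 0 on success, otherwise an error code.  The ELOOP and
   final-step error paths release *RESULT; ports obtained for intermediate
   steps are released here after their lookup step.  */
error_t
__hurd_file_name_lookup_retry (error_t (*use_init_port)
                                 (int which, error_t (*operate) (file_t)),
                               file_t (*get_dtable_port) (int fd),
                               error_t (*lookup)
                                 (file_t dir, char *name,
                                  int flags, mode_t mode,
                                  retry_type *do_retry, string_t retry_name,
                                  mach_port_t *result),
                               enum retry_type doretry,
                               char retryname[1024],
                               int flags, mode_t mode,
                               file_t *result)
{
  error_t err;
  char *file_name;
  int nloops;

  /* One lookup step from STARTDIR on FILE_NAME.  Leading slashes are
     collapsed first, so an absolute-looking retry name is resolved relative
     to whichever port the caller chose as STARTDIR (a name that is just "/"
     is left alone).  DORETRY, RETRYNAME and *RESULT are updated through the
     LOOKUP callback.  */
  error_t lookup_op (file_t startdir)
    {
      if (file_name[0] == '/' && file_name[1] != '\0')
        {
          while (file_name[1] == '/')
            /* Remove double leading slash.  */
            file_name++;
          if (file_name[1] != '\0')
            /* Remove leading slash when we have more than the slash.  */
            file_name++;
        }

      return lookup_error ((*lookup) (startdir, file_name, flags, mode,
                                      &doretry, retryname, result));
    }

  /* Exchange the unauthenticated port UNAUTH for one authenticated with the
     caller's auth port (obtained via USE_INIT_PORT (INIT_PORT_AUTH)), and
     store the new port in *NEWPORT.  REF is a transient reply port passed
     to both sides of the exchange.  UNAUTH is always released, so on
     failure the caller must treat its old port name as gone.  */
  error_t reauthenticate (file_t unauth, file_t *newport)
    {
      error_t err;
      mach_port_t ref = __mach_reply_port ();
      error_t reauth (auth_t auth)
        {
          return __auth_user_authenticate (auth, ref,
                                           MACH_MSG_TYPE_MAKE_SEND,
                                           newport);
        }
      err = __io_reauthenticate (unauth, ref, MACH_MSG_TYPE_MAKE_SEND);
      if (! err)
        err = (*use_init_port) (INIT_PORT_AUTH, &reauth);
      __mach_port_destroy (__mach_task_self (), ref);
      __mach_port_deallocate (__mach_task_self (), unauth);
      return err;
    }

  if (! lookup)
    lookup = __dir_lookup;

  nloops = 0;
  err = 0;
  do
    {
      /* STARTDIR == MACH_PORT_NULL means "look up from init port DIRPORT"
         (the cwd, or the root after an absolute retry); otherwise the step
         starts at STARTDIR, which is released afterwards.  */
      file_t startdir = MACH_PORT_NULL;
      int dirport = INIT_PORT_CWDIR;

      switch (doretry)
        {
        case FS_RETRY_REAUTH:
          /* The server asked us to reauthenticate the port it returned
             before continuing; the authenticated port replaces *RESULT.  */
          if (err = reauthenticate (*result, result))
            return err;
          /* Fall through.  */

        case FS_RETRY_NORMAL:
          /* Every retry counts toward the symlink-loop limit, so a server
             that keeps bouncing us cannot make us loop forever.  */
          if (nloops++ >= __eloop_threshold ())
            {
              __mach_port_deallocate (__mach_task_self (), *result);
              return ELOOP;
            }

          /* An empty RETRYNAME indicates we have the final port.  */
          if (retryname[0] == '\0' &&
              /* If reauth'd, we must do one more retry on "" to give the new
                 translator a chance to make a new port for us.  */
              doretry == FS_RETRY_NORMAL)
            {
              if (flags & O_NOFOLLOW)
                {
                  /* In Linux, O_NOFOLLOW means to reject symlinks.  If we
                     did an O_NOLINK lookup above and io_stat here to check
                     for S_IFLNK, a translator like firmlink could easily
                     spoof this check by not showing S_IFLNK, but in fact
                     redirecting the lookup to some other name
                     (i.e. opening the very same holes a symlink would).

                     Instead we do an O_NOTRANS lookup above, and stat the
                     underlying node: if it has a translator set, and its
                     owner is not root (st_uid 0) then we reject it.
                     Since the motivation for this feature is security, and
                     that security presumes we trust the containing
                     directory, this check approximates the security of
                     refusing symlinks while accepting mount points.
                     Note that we actually permit something Linux doesn't:
                     we follow root-owned symlinks; if that is deemed
                     undesireable, we can add a final check for that
                     one exception to our general translator-based rule.  */
                  struct stat64 st;
                  err = __io_stat (*result, &st);
                  if (!err
                      && (st.st_mode & (S_IPTRANS|S_IATRANS)))
                    {
                      if (st.st_uid != 0)
                        err = ENOENT;
                      else if (st.st_mode & S_IPTRANS)
                        {
                          /* Root-owned passive translator: reject it only
                             if the record names the symlink translator.
                             The record is NUL-separated words, and the
                             comparison includes _HURD_SYMLINK's NUL, so
                             "/hurd/symlinkfoo" does not match.  A record
                             that is just the program name with no target
                             (translen == sizeof _HURD_SYMLINK) is not
                             rejected; presumably harmless.  */
                          char buf[1024];
                          char *trans = buf;
                          size_t translen = sizeof buf;
                          err = __file_get_translator (*result,
                                                       &trans, &translen);
                          if (!err
                              && translen > sizeof _HURD_SYMLINK
                              && !memcmp (trans,
                                          _HURD_SYMLINK, sizeof _HURD_SYMLINK))
                            err = ENOENT;
                          /* NOTE(review): if the RPC returned the record out
                             of line (TRANS != BUF), nothing deallocates it
                             here — looks like a leak for records longer than
                             BUF; confirm against the RPC's memory contract.  */
                        }
                    }
                }

              /* We got a successful translation.  Now apply any open-time
                 action flags we were passed.  */

              if (!err && (flags & O_TRUNC)) /* Asked to truncate the file.  */
                err = __file_set_size (*result, 0);

              if (err)
                __mach_port_deallocate (__mach_task_self (), *result);
              return err;
            }

          /* More name to resolve: continue from the port just returned.  */
          startdir = *result;
          file_name = retryname;
          break;

        case FS_RETRY_MAGICAL:
          /* The server did not resolve the name itself but asked us to
             interpret RETRYNAME.  Only the forms below are honored;
             anything else is EGRATUITOUS.  */
          switch (retryname[0])
            {
            case '/':
              /* Absolute retry: restart from the root directory.  Any port
                 the server returned alongside is not needed.  */
              dirport = INIT_PORT_CRDIR;
              if (*result != MACH_PORT_NULL)
                __mach_port_deallocate (__mach_task_self (), *result);
              if (nloops++ >= __eloop_threshold ())
                return ELOOP;
              file_name = &retryname[1];
              break;

            case 'f':
              if (retryname[1] == 'd' && retryname[2] == '/')
                {
                  /* "fd/N[/REST]": continue from the caller's own
                     descriptor N.  The number is chosen by the server but
                     the port comes from the caller's table, so a server can
                     redirect a lookup to any descriptor the caller holds;
                     that is the documented meaning of this retry.  */
                  int fd;
                  unsigned long num;
                  char *end;
                  int save = errno;
                  errno = 0;
                  num = __strtoul_internal (&retryname[3], &end, 10, 0);
                  /* Accept only a bare decimal number that fits an int.
                     strtoul would also tolerate leading whitespace, a sign,
                     or no digits at all (yielding descriptor 0 for "fd/"),
                     none of which names a descriptor.  A slash may follow;
                     it ends the component.  */
                  if (retryname[3] < '0' || retryname[3] > '9'
                      || end == NULL || errno
                      || num > INT_MAX
                      || (*end != '/' && *end != '\0'))
                    {
                      errno = save;
                      return ENOENT;
                    }
                  fd = (int) num;
                  if (! get_dtable_port)
                    err = EGRATUITOUS;
                  else
                    {
                      *result = (*get_dtable_port) (fd);
                      if (*result == MACH_PORT_NULL)
                        /* If the name was a proper number, but the file
                           descriptor does not exist, we return EBADF instead
                           of ENOENT.  GET_DTABLE_PORT is expected to have set
                           errno; never report success with a null port if it
                           did not.  */
                        err = errno ? errno : EBADF;
                    }
                  errno = save;
                  if (err)
                    return err;
                  if (*end == '\0')
                    /* NOTE(review): the descriptor's port is returned as-is;
                       O_NOFOLLOW / O_TRUNC are not applied on this path.  */
                    return 0;
                  /* Do a normal retry on the remaining components.  */
                  startdir = *result;
                  file_name = end + 1; /* Skip the slash.  */
                  break;
                }
              else
                goto bad_magic;
              break;

            case 'm':
              if (retryname[1] == 'a' && retryname[2] == 'c' &&
                  retryname[3] == 'h' && retryname[4] == 't' &&
                  retryname[5] == 'y' && retryname[6] == 'p' &&
                  retryname[7] == 'e')
                {
                  /* "machtype[REST]": replace the 8-byte prefix with this
                     host's "CPU_TYPE/CPU_SUBTYPE" and look the result up
                     from the directory that asked for the retry.  */
                  struct host_basic_info hostinfo;
                  mach_msg_type_number_t hostinfocnt = HOST_BASIC_INFO_COUNT;
                  /* Room for two unsigned long long decimal numbers and the
                     separating slash (_itoa widens its argument).  */
                  char numbuf[2 * 3 * sizeof (unsigned long long) + 2];
                  char *p, *lim = numbuf + sizeof numbuf;
                  size_t numlen, restlen;
                  /* XXX want client's host */
                  if (err = __host_info (__mach_host_self (), HOST_BASIC_INFO,
                                         (integer_t *) &hostinfo,
                                         &hostinfocnt))
                    return err;
                  if (hostinfocnt != HOST_BASIC_INFO_COUNT)
                    return EGRATUITOUS;
                  /* _itoa writes digits backwards ending just before its
                     limit argument and returns the first digit, so build
                     "TYPE/SUBTYPE" right to left in a scratch buffer: the
                     subtype, then the slash, then the type ending just
                     before the slash (passing P, not the buffer end, keeps
                     the type from overwriting the subtype).  */
                  p = _itoa (hostinfo.cpu_subtype, lim, 10, 0);
                  *--p = '/';
                  p = _itoa (hostinfo.cpu_type, p, 10, 0);
                  numlen = lim - p;
                  restlen = strlen (&retryname[8]) + 1; /* Includes the NUL.  */
                  /* Check the fit before touching RETRYNAME instead of
                     writing first and aborting afterwards.  */
                  if (numlen + restlen > 1024)
                    return ENAMETOOLONG;
                  memmove (&retryname[numlen], &retryname[8], restlen);
                  memcpy (retryname, p, numlen);
                  startdir = *result;
                  file_name = retryname;
                }
              else
                goto bad_magic;
              break;

            case 't':
              if (retryname[1] == 't' && retryname[2] == 'y')
                switch (retryname[3])
                  {
                    /* Open the caller's controlling terminal (init port
                       INIT_PORT_CTTYID) with FLAGS, reauthenticate the port
                       we get, and store it in *TTYPORT.  */
                    error_t opentty (file_t *ttyport)
                      {
                        error_t err;
                        error_t ctty_open (file_t port)
                          {
                            if (port == MACH_PORT_NULL)
                              return ENXIO; /* No controlling terminal.  */
                            return __termctty_open_terminal (port,
                                                             flags,
                                                             ttyport);
                          }
                        err = (*use_init_port) (INIT_PORT_CTTYID, &ctty_open);
                        if (! err)
                          /* The authenticated port must land in *TTYPORT,
                             which is STARTDIR in the "tty/REST" case below
                             and not the caller's *RESULT.  */
                          err = reauthenticate (*ttyport, ttyport);
                        return err;
                      }

                  case '\0':
                    /* "tty": the terminal itself is the final port.  */
                    return opentty (result);
                  case '/':
                    /* "tty/REST": open the terminal, then look REST up inside
                       it.  STARTDIR is released after that step like any
                       other start port.  */
                    if (err = opentty (&startdir))
                      return err;
                    /* Shift REST down over the "tty/" prefix.  The regions
                       overlap, so this must not be strcpy.  */
                    memmove (retryname, &retryname[4],
                             strlen (&retryname[4]) + 1);
                    file_name = retryname;
                    break;
                  default:
                    goto bad_magic;
                  }
              else
                goto bad_magic;
              break;

            default:
            bad_magic:
              return EGRATUITOUS;
            }
          break;

        default:
          return EGRATUITOUS;
        }

      if (startdir != MACH_PORT_NULL)
        {
          err = lookup_op (startdir);
          __mach_port_deallocate (__mach_task_self (), startdir);
          startdir = MACH_PORT_NULL;
        }
      else
        err = (*use_init_port) (dirport, &lookup_op);
    } while (! err);

  return err;
}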
/* Public (non-reserved) name for the entry point defined above.  */
weak_alias (__hurd_file_name_lookup_retry, hurd_file_name_lookup_retry)