]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/basic/fs-util.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #6851 from keszybz/fix-masking-with-empty-files
[thirdparty/systemd.git] / src / basic / fs-util.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2010 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include <errno.h>
21 #include <stddef.h>
22 #include <stdio.h>
23 #include <stdlib.h>
24 #include <string.h>
25 #include <sys/stat.h>
26 #include <linux/magic.h>
27 #include <time.h>
28 #include <unistd.h>
29
30 #include "alloc-util.h"
31 #include "dirent-util.h"
32 #include "fd-util.h"
33 #include "fileio.h"
34 #include "fs-util.h"
35 #include "log.h"
36 #include "macro.h"
37 #include "missing.h"
38 #include "mkdir.h"
39 #include "parse-util.h"
40 #include "path-util.h"
41 #include "stat-util.h"
42 #include "stdio-util.h"
43 #include "string-util.h"
44 #include "strv.h"
45 #include "time-util.h"
46 #include "user-util.h"
47 #include "util.h"
48
49 int unlink_noerrno(const char *path) {
50 PROTECT_ERRNO;
51 int r;
52
53 r = unlink(path);
54 if (r < 0)
55 return -errno;
56
57 return 0;
58 }
59
60 int rmdir_parents(const char *path, const char *stop) {
61 size_t l;
62 int r = 0;
63
64 assert(path);
65 assert(stop);
66
67 l = strlen(path);
68
69 /* Skip trailing slashes */
70 while (l > 0 && path[l-1] == '/')
71 l--;
72
73 while (l > 0) {
74 char *t;
75
76 /* Skip last component */
77 while (l > 0 && path[l-1] != '/')
78 l--;
79
80 /* Skip trailing slashes */
81 while (l > 0 && path[l-1] == '/')
82 l--;
83
84 if (l <= 0)
85 break;
86
87 t = strndup(path, l);
88 if (!t)
89 return -ENOMEM;
90
91 if (path_startswith(stop, t)) {
92 free(t);
93 return 0;
94 }
95
96 r = rmdir(t);
97 free(t);
98
99 if (r < 0)
100 if (errno != ENOENT)
101 return -errno;
102 }
103
104 return 0;
105 }
106
107
108 int rename_noreplace(int olddirfd, const char *oldpath, int newdirfd, const char *newpath) {
109 struct stat buf;
110 int ret;
111
112 ret = renameat2(olddirfd, oldpath, newdirfd, newpath, RENAME_NOREPLACE);
113 if (ret >= 0)
114 return 0;
115
116 /* renameat2() exists since Linux 3.15, btrfs added support for it later.
117 * If it is not implemented, fallback to another method. */
118 if (!IN_SET(errno, EINVAL, ENOSYS))
119 return -errno;
120
121 /* The link()/unlink() fallback does not work on directories. But
122 * renameat() without RENAME_NOREPLACE gives the same semantics on
123 * directories, except when newpath is an *empty* directory. This is
124 * good enough. */
125 ret = fstatat(olddirfd, oldpath, &buf, AT_SYMLINK_NOFOLLOW);
126 if (ret >= 0 && S_ISDIR(buf.st_mode)) {
127 ret = renameat(olddirfd, oldpath, newdirfd, newpath);
128 return ret >= 0 ? 0 : -errno;
129 }
130
131 /* If it is not a directory, use the link()/unlink() fallback. */
132 ret = linkat(olddirfd, oldpath, newdirfd, newpath, 0);
133 if (ret < 0)
134 return -errno;
135
136 ret = unlinkat(olddirfd, oldpath, 0);
137 if (ret < 0) {
138 /* backup errno before the following unlinkat() alters it */
139 ret = errno;
140 (void) unlinkat(newdirfd, newpath, 0);
141 errno = ret;
142 return -errno;
143 }
144
145 return 0;
146 }
147
148 int readlinkat_malloc(int fd, const char *p, char **ret) {
149 size_t l = 100;
150 int r;
151
152 assert(p);
153 assert(ret);
154
155 for (;;) {
156 char *c;
157 ssize_t n;
158
159 c = new(char, l);
160 if (!c)
161 return -ENOMEM;
162
163 n = readlinkat(fd, p, c, l-1);
164 if (n < 0) {
165 r = -errno;
166 free(c);
167 return r;
168 }
169
170 if ((size_t) n < l-1) {
171 c[n] = 0;
172 *ret = c;
173 return 0;
174 }
175
176 free(c);
177 l *= 2;
178 }
179 }
180
181 int readlink_malloc(const char *p, char **ret) {
182 return readlinkat_malloc(AT_FDCWD, p, ret);
183 }
184
185 int readlink_value(const char *p, char **ret) {
186 _cleanup_free_ char *link = NULL;
187 char *value;
188 int r;
189
190 r = readlink_malloc(p, &link);
191 if (r < 0)
192 return r;
193
194 value = basename(link);
195 if (!value)
196 return -ENOENT;
197
198 value = strdup(value);
199 if (!value)
200 return -ENOMEM;
201
202 *ret = value;
203
204 return 0;
205 }
206
207 int readlink_and_make_absolute(const char *p, char **r) {
208 _cleanup_free_ char *target = NULL;
209 char *k;
210 int j;
211
212 assert(p);
213 assert(r);
214
215 j = readlink_malloc(p, &target);
216 if (j < 0)
217 return j;
218
219 k = file_in_same_dir(p, target);
220 if (!k)
221 return -ENOMEM;
222
223 *r = k;
224 return 0;
225 }
226
227 int readlink_and_canonicalize(const char *p, const char *root, char **ret) {
228 char *t, *s;
229 int r;
230
231 assert(p);
232 assert(ret);
233
234 r = readlink_and_make_absolute(p, &t);
235 if (r < 0)
236 return r;
237
238 r = chase_symlinks(t, root, 0, &s);
239 if (r < 0)
240 /* If we can't follow up, then let's return the original string, slightly cleaned up. */
241 *ret = path_kill_slashes(t);
242 else {
243 *ret = s;
244 free(t);
245 }
246
247 return 0;
248 }
249
250 int readlink_and_make_absolute_root(const char *root, const char *path, char **ret) {
251 _cleanup_free_ char *target = NULL, *t = NULL;
252 const char *full;
253 int r;
254
255 full = prefix_roota(root, path);
256 r = readlink_malloc(full, &target);
257 if (r < 0)
258 return r;
259
260 t = file_in_same_dir(path, target);
261 if (!t)
262 return -ENOMEM;
263
264 *ret = t;
265 t = NULL;
266
267 return 0;
268 }
269
270 int chmod_and_chown(const char *path, mode_t mode, uid_t uid, gid_t gid) {
271 assert(path);
272
273 /* Under the assumption that we are running privileged we
274 * first change the access mode and only then hand out
275 * ownership to avoid a window where access is too open. */
276
277 if (mode != MODE_INVALID)
278 if (chmod(path, mode) < 0)
279 return -errno;
280
281 if (uid != UID_INVALID || gid != GID_INVALID)
282 if (chown(path, uid, gid) < 0)
283 return -errno;
284
285 return 0;
286 }
287
288 int fchmod_umask(int fd, mode_t m) {
289 mode_t u;
290 int r;
291
292 u = umask(0777);
293 r = fchmod(fd, m & (~u)) < 0 ? -errno : 0;
294 umask(u);
295
296 return r;
297 }
298
299 int fd_warn_permissions(const char *path, int fd) {
300 struct stat st;
301
302 if (fstat(fd, &st) < 0)
303 return -errno;
304
305 if (st.st_mode & 0111)
306 log_warning("Configuration file %s is marked executable. Please remove executable permission bits. Proceeding anyway.", path);
307
308 if (st.st_mode & 0002)
309 log_warning("Configuration file %s is marked world-writable. Please remove world writability permission bits. Proceeding anyway.", path);
310
311 if (getpid_cached() == 1 && (st.st_mode & 0044) != 0044)
312 log_warning("Configuration file %s is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.", path);
313
314 return 0;
315 }
316
317 int touch_file(const char *path, bool parents, usec_t stamp, uid_t uid, gid_t gid, mode_t mode) {
318 _cleanup_close_ int fd;
319 int r;
320
321 assert(path);
322
323 if (parents)
324 mkdir_parents(path, 0755);
325
326 fd = open(path, O_WRONLY|O_CREAT|O_CLOEXEC|O_NOCTTY,
327 (mode == 0 || mode == MODE_INVALID) ? 0644 : mode);
328 if (fd < 0)
329 return -errno;
330
331 if (mode != MODE_INVALID) {
332 r = fchmod(fd, mode);
333 if (r < 0)
334 return -errno;
335 }
336
337 if (uid != UID_INVALID || gid != GID_INVALID) {
338 r = fchown(fd, uid, gid);
339 if (r < 0)
340 return -errno;
341 }
342
343 if (stamp != USEC_INFINITY) {
344 struct timespec ts[2];
345
346 timespec_store(&ts[0], stamp);
347 ts[1] = ts[0];
348 r = futimens(fd, ts);
349 } else
350 r = futimens(fd, NULL);
351 if (r < 0)
352 return -errno;
353
354 return 0;
355 }
356
357 int touch(const char *path) {
358 return touch_file(path, false, USEC_INFINITY, UID_INVALID, GID_INVALID, MODE_INVALID);
359 }
360
361 int symlink_idempotent(const char *from, const char *to) {
362 _cleanup_free_ char *p = NULL;
363 int r;
364
365 assert(from);
366 assert(to);
367
368 if (symlink(from, to) < 0) {
369 if (errno != EEXIST)
370 return -errno;
371
372 r = readlink_malloc(to, &p);
373 if (r < 0)
374 return r;
375
376 if (!streq(p, from))
377 return -EINVAL;
378 }
379
380 return 0;
381 }
382
383 int symlink_atomic(const char *from, const char *to) {
384 _cleanup_free_ char *t = NULL;
385 int r;
386
387 assert(from);
388 assert(to);
389
390 r = tempfn_random(to, NULL, &t);
391 if (r < 0)
392 return r;
393
394 if (symlink(from, t) < 0)
395 return -errno;
396
397 if (rename(t, to) < 0) {
398 unlink_noerrno(t);
399 return -errno;
400 }
401
402 return 0;
403 }
404
405 int mknod_atomic(const char *path, mode_t mode, dev_t dev) {
406 _cleanup_free_ char *t = NULL;
407 int r;
408
409 assert(path);
410
411 r = tempfn_random(path, NULL, &t);
412 if (r < 0)
413 return r;
414
415 if (mknod(t, mode, dev) < 0)
416 return -errno;
417
418 if (rename(t, path) < 0) {
419 unlink_noerrno(t);
420 return -errno;
421 }
422
423 return 0;
424 }
425
426 int mkfifo_atomic(const char *path, mode_t mode) {
427 _cleanup_free_ char *t = NULL;
428 int r;
429
430 assert(path);
431
432 r = tempfn_random(path, NULL, &t);
433 if (r < 0)
434 return r;
435
436 if (mkfifo(t, mode) < 0)
437 return -errno;
438
439 if (rename(t, path) < 0) {
440 unlink_noerrno(t);
441 return -errno;
442 }
443
444 return 0;
445 }
446
447 int get_files_in_directory(const char *path, char ***list) {
448 _cleanup_closedir_ DIR *d = NULL;
449 struct dirent *de;
450 size_t bufsize = 0, n = 0;
451 _cleanup_strv_free_ char **l = NULL;
452
453 assert(path);
454
455 /* Returns all files in a directory in *list, and the number
456 * of files as return value. If list is NULL returns only the
457 * number. */
458
459 d = opendir(path);
460 if (!d)
461 return -errno;
462
463 FOREACH_DIRENT_ALL(de, d, return -errno) {
464 dirent_ensure_type(d, de);
465
466 if (!dirent_is_file(de))
467 continue;
468
469 if (list) {
470 /* one extra slot is needed for the terminating NULL */
471 if (!GREEDY_REALLOC(l, bufsize, n + 2))
472 return -ENOMEM;
473
474 l[n] = strdup(de->d_name);
475 if (!l[n])
476 return -ENOMEM;
477
478 l[++n] = NULL;
479 } else
480 n++;
481 }
482
483 if (list) {
484 *list = l;
485 l = NULL; /* avoid freeing */
486 }
487
488 return n;
489 }
490
491 static int getenv_tmp_dir(const char **ret_path) {
492 const char *n;
493 int r, ret = 0;
494
495 assert(ret_path);
496
497 /* We use the same order of environment variables python uses in tempfile.gettempdir():
498 * https://docs.python.org/3/library/tempfile.html#tempfile.gettempdir */
499 FOREACH_STRING(n, "TMPDIR", "TEMP", "TMP") {
500 const char *e;
501
502 e = secure_getenv(n);
503 if (!e)
504 continue;
505 if (!path_is_absolute(e)) {
506 r = -ENOTDIR;
507 goto next;
508 }
509 if (!path_is_safe(e)) {
510 r = -EPERM;
511 goto next;
512 }
513
514 r = is_dir(e, true);
515 if (r < 0)
516 goto next;
517 if (r == 0) {
518 r = -ENOTDIR;
519 goto next;
520 }
521
522 *ret_path = e;
523 return 1;
524
525 next:
526 /* Remember first error, to make this more debuggable */
527 if (ret >= 0)
528 ret = r;
529 }
530
531 if (ret < 0)
532 return ret;
533
534 *ret_path = NULL;
535 return ret;
536 }
537
538 static int tmp_dir_internal(const char *def, const char **ret) {
539 const char *e;
540 int r, k;
541
542 assert(def);
543 assert(ret);
544
545 r = getenv_tmp_dir(&e);
546 if (r > 0) {
547 *ret = e;
548 return 0;
549 }
550
551 k = is_dir(def, true);
552 if (k == 0)
553 k = -ENOTDIR;
554 if (k < 0)
555 return r < 0 ? r : k;
556
557 *ret = def;
558 return 0;
559 }
560
561 int var_tmp_dir(const char **ret) {
562
563 /* Returns the location for "larger" temporary files, that is backed by physical storage if available, and thus
564 * even might survive a boot: /var/tmp. If $TMPDIR (or related environment variables) are set, its value is
565 * returned preferably however. Note that both this function and tmp_dir() below are affected by $TMPDIR,
566 * making it a variable that overrides all temporary file storage locations. */
567
568 return tmp_dir_internal("/var/tmp", ret);
569 }
570
571 int tmp_dir(const char **ret) {
572
573 /* Similar to var_tmp_dir() above, but returns the location for "smaller" temporary files, which is usually
574 * backed by an in-memory file system: /tmp. */
575
576 return tmp_dir_internal("/tmp", ret);
577 }
578
579 int inotify_add_watch_fd(int fd, int what, uint32_t mask) {
580 char path[strlen("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
581 int r;
582
583 /* This is like inotify_add_watch(), except that the file to watch is not referenced by a path, but by an fd */
584 xsprintf(path, "/proc/self/fd/%i", what);
585
586 r = inotify_add_watch(fd, path, mask);
587 if (r < 0)
588 return -errno;
589
590 return r;
591 }
592
593 int chase_symlinks(const char *path, const char *original_root, unsigned flags, char **ret) {
594 _cleanup_free_ char *buffer = NULL, *done = NULL, *root = NULL;
595 _cleanup_close_ int fd = -1;
596 unsigned max_follow = 32; /* how many symlinks to follow before giving up and returning ELOOP */
597 bool exists = true;
598 char *todo;
599 int r;
600
601 assert(path);
602
603 /* This is a lot like canonicalize_file_name(), but takes an additional "root" parameter, that allows following
604 * symlinks relative to a root directory, instead of the root of the host.
605 *
606 * Note that "root" primarily matters if we encounter an absolute symlink. It is also used when following
607 * relative symlinks to ensure they cannot be used to "escape" the root directory. The path parameter passed is
608 * assumed to be already prefixed by it, except if the CHASE_PREFIX_ROOT flag is set, in which case it is first
609 * prefixed accordingly.
610 *
611 * Algorithmically this operates on two path buffers: "done" are the components of the path we already
612 * processed and resolved symlinks, "." and ".." of. "todo" are the components of the path we still need to
613 * process. On each iteration, we move one component from "todo" to "done", processing it's special meaning
614 * each time. The "todo" path always starts with at least one slash, the "done" path always ends in no
615 * slash. We always keep an O_PATH fd to the component we are currently processing, thus keeping lookup races
616 * at a minimum.
617 *
618 * Suggested usage: whenever you want to canonicalize a path, use this function. Pass the absolute path you got
619 * as-is: fully qualified and relative to your host's root. Optionally, specify the root parameter to tell this
620 * function what to do when encountering a symlink with an absolute path as directory: prefix it by the
621 * specified path.
622 *
623 * Note: there's also chase_symlinks_prefix() (see below), which as first step prefixes the passed path by the
624 * passed root. */
625
626 if (original_root) {
627 r = path_make_absolute_cwd(original_root, &root);
628 if (r < 0)
629 return r;
630
631 if (flags & CHASE_PREFIX_ROOT)
632 path = prefix_roota(root, path);
633 }
634
635 r = path_make_absolute_cwd(path, &buffer);
636 if (r < 0)
637 return r;
638
639 fd = open("/", O_CLOEXEC|O_NOFOLLOW|O_PATH);
640 if (fd < 0)
641 return -errno;
642
643 todo = buffer;
644 for (;;) {
645 _cleanup_free_ char *first = NULL;
646 _cleanup_close_ int child = -1;
647 struct stat st;
648 size_t n, m;
649
650 /* Determine length of first component in the path */
651 n = strspn(todo, "/"); /* The slashes */
652 m = n + strcspn(todo + n, "/"); /* The entire length of the component */
653
654 /* Extract the first component. */
655 first = strndup(todo, m);
656 if (!first)
657 return -ENOMEM;
658
659 todo += m;
660
661 /* Just a single slash? Then we reached the end. */
662 if (isempty(first) || path_equal(first, "/"))
663 break;
664
665 /* Just a dot? Then let's eat this up. */
666 if (path_equal(first, "/."))
667 continue;
668
669 /* Two dots? Then chop off the last bit of what we already found out. */
670 if (path_equal(first, "/..")) {
671 _cleanup_free_ char *parent = NULL;
672 int fd_parent = -1;
673
674 /* If we already are at the top, then going up will not change anything. This is in-line with
675 * how the kernel handles this. */
676 if (isempty(done) || path_equal(done, "/"))
677 continue;
678
679 parent = dirname_malloc(done);
680 if (!parent)
681 return -ENOMEM;
682
683 /* Don't allow this to leave the root dir. */
684 if (root &&
685 path_startswith(done, root) &&
686 !path_startswith(parent, root))
687 continue;
688
689 free_and_replace(done, parent);
690
691 fd_parent = openat(fd, "..", O_CLOEXEC|O_NOFOLLOW|O_PATH);
692 if (fd_parent < 0)
693 return -errno;
694
695 safe_close(fd);
696 fd = fd_parent;
697
698 continue;
699 }
700
701 /* Otherwise let's see what this is. */
702 child = openat(fd, first + n, O_CLOEXEC|O_NOFOLLOW|O_PATH);
703 if (child < 0) {
704
705 if (errno == ENOENT &&
706 (flags & CHASE_NONEXISTENT) &&
707 (isempty(todo) || path_is_safe(todo))) {
708
709 /* If CHASE_NONEXISTENT is set, and the path does not exist, then that's OK, return
710 * what we got so far. But don't allow this if the remaining path contains "../ or "./"
711 * or something else weird. */
712
713 if (!strextend(&done, first, todo, NULL))
714 return -ENOMEM;
715
716 exists = false;
717 break;
718 }
719
720 return -errno;
721 }
722
723 if (fstat(child, &st) < 0)
724 return -errno;
725 if ((flags & CHASE_NO_AUTOFS) &&
726 fd_check_fstype(child, AUTOFS_SUPER_MAGIC) > 0)
727 return -EREMOTE;
728
729 if (S_ISLNK(st.st_mode)) {
730 char *joined;
731
732 _cleanup_free_ char *destination = NULL;
733
734 /* This is a symlink, in this case read the destination. But let's make sure we don't follow
735 * symlinks without bounds. */
736 if (--max_follow <= 0)
737 return -ELOOP;
738
739 r = readlinkat_malloc(fd, first + n, &destination);
740 if (r < 0)
741 return r;
742 if (isempty(destination))
743 return -EINVAL;
744
745 if (path_is_absolute(destination)) {
746
747 /* An absolute destination. Start the loop from the beginning, but use the root
748 * directory as base. */
749
750 safe_close(fd);
751 fd = open(root ?: "/", O_CLOEXEC|O_NOFOLLOW|O_PATH);
752 if (fd < 0)
753 return -errno;
754
755 free(done);
756
757 /* Note that we do not revalidate the root, we take it as is. */
758 if (isempty(root))
759 done = NULL;
760 else {
761 done = strdup(root);
762 if (!done)
763 return -ENOMEM;
764 }
765
766 }
767
768 /* Prefix what's left to do with what we just read, and start the loop again,
769 * but remain in the current directory. */
770
771 joined = strjoin("/", destination, todo);
772 if (!joined)
773 return -ENOMEM;
774
775 free(buffer);
776 todo = buffer = joined;
777
778 continue;
779 }
780
781 /* If this is not a symlink, then let's just add the name we read to what we already verified. */
782 if (!done) {
783 done = first;
784 first = NULL;
785 } else {
786 if (!strextend(&done, first, NULL))
787 return -ENOMEM;
788 }
789
790 /* And iterate again, but go one directory further down. */
791 safe_close(fd);
792 fd = child;
793 child = -1;
794 }
795
796 if (!done) {
797 /* Special case, turn the empty string into "/", to indicate the root directory. */
798 done = strdup("/");
799 if (!done)
800 return -ENOMEM;
801 }
802
803 if (ret) {
804 *ret = done;
805 done = NULL;
806 }
807
808 return exists;
809 }
Unnamed repository; edit this file 'description' to name the repository.