]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/basic/fs-util.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #7365 from poettering/nspawn-bind-userns
[thirdparty/systemd.git] / src / basic / fs-util.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2010 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include <errno.h>
21 #include <stddef.h>
22 #include <stdio.h>
23 #include <stdlib.h>
24 #include <string.h>
25 #include <sys/stat.h>
26 #include <linux/magic.h>
27 #include <time.h>
28 #include <unistd.h>
29
30 #include "alloc-util.h"
31 #include "dirent-util.h"
32 #include "fd-util.h"
33 #include "fileio.h"
34 #include "fs-util.h"
35 #include "log.h"
36 #include "macro.h"
37 #include "missing.h"
38 #include "mkdir.h"
39 #include "parse-util.h"
40 #include "path-util.h"
41 #include "stat-util.h"
42 #include "stdio-util.h"
43 #include "string-util.h"
44 #include "strv.h"
45 #include "time-util.h"
46 #include "user-util.h"
47 #include "util.h"
48
49 int unlink_noerrno(const char *path) {
50 PROTECT_ERRNO;
51 int r;
52
53 r = unlink(path);
54 if (r < 0)
55 return -errno;
56
57 return 0;
58 }
59
60 int rmdir_parents(const char *path, const char *stop) {
61 size_t l;
62 int r = 0;
63
64 assert(path);
65 assert(stop);
66
67 l = strlen(path);
68
69 /* Skip trailing slashes */
70 while (l > 0 && path[l-1] == '/')
71 l--;
72
73 while (l > 0) {
74 char *t;
75
76 /* Skip last component */
77 while (l > 0 && path[l-1] != '/')
78 l--;
79
80 /* Skip trailing slashes */
81 while (l > 0 && path[l-1] == '/')
82 l--;
83
84 if (l <= 0)
85 break;
86
87 t = strndup(path, l);
88 if (!t)
89 return -ENOMEM;
90
91 if (path_startswith(stop, t)) {
92 free(t);
93 return 0;
94 }
95
96 r = rmdir(t);
97 free(t);
98
99 if (r < 0)
100 if (errno != ENOENT)
101 return -errno;
102 }
103
104 return 0;
105 }
106
107 int rename_noreplace(int olddirfd, const char *oldpath, int newdirfd, const char *newpath) {
108 struct stat buf;
109 int ret;
110
111 ret = renameat2(olddirfd, oldpath, newdirfd, newpath, RENAME_NOREPLACE);
112 if (ret >= 0)
113 return 0;
114
115 /* renameat2() exists since Linux 3.15, btrfs added support for it later.
116 * If it is not implemented, fallback to another method. */
117 if (!IN_SET(errno, EINVAL, ENOSYS))
118 return -errno;
119
120 /* The link()/unlink() fallback does not work on directories. But
121 * renameat() without RENAME_NOREPLACE gives the same semantics on
122 * directories, except when newpath is an *empty* directory. This is
123 * good enough. */
124 ret = fstatat(olddirfd, oldpath, &buf, AT_SYMLINK_NOFOLLOW);
125 if (ret >= 0 && S_ISDIR(buf.st_mode)) {
126 ret = renameat(olddirfd, oldpath, newdirfd, newpath);
127 return ret >= 0 ? 0 : -errno;
128 }
129
130 /* If it is not a directory, use the link()/unlink() fallback. */
131 ret = linkat(olddirfd, oldpath, newdirfd, newpath, 0);
132 if (ret < 0)
133 return -errno;
134
135 ret = unlinkat(olddirfd, oldpath, 0);
136 if (ret < 0) {
137 /* backup errno before the following unlinkat() alters it */
138 ret = errno;
139 (void) unlinkat(newdirfd, newpath, 0);
140 errno = ret;
141 return -errno;
142 }
143
144 return 0;
145 }
146
147 int readlinkat_malloc(int fd, const char *p, char **ret) {
148 size_t l = 100;
149 int r;
150
151 assert(p);
152 assert(ret);
153
154 for (;;) {
155 char *c;
156 ssize_t n;
157
158 c = new(char, l);
159 if (!c)
160 return -ENOMEM;
161
162 n = readlinkat(fd, p, c, l-1);
163 if (n < 0) {
164 r = -errno;
165 free(c);
166 return r;
167 }
168
169 if ((size_t) n < l-1) {
170 c[n] = 0;
171 *ret = c;
172 return 0;
173 }
174
175 free(c);
176 l *= 2;
177 }
178 }
179
180 int readlink_malloc(const char *p, char **ret) {
181 return readlinkat_malloc(AT_FDCWD, p, ret);
182 }
183
184 int readlink_value(const char *p, char **ret) {
185 _cleanup_free_ char *link = NULL;
186 char *value;
187 int r;
188
189 r = readlink_malloc(p, &link);
190 if (r < 0)
191 return r;
192
193 value = basename(link);
194 if (!value)
195 return -ENOENT;
196
197 value = strdup(value);
198 if (!value)
199 return -ENOMEM;
200
201 *ret = value;
202
203 return 0;
204 }
205
206 int readlink_and_make_absolute(const char *p, char **r) {
207 _cleanup_free_ char *target = NULL;
208 char *k;
209 int j;
210
211 assert(p);
212 assert(r);
213
214 j = readlink_malloc(p, &target);
215 if (j < 0)
216 return j;
217
218 k = file_in_same_dir(p, target);
219 if (!k)
220 return -ENOMEM;
221
222 *r = k;
223 return 0;
224 }
225
226 int readlink_and_canonicalize(const char *p, const char *root, char **ret) {
227 char *t, *s;
228 int r;
229
230 assert(p);
231 assert(ret);
232
233 r = readlink_and_make_absolute(p, &t);
234 if (r < 0)
235 return r;
236
237 r = chase_symlinks(t, root, 0, &s);
238 if (r < 0)
239 /* If we can't follow up, then let's return the original string, slightly cleaned up. */
240 *ret = path_kill_slashes(t);
241 else {
242 *ret = s;
243 free(t);
244 }
245
246 return 0;
247 }
248
249 int readlink_and_make_absolute_root(const char *root, const char *path, char **ret) {
250 _cleanup_free_ char *target = NULL, *t = NULL;
251 const char *full;
252 int r;
253
254 full = prefix_roota(root, path);
255 r = readlink_malloc(full, &target);
256 if (r < 0)
257 return r;
258
259 t = file_in_same_dir(path, target);
260 if (!t)
261 return -ENOMEM;
262
263 *ret = t;
264 t = NULL;
265
266 return 0;
267 }
268
269 int chmod_and_chown(const char *path, mode_t mode, uid_t uid, gid_t gid) {
270 assert(path);
271
272 /* Under the assumption that we are running privileged we
273 * first change the access mode and only then hand out
274 * ownership to avoid a window where access is too open. */
275
276 if (mode != MODE_INVALID)
277 if (chmod(path, mode) < 0)
278 return -errno;
279
280 if (uid != UID_INVALID || gid != GID_INVALID)
281 if (chown(path, uid, gid) < 0)
282 return -errno;
283
284 return 0;
285 }
286
287 int fchmod_umask(int fd, mode_t m) {
288 mode_t u;
289 int r;
290
291 u = umask(0777);
292 r = fchmod(fd, m & (~u)) < 0 ? -errno : 0;
293 umask(u);
294
295 return r;
296 }
297
298 int fd_warn_permissions(const char *path, int fd) {
299 struct stat st;
300
301 if (fstat(fd, &st) < 0)
302 return -errno;
303
304 if (st.st_mode & 0111)
305 log_warning("Configuration file %s is marked executable. Please remove executable permission bits. Proceeding anyway.", path);
306
307 if (st.st_mode & 0002)
308 log_warning("Configuration file %s is marked world-writable. Please remove world writability permission bits. Proceeding anyway.", path);
309
310 if (getpid_cached() == 1 && (st.st_mode & 0044) != 0044)
311 log_warning("Configuration file %s is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.", path);
312
313 return 0;
314 }
315
316 int touch_file(const char *path, bool parents, usec_t stamp, uid_t uid, gid_t gid, mode_t mode) {
317 _cleanup_close_ int fd;
318 int r;
319
320 assert(path);
321
322 if (parents)
323 mkdir_parents(path, 0755);
324
325 fd = open(path, O_WRONLY|O_CREAT|O_CLOEXEC|O_NOCTTY,
326 IN_SET(mode, 0, MODE_INVALID) ? 0644 : mode);
327 if (fd < 0)
328 return -errno;
329
330 if (mode != MODE_INVALID) {
331 r = fchmod(fd, mode);
332 if (r < 0)
333 return -errno;
334 }
335
336 if (uid != UID_INVALID || gid != GID_INVALID) {
337 r = fchown(fd, uid, gid);
338 if (r < 0)
339 return -errno;
340 }
341
342 if (stamp != USEC_INFINITY) {
343 struct timespec ts[2];
344
345 timespec_store(&ts[0], stamp);
346 ts[1] = ts[0];
347 r = futimens(fd, ts);
348 } else
349 r = futimens(fd, NULL);
350 if (r < 0)
351 return -errno;
352
353 return 0;
354 }
355
356 int touch(const char *path) {
357 return touch_file(path, false, USEC_INFINITY, UID_INVALID, GID_INVALID, MODE_INVALID);
358 }
359
360 int symlink_idempotent(const char *from, const char *to) {
361 int r;
362
363 assert(from);
364 assert(to);
365
366 if (symlink(from, to) < 0) {
367 _cleanup_free_ char *p = NULL;
368
369 if (errno != EEXIST)
370 return -errno;
371
372 r = readlink_malloc(to, &p);
373 if (r == -EINVAL) /* Not a symlink? In that case return the original error we encountered: -EEXIST */
374 return -EEXIST;
375 if (r < 0) /* Any other error? In that case propagate it as is */
376 return r;
377
378 if (!streq(p, from)) /* Not the symlink we want it to be? In that case, propagate the original -EEXIST */
379 return -EEXIST;
380 }
381
382 return 0;
383 }
384
385 int symlink_atomic(const char *from, const char *to) {
386 _cleanup_free_ char *t = NULL;
387 int r;
388
389 assert(from);
390 assert(to);
391
392 r = tempfn_random(to, NULL, &t);
393 if (r < 0)
394 return r;
395
396 if (symlink(from, t) < 0)
397 return -errno;
398
399 if (rename(t, to) < 0) {
400 unlink_noerrno(t);
401 return -errno;
402 }
403
404 return 0;
405 }
406
407 int mknod_atomic(const char *path, mode_t mode, dev_t dev) {
408 _cleanup_free_ char *t = NULL;
409 int r;
410
411 assert(path);
412
413 r = tempfn_random(path, NULL, &t);
414 if (r < 0)
415 return r;
416
417 if (mknod(t, mode, dev) < 0)
418 return -errno;
419
420 if (rename(t, path) < 0) {
421 unlink_noerrno(t);
422 return -errno;
423 }
424
425 return 0;
426 }
427
428 int mkfifo_atomic(const char *path, mode_t mode) {
429 _cleanup_free_ char *t = NULL;
430 int r;
431
432 assert(path);
433
434 r = tempfn_random(path, NULL, &t);
435 if (r < 0)
436 return r;
437
438 if (mkfifo(t, mode) < 0)
439 return -errno;
440
441 if (rename(t, path) < 0) {
442 unlink_noerrno(t);
443 return -errno;
444 }
445
446 return 0;
447 }
448
449 int get_files_in_directory(const char *path, char ***list) {
450 _cleanup_closedir_ DIR *d = NULL;
451 struct dirent *de;
452 size_t bufsize = 0, n = 0;
453 _cleanup_strv_free_ char **l = NULL;
454
455 assert(path);
456
457 /* Returns all files in a directory in *list, and the number
458 * of files as return value. If list is NULL returns only the
459 * number. */
460
461 d = opendir(path);
462 if (!d)
463 return -errno;
464
465 FOREACH_DIRENT_ALL(de, d, return -errno) {
466 dirent_ensure_type(d, de);
467
468 if (!dirent_is_file(de))
469 continue;
470
471 if (list) {
472 /* one extra slot is needed for the terminating NULL */
473 if (!GREEDY_REALLOC(l, bufsize, n + 2))
474 return -ENOMEM;
475
476 l[n] = strdup(de->d_name);
477 if (!l[n])
478 return -ENOMEM;
479
480 l[++n] = NULL;
481 } else
482 n++;
483 }
484
485 if (list) {
486 *list = l;
487 l = NULL; /* avoid freeing */
488 }
489
490 return n;
491 }
492
493 static int getenv_tmp_dir(const char **ret_path) {
494 const char *n;
495 int r, ret = 0;
496
497 assert(ret_path);
498
499 /* We use the same order of environment variables python uses in tempfile.gettempdir():
500 * https://docs.python.org/3/library/tempfile.html#tempfile.gettempdir */
501 FOREACH_STRING(n, "TMPDIR", "TEMP", "TMP") {
502 const char *e;
503
504 e = secure_getenv(n);
505 if (!e)
506 continue;
507 if (!path_is_absolute(e)) {
508 r = -ENOTDIR;
509 goto next;
510 }
511 if (!path_is_safe(e)) {
512 r = -EPERM;
513 goto next;
514 }
515
516 r = is_dir(e, true);
517 if (r < 0)
518 goto next;
519 if (r == 0) {
520 r = -ENOTDIR;
521 goto next;
522 }
523
524 *ret_path = e;
525 return 1;
526
527 next:
528 /* Remember first error, to make this more debuggable */
529 if (ret >= 0)
530 ret = r;
531 }
532
533 if (ret < 0)
534 return ret;
535
536 *ret_path = NULL;
537 return ret;
538 }
539
540 static int tmp_dir_internal(const char *def, const char **ret) {
541 const char *e;
542 int r, k;
543
544 assert(def);
545 assert(ret);
546
547 r = getenv_tmp_dir(&e);
548 if (r > 0) {
549 *ret = e;
550 return 0;
551 }
552
553 k = is_dir(def, true);
554 if (k == 0)
555 k = -ENOTDIR;
556 if (k < 0)
557 return r < 0 ? r : k;
558
559 *ret = def;
560 return 0;
561 }
562
563 int var_tmp_dir(const char **ret) {
564
565 /* Returns the location for "larger" temporary files, that is backed by physical storage if available, and thus
566 * even might survive a boot: /var/tmp. If $TMPDIR (or related environment variables) are set, its value is
567 * returned preferably however. Note that both this function and tmp_dir() below are affected by $TMPDIR,
568 * making it a variable that overrides all temporary file storage locations. */
569
570 return tmp_dir_internal("/var/tmp", ret);
571 }
572
573 int tmp_dir(const char **ret) {
574
575 /* Similar to var_tmp_dir() above, but returns the location for "smaller" temporary files, which is usually
576 * backed by an in-memory file system: /tmp. */
577
578 return tmp_dir_internal("/tmp", ret);
579 }
580
581 int inotify_add_watch_fd(int fd, int what, uint32_t mask) {
582 char path[strlen("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
583 int r;
584
585 /* This is like inotify_add_watch(), except that the file to watch is not referenced by a path, but by an fd */
586 xsprintf(path, "/proc/self/fd/%i", what);
587
588 r = inotify_add_watch(fd, path, mask);
589 if (r < 0)
590 return -errno;
591
592 return r;
593 }
594
595 int chase_symlinks(const char *path, const char *original_root, unsigned flags, char **ret) {
596 _cleanup_free_ char *buffer = NULL, *done = NULL, *root = NULL;
597 _cleanup_close_ int fd = -1;
598 unsigned max_follow = 32; /* how many symlinks to follow before giving up and returning ELOOP */
599 bool exists = true;
600 char *todo;
601 int r;
602
603 assert(path);
604
605 /* This is a lot like canonicalize_file_name(), but takes an additional "root" parameter, that allows following
606 * symlinks relative to a root directory, instead of the root of the host.
607 *
608 * Note that "root" primarily matters if we encounter an absolute symlink. It is also used when following
609 * relative symlinks to ensure they cannot be used to "escape" the root directory. The path parameter passed is
610 * assumed to be already prefixed by it, except if the CHASE_PREFIX_ROOT flag is set, in which case it is first
611 * prefixed accordingly.
612 *
613 * Algorithmically this operates on two path buffers: "done" are the components of the path we already
614 * processed and resolved symlinks, "." and ".." of. "todo" are the components of the path we still need to
615 * process. On each iteration, we move one component from "todo" to "done", processing it's special meaning
616 * each time. The "todo" path always starts with at least one slash, the "done" path always ends in no
617 * slash. We always keep an O_PATH fd to the component we are currently processing, thus keeping lookup races
618 * at a minimum.
619 *
620 * Suggested usage: whenever you want to canonicalize a path, use this function. Pass the absolute path you got
621 * as-is: fully qualified and relative to your host's root. Optionally, specify the root parameter to tell this
622 * function what to do when encountering a symlink with an absolute path as directory: prefix it by the
623 * specified path.
624 *
625 * Note: there's also chase_symlinks_prefix() (see below), which as first step prefixes the passed path by the
626 * passed root. */
627
628 if (original_root) {
629 r = path_make_absolute_cwd(original_root, &root);
630 if (r < 0)
631 return r;
632
633 if (flags & CHASE_PREFIX_ROOT)
634 path = prefix_roota(root, path);
635 }
636
637 r = path_make_absolute_cwd(path, &buffer);
638 if (r < 0)
639 return r;
640
641 fd = open("/", O_CLOEXEC|O_NOFOLLOW|O_PATH);
642 if (fd < 0)
643 return -errno;
644
645 todo = buffer;
646 for (;;) {
647 _cleanup_free_ char *first = NULL;
648 _cleanup_close_ int child = -1;
649 struct stat st;
650 size_t n, m;
651
652 /* Determine length of first component in the path */
653 n = strspn(todo, "/"); /* The slashes */
654 m = n + strcspn(todo + n, "/"); /* The entire length of the component */
655
656 /* Extract the first component. */
657 first = strndup(todo, m);
658 if (!first)
659 return -ENOMEM;
660
661 todo += m;
662
663 /* Just a single slash? Then we reached the end. */
664 if (isempty(first) || path_equal(first, "/"))
665 break;
666
667 /* Just a dot? Then let's eat this up. */
668 if (path_equal(first, "/."))
669 continue;
670
671 /* Two dots? Then chop off the last bit of what we already found out. */
672 if (path_equal(first, "/..")) {
673 _cleanup_free_ char *parent = NULL;
674 int fd_parent = -1;
675
676 /* If we already are at the top, then going up will not change anything. This is in-line with
677 * how the kernel handles this. */
678 if (isempty(done) || path_equal(done, "/"))
679 continue;
680
681 parent = dirname_malloc(done);
682 if (!parent)
683 return -ENOMEM;
684
685 /* Don't allow this to leave the root dir. */
686 if (root &&
687 path_startswith(done, root) &&
688 !path_startswith(parent, root))
689 continue;
690
691 free_and_replace(done, parent);
692
693 fd_parent = openat(fd, "..", O_CLOEXEC|O_NOFOLLOW|O_PATH);
694 if (fd_parent < 0)
695 return -errno;
696
697 safe_close(fd);
698 fd = fd_parent;
699
700 continue;
701 }
702
703 /* Otherwise let's see what this is. */
704 child = openat(fd, first + n, O_CLOEXEC|O_NOFOLLOW|O_PATH);
705 if (child < 0) {
706
707 if (errno == ENOENT &&
708 (flags & CHASE_NONEXISTENT) &&
709 (isempty(todo) || path_is_safe(todo))) {
710
711 /* If CHASE_NONEXISTENT is set, and the path does not exist, then that's OK, return
712 * what we got so far. But don't allow this if the remaining path contains "../ or "./"
713 * or something else weird. */
714
715 if (!strextend(&done, first, todo, NULL))
716 return -ENOMEM;
717
718 exists = false;
719 break;
720 }
721
722 return -errno;
723 }
724
725 if (fstat(child, &st) < 0)
726 return -errno;
727 if ((flags & CHASE_NO_AUTOFS) &&
728 fd_check_fstype(child, AUTOFS_SUPER_MAGIC) > 0)
729 return -EREMOTE;
730
731 if (S_ISLNK(st.st_mode)) {
732 char *joined;
733
734 _cleanup_free_ char *destination = NULL;
735
736 /* This is a symlink, in this case read the destination. But let's make sure we don't follow
737 * symlinks without bounds. */
738 if (--max_follow <= 0)
739 return -ELOOP;
740
741 r = readlinkat_malloc(fd, first + n, &destination);
742 if (r < 0)
743 return r;
744 if (isempty(destination))
745 return -EINVAL;
746
747 if (path_is_absolute(destination)) {
748
749 /* An absolute destination. Start the loop from the beginning, but use the root
750 * directory as base. */
751
752 safe_close(fd);
753 fd = open(root ?: "/", O_CLOEXEC|O_NOFOLLOW|O_PATH);
754 if (fd < 0)
755 return -errno;
756
757 free(done);
758
759 /* Note that we do not revalidate the root, we take it as is. */
760 if (isempty(root))
761 done = NULL;
762 else {
763 done = strdup(root);
764 if (!done)
765 return -ENOMEM;
766 }
767
768 /* Prefix what's left to do with what we just read, and start the loop again, but
769 * remain in the current directory. */
770 joined = strjoin(destination, todo);
771 } else
772 joined = strjoin("/", destination, todo);
773 if (!joined)
774 return -ENOMEM;
775
776 free(buffer);
777 todo = buffer = joined;
778
779 continue;
780 }
781
782 /* If this is not a symlink, then let's just add the name we read to what we already verified. */
783 if (!done) {
784 done = first;
785 first = NULL;
786 } else {
787 if (!strextend(&done, first, NULL))
788 return -ENOMEM;
789 }
790
791 /* And iterate again, but go one directory further down. */
792 safe_close(fd);
793 fd = child;
794 child = -1;
795 }
796
797 if (!done) {
798 /* Special case, turn the empty string into "/", to indicate the root directory. */
799 done = strdup("/");
800 if (!done)
801 return -ENOMEM;
802 }
803
804 if (ret) {
805 *ret = done;
806 done = NULL;
807 }
808
809 return exists;
810 }
811
812 int access_fd(int fd, int mode) {
813 char p[strlen("/proc/self/fd/") + DECIMAL_STR_MAX(fd) + 1];
814 int r;
815
816 /* Like access() but operates on an already open fd */
817
818 xsprintf(p, "/proc/self/fd/%i", fd);
819
820 r = access(p, mode);
821 if (r < 0)
822 r = -errno;
823
824 return r;
825 }
Unnamed repository; edit this file 'description' to name the repository.