]>
git.ipfire.org Git - thirdparty/systemd.git/blob - src/basic/fs-util.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2010 Lennart Poettering
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
27 #include <linux/magic.h>
31 #include "alloc-util.h"
32 #include "dirent-util.h"
40 #include "parse-util.h"
41 #include "path-util.h"
42 #include "process-util.h"
43 #include "stat-util.h"
44 #include "stdio-util.h"
45 #include "string-util.h"
47 #include "time-util.h"
48 #include "user-util.h"
51 int unlink_noerrno ( const char * path
) {
62 int rmdir_parents ( const char * path
, const char * stop
) {
71 /* Skip trailing slashes */
72 while ( l
> 0 && path
[ l
- 1 ] == '/' )
78 /* Skip last component */
79 while ( l
> 0 && path
[ l
- 1 ] != '/' )
82 /* Skip trailing slashes */
83 while ( l
> 0 && path
[ l
- 1 ] == '/' )
93 if ( path_startswith ( stop
, t
)) {
109 int rename_noreplace ( int olddirfd
, const char * oldpath
, int newdirfd
, const char * newpath
) {
113 ret
= renameat2 ( olddirfd
, oldpath
, newdirfd
, newpath
, RENAME_NOREPLACE
);
117 /* renameat2() exists since Linux 3.15, btrfs added support for it later.
118 * If it is not implemented, fallback to another method. */
119 if (! IN_SET ( errno
, EINVAL
, ENOSYS
))
122 /* The link()/unlink() fallback does not work on directories. But
123 * renameat() without RENAME_NOREPLACE gives the same semantics on
124 * directories, except when newpath is an *empty* directory. This is
126 ret
= fstatat ( olddirfd
, oldpath
, & buf
, AT_SYMLINK_NOFOLLOW
);
127 if ( ret
>= 0 && S_ISDIR ( buf
. st_mode
)) {
128 ret
= renameat ( olddirfd
, oldpath
, newdirfd
, newpath
);
129 return ret
>= 0 ? 0 : - errno
;
132 /* If it is not a directory, use the link()/unlink() fallback. */
133 ret
= linkat ( olddirfd
, oldpath
, newdirfd
, newpath
, 0 );
137 ret
= unlinkat ( olddirfd
, oldpath
, 0 );
139 /* backup errno before the following unlinkat() alters it */
141 ( void ) unlinkat ( newdirfd
, newpath
, 0 );
149 int readlinkat_malloc ( int fd
, const char * p
, char ** ret
) {
164 n
= readlinkat ( fd
, p
, c
, l
- 1 );
171 if (( size_t ) n
< l
- 1 ) {
182 int readlink_malloc ( const char * p
, char ** ret
) {
183 return readlinkat_malloc ( AT_FDCWD
, p
, ret
);
186 int readlink_value ( const char * p
, char ** ret
) {
187 _cleanup_free_
char * link
= NULL
;
191 r
= readlink_malloc ( p
, & link
);
195 value
= basename ( link
);
199 value
= strdup ( value
);
208 int readlink_and_make_absolute ( const char * p
, char ** r
) {
209 _cleanup_free_
char * target
= NULL
;
216 j
= readlink_malloc ( p
, & target
);
220 k
= file_in_same_dir ( p
, target
);
228 int readlink_and_canonicalize ( const char * p
, const char * root
, char ** ret
) {
235 r
= readlink_and_make_absolute ( p
, & t
);
239 r
= chase_symlinks ( t
, root
, 0 , & s
);
241 /* If we can't follow up, then let's return the original string, slightly cleaned up. */
242 * ret
= path_kill_slashes ( t
);
251 int readlink_and_make_absolute_root ( const char * root
, const char * path
, char ** ret
) {
252 _cleanup_free_
char * target
= NULL
, * t
= NULL
;
256 full
= prefix_roota ( root
, path
);
257 r
= readlink_malloc ( full
, & target
);
261 t
= file_in_same_dir ( path
, target
);
271 int chmod_and_chown ( const char * path
, mode_t mode
, uid_t uid
, gid_t gid
) {
274 /* Under the assumption that we are running privileged we
275 * first change the access mode and only then hand out
276 * ownership to avoid a window where access is too open. */
278 if ( mode
!= MODE_INVALID
)
279 if ( chmod ( path
, mode
) < 0 )
282 if ( uid
!= UID_INVALID
|| gid
!= GID_INVALID
)
283 if ( chown ( path
, uid
, gid
) < 0 )
289 int fchmod_umask ( int fd
, mode_t m
) {
294 r
= fchmod ( fd
, m
& (~ u
)) < 0 ? - errno
: 0 ;
300 int fd_warn_permissions ( const char * path
, int fd
) {
303 if ( fstat ( fd
, & st
) < 0 )
306 if ( st
. st_mode
& 0111 )
307 log_warning ( "Configuration file %s is marked executable. Please remove executable permission bits. Proceeding anyway." , path
);
309 if ( st
. st_mode
& 0002 )
310 log_warning ( "Configuration file %s is marked world-writable. Please remove world writability permission bits. Proceeding anyway." , path
);
312 if ( getpid_cached () == 1 && ( st
. st_mode
& 0044 ) != 0044 )
313 log_warning ( "Configuration file %s is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway." , path
);
318 int touch_file ( const char * path
, bool parents
, usec_t stamp
, uid_t uid
, gid_t gid
, mode_t mode
) {
319 char fdpath
[ STRLEN ( "/proc/self/fd/" ) + DECIMAL_STR_MAX ( int )];
320 _cleanup_close_
int fd
= - 1 ;
325 /* Note that touch_file() does not follow symlinks: if invoked on an existing symlink, then it is the symlink
326 * itself which is updated, not its target
328 * Returns the first error we encounter, but tries to apply as much as possible. */
331 ( void ) mkdir_parents ( path
, 0755 );
333 /* Initially, we try to open the node with O_PATH, so that we get a reference to the node. This is useful in
334 * case the path refers to an existing device or socket node, as we can open it successfully in all cases, and
335 * won't trigger any driver magic or so. */
336 fd
= open ( path
, O_PATH
| O_CLOEXEC
| O_NOFOLLOW
);
341 /* if the node doesn't exist yet, we create it, but with O_EXCL, so that we only create a regular file
342 * here, and nothing else */
343 fd
= open ( path
, O_WRONLY
| O_CREAT
| O_EXCL
| O_CLOEXEC
, IN_SET ( mode
, 0 , MODE_INVALID
) ? 0644 : mode
);
348 /* Let's make a path from the fd, and operate on that. With this logic, we can adjust the access mode,
349 * ownership and time of the file node in all cases, even if the fd refers to an O_PATH object — which is
350 * something fchown(), fchmod(), futimensat() don't allow. */
351 xsprintf ( fdpath
, "/proc/self/fd/%i" , fd
);
353 if ( mode
!= MODE_INVALID
)
354 if ( chmod ( fdpath
, mode
) < 0 )
357 if ( uid_is_valid ( uid
) || gid_is_valid ( gid
))
358 if ( chown ( fdpath
, uid
, gid
) < 0 && ret
>= 0 )
361 if ( stamp
!= USEC_INFINITY
) {
362 struct timespec ts
[ 2 ];
364 timespec_store (& ts
[ 0 ], stamp
);
366 r
= utimensat ( AT_FDCWD
, fdpath
, ts
, 0 );
368 r
= utimensat ( AT_FDCWD
, fdpath
, NULL
, 0 );
369 if ( r
< 0 && ret
>= 0 )
375 int touch ( const char * path
) {
376 return touch_file ( path
, false , USEC_INFINITY
, UID_INVALID
, GID_INVALID
, MODE_INVALID
);
379 int symlink_idempotent ( const char * from
, const char * to
) {
385 if ( symlink ( from
, to
) < 0 ) {
386 _cleanup_free_
char * p
= NULL
;
391 r
= readlink_malloc ( to
, & p
);
392 if ( r
== - EINVAL
) /* Not a symlink? In that case return the original error we encountered: -EEXIST */
394 if ( r
< 0 ) /* Any other error? In that case propagate it as is */
397 if (! streq ( p
, from
)) /* Not the symlink we want it to be? In that case, propagate the original -EEXIST */
404 int symlink_atomic ( const char * from
, const char * to
) {
405 _cleanup_free_
char * t
= NULL
;
411 r
= tempfn_random ( to
, NULL
, & t
);
415 if ( symlink ( from
, t
) < 0 )
418 if ( rename ( t
, to
) < 0 ) {
426 int mknod_atomic ( const char * path
, mode_t mode
, dev_t dev
) {
427 _cleanup_free_
char * t
= NULL
;
432 r
= tempfn_random ( path
, NULL
, & t
);
436 if ( mknod ( t
, mode
, dev
) < 0 )
439 if ( rename ( t
, path
) < 0 ) {
447 int mkfifo_atomic ( const char * path
, mode_t mode
) {
448 _cleanup_free_
char * t
= NULL
;
453 r
= tempfn_random ( path
, NULL
, & t
);
457 if ( mkfifo ( t
, mode
) < 0 )
460 if ( rename ( t
, path
) < 0 ) {
468 int get_files_in_directory ( const char * path
, char *** list
) {
469 _cleanup_closedir_
DIR * d
= NULL
;
471 size_t bufsize
= 0 , n
= 0 ;
472 _cleanup_strv_free_
char ** l
= NULL
;
476 /* Returns all files in a directory in *list, and the number
477 * of files as return value. If list is NULL returns only the
484 FOREACH_DIRENT_ALL ( de
, d
, return - errno
) {
485 dirent_ensure_type ( d
, de
);
487 if (! dirent_is_file ( de
))
491 /* one extra slot is needed for the terminating NULL */
492 if (! GREEDY_REALLOC ( l
, bufsize
, n
+ 2 ))
495 l
[ n
] = strdup ( de
-> d_name
);
506 l
= NULL
; /* avoid freeing */
512 static int getenv_tmp_dir ( const char ** ret_path
) {
518 /* We use the same order of environment variables python uses in tempfile.gettempdir():
519 * https://docs.python.org/3/library/tempfile.html#tempfile.gettempdir */
520 FOREACH_STRING ( n
, "TMPDIR" , "TEMP" , "TMP" ) {
523 e
= secure_getenv ( n
);
526 if (! path_is_absolute ( e
)) {
530 if (! path_is_normalized ( e
)) {
547 /* Remember first error, to make this more debuggable */
559 static int tmp_dir_internal ( const char * def
, const char ** ret
) {
566 r
= getenv_tmp_dir (& e
);
572 k
= is_dir ( def
, true );
576 return r
< 0 ? r
: k
;
582 int var_tmp_dir ( const char ** ret
) {
584 /* Returns the location for "larger" temporary files, that is backed by physical storage if available, and thus
585 * even might survive a boot: /var/tmp. If $TMPDIR (or related environment variables) are set, its value is
586 * returned preferably however. Note that both this function and tmp_dir() below are affected by $TMPDIR,
587 * making it a variable that overrides all temporary file storage locations. */
589 return tmp_dir_internal ( "/var/tmp" , ret
);
592 int tmp_dir ( const char ** ret
) {
594 /* Similar to var_tmp_dir() above, but returns the location for "smaller" temporary files, which is usually
595 * backed by an in-memory file system: /tmp. */
597 return tmp_dir_internal ( "/tmp" , ret
);
600 int inotify_add_watch_fd ( int fd
, int what
, uint32_t mask
) {
601 char path
[ STRLEN ( "/proc/self/fd/" ) + DECIMAL_STR_MAX ( int ) + 1 ];
604 /* This is like inotify_add_watch(), except that the file to watch is not referenced by a path, but by an fd */
605 xsprintf ( path
, "/proc/self/fd/%i" , what
);
607 r
= inotify_add_watch ( fd
, path
, mask
);
614 static bool safe_transition ( const struct stat
* a
, const struct stat
* b
) {
615 /* Returns true if the transition from a to b is safe, i.e. that we never transition from unprivileged to
616 * privileged files or directories. Why bother? So that unprivileged code can't symlink to privileged files
617 * making us believe we read something safe even though it isn't safe in the specific context we open it in. */
619 if ( a
-> st_uid
== 0 ) /* Transitioning from privileged to unprivileged is always fine */
622 return a
-> st_uid
== b
-> st_uid
; /* Otherwise we need to stay within the same UID */
625 int chase_symlinks ( const char * path
, const char * original_root
, unsigned flags
, char ** ret
) {
626 _cleanup_free_
char * buffer
= NULL
, * done
= NULL
, * root
= NULL
;
627 _cleanup_close_
int fd
= - 1 ;
628 unsigned max_follow
= 32 ; /* how many symlinks to follow before giving up and returning ELOOP */
629 struct stat previous_stat
;
636 /* Either the file may be missing, or we return an fd to the final object, but both make no sense */
637 if (( flags
& ( CHASE_NONEXISTENT
| CHASE_OPEN
)) == ( CHASE_NONEXISTENT
| CHASE_OPEN
))
643 /* This is a lot like canonicalize_file_name(), but takes an additional "root" parameter, that allows following
644 * symlinks relative to a root directory, instead of the root of the host.
646 * Note that "root" primarily matters if we encounter an absolute symlink. It is also used when following
647 * relative symlinks to ensure they cannot be used to "escape" the root directory. The path parameter passed is
648 * assumed to be already prefixed by it, except if the CHASE_PREFIX_ROOT flag is set, in which case it is first
649 * prefixed accordingly.
651 * Algorithmically this operates on two path buffers: "done" are the components of the path we already
652 * processed and resolved symlinks, "." and ".." of. "todo" are the components of the path we still need to
653 * process. On each iteration, we move one component from "todo" to "done", processing it's special meaning
654 * each time. The "todo" path always starts with at least one slash, the "done" path always ends in no
655 * slash. We always keep an O_PATH fd to the component we are currently processing, thus keeping lookup races
658 * Suggested usage: whenever you want to canonicalize a path, use this function. Pass the absolute path you got
659 * as-is: fully qualified and relative to your host's root. Optionally, specify the root parameter to tell this
660 * function what to do when encountering a symlink with an absolute path as directory: prefix it by the
663 /* A root directory of "/" or "" is identical to none */
664 if ( isempty ( original_root
) || path_equal ( original_root
, "/" ))
665 original_root
= NULL
;
668 r
= path_make_absolute_cwd ( original_root
, & root
);
672 if ( flags
& CHASE_PREFIX_ROOT
) {
674 /* We don't support relative paths in combination with a root directory */
675 if (! path_is_absolute ( path
))
678 path
= prefix_roota ( root
, path
);
682 r
= path_make_absolute_cwd ( path
, & buffer
);
686 fd
= open ( "/" , O_CLOEXEC
| O_NOFOLLOW
| O_PATH
);
690 if ( flags
& CHASE_SAFE
) {
691 if ( fstat ( fd
, & previous_stat
) < 0 )
697 _cleanup_free_
char * first
= NULL
;
698 _cleanup_close_
int child
= - 1 ;
702 /* Determine length of first component in the path */
703 n
= strspn ( todo
, "/" ); /* The slashes */
704 m
= n
+ strcspn ( todo
+ n
, "/" ); /* The entire length of the component */
706 /* Extract the first component. */
707 first
= strndup ( todo
, m
);
713 /* Empty? Then we reached the end. */
717 /* Just a single slash? Then we reached the end. */
718 if ( path_equal ( first
, "/" )) {
719 /* Preserve the trailing slash */
720 if (! strextend (& done
, "/" , NULL
))
726 /* Just a dot? Then let's eat this up. */
727 if ( path_equal ( first
, "/." ))
730 /* Two dots? Then chop off the last bit of what we already found out. */
731 if ( path_equal ( first
, "/.." )) {
732 _cleanup_free_
char * parent
= NULL
;
733 _cleanup_close_
int fd_parent
= - 1 ;
735 /* If we already are at the top, then going up will not change anything. This is in-line with
736 * how the kernel handles this. */
737 if ( isempty ( done
) || path_equal ( done
, "/" ))
740 parent
= dirname_malloc ( done
);
744 /* Don't allow this to leave the root dir. */
746 path_startswith ( done
, root
) &&
747 ! path_startswith ( parent
, root
))
750 free_and_replace ( done
, parent
);
752 fd_parent
= openat ( fd
, ".." , O_CLOEXEC
| O_NOFOLLOW
| O_PATH
);
756 if ( flags
& CHASE_SAFE
) {
757 if ( fstat ( fd_parent
, & st
) < 0 )
760 if (! safe_transition (& previous_stat
, & st
))
773 /* Otherwise let's see what this is. */
774 child
= openat ( fd
, first
+ n
, O_CLOEXEC
| O_NOFOLLOW
| O_PATH
);
777 if ( errno
== ENOENT
&&
778 ( flags
& CHASE_NONEXISTENT
) &&
779 ( isempty ( todo
) || path_is_normalized ( todo
))) {
781 /* If CHASE_NONEXISTENT is set, and the path does not exist, then that's OK, return
782 * what we got so far. But don't allow this if the remaining path contains "../ or "./"
783 * or something else weird. */
785 /* If done is "/", as first also contains slash at the head, then remove this redundant slash. */
786 if ( streq_ptr ( done
, "/" ))
789 if (! strextend (& done
, first
, todo
, NULL
))
799 if ( fstat ( child
, & st
) < 0 )
801 if (( flags
& CHASE_SAFE
) &&
802 ! safe_transition (& previous_stat
, & st
))
807 if (( flags
& CHASE_NO_AUTOFS
) &&
808 fd_is_fs_type ( child
, AUTOFS_SUPER_MAGIC
) > 0 )
811 if ( S_ISLNK ( st
. st_mode
)) {
814 _cleanup_free_
char * destination
= NULL
;
816 /* This is a symlink, in this case read the destination. But let's make sure we don't follow
817 * symlinks without bounds. */
818 if (-- max_follow
<= 0 )
821 r
= readlinkat_malloc ( fd
, first
+ n
, & destination
);
824 if ( isempty ( destination
))
827 if ( path_is_absolute ( destination
)) {
829 /* An absolute destination. Start the loop from the beginning, but use the root
830 * directory as base. */
833 fd
= open ( root
?: "/" , O_CLOEXEC
| O_NOFOLLOW
| O_PATH
);
837 if ( flags
& CHASE_SAFE
) {
838 if ( fstat ( fd
, & st
) < 0 )
841 if (! safe_transition (& previous_stat
, & st
))
849 /* Note that we do not revalidate the root, we take it as is. */
858 /* Prefix what's left to do with what we just read, and start the loop again, but
859 * remain in the current directory. */
860 joined
= strjoin ( destination
, todo
);
862 joined
= strjoin ( "/" , destination
, todo
);
867 todo
= buffer
= joined
;
872 /* If this is not a symlink, then let's just add the name we read to what we already verified. */
877 /* If done is "/", as first also contains slash at the head, then remove this redundant slash. */
878 if ( streq ( done
, "/" ))
881 if (! strextend (& done
, first
, NULL
))
885 /* And iterate again, but go one directory further down. */
892 /* Special case, turn the empty string into "/", to indicate the root directory. */
903 if ( flags
& CHASE_OPEN
) {
906 /* Return the O_PATH fd we currently are looking to the caller. It can translate it to a proper fd by
907 * opening /proc/self/fd/xyz. */
919 int access_fd ( int fd
, int mode
) {
920 char p
[ STRLEN ( "/proc/self/fd/" ) + DECIMAL_STR_MAX ( fd
) + 1 ];
923 /* Like access() but operates on an already open fd */
925 xsprintf ( p
, "/proc/self/fd/%i" , fd
);