2 This file is part of systemd.
4 Copyright 2010 Lennart Poettering
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
29 #include "alloc-util.h"
30 #include "dirent-util.h"
36 //#include "missing.h"
38 #include "parse-util.h"
39 #include "path-util.h"
40 #include "string-util.h"
42 //#include "time-util.h"
43 #include "user-util.h"
46 int unlink_noerrno(const char *path) {
57 #if 0 /// UNNEEDED by elogind
58 int rmdir_parents(const char *path, const char *stop) {
67 /* Skip trailing slashes */
68 while (l > 0 && path[l-1] == '/')
74 /* Skip last component */
75 while (l > 0 && path[l-1] != '/')
78 /* Skip trailing slashes */
79 while (l > 0 && path[l-1] == '/')
89 if (path_startswith(stop, t)) {
106 int rename_noreplace(int olddirfd, const char *oldpath, int newdirfd, const char *newpath) {
110 ret = renameat2(olddirfd, oldpath, newdirfd, newpath, RENAME_NOREPLACE);
114 /* renameat2() exists since Linux 3.15, btrfs added support for it later.
115 * If it is not implemented, fallback to another method. */
116 if (!IN_SET(errno, EINVAL, ENOSYS))
119 /* The link()/unlink() fallback does not work on directories. But
120 * renameat() without RENAME_NOREPLACE gives the same semantics on
121 * directories, except when newpath is an *empty* directory. This is
123 ret = fstatat(olddirfd, oldpath, &buf, AT_SYMLINK_NOFOLLOW);
124 if (ret >= 0 && S_ISDIR(buf.st_mode)) {
125 ret = renameat(olddirfd, oldpath, newdirfd, newpath);
126 return ret >= 0 ? 0 : -errno;
129 /* If it is not a directory, use the link()/unlink() fallback. */
130 ret = linkat(olddirfd, oldpath, newdirfd, newpath, 0);
134 ret = unlinkat(olddirfd, oldpath, 0);
136 /* backup errno before the following unlinkat() alters it */
138 (void) unlinkat(newdirfd, newpath, 0);
147 int readlinkat_malloc(int fd, const char *p, char **ret) {
162 n = readlinkat(fd, p, c, l-1);
169 if ((size_t) n < l-1) {
180 int readlink_malloc(const char *p, char **ret) {
181 return readlinkat_malloc(AT_FDCWD, p, ret);
184 #if 0 /// UNNEEDED by elogind
185 int readlink_value(const char *p, char **ret) {
186 _cleanup_free_ char *link = NULL;
190 r = readlink_malloc(p, &link);
194 value = basename(link);
198 value = strdup(value);
207 int readlink_and_make_absolute(const char *p, char **r) {
208 _cleanup_free_ char *target = NULL;
215 j = readlink_malloc(p, &target);
219 k = file_in_same_dir(p, target);
227 int readlink_and_canonicalize(const char *p, const char *root, char **ret) {
234 r = readlink_and_make_absolute(p, &t);
238 r = chase_symlinks(t, root, 0, &s);
240 /* If we can't follow up, then let's return the original string, slightly cleaned up. */
241 *ret = path_kill_slashes(t);
250 int readlink_and_make_absolute_root(const char *root, const char *path, char **ret) {
251 _cleanup_free_ char *target = NULL, *t = NULL;
255 full = prefix_roota(root, path);
256 r = readlink_malloc(full, &target);
260 t = file_in_same_dir(path, target);
271 int chmod_and_chown(const char *path, mode_t mode, uid_t uid, gid_t gid) {
274 /* Under the assumption that we are running privileged we
275 * first change the access mode and only then hand out
276 * ownership to avoid a window where access is too open. */
278 if (mode != MODE_INVALID)
279 if (chmod(path, mode) < 0)
282 if (uid != UID_INVALID || gid != GID_INVALID)
283 if (chown(path, uid, gid) < 0)
289 int fchmod_umask(int fd, mode_t m) {
294 r = fchmod(fd, m & (~u)) < 0 ? -errno : 0;
300 int fd_warn_permissions(const char *path, int fd) {
303 if (fstat(fd, &st) < 0)
306 if (st.st_mode & 0111)
307 log_warning("Configuration file %s is marked executable. Please remove executable permission bits. Proceeding anyway.", path);
309 if (st.st_mode & 0002)
310 log_warning("Configuration file %s is marked world-writable. Please remove world writability permission bits. Proceeding anyway.", path);
312 if (getpid() == 1 && (st.st_mode & 0044) != 0044)
313 log_warning("Configuration file %s is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.", path);
318 int touch_file(const char *path, bool parents, usec_t stamp, uid_t uid, gid_t gid, mode_t mode) {
319 _cleanup_close_ int fd;
325 mkdir_parents(path, 0755);
327 fd = open(path, O_WRONLY|O_CREAT|O_CLOEXEC|O_NOCTTY,
328 (mode == 0 || mode == MODE_INVALID) ? 0644 : mode);
332 if (mode != MODE_INVALID) {
333 r = fchmod(fd, mode);
338 if (uid != UID_INVALID || gid != GID_INVALID) {
339 r = fchown(fd, uid, gid);
344 if (stamp != USEC_INFINITY) {
345 struct timespec ts[2];
347 timespec_store(&ts[0], stamp);
349 r = futimens(fd, ts);
351 r = futimens(fd, NULL);
358 int touch(const char *path) {
359 return touch_file(path, false, USEC_INFINITY, UID_INVALID, GID_INVALID, MODE_INVALID);
362 #if 0 /// UNNEEDED by elogind
363 int symlink_idempotent(const char *from, const char *to) {
364 _cleanup_free_ char *p = NULL;
370 if (symlink(from, to) < 0) {
374 r = readlink_malloc(to, &p);
385 int symlink_atomic(const char *from, const char *to) {
386 _cleanup_free_ char *t = NULL;
392 r = tempfn_random(to, NULL, &t);
396 if (symlink(from, t) < 0)
399 if (rename(t, to) < 0) {
407 int mknod_atomic(const char *path, mode_t mode, dev_t dev) {
408 _cleanup_free_ char *t = NULL;
413 r = tempfn_random(path, NULL, &t);
417 if (mknod(t, mode, dev) < 0)
420 if (rename(t, path) < 0) {
428 int mkfifo_atomic(const char *path, mode_t mode) {
429 _cleanup_free_ char *t = NULL;
434 r = tempfn_random(path, NULL, &t);
438 if (mkfifo(t, mode) < 0)
441 if (rename(t, path) < 0) {
450 int get_files_in_directory(const char *path, char ***list) {
451 _cleanup_closedir_ DIR *d = NULL;
453 size_t bufsize = 0, n = 0;
454 _cleanup_strv_free_ char **l = NULL;
458 /* Returns all files in a directory in *list, and the number
459 * of files as return value. If list is NULL returns only the
466 FOREACH_DIRENT_ALL(de, d, return -errno) {
467 dirent_ensure_type(d, de);
469 if (!dirent_is_file(de))
473 /* one extra slot is needed for the terminating NULL */
474 if (!GREEDY_REALLOC(l, bufsize, n + 2))
477 l[n] = strdup(de->d_name);
488 l = NULL; /* avoid freeing */
494 #if 0 /// UNNEEDED by elogind
495 static int getenv_tmp_dir(const char **ret_path) {
501 /* We use the same order of environment variables python uses in tempfile.gettempdir():
502 * https://docs.python.org/3/library/tempfile.html#tempfile.gettempdir */
503 FOREACH_STRING(n, "TMPDIR", "TEMP", "TMP") {
506 e = secure_getenv(n);
509 if (!path_is_absolute(e)) {
513 if (!path_is_safe(e)) {
530 /* Remember first error, to make this more debuggable */
542 static int tmp_dir_internal(const char *def, const char **ret) {
549 r = getenv_tmp_dir(&e);
555 k = is_dir(def, true);
559 return r < 0 ? r : k;
565 int var_tmp_dir(const char **ret) {
567 /* Returns the location for "larger" temporary files, that is backed by physical storage if available, and thus
568 * even might survive a boot: /var/tmp. If $TMPDIR (or related environment variables) are set, its value is
569 * returned preferably however. Note that both this function and tmp_dir() below are affected by $TMPDIR,
570 * making it a variable that overrides all temporary file storage locations. */
572 return tmp_dir_internal("/var/tmp", ret);
575 int tmp_dir(const char **ret) {
577 /* Similar to var_tmp_dir() above, but returns the location for "smaller" temporary files, which is usually
578 * backed by an in-memory file system: /tmp. */
580 return tmp_dir_internal("/tmp", ret);
583 int inotify_add_watch_fd(int fd, int what, uint32_t mask) {
584 char path[strlen("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
587 /* This is like inotify_add_watch(), except that the file to watch is not referenced by a path, but by an fd */
588 xsprintf(path, "/proc/self/fd/%i", what);
590 r = inotify_add_watch(fd, path, mask);
597 int chase_symlinks(const char *path, const char *original_root, unsigned flags, char **ret) {
598 _cleanup_free_ char *buffer = NULL, *done = NULL, *root = NULL;
599 _cleanup_close_ int fd = -1;
600 unsigned max_follow = 32; /* how many symlinks to follow before giving up and returning ELOOP */
607 /* This is a lot like canonicalize_file_name(), but takes an additional "root" parameter, that allows following
608 * symlinks relative to a root directory, instead of the root of the host.
610 * Note that "root" primarily matters if we encounter an absolute symlink. It is also used when following
611 * relative symlinks to ensure they cannot be used to "escape" the root directory. The path parameter passed is
612 * assumed to be already prefixed by it, except if the CHASE_PREFIX_ROOT flag is set, in which case it is first
613 * prefixed accordingly.
615 * Algorithmically this operates on two path buffers: "done" are the components of the path we already
616 * processed and resolved symlinks, "." and ".." of. "todo" are the components of the path we still need to
617 * process. On each iteration, we move one component from "todo" to "done", processing it's special meaning
618 * each time. The "todo" path always starts with at least one slash, the "done" path always ends in no
619 * slash. We always keep an O_PATH fd to the component we are currently processing, thus keeping lookup races
622 * Suggested usage: whenever you want to canonicalize a path, use this function. Pass the absolute path you got
623 * as-is: fully qualified and relative to your host's root. Optionally, specify the root parameter to tell this
624 * function what to do when encountering a symlink with an absolute path as directory: prefix it by the
627 * Note: there's also chase_symlinks_prefix() (see below), which as first step prefixes the passed path by the
631 r = path_make_absolute_cwd(original_root, &root);
635 if (flags & CHASE_PREFIX_ROOT)
636 path = prefix_roota(root, path);
639 r = path_make_absolute_cwd(path, &buffer);
643 fd = open("/", O_CLOEXEC|O_NOFOLLOW|O_PATH);
649 _cleanup_free_ char *first = NULL;
650 _cleanup_close_ int child = -1;
654 /* Determine length of first component in the path */
655 n = strspn(todo, "/"); /* The slashes */
656 m = n + strcspn(todo + n, "/"); /* The entire length of the component */
658 /* Extract the first component. */
659 first = strndup(todo, m);
665 /* Just a single slash? Then we reached the end. */
666 if (isempty(first) || path_equal(first, "/"))
669 /* Just a dot? Then let's eat this up. */
670 if (path_equal(first, "/."))
673 /* Two dots? Then chop off the last bit of what we already found out. */
674 if (path_equal(first, "/..")) {
675 _cleanup_free_ char *parent = NULL;
678 /* If we already are at the top, then going up will not change anything. This is in-line with
679 * how the kernel handles this. */
680 if (isempty(done) || path_equal(done, "/"))
683 parent = dirname_malloc(done);
687 /* Don't allow this to leave the root dir. */
689 path_startswith(done, root) &&
690 !path_startswith(parent, root))
693 free_and_replace(done, parent);
695 fd_parent = openat(fd, "..", O_CLOEXEC|O_NOFOLLOW|O_PATH);
705 /* Otherwise let's see what this is. */
706 child = openat(fd, first + n, O_CLOEXEC|O_NOFOLLOW|O_PATH);
709 if (errno == ENOENT &&
710 (flags & CHASE_NONEXISTENT) &&
711 (isempty(todo) || path_is_safe(todo))) {
713 /* If CHASE_NONEXISTENT is set, and the path does not exist, then that's OK, return
714 * what we got so far. But don't allow this if the remaining path contains "../ or "./"
715 * or something else weird. */
717 if (!strextend(&done, first, todo, NULL))
727 if (fstat(child, &st) < 0)
730 if (S_ISLNK(st.st_mode)) {
733 _cleanup_free_ char *destination = NULL;
735 /* This is a symlink, in this case read the destination. But let's make sure we don't follow
736 * symlinks without bounds. */
737 if (--max_follow <= 0)
740 r = readlinkat_malloc(fd, first + n, &destination);
743 if (isempty(destination))
746 if (path_is_absolute(destination)) {
748 /* An absolute destination. Start the loop from the beginning, but use the root
749 * directory as base. */
752 fd = open(root ?: "/", O_CLOEXEC|O_NOFOLLOW|O_PATH);
758 /* Note that we do not revalidate the root, we take it as is. */
769 /* Prefix what's left to do with what we just read, and start the loop again,
770 * but remain in the current directory. */
772 joined = strjoin("/", destination, todo);
777 todo = buffer = joined;
782 /* If this is not a symlink, then let's just add the name we read to what we already verified. */
787 if (!strextend(&done, first, NULL))
791 /* And iterate again, but go one directory further down. */
798 /* Special case, turn the empty string into "/", to indicate the root directory. */