2 This file is part of systemd.
4 Copyright 2010 Lennart Poettering
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
29 #include "alloc-util.h"
30 #include "dirent-util.h"
36 //#include "missing.h"
38 #include "parse-util.h"
39 #include "path-util.h"
40 #include "stat-util.h"
41 #include "string-util.h"
43 //#include "time-util.h"
44 #include "user-util.h"
47 int unlink_noerrno(const char *path) {
58 #if 0 /// UNNEEDED by elogind
59 int rmdir_parents(const char *path, const char *stop) {
68 /* Skip trailing slashes */
69 while (l > 0 && path[l-1] == '/')
75 /* Skip last component */
76 while (l > 0 && path[l-1] != '/')
79 /* Skip trailing slashes */
80 while (l > 0 && path[l-1] == '/')
90 if (path_startswith(stop, t)) {
107 int rename_noreplace(int olddirfd, const char *oldpath, int newdirfd, const char *newpath) {
111 ret = renameat2(olddirfd, oldpath, newdirfd, newpath, RENAME_NOREPLACE);
115 /* renameat2() exists since Linux 3.15, btrfs added support for it later.
116 * If it is not implemented, fallback to another method. */
117 if (!IN_SET(errno, EINVAL, ENOSYS))
120 /* The link()/unlink() fallback does not work on directories. But
121 * renameat() without RENAME_NOREPLACE gives the same semantics on
122 * directories, except when newpath is an *empty* directory. This is
124 ret = fstatat(olddirfd, oldpath, &buf, AT_SYMLINK_NOFOLLOW);
125 if (ret >= 0 && S_ISDIR(buf.st_mode)) {
126 ret = renameat(olddirfd, oldpath, newdirfd, newpath);
127 return ret >= 0 ? 0 : -errno;
130 /* If it is not a directory, use the link()/unlink() fallback. */
131 ret = linkat(olddirfd, oldpath, newdirfd, newpath, 0);
135 ret = unlinkat(olddirfd, oldpath, 0);
137 /* backup errno before the following unlinkat() alters it */
139 (void) unlinkat(newdirfd, newpath, 0);
148 int readlinkat_malloc(int fd, const char *p, char **ret) {
163 n = readlinkat(fd, p, c, l-1);
170 if ((size_t) n < l-1) {
181 int readlink_malloc(const char *p, char **ret) {
182 return readlinkat_malloc(AT_FDCWD, p, ret);
185 #if 0 /// UNNEEDED by elogind
186 int readlink_value(const char *p, char **ret) {
187 _cleanup_free_ char *link = NULL;
191 r = readlink_malloc(p, &link);
195 value = basename(link);
199 value = strdup(value);
209 int readlink_and_make_absolute(const char *p, char **r) {
210 _cleanup_free_ char *target = NULL;
217 j = readlink_malloc(p, &target);
221 k = file_in_same_dir(p, target);
229 #if 0 /// UNNEEDED by elogind
230 int readlink_and_canonicalize(const char *p, const char *root, char **ret) {
237 r = readlink_and_make_absolute(p, &t);
241 r = chase_symlinks(t, root, 0, &s);
243 /* If we can't follow up, then let's return the original string, slightly cleaned up. */
244 *ret = path_kill_slashes(t);
253 int readlink_and_make_absolute_root(const char *root, const char *path, char **ret) {
254 _cleanup_free_ char *target = NULL, *t = NULL;
258 full = prefix_roota(root, path);
259 r = readlink_malloc(full, &target);
263 t = file_in_same_dir(path, target);
274 int chmod_and_chown(const char *path, mode_t mode, uid_t uid, gid_t gid) {
277 /* Under the assumption that we are running privileged we
278 * first change the access mode and only then hand out
279 * ownership to avoid a window where access is too open. */
281 if (mode != MODE_INVALID)
282 if (chmod(path, mode) < 0)
285 if (uid != UID_INVALID || gid != GID_INVALID)
286 if (chown(path, uid, gid) < 0)
292 int fchmod_umask(int fd, mode_t m) {
297 r = fchmod(fd, m & (~u)) < 0 ? -errno : 0;
303 int fd_warn_permissions(const char *path, int fd) {
306 if (fstat(fd, &st) < 0)
309 if (st.st_mode & 0111)
310 log_warning("Configuration file %s is marked executable. Please remove executable permission bits. Proceeding anyway.", path);
312 if (st.st_mode & 0002)
313 log_warning("Configuration file %s is marked world-writable. Please remove world writability permission bits. Proceeding anyway.", path);
315 if (getpid() == 1 && (st.st_mode & 0044) != 0044)
316 log_warning("Configuration file %s is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.", path);
321 int touch_file(const char *path, bool parents, usec_t stamp, uid_t uid, gid_t gid, mode_t mode) {
322 _cleanup_close_ int fd;
328 mkdir_parents(path, 0755);
330 fd = open(path, O_WRONLY|O_CREAT|O_CLOEXEC|O_NOCTTY,
331 (mode == 0 || mode == MODE_INVALID) ? 0644 : mode);
335 if (mode != MODE_INVALID) {
336 r = fchmod(fd, mode);
341 if (uid != UID_INVALID || gid != GID_INVALID) {
342 r = fchown(fd, uid, gid);
347 if (stamp != USEC_INFINITY) {
348 struct timespec ts[2];
350 timespec_store(&ts[0], stamp);
352 r = futimens(fd, ts);
354 r = futimens(fd, NULL);
361 int touch(const char *path) {
362 return touch_file(path, false, USEC_INFINITY, UID_INVALID, GID_INVALID, MODE_INVALID);
365 #if 0 /// UNNEEDED by elogind
366 int symlink_idempotent(const char *from, const char *to) {
367 _cleanup_free_ char *p = NULL;
373 if (symlink(from, to) < 0) {
377 r = readlink_malloc(to, &p);
388 int symlink_atomic(const char *from, const char *to) {
389 _cleanup_free_ char *t = NULL;
395 r = tempfn_random(to, NULL, &t);
399 if (symlink(from, t) < 0)
402 if (rename(t, to) < 0) {
410 int mknod_atomic(const char *path, mode_t mode, dev_t dev) {
411 _cleanup_free_ char *t = NULL;
416 r = tempfn_random(path, NULL, &t);
420 if (mknod(t, mode, dev) < 0)
423 if (rename(t, path) < 0) {
431 int mkfifo_atomic(const char *path, mode_t mode) {
432 _cleanup_free_ char *t = NULL;
437 r = tempfn_random(path, NULL, &t);
441 if (mkfifo(t, mode) < 0)
444 if (rename(t, path) < 0) {
453 int get_files_in_directory(const char *path, char ***list) {
454 _cleanup_closedir_ DIR *d = NULL;
456 size_t bufsize = 0, n = 0;
457 _cleanup_strv_free_ char **l = NULL;
461 /* Returns all files in a directory in *list, and the number
462 * of files as return value. If list is NULL returns only the
469 FOREACH_DIRENT_ALL(de, d, return -errno) {
470 dirent_ensure_type(d, de);
472 if (!dirent_is_file(de))
476 /* one extra slot is needed for the terminating NULL */
477 if (!GREEDY_REALLOC(l, bufsize, n + 2))
480 l[n] = strdup(de->d_name);
491 l = NULL; /* avoid freeing */
497 static int getenv_tmp_dir(const char **ret_path) {
503 /* We use the same order of environment variables python uses in tempfile.gettempdir():
504 * https://docs.python.org/3/library/tempfile.html#tempfile.gettempdir */
505 FOREACH_STRING(n, "TMPDIR", "TEMP", "TMP") {
508 e = secure_getenv(n);
511 if (!path_is_absolute(e)) {
515 if (!path_is_safe(e)) {
532 /* Remember first error, to make this more debuggable */
544 static int tmp_dir_internal(const char *def, const char **ret) {
551 r = getenv_tmp_dir(&e);
557 k = is_dir(def, true);
561 return r < 0 ? r : k;
567 #if 0 /// UNNEEDED by elogind
568 int var_tmp_dir(const char **ret) {
570 /* Returns the location for "larger" temporary files, that is backed by physical storage if available, and thus
571 * even might survive a boot: /var/tmp. If $TMPDIR (or related environment variables) are set, its value is
572 * returned preferably however. Note that both this function and tmp_dir() below are affected by $TMPDIR,
573 * making it a variable that overrides all temporary file storage locations. */
575 return tmp_dir_internal("/var/tmp", ret);
579 int tmp_dir(const char **ret) {
581 /* Similar to var_tmp_dir() above, but returns the location for "smaller" temporary files, which is usually
582 * backed by an in-memory file system: /tmp. */
584 return tmp_dir_internal("/tmp", ret);
587 #if 0 /// UNNEEDED by elogind
588 int inotify_add_watch_fd(int fd, int what, uint32_t mask) {
589 char path[strlen("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
592 /* This is like inotify_add_watch(), except that the file to watch is not referenced by a path, but by an fd */
593 xsprintf(path, "/proc/self/fd/%i", what);
595 r = inotify_add_watch(fd, path, mask);
603 int chase_symlinks(const char *path, const char *original_root, unsigned flags, char **ret) {
604 _cleanup_free_ char *buffer = NULL, *done = NULL, *root = NULL;
605 _cleanup_close_ int fd = -1;
606 unsigned max_follow = 32; /* how many symlinks to follow before giving up and returning ELOOP */
613 /* This is a lot like canonicalize_file_name(), but takes an additional "root" parameter, that allows following
614 * symlinks relative to a root directory, instead of the root of the host.
616 * Note that "root" primarily matters if we encounter an absolute symlink. It is also used when following
617 * relative symlinks to ensure they cannot be used to "escape" the root directory. The path parameter passed is
618 * assumed to be already prefixed by it, except if the CHASE_PREFIX_ROOT flag is set, in which case it is first
619 * prefixed accordingly.
621 * Algorithmically this operates on two path buffers: "done" are the components of the path we already
622 * processed and resolved symlinks, "." and ".." of. "todo" are the components of the path we still need to
623 * process. On each iteration, we move one component from "todo" to "done", processing it's special meaning
624 * each time. The "todo" path always starts with at least one slash, the "done" path always ends in no
625 * slash. We always keep an O_PATH fd to the component we are currently processing, thus keeping lookup races
628 * Suggested usage: whenever you want to canonicalize a path, use this function. Pass the absolute path you got
629 * as-is: fully qualified and relative to your host's root. Optionally, specify the root parameter to tell this
630 * function what to do when encountering a symlink with an absolute path as directory: prefix it by the
633 * Note: there's also chase_symlinks_prefix() (see below), which as first step prefixes the passed path by the
637 r = path_make_absolute_cwd(original_root, &root);
641 if (flags & CHASE_PREFIX_ROOT)
642 path = prefix_roota(root, path);
645 r = path_make_absolute_cwd(path, &buffer);
649 fd = open("/", O_CLOEXEC|O_NOFOLLOW|O_PATH);
655 _cleanup_free_ char *first = NULL;
656 _cleanup_close_ int child = -1;
660 /* Determine length of first component in the path */
661 n = strspn(todo, "/"); /* The slashes */
662 m = n + strcspn(todo + n, "/"); /* The entire length of the component */
664 /* Extract the first component. */
665 first = strndup(todo, m);
671 /* Just a single slash? Then we reached the end. */
672 if (isempty(first) || path_equal(first, "/"))
675 /* Just a dot? Then let's eat this up. */
676 if (path_equal(first, "/."))
679 /* Two dots? Then chop off the last bit of what we already found out. */
680 if (path_equal(first, "/..")) {
681 _cleanup_free_ char *parent = NULL;
684 /* If we already are at the top, then going up will not change anything. This is in-line with
685 * how the kernel handles this. */
686 if (isempty(done) || path_equal(done, "/"))
689 parent = dirname_malloc(done);
693 /* Don't allow this to leave the root dir. */
695 path_startswith(done, root) &&
696 !path_startswith(parent, root))
699 free_and_replace(done, parent);
701 fd_parent = openat(fd, "..", O_CLOEXEC|O_NOFOLLOW|O_PATH);
711 /* Otherwise let's see what this is. */
712 child = openat(fd, first + n, O_CLOEXEC|O_NOFOLLOW|O_PATH);
715 if (errno == ENOENT &&
716 (flags & CHASE_NONEXISTENT) &&
717 (isempty(todo) || path_is_safe(todo))) {
719 /* If CHASE_NONEXISTENT is set, and the path does not exist, then that's OK, return
720 * what we got so far. But don't allow this if the remaining path contains "../ or "./"
721 * or something else weird. */
723 if (!strextend(&done, first, todo, NULL))
733 if (fstat(child, &st) < 0)
736 if (S_ISLNK(st.st_mode)) {
739 _cleanup_free_ char *destination = NULL;
741 /* This is a symlink, in this case read the destination. But let's make sure we don't follow
742 * symlinks without bounds. */
743 if (--max_follow <= 0)
746 r = readlinkat_malloc(fd, first + n, &destination);
749 if (isempty(destination))
752 if (path_is_absolute(destination)) {
754 /* An absolute destination. Start the loop from the beginning, but use the root
755 * directory as base. */
758 fd = open(root ?: "/", O_CLOEXEC|O_NOFOLLOW|O_PATH);
764 /* Note that we do not revalidate the root, we take it as is. */
775 /* Prefix what's left to do with what we just read, and start the loop again,
776 * but remain in the current directory. */
778 joined = strjoin("/", destination, todo);
783 todo = buffer = joined;
788 /* If this is not a symlink, then let's just add the name we read to what we already verified. */
793 if (!strextend(&done, first, NULL))
797 /* And iterate again, but go one directory further down. */
804 /* Special case, turn the empty string into "/", to indicate the root directory. */