2 This file is part of systemd.
4 Copyright 2010 Lennart Poettering
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
29 #include "alloc-util.h"
30 #include "dirent-util.h"
36 //#include "missing.h"
38 #include "parse-util.h"
39 #include "path-util.h"
40 #include "stat-util.h"
41 #include "string-util.h"
43 //#include "time-util.h"
44 #include "user-util.h"
47 int unlink_noerrno(const char *path) {
58 #if 0 /// UNNEEDED by elogind
59 int rmdir_parents(const char *path, const char *stop) {
68 /* Skip trailing slashes */
69 while (l > 0 && path[l-1] == '/')
75 /* Skip last component */
76 while (l > 0 && path[l-1] != '/')
79 /* Skip trailing slashes */
80 while (l > 0 && path[l-1] == '/')
90 if (path_startswith(stop, t)) {
107 int rename_noreplace(int olddirfd, const char *oldpath, int newdirfd, const char *newpath) {
111 ret = renameat2(olddirfd, oldpath, newdirfd, newpath, RENAME_NOREPLACE);
115 /* renameat2() exists since Linux 3.15, btrfs added support for it later.
116 * If it is not implemented, fallback to another method. */
117 if (!IN_SET(errno, EINVAL, ENOSYS))
120 /* The link()/unlink() fallback does not work on directories. But
121 * renameat() without RENAME_NOREPLACE gives the same semantics on
122 * directories, except when newpath is an *empty* directory. This is
124 ret = fstatat(olddirfd, oldpath, &buf, AT_SYMLINK_NOFOLLOW);
125 if (ret >= 0 && S_ISDIR(buf.st_mode)) {
126 ret = renameat(olddirfd, oldpath, newdirfd, newpath);
127 return ret >= 0 ? 0 : -errno;
130 /* If it is not a directory, use the link()/unlink() fallback. */
131 ret = linkat(olddirfd, oldpath, newdirfd, newpath, 0);
135 ret = unlinkat(olddirfd, oldpath, 0);
137 /* backup errno before the following unlinkat() alters it */
139 (void) unlinkat(newdirfd, newpath, 0);
148 int readlinkat_malloc(int fd, const char *p, char **ret) {
163 n = readlinkat(fd, p, c, l-1);
170 if ((size_t) n < l-1) {
181 int readlink_malloc(const char *p, char **ret) {
182 return readlinkat_malloc(AT_FDCWD, p, ret);
185 #if 0 /// UNNEEDED by elogind
186 int readlink_value(const char *p, char **ret) {
187 _cleanup_free_ char *link = NULL;
191 r = readlink_malloc(p, &link);
195 value = basename(link);
199 value = strdup(value);
208 int readlink_and_make_absolute(const char *p, char **r) {
209 _cleanup_free_ char *target = NULL;
216 j = readlink_malloc(p, &target);
220 k = file_in_same_dir(p, target);
228 int readlink_and_canonicalize(const char *p, const char *root, char **ret) {
235 r = readlink_and_make_absolute(p, &t);
239 r = chase_symlinks(t, root, 0, &s);
241 /* If we can't follow up, then let's return the original string, slightly cleaned up. */
242 *ret = path_kill_slashes(t);
251 int readlink_and_make_absolute_root(const char *root, const char *path, char **ret) {
252 _cleanup_free_ char *target = NULL, *t = NULL;
256 full = prefix_roota(root, path);
257 r = readlink_malloc(full, &target);
261 t = file_in_same_dir(path, target);
272 int chmod_and_chown(const char *path, mode_t mode, uid_t uid, gid_t gid) {
275 /* Under the assumption that we are running privileged we
276 * first change the access mode and only then hand out
277 * ownership to avoid a window where access is too open. */
279 if (mode != MODE_INVALID)
280 if (chmod(path, mode) < 0)
283 if (uid != UID_INVALID || gid != GID_INVALID)
284 if (chown(path, uid, gid) < 0)
290 int fchmod_umask(int fd, mode_t m) {
295 r = fchmod(fd, m & (~u)) < 0 ? -errno : 0;
301 int fd_warn_permissions(const char *path, int fd) {
304 if (fstat(fd, &st) < 0)
307 if (st.st_mode & 0111)
308 log_warning("Configuration file %s is marked executable. Please remove executable permission bits. Proceeding anyway.", path);
310 if (st.st_mode & 0002)
311 log_warning("Configuration file %s is marked world-writable. Please remove world writability permission bits. Proceeding anyway.", path);
313 if (getpid() == 1 && (st.st_mode & 0044) != 0044)
314 log_warning("Configuration file %s is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.", path);
319 int touch_file(const char *path, bool parents, usec_t stamp, uid_t uid, gid_t gid, mode_t mode) {
320 _cleanup_close_ int fd;
326 mkdir_parents(path, 0755);
328 fd = open(path, O_WRONLY|O_CREAT|O_CLOEXEC|O_NOCTTY,
329 (mode == 0 || mode == MODE_INVALID) ? 0644 : mode);
333 if (mode != MODE_INVALID) {
334 r = fchmod(fd, mode);
339 if (uid != UID_INVALID || gid != GID_INVALID) {
340 r = fchown(fd, uid, gid);
345 if (stamp != USEC_INFINITY) {
346 struct timespec ts[2];
348 timespec_store(&ts[0], stamp);
350 r = futimens(fd, ts);
352 r = futimens(fd, NULL);
359 int touch(const char *path) {
360 return touch_file(path, false, USEC_INFINITY, UID_INVALID, GID_INVALID, MODE_INVALID);
363 #if 0 /// UNNEEDED by elogind
364 int symlink_idempotent(const char *from, const char *to) {
365 _cleanup_free_ char *p = NULL;
371 if (symlink(from, to) < 0) {
375 r = readlink_malloc(to, &p);
386 int symlink_atomic(const char *from, const char *to) {
387 _cleanup_free_ char *t = NULL;
393 r = tempfn_random(to, NULL, &t);
397 if (symlink(from, t) < 0)
400 if (rename(t, to) < 0) {
408 int mknod_atomic(const char *path, mode_t mode, dev_t dev) {
409 _cleanup_free_ char *t = NULL;
414 r = tempfn_random(path, NULL, &t);
418 if (mknod(t, mode, dev) < 0)
421 if (rename(t, path) < 0) {
429 int mkfifo_atomic(const char *path, mode_t mode) {
430 _cleanup_free_ char *t = NULL;
435 r = tempfn_random(path, NULL, &t);
439 if (mkfifo(t, mode) < 0)
442 if (rename(t, path) < 0) {
451 int get_files_in_directory(const char *path, char ***list) {
452 _cleanup_closedir_ DIR *d = NULL;
454 size_t bufsize = 0, n = 0;
455 _cleanup_strv_free_ char **l = NULL;
459 /* Returns all files in a directory in *list, and the number
460 * of files as return value. If list is NULL returns only the
467 FOREACH_DIRENT_ALL(de, d, return -errno) {
468 dirent_ensure_type(d, de);
470 if (!dirent_is_file(de))
474 /* one extra slot is needed for the terminating NULL */
475 if (!GREEDY_REALLOC(l, bufsize, n + 2))
478 l[n] = strdup(de->d_name);
489 l = NULL; /* avoid freeing */
495 static int getenv_tmp_dir(const char **ret_path) {
501 /* We use the same order of environment variables python uses in tempfile.gettempdir():
502 * https://docs.python.org/3/library/tempfile.html#tempfile.gettempdir */
503 FOREACH_STRING(n, "TMPDIR", "TEMP", "TMP") {
506 e = secure_getenv(n);
509 if (!path_is_absolute(e)) {
513 if (!path_is_safe(e)) {
530 /* Remember first error, to make this more debuggable */
542 static int tmp_dir_internal(const char *def, const char **ret) {
549 r = getenv_tmp_dir(&e);
555 k = is_dir(def, true);
559 return r < 0 ? r : k;
565 #if 0 /// UNNEEDED by elogind
566 int var_tmp_dir(const char **ret) {
568 /* Returns the location for "larger" temporary files, that is backed by physical storage if available, and thus
569 * even might survive a boot: /var/tmp. If $TMPDIR (or related environment variables) are set, its value is
570 * returned preferably however. Note that both this function and tmp_dir() below are affected by $TMPDIR,
571 * making it a variable that overrides all temporary file storage locations. */
573 return tmp_dir_internal("/var/tmp", ret);
577 int tmp_dir(const char **ret) {
579 /* Similar to var_tmp_dir() above, but returns the location for "smaller" temporary files, which is usually
580 * backed by an in-memory file system: /tmp. */
582 return tmp_dir_internal("/tmp", ret);
585 #if 0 /// UNNEEDED by elogind
586 int inotify_add_watch_fd(int fd, int what, uint32_t mask) {
587 char path[strlen("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
590 /* This is like inotify_add_watch(), except that the file to watch is not referenced by a path, but by an fd */
591 xsprintf(path, "/proc/self/fd/%i", what);
593 r = inotify_add_watch(fd, path, mask);
601 int chase_symlinks(const char *path, const char *original_root, unsigned flags, char **ret) {
602 _cleanup_free_ char *buffer = NULL, *done = NULL, *root = NULL;
603 _cleanup_close_ int fd = -1;
604 unsigned max_follow = 32; /* how many symlinks to follow before giving up and returning ELOOP */
611 /* This is a lot like canonicalize_file_name(), but takes an additional "root" parameter, that allows following
612 * symlinks relative to a root directory, instead of the root of the host.
614 * Note that "root" primarily matters if we encounter an absolute symlink. It is also used when following
615 * relative symlinks to ensure they cannot be used to "escape" the root directory. The path parameter passed is
616 * assumed to be already prefixed by it, except if the CHASE_PREFIX_ROOT flag is set, in which case it is first
617 * prefixed accordingly.
619 * Algorithmically this operates on two path buffers: "done" are the components of the path we already
620 * processed and resolved symlinks, "." and ".." of. "todo" are the components of the path we still need to
621 * process. On each iteration, we move one component from "todo" to "done", processing it's special meaning
622 * each time. The "todo" path always starts with at least one slash, the "done" path always ends in no
623 * slash. We always keep an O_PATH fd to the component we are currently processing, thus keeping lookup races
626 * Suggested usage: whenever you want to canonicalize a path, use this function. Pass the absolute path you got
627 * as-is: fully qualified and relative to your host's root. Optionally, specify the root parameter to tell this
628 * function what to do when encountering a symlink with an absolute path as directory: prefix it by the
631 * Note: there's also chase_symlinks_prefix() (see below), which as first step prefixes the passed path by the
635 r = path_make_absolute_cwd(original_root, &root);
639 if (flags & CHASE_PREFIX_ROOT)
640 path = prefix_roota(root, path);
643 r = path_make_absolute_cwd(path, &buffer);
647 fd = open("/", O_CLOEXEC|O_NOFOLLOW|O_PATH);
653 _cleanup_free_ char *first = NULL;
654 _cleanup_close_ int child = -1;
658 /* Determine length of first component in the path */
659 n = strspn(todo, "/"); /* The slashes */
660 m = n + strcspn(todo + n, "/"); /* The entire length of the component */
662 /* Extract the first component. */
663 first = strndup(todo, m);
669 /* Just a single slash? Then we reached the end. */
670 if (isempty(first) || path_equal(first, "/"))
673 /* Just a dot? Then let's eat this up. */
674 if (path_equal(first, "/."))
677 /* Two dots? Then chop off the last bit of what we already found out. */
678 if (path_equal(first, "/..")) {
679 _cleanup_free_ char *parent = NULL;
682 /* If we already are at the top, then going up will not change anything. This is in-line with
683 * how the kernel handles this. */
684 if (isempty(done) || path_equal(done, "/"))
687 parent = dirname_malloc(done);
691 /* Don't allow this to leave the root dir. */
693 path_startswith(done, root) &&
694 !path_startswith(parent, root))
697 free_and_replace(done, parent);
699 fd_parent = openat(fd, "..", O_CLOEXEC|O_NOFOLLOW|O_PATH);
709 /* Otherwise let's see what this is. */
710 child = openat(fd, first + n, O_CLOEXEC|O_NOFOLLOW|O_PATH);
713 if (errno == ENOENT &&
714 (flags & CHASE_NONEXISTENT) &&
715 (isempty(todo) || path_is_safe(todo))) {
717 /* If CHASE_NONEXISTENT is set, and the path does not exist, then that's OK, return
718 * what we got so far. But don't allow this if the remaining path contains "../ or "./"
719 * or something else weird. */
721 if (!strextend(&done, first, todo, NULL))
731 if (fstat(child, &st) < 0)
734 if (S_ISLNK(st.st_mode)) {
737 _cleanup_free_ char *destination = NULL;
739 /* This is a symlink, in this case read the destination. But let's make sure we don't follow
740 * symlinks without bounds. */
741 if (--max_follow <= 0)
744 r = readlinkat_malloc(fd, first + n, &destination);
747 if (isempty(destination))
750 if (path_is_absolute(destination)) {
752 /* An absolute destination. Start the loop from the beginning, but use the root
753 * directory as base. */
756 fd = open(root ?: "/", O_CLOEXEC|O_NOFOLLOW|O_PATH);
762 /* Note that we do not revalidate the root, we take it as is. */
773 /* Prefix what's left to do with what we just read, and start the loop again,
774 * but remain in the current directory. */
776 joined = strjoin("/", destination, todo);
781 todo = buffer = joined;
786 /* If this is not a symlink, then let's just add the name we read to what we already verified. */
791 if (!strextend(&done, first, NULL))
795 /* And iterate again, but go one directory further down. */
802 /* Special case, turn the empty string into "/", to indicate the root directory. */