1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2010 Lennart Poettering
14 #include <linux/magic.h>
18 #include "alloc-util.h"
19 #include "dirent-util.h"
25 //#include "missing.h"
27 #include "parse-util.h"
28 #include "path-util.h"
29 //#include "process-util.h"
30 #include "stat-util.h"
31 #include "stdio-util.h"
32 #include "string-util.h"
34 //#include "time-util.h"
35 #include "user-util.h"
38 /// Additional includes needed by elogind
39 #include "process-util.h"
41 int unlink_noerrno(const char *path) {
52 #if 0 /// UNNEEDED by elogind
53 int rmdir_parents(const char *path, const char *stop) {
62 /* Skip trailing slashes */
63 while (l > 0 && path[l-1] == '/')
69 /* Skip last component */
70 while (l > 0 && path[l-1] != '/')
73 /* Skip trailing slashes */
74 while (l > 0 && path[l-1] == '/')
84 if (path_startswith(stop, t)) {
100 int rename_noreplace(int olddirfd, const char *oldpath, int newdirfd, const char *newpath) {
104 ret = renameat2(olddirfd, oldpath, newdirfd, newpath, RENAME_NOREPLACE);
108 /* renameat2() exists since Linux 3.15, btrfs added support for it later.
109 * If it is not implemented, fallback to another method. */
110 if (!IN_SET(errno, EINVAL, ENOSYS))
113 /* The link()/unlink() fallback does not work on directories. But
114 * renameat() without RENAME_NOREPLACE gives the same semantics on
115 * directories, except when newpath is an *empty* directory. This is
117 ret = fstatat(olddirfd, oldpath, &buf, AT_SYMLINK_NOFOLLOW);
118 if (ret >= 0 && S_ISDIR(buf.st_mode)) {
119 ret = renameat(olddirfd, oldpath, newdirfd, newpath);
120 return ret >= 0 ? 0 : -errno;
123 /* If it is not a directory, use the link()/unlink() fallback. */
124 ret = linkat(olddirfd, oldpath, newdirfd, newpath, 0);
128 ret = unlinkat(olddirfd, oldpath, 0);
130 /* backup errno before the following unlinkat() alters it */
132 (void) unlinkat(newdirfd, newpath, 0);
141 int readlinkat_malloc(int fd, const char *p, char **ret) {
156 n = readlinkat(fd, p, c, l-1);
163 if ((size_t) n < l-1) {
174 int readlink_malloc(const char *p, char **ret) {
175 return readlinkat_malloc(AT_FDCWD, p, ret);
178 #if 0 /// UNNEEDED by elogind
179 int readlink_value(const char *p, char **ret) {
180 _cleanup_free_ char *link = NULL;
184 r = readlink_malloc(p, &link);
188 value = basename(link);
192 value = strdup(value);
202 int readlink_and_make_absolute(const char *p, char **r) {
203 _cleanup_free_ char *target = NULL;
210 j = readlink_malloc(p, &target);
214 k = file_in_same_dir(p, target);
222 #if 0 /// UNNEEDED by elogind
224 int chmod_and_chown(const char *path, mode_t mode, uid_t uid, gid_t gid) {
227 /* Under the assumption that we are running privileged we
228 * first change the access mode and only then hand out
229 * ownership to avoid a window where access is too open. */
231 if (mode != MODE_INVALID)
232 if (chmod(path, mode) < 0)
235 if (uid != UID_INVALID || gid != GID_INVALID)
236 if (chown(path, uid, gid) < 0)
242 int fchmod_umask(int fd, mode_t m) {
247 r = fchmod(fd, m & (~u)) < 0 ? -errno : 0;
253 int fd_warn_permissions(const char *path, int fd) {
256 if (fstat(fd, &st) < 0)
259 if (st.st_mode & 0111)
260 log_warning("Configuration file %s is marked executable. Please remove executable permission bits. Proceeding anyway.", path);
262 if (st.st_mode & 0002)
263 log_warning("Configuration file %s is marked world-writable. Please remove world writability permission bits. Proceeding anyway.", path);
265 if (getpid_cached() == 1 && (st.st_mode & 0044) != 0044)
266 log_warning("Configuration file %s is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.", path);
271 int touch_file(const char *path, bool parents, usec_t stamp, uid_t uid, gid_t gid, mode_t mode) {
272 char fdpath[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
273 _cleanup_close_ int fd = -1;
278 /* Note that touch_file() does not follow symlinks: if invoked on an existing symlink, then it is the symlink
279 * itself which is updated, not its target
281 * Returns the first error we encounter, but tries to apply as much as possible. */
284 (void) mkdir_parents(path, 0755);
286 /* Initially, we try to open the node with O_PATH, so that we get a reference to the node. This is useful in
287 * case the path refers to an existing device or socket node, as we can open it successfully in all cases, and
288 * won't trigger any driver magic or so. */
289 fd = open(path, O_PATH|O_CLOEXEC|O_NOFOLLOW);
294 /* if the node doesn't exist yet, we create it, but with O_EXCL, so that we only create a regular file
295 * here, and nothing else */
296 fd = open(path, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, IN_SET(mode, 0, MODE_INVALID) ? 0644 : mode);
301 /* Let's make a path from the fd, and operate on that. With this logic, we can adjust the access mode,
302 * ownership and time of the file node in all cases, even if the fd refers to an O_PATH object â which is
303 * something fchown(), fchmod(), futimensat() don't allow. */
304 xsprintf(fdpath, "/proc/self/fd/%i", fd);
306 if (mode != MODE_INVALID)
307 if (chmod(fdpath, mode) < 0)
310 if (uid_is_valid(uid) || gid_is_valid(gid))
311 if (chown(fdpath, uid, gid) < 0 && ret >= 0)
314 if (stamp != USEC_INFINITY) {
315 struct timespec ts[2];
317 timespec_store(&ts[0], stamp);
319 r = utimensat(AT_FDCWD, fdpath, ts, 0);
321 r = utimensat(AT_FDCWD, fdpath, NULL, 0);
322 if (r < 0 && ret >= 0)
328 int touch(const char *path) {
329 return touch_file(path, false, USEC_INFINITY, UID_INVALID, GID_INVALID, MODE_INVALID);
332 #if 0 /// UNNEEDED by elogind
333 int symlink_idempotent(const char *from, const char *to) {
339 if (symlink(from, to) < 0) {
340 _cleanup_free_ char *p = NULL;
345 r = readlink_malloc(to, &p);
346 if (r == -EINVAL) /* Not a symlink? In that case return the original error we encountered: -EEXIST */
348 if (r < 0) /* Any other error? In that case propagate it as is */
351 if (!streq(p, from)) /* Not the symlink we want it to be? In that case, propagate the original -EEXIST */
358 int symlink_atomic(const char *from, const char *to) {
359 _cleanup_free_ char *t = NULL;
365 r = tempfn_random(to, NULL, &t);
369 if (symlink(from, t) < 0)
372 if (rename(t, to) < 0) {
380 int mknod_atomic(const char *path, mode_t mode, dev_t dev) {
381 _cleanup_free_ char *t = NULL;
386 r = tempfn_random(path, NULL, &t);
390 if (mknod(t, mode, dev) < 0)
393 if (rename(t, path) < 0) {
401 int mkfifo_atomic(const char *path, mode_t mode) {
402 _cleanup_free_ char *t = NULL;
407 r = tempfn_random(path, NULL, &t);
411 if (mkfifo(t, mode) < 0)
414 if (rename(t, path) < 0) {
423 int get_files_in_directory(const char *path, char ***list) {
424 _cleanup_closedir_ DIR *d = NULL;
426 size_t bufsize = 0, n = 0;
427 _cleanup_strv_free_ char **l = NULL;
431 /* Returns all files in a directory in *list, and the number
432 * of files as return value. If list is NULL returns only the
439 FOREACH_DIRENT_ALL(de, d, return -errno) {
440 dirent_ensure_type(d, de);
442 if (!dirent_is_file(de))
446 /* one extra slot is needed for the terminating NULL */
447 if (!GREEDY_REALLOC(l, bufsize, n + 2))
450 l[n] = strdup(de->d_name);
465 static int getenv_tmp_dir(const char **ret_path) {
471 /* We use the same order of environment variables python uses in tempfile.gettempdir():
472 * https://docs.python.org/3/library/tempfile.html#tempfile.gettempdir */
473 FOREACH_STRING(n, "TMPDIR", "TEMP", "TMP") {
476 e = secure_getenv(n);
479 if (!path_is_absolute(e)) {
483 if (!path_is_normalized(e)) {
500 /* Remember first error, to make this more debuggable */
512 static int tmp_dir_internal(const char *def, const char **ret) {
519 r = getenv_tmp_dir(&e);
525 k = is_dir(def, true);
529 return r < 0 ? r : k;
535 #if 0 /// UNNEEDED by elogind
536 int var_tmp_dir(const char **ret) {
538 /* Returns the location for "larger" temporary files, that is backed by physical storage if available, and thus
539 * even might survive a boot: /var/tmp. If $TMPDIR (or related environment variables) are set, its value is
540 * returned preferably however. Note that both this function and tmp_dir() below are affected by $TMPDIR,
541 * making it a variable that overrides all temporary file storage locations. */
543 return tmp_dir_internal("/var/tmp", ret);
547 int tmp_dir(const char **ret) {
549 /* Similar to var_tmp_dir() above, but returns the location for "smaller" temporary files, which is usually
550 * backed by an in-memory file system: /tmp. */
552 return tmp_dir_internal("/tmp", ret);
555 int unlink_or_warn(const char *filename) {
556 if (unlink(filename) < 0 && errno != ENOENT)
557 /* If the file doesn't exist and the fs simply was read-only (in which
558 * case unlink() returns EROFS even if the file doesn't exist), don't
560 if (errno != EROFS || access(filename, F_OK) >= 0)
561 return log_error_errno(errno, "Failed to remove \"%s\": %m", filename);
566 #if 0 /// UNNEEDED by elogind
567 int inotify_add_watch_fd(int fd, int what, uint32_t mask) {
568 char path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
571 /* This is like inotify_add_watch(), except that the file to watch is not referenced by a path, but by an fd */
572 xsprintf(path, "/proc/self/fd/%i", what);
574 r = inotify_add_watch(fd, path, mask);
582 static bool noop_root(const char *root) {
583 return isempty(root) || path_equal(root, "/");
586 static bool safe_transition(const struct stat *a, const struct stat *b) {
587 /* Returns true if the transition from a to b is safe, i.e. that we never transition from unprivileged to
588 * privileged files or directories. Why bother? So that unprivileged code can't symlink to privileged files
589 * making us believe we read something safe even though it isn't safe in the specific context we open it in. */
591 if (a->st_uid == 0) /* Transitioning from privileged to unprivileged is always fine */
594 return a->st_uid == b->st_uid; /* Otherwise we need to stay within the same UID */
597 int chase_symlinks(const char *path, const char *original_root, unsigned flags, char **ret) {
598 _cleanup_free_ char *buffer = NULL, *done = NULL, *root = NULL;
599 _cleanup_close_ int fd = -1;
600 unsigned max_follow = 32; /* how many symlinks to follow before giving up and returning ELOOP */
601 struct stat previous_stat;
608 /* Either the file may be missing, or we return an fd to the final object, but both make no sense */
609 if ((flags & (CHASE_NONEXISTENT|CHASE_OPEN)) == (CHASE_NONEXISTENT|CHASE_OPEN))
615 /* This is a lot like canonicalize_file_name(), but takes an additional "root" parameter, that allows following
616 * symlinks relative to a root directory, instead of the root of the host.
618 * Note that "root" primarily matters if we encounter an absolute symlink. It is also used when following
619 * relative symlinks to ensure they cannot be used to "escape" the root directory. The path parameter passed is
620 * assumed to be already prefixed by it, except if the CHASE_PREFIX_ROOT flag is set, in which case it is first
621 * prefixed accordingly.
623 * Algorithmically this operates on two path buffers: "done" are the components of the path we already
624 * processed and resolved symlinks, "." and ".." of. "todo" are the components of the path we still need to
625 * process. On each iteration, we move one component from "todo" to "done", processing it's special meaning
626 * each time. The "todo" path always starts with at least one slash, the "done" path always ends in no
627 * slash. We always keep an O_PATH fd to the component we are currently processing, thus keeping lookup races
630 * Suggested usage: whenever you want to canonicalize a path, use this function. Pass the absolute path you got
631 * as-is: fully qualified and relative to your host's root. Optionally, specify the root parameter to tell this
632 * function what to do when encountering a symlink with an absolute path as directory: prefix it by the
635 /* A root directory of "/" or "" is identical to none */
636 if (noop_root(original_root))
637 original_root = NULL;
639 if (!original_root && !ret && (flags & (CHASE_NONEXISTENT|CHASE_NO_AUTOFS|CHASE_SAFE|CHASE_OPEN)) == CHASE_OPEN) {
640 /* Shortcut the CHASE_OPEN case if the caller isn't interested in the actual path and has no root set
641 * and doesn't care about any of the other special features we provide either. */
642 r = open(path, O_PATH|O_CLOEXEC);
650 r = path_make_absolute_cwd(original_root, &root);
654 if (flags & CHASE_PREFIX_ROOT) {
656 /* We don't support relative paths in combination with a root directory */
657 if (!path_is_absolute(path))
660 path = prefix_roota(root, path);
664 r = path_make_absolute_cwd(path, &buffer);
668 fd = open("/", O_CLOEXEC|O_NOFOLLOW|O_PATH);
672 if (flags & CHASE_SAFE) {
673 if (fstat(fd, &previous_stat) < 0)
679 _cleanup_free_ char *first = NULL;
680 _cleanup_close_ int child = -1;
684 /* Determine length of first component in the path */
685 n = strspn(todo, "/"); /* The slashes */
686 m = n + strcspn(todo + n, "/"); /* The entire length of the component */
688 /* Extract the first component. */
689 first = strndup(todo, m);
695 /* Empty? Then we reached the end. */
699 /* Just a single slash? Then we reached the end. */
700 if (path_equal(first, "/")) {
701 /* Preserve the trailing slash */
703 if (flags & CHASE_TRAIL_SLASH)
704 if (!strextend(&done, "/", NULL))
710 /* Just a dot? Then let's eat this up. */
711 if (path_equal(first, "/."))
714 /* Two dots? Then chop off the last bit of what we already found out. */
715 if (path_equal(first, "/..")) {
716 _cleanup_free_ char *parent = NULL;
717 _cleanup_close_ int fd_parent = -1;
719 /* If we already are at the top, then going up will not change anything. This is in-line with
720 * how the kernel handles this. */
721 if (isempty(done) || path_equal(done, "/"))
724 parent = dirname_malloc(done);
728 /* Don't allow this to leave the root dir. */
730 path_startswith(done, root) &&
731 !path_startswith(parent, root))
734 free_and_replace(done, parent);
736 fd_parent = openat(fd, "..", O_CLOEXEC|O_NOFOLLOW|O_PATH);
740 if (flags & CHASE_SAFE) {
741 if (fstat(fd_parent, &st) < 0)
744 if (!safe_transition(&previous_stat, &st))
751 fd = TAKE_FD(fd_parent);
756 /* Otherwise let's see what this is. */
757 child = openat(fd, first + n, O_CLOEXEC|O_NOFOLLOW|O_PATH);
760 if (errno == ENOENT &&
761 (flags & CHASE_NONEXISTENT) &&
762 (isempty(todo) || path_is_normalized(todo))) {
764 /* If CHASE_NONEXISTENT is set, and the path does not exist, then that's OK, return
765 * what we got so far. But don't allow this if the remaining path contains "../ or "./"
766 * or something else weird. */
768 /* If done is "/", as first also contains slash at the head, then remove this redundant slash. */
769 if (streq_ptr(done, "/"))
772 if (!strextend(&done, first, todo, NULL))
782 if (fstat(child, &st) < 0)
784 if ((flags & CHASE_SAFE) &&
785 !safe_transition(&previous_stat, &st))
790 if ((flags & CHASE_NO_AUTOFS) &&
791 fd_is_fs_type(child, AUTOFS_SUPER_MAGIC) > 0)
794 if (S_ISLNK(st.st_mode)) {
797 _cleanup_free_ char *destination = NULL;
799 /* This is a symlink, in this case read the destination. But let's make sure we don't follow
800 * symlinks without bounds. */
801 if (--max_follow <= 0)
804 r = readlinkat_malloc(fd, first + n, &destination);
807 if (isempty(destination))
810 if (path_is_absolute(destination)) {
812 /* An absolute destination. Start the loop from the beginning, but use the root
813 * directory as base. */
816 fd = open(root ?: "/", O_CLOEXEC|O_NOFOLLOW|O_PATH);
820 if (flags & CHASE_SAFE) {
821 if (fstat(fd, &st) < 0)
824 if (!safe_transition(&previous_stat, &st))
832 /* Note that we do not revalidate the root, we take it as is. */
841 /* Prefix what's left to do with what we just read, and start the loop again, but
842 * remain in the current directory. */
843 joined = strjoin(destination, todo);
845 joined = strjoin("/", destination, todo);
850 todo = buffer = joined;
855 /* If this is not a symlink, then let's just add the name we read to what we already verified. */
857 done = TAKE_PTR(first);
859 /* If done is "/", as first also contains slash at the head, then remove this redundant slash. */
860 if (streq(done, "/"))
863 if (!strextend(&done, first, NULL))
867 /* And iterate again, but go one directory further down. */
873 /* Special case, turn the empty string into "/", to indicate the root directory. */
880 *ret = TAKE_PTR(done);
882 if (flags & CHASE_OPEN) {
883 /* Return the O_PATH fd we currently are looking to the caller. It can translate it to a proper fd by
884 * opening /proc/self/fd/xyz. */
893 int chase_symlinks_and_open(
896 unsigned chase_flags,
900 _cleanup_close_ int path_fd = -1;
901 _cleanup_free_ char *p = NULL;
904 if (chase_flags & CHASE_NONEXISTENT)
907 if (noop_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) {
908 /* Shortcut this call if none of the special features of this call are requested */
909 r = open(path, open_flags);
916 path_fd = chase_symlinks(path, root, chase_flags|CHASE_OPEN, ret_path ? &p : NULL);
920 r = fd_reopen(path_fd, open_flags);
925 *ret_path = TAKE_PTR(p);
930 int chase_symlinks_and_opendir(
933 unsigned chase_flags,
937 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
938 _cleanup_close_ int path_fd = -1;
939 _cleanup_free_ char *p = NULL;
944 if (chase_flags & CHASE_NONEXISTENT)
947 if (noop_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) {
948 /* Shortcut this call if none of the special features of this call are requested */
957 path_fd = chase_symlinks(path, root, chase_flags|CHASE_OPEN, ret_path ? &p : NULL);
961 xsprintf(procfs_path, "/proc/self/fd/%i", path_fd);
962 d = opendir(procfs_path);
967 *ret_path = TAKE_PTR(p);
973 int access_fd(int fd, int mode) {
974 char p[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(fd) + 1];
977 /* Like access() but operates on an already open fd */
979 xsprintf(p, "/proc/self/fd/%i", fd);
987 int unlinkat_deallocate(int fd, const char *name, int flags) {
988 _cleanup_close_ int truncate_fd = -1;
992 /* Operates like unlinkat() but also deallocates the file contents if it is a regular file and there's no other
993 * link to it. This is useful to ensure that other processes that might have the file open for reading won't be
994 * able to keep the data pinned on disk forever. This call is particular useful whenever we execute clean-up
995 * jobs ("vacuuming"), where we want to make sure the data is really gone and the disk space released and
996 * returned to the free pool.
998 * Deallocation is preferably done by FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE (đ) if supported, which means
999 * the file won't change size. That's a good thing since we shouldn't needlessly trigger SIGBUS in other
1000 * programs that have mmap()ed the file. (The assumption here is that changing file contents to all zeroes
1001 * underneath those programs is the better choice than simply triggering SIGBUS in them which truncation does.)
1002 * However if hole punching is not implemented in the kernel or file system we'll fall back to normal file
1003 * truncation (đĒ), as our goal of deallocating the data space trumps our goal of being nice to readers (đ).
1005 * Note that we attempt deallocation, but failure to succeed with that is not considered fatal, as long as the
1006 * primary job â to delete the file â is accomplished. */
1008 if ((flags & AT_REMOVEDIR) == 0) {
1009 truncate_fd = openat(fd, name, O_WRONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW|O_NONBLOCK);
1010 if (truncate_fd < 0) {
1012 /* If this failed because the file doesn't exist propagate the error right-away. Also,
1013 * AT_REMOVEDIR wasn't set, and we tried to open the file for writing, which means EISDIR is
1014 * returned when this is a directory but we are not supposed to delete those, hence propagate
1015 * the error right-away too. */
1016 if (IN_SET(errno, ENOENT, EISDIR))
1019 if (errno != ELOOP) /* don't complain if this is a symlink */
1020 log_debug_errno(errno, "Failed to open file '%s' for deallocation, ignoring: %m", name);
1024 if (unlinkat(fd, name, flags) < 0)
1027 if (truncate_fd < 0) /* Don't have a file handle, can't do more âšī¸ */
1030 if (fstat(truncate_fd, &st) < 0) {
1031 log_debug_errno(errno, "Failed to stat file '%s' for deallocation, ignoring.", name);
1035 if (!S_ISREG(st.st_mode) || st.st_blocks == 0 || st.st_nlink > 0)
1038 /* If this is a regular file, it actually took up space on disk and there are no other links it's time to
1039 * punch-hole/truncate this to release the disk space. */
1041 bs = MAX(st.st_blksize, 512);
1042 l = DIV_ROUND_UP(st.st_size, bs) * bs; /* Round up to next block size */
1044 if (fallocate(truncate_fd, FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE, 0, l) >= 0)
1045 return 0; /* Successfully punched a hole! đ */
1047 /* Fall back to truncation */
1048 if (ftruncate(truncate_fd, 0) < 0) {
1049 log_debug_errno(errno, "Failed to truncate file to 0, ignoring: %m");
1056 int fsync_directory_of_file(int fd) {
1057 _cleanup_free_ char *path = NULL, *dn = NULL;
1058 _cleanup_close_ int dfd = -1;
1061 r = fd_verify_regular(fd);
1065 r = fd_get_path(fd, &path);
1067 log_debug("Failed to query /proc/self/fd/%d%s: %m",
1069 r == -EOPNOTSUPP ? ", ignoring" : "");
1071 if (r == -EOPNOTSUPP)
1072 /* If /proc is not available, we're most likely running in some
1073 * chroot environment, and syncing the directory is not very
1074 * important in that case. Let's just silently do nothing. */
1080 if (!path_is_absolute(path))
1083 dn = dirname_malloc(path);
1087 dfd = open(dn, O_RDONLY|O_CLOEXEC|O_DIRECTORY);