1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2010 Lennart Poettering
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
27 #include <linux/magic.h>
31 #include "alloc-util.h"
32 #include "dirent-util.h"
38 //#include "missing.h"
40 #include "parse-util.h"
41 #include "path-util.h"
42 #include "stat-util.h"
43 #include "stdio-util.h"
44 #include "string-util.h"
46 //#include "time-util.h"
47 #include "user-util.h"
50 /// Additional includes needed by elogind
51 #include "process-util.h"
53 int unlink_noerrno(const char *path) {
64 #if 0 /// UNNEEDED by elogind
65 int rmdir_parents(const char *path, const char *stop) {
74 /* Skip trailing slashes */
75 while (l > 0 && path[l-1] == '/')
81 /* Skip last component */
82 while (l > 0 && path[l-1] != '/')
85 /* Skip trailing slashes */
86 while (l > 0 && path[l-1] == '/')
96 if (path_startswith(stop, t)) {
112 int rename_noreplace(int olddirfd, const char *oldpath, int newdirfd, const char *newpath) {
116 ret = renameat2(olddirfd, oldpath, newdirfd, newpath, RENAME_NOREPLACE);
120 /* renameat2() exists since Linux 3.15, btrfs added support for it later.
121 * If it is not implemented, fallback to another method. */
122 if (!IN_SET(errno, EINVAL, ENOSYS))
125 /* The link()/unlink() fallback does not work on directories. But
126 * renameat() without RENAME_NOREPLACE gives the same semantics on
127 * directories, except when newpath is an *empty* directory. This is
129 ret = fstatat(olddirfd, oldpath, &buf, AT_SYMLINK_NOFOLLOW);
130 if (ret >= 0 && S_ISDIR(buf.st_mode)) {
131 ret = renameat(olddirfd, oldpath, newdirfd, newpath);
132 return ret >= 0 ? 0 : -errno;
135 /* If it is not a directory, use the link()/unlink() fallback. */
136 ret = linkat(olddirfd, oldpath, newdirfd, newpath, 0);
140 ret = unlinkat(olddirfd, oldpath, 0);
142 /* backup errno before the following unlinkat() alters it */
144 (void) unlinkat(newdirfd, newpath, 0);
153 int readlinkat_malloc(int fd, const char *p, char **ret) {
168 n = readlinkat(fd, p, c, l-1);
175 if ((size_t) n < l-1) {
186 int readlink_malloc(const char *p, char **ret) {
187 return readlinkat_malloc(AT_FDCWD, p, ret);
190 #if 0 /// UNNEEDED by elogind
191 int readlink_value(const char *p, char **ret) {
192 _cleanup_free_ char *link = NULL;
196 r = readlink_malloc(p, &link);
200 value = basename(link);
204 value = strdup(value);
214 int readlink_and_make_absolute(const char *p, char **r) {
215 _cleanup_free_ char *target = NULL;
222 j = readlink_malloc(p, &target);
226 k = file_in_same_dir(p, target);
234 #if 0 /// UNNEEDED by elogind
235 int readlink_and_canonicalize(const char *p, const char *root, char **ret) {
242 r = readlink_and_make_absolute(p, &t);
246 r = chase_symlinks(t, root, 0, &s);
248 /* If we can't follow up, then let's return the original string, slightly cleaned up. */
249 *ret = path_kill_slashes(t);
258 int readlink_and_make_absolute_root(const char *root, const char *path, char **ret) {
259 _cleanup_free_ char *target = NULL, *t = NULL;
263 full = prefix_roota(root, path);
264 r = readlink_malloc(full, &target);
268 t = file_in_same_dir(path, target);
279 int chmod_and_chown(const char *path, mode_t mode, uid_t uid, gid_t gid) {
282 /* Under the assumption that we are running privileged we
283 * first change the access mode and only then hand out
284 * ownership to avoid a window where access is too open. */
286 if (mode != MODE_INVALID)
287 if (chmod(path, mode) < 0)
290 if (uid != UID_INVALID || gid != GID_INVALID)
291 if (chown(path, uid, gid) < 0)
297 int fchmod_umask(int fd, mode_t m) {
302 r = fchmod(fd, m & (~u)) < 0 ? -errno : 0;
308 int fd_warn_permissions(const char *path, int fd) {
311 if (fstat(fd, &st) < 0)
314 if (st.st_mode & 0111)
315 log_warning("Configuration file %s is marked executable. Please remove executable permission bits. Proceeding anyway.", path);
317 if (st.st_mode & 0002)
318 log_warning("Configuration file %s is marked world-writable. Please remove world writability permission bits. Proceeding anyway.", path);
320 if (getpid_cached() == 1 && (st.st_mode & 0044) != 0044)
321 log_warning("Configuration file %s is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.", path);
326 int touch_file(const char *path, bool parents, usec_t stamp, uid_t uid, gid_t gid, mode_t mode) {
327 char fdpath[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
328 _cleanup_close_ int fd = -1;
333 /* Note that touch_file() does not follow symlinks: if invoked on an existing symlink, then it is the symlink
334 * itself which is updated, not its target
336 * Returns the first error we encounter, but tries to apply as much as possible. */
339 (void) mkdir_parents(path, 0755);
341 /* Initially, we try to open the node with O_PATH, so that we get a reference to the node. This is useful in
342 * case the path refers to an existing device or socket node, as we can open it successfully in all cases, and
343 * won't trigger any driver magic or so. */
344 fd = open(path, O_PATH|O_CLOEXEC|O_NOFOLLOW);
349 /* if the node doesn't exist yet, we create it, but with O_EXCL, so that we only create a regular file
350 * here, and nothing else */
351 fd = open(path, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, IN_SET(mode, 0, MODE_INVALID) ? 0644 : mode);
356 /* Let's make a path from the fd, and operate on that. With this logic, we can adjust the access mode,
357 * ownership and time of the file node in all cases, even if the fd refers to an O_PATH object — which is
358 * something fchown(), fchmod(), futimensat() don't allow. */
359 xsprintf(fdpath, "/proc/self/fd/%i", fd);
361 if (mode != MODE_INVALID)
362 if (chmod(fdpath, mode) < 0)
365 if (uid_is_valid(uid) || gid_is_valid(gid))
366 if (chown(fdpath, uid, gid) < 0 && ret >= 0)
369 if (stamp != USEC_INFINITY) {
370 struct timespec ts[2];
372 timespec_store(&ts[0], stamp);
374 r = utimensat(AT_FDCWD, fdpath, ts, 0);
376 r = utimensat(AT_FDCWD, fdpath, NULL, 0);
377 if (r < 0 && ret >= 0)
383 int touch(const char *path) {
384 return touch_file(path, false, USEC_INFINITY, UID_INVALID, GID_INVALID, MODE_INVALID);
387 #if 0 /// UNNEEDED by elogind
388 int symlink_idempotent(const char *from, const char *to) {
394 if (symlink(from, to) < 0) {
395 _cleanup_free_ char *p = NULL;
400 r = readlink_malloc(to, &p);
401 if (r == -EINVAL) /* Not a symlink? In that case return the original error we encountered: -EEXIST */
403 if (r < 0) /* Any other error? In that case propagate it as is */
406 if (!streq(p, from)) /* Not the symlink we want it to be? In that case, propagate the original -EEXIST */
413 int symlink_atomic(const char *from, const char *to) {
414 _cleanup_free_ char *t = NULL;
420 r = tempfn_random(to, NULL, &t);
424 if (symlink(from, t) < 0)
427 if (rename(t, to) < 0) {
435 int mknod_atomic(const char *path, mode_t mode, dev_t dev) {
436 _cleanup_free_ char *t = NULL;
441 r = tempfn_random(path, NULL, &t);
445 if (mknod(t, mode, dev) < 0)
448 if (rename(t, path) < 0) {
456 int mkfifo_atomic(const char *path, mode_t mode) {
457 _cleanup_free_ char *t = NULL;
462 r = tempfn_random(path, NULL, &t);
466 if (mkfifo(t, mode) < 0)
469 if (rename(t, path) < 0) {
478 int get_files_in_directory(const char *path, char ***list) {
479 _cleanup_closedir_ DIR *d = NULL;
481 size_t bufsize = 0, n = 0;
482 _cleanup_strv_free_ char **l = NULL;
486 /* Returns all files in a directory in *list, and the number
487 * of files as return value. If list is NULL returns only the
494 FOREACH_DIRENT_ALL(de, d, return -errno) {
495 dirent_ensure_type(d, de);
497 if (!dirent_is_file(de))
501 /* one extra slot is needed for the terminating NULL */
502 if (!GREEDY_REALLOC(l, bufsize, n + 2))
505 l[n] = strdup(de->d_name);
516 l = NULL; /* avoid freeing */
522 static int getenv_tmp_dir(const char **ret_path) {
528 /* We use the same order of environment variables python uses in tempfile.gettempdir():
529 * https://docs.python.org/3/library/tempfile.html#tempfile.gettempdir */
530 FOREACH_STRING(n, "TMPDIR", "TEMP", "TMP") {
533 e = secure_getenv(n);
536 if (!path_is_absolute(e)) {
540 if (!path_is_normalized(e)) {
557 /* Remember first error, to make this more debuggable */
569 static int tmp_dir_internal(const char *def, const char **ret) {
576 r = getenv_tmp_dir(&e);
582 k = is_dir(def, true);
586 return r < 0 ? r : k;
592 #if 0 /// UNNEEDED by elogind
593 int var_tmp_dir(const char **ret) {
595 /* Returns the location for "larger" temporary files, that is backed by physical storage if available, and thus
596 * even might survive a boot: /var/tmp. If $TMPDIR (or related environment variables) are set, its value is
597 * returned preferably however. Note that both this function and tmp_dir() below are affected by $TMPDIR,
598 * making it a variable that overrides all temporary file storage locations. */
600 return tmp_dir_internal("/var/tmp", ret);
604 int tmp_dir(const char **ret) {
606 /* Similar to var_tmp_dir() above, but returns the location for "smaller" temporary files, which is usually
607 * backed by an in-memory file system: /tmp. */
609 return tmp_dir_internal("/tmp", ret);
612 #if 0 /// UNNEEDED by elogind
613 int inotify_add_watch_fd(int fd, int what, uint32_t mask) {
614 char path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
617 /* This is like inotify_add_watch(), except that the file to watch is not referenced by a path, but by an fd */
618 xsprintf(path, "/proc/self/fd/%i", what);
620 r = inotify_add_watch(fd, path, mask);
628 static bool safe_transition(const struct stat *a, const struct stat *b) {
629 /* Returns true if the transition from a to b is safe, i.e. that we never transition from unprivileged to
630 * privileged files or directories. Why bother? So that unprivileged code can't symlink to privileged files
631 * making us believe we read something safe even though it isn't safe in the specific context we open it in. */
633 if (a->st_uid == 0) /* Transitioning from privileged to unprivileged is always fine */
636 return a->st_uid == b->st_uid; /* Otherwise we need to stay within the same UID */
639 int chase_symlinks(const char *path, const char *original_root, unsigned flags, char **ret) {
640 _cleanup_free_ char *buffer = NULL, *done = NULL, *root = NULL;
641 _cleanup_close_ int fd = -1;
642 unsigned max_follow = 32; /* how many symlinks to follow before giving up and returning ELOOP */
643 struct stat previous_stat;
650 /* This is a lot like canonicalize_file_name(), but takes an additional "root" parameter, that allows following
651 * symlinks relative to a root directory, instead of the root of the host.
653 * Note that "root" primarily matters if we encounter an absolute symlink. It is also used when following
654 * relative symlinks to ensure they cannot be used to "escape" the root directory. The path parameter passed is
655 * assumed to be already prefixed by it, except if the CHASE_PREFIX_ROOT flag is set, in which case it is first
656 * prefixed accordingly.
658 * Algorithmically this operates on two path buffers: "done" are the components of the path we already
659 * processed and resolved symlinks, "." and ".." of. "todo" are the components of the path we still need to
660 * process. On each iteration, we move one component from "todo" to "done", processing it's special meaning
661 * each time. The "todo" path always starts with at least one slash, the "done" path always ends in no
662 * slash. We always keep an O_PATH fd to the component we are currently processing, thus keeping lookup races
665 * Suggested usage: whenever you want to canonicalize a path, use this function. Pass the absolute path you got
666 * as-is: fully qualified and relative to your host's root. Optionally, specify the root parameter to tell this
667 * function what to do when encountering a symlink with an absolute path as directory: prefix it by the
671 r = path_make_absolute_cwd(original_root, &root);
675 if (flags & CHASE_PREFIX_ROOT)
676 path = prefix_roota(root, path);
679 r = path_make_absolute_cwd(path, &buffer);
683 fd = open("/", O_CLOEXEC|O_NOFOLLOW|O_PATH);
687 if (flags & CHASE_SAFE) {
688 if (fstat(fd, &previous_stat) < 0)
694 _cleanup_free_ char *first = NULL;
695 _cleanup_close_ int child = -1;
699 /* Determine length of first component in the path */
700 n = strspn(todo, "/"); /* The slashes */
701 m = n + strcspn(todo + n, "/"); /* The entire length of the component */
703 /* Extract the first component. */
704 first = strndup(todo, m);
710 /* Empty? Then we reached the end. */
714 /* Just a single slash? Then we reached the end. */
715 if (path_equal(first, "/")) {
716 /* Preserve the trailing slash */
717 if (!strextend(&done, "/", NULL))
723 /* Just a dot? Then let's eat this up. */
724 if (path_equal(first, "/."))
727 /* Two dots? Then chop off the last bit of what we already found out. */
728 if (path_equal(first, "/..")) {
729 _cleanup_free_ char *parent = NULL;
732 /* If we already are at the top, then going up will not change anything. This is in-line with
733 * how the kernel handles this. */
734 if (isempty(done) || path_equal(done, "/"))
737 parent = dirname_malloc(done);
741 /* Don't allow this to leave the root dir. */
743 path_startswith(done, root) &&
744 !path_startswith(parent, root))
747 free_and_replace(done, parent);
749 fd_parent = openat(fd, "..", O_CLOEXEC|O_NOFOLLOW|O_PATH);
753 if (flags & CHASE_SAFE) {
754 if (fstat(fd_parent, &st) < 0)
757 if (!safe_transition(&previous_stat, &st))
769 /* Otherwise let's see what this is. */
770 child = openat(fd, first + n, O_CLOEXEC|O_NOFOLLOW|O_PATH);
773 if (errno == ENOENT &&
774 (flags & CHASE_NONEXISTENT) &&
775 (isempty(todo) || path_is_normalized(todo))) {
777 /* If CHASE_NONEXISTENT is set, and the path does not exist, then that's OK, return
778 * what we got so far. But don't allow this if the remaining path contains "../ or "./"
779 * or something else weird. */
781 /* If done is "/", as first also contains slash at the head, then remove this redundant slash. */
782 if (streq_ptr(done, "/"))
785 if (!strextend(&done, first, todo, NULL))
795 if (fstat(child, &st) < 0)
797 if ((flags & CHASE_SAFE) &&
798 !safe_transition(&previous_stat, &st))
803 if ((flags & CHASE_NO_AUTOFS) &&
804 fd_is_fs_type(child, AUTOFS_SUPER_MAGIC) > 0)
807 if (S_ISLNK(st.st_mode)) {
810 _cleanup_free_ char *destination = NULL;
812 /* This is a symlink, in this case read the destination. But let's make sure we don't follow
813 * symlinks without bounds. */
814 if (--max_follow <= 0)
817 r = readlinkat_malloc(fd, first + n, &destination);
820 if (isempty(destination))
823 if (path_is_absolute(destination)) {
825 /* An absolute destination. Start the loop from the beginning, but use the root
826 * directory as base. */
829 fd = open(root ?: "/", O_CLOEXEC|O_NOFOLLOW|O_PATH);
835 if (flags & CHASE_SAFE) {
836 if (fstat(fd, &st) < 0)
839 if (!safe_transition(&previous_stat, &st))
845 /* Note that we do not revalidate the root, we take it as is. */
854 /* Prefix what's left to do with what we just read, and start the loop again, but
855 * remain in the current directory. */
856 joined = strjoin(destination, todo);
858 joined = strjoin("/", destination, todo);
863 todo = buffer = joined;
868 /* If this is not a symlink, then let's just add the name we read to what we already verified. */
873 /* If done is "/", as first also contains slash at the head, then remove this redundant slash. */
874 if (streq(done, "/"))
877 if (!strextend(&done, first, NULL))
881 /* And iterate again, but go one directory further down. */
888 /* Special case, turn the empty string into "/", to indicate the root directory. */
902 int access_fd(int fd, int mode) {
903 char p[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(fd) + 1];
906 /* Like access() but operates on an already open fd */
908 xsprintf(p, "/proc/self/fd/%i", fd);