4 * @brief The adacl (apply default acl) shared library.
8 /* Enables get_current_dir_name() in unistd.h */
11 #include <errno.h> /* ELOOP, EINVAL, etc. */
12 #include <fcntl.h> /* openat() */
13 #include <libgen.h> /* basename(), dirname() */
14 #include <limits.h> /* PATH_MAX */
15 #include <stdbool.h> /* the "bool" type */
16 #include <stdio.h> /* perror(), snprintf() */
17 #include <stdlib.h> /* free() */
18 #include <string.h> /* strdup() */
19 #include <sys/stat.h> /* fstat() */
20 #include <unistd.h> /* get_current_dir_name() */
23 #include <acl/libacl.h> /* acl_get_perm, not portable */
24 #include <sys/acl.h> /* all other acl_foo functions */
29 /* Even though most other library functions reliably return -1 for
30 * error, it feels a little wrong to re-use the ACL_ERROR constant.
32 #define CLOSE_ERROR -1
34 #define SNPRINTF_ERROR -1
39 * @brief The recursive portion of the @c safe_open function, used to
40 * open a file descriptor in a symlink-safe way when combined with
41 * the @c O_NOFOLLOW flag.
44 * A file descriptor relative to which @c pathname will be opened.
47 * The path to the file/directory/whatever whose descriptor you want.
50 * File status flags to be passed to @c openat.
52 * @return a file descriptor for @c pathname if everything goes well,
53 * and @c OPEN_ERROR if not.
55 int safe_open_ex(int at_fd
, char* pathname
, int flags
) {
56 if (pathname
!= NULL
&& strlen(pathname
) == 0) {
57 /* Oops, went one level to deep with nothing to do. */
61 char* firstslash
= strchr(pathname
, '/');
62 if (firstslash
== NULL
) {
63 /* No more slashes, this is the base case. */
64 int r
= openat(at_fd
, pathname
, flags
);
68 /* Temporarily disable the slash, so that the subsequent call to
69 openat() opens only the next directory (and doesn't recurse). */
71 int fd
= safe_open_ex(at_fd
, pathname
, flags
);
72 if (fd
== OPEN_ERROR
) {
74 /* Don't output anything if we ignore a symlink */
75 perror("safe_open_ex (safe_open_ex)");
80 /* The ++ is safe because there needs to be at least a null byte
81 after the first slash, even if it's the last real character in
83 int result
= safe_open_ex(fd
, firstslash
+1, flags
);
84 if (close(fd
) == CLOSE_ERROR
) {
85 perror("safe_open_ex (close)");
93 * @brief A version of @c open that is completely symlink-safe when
94 * used with the @c O_NOFOLLOW flag.
96 * The @c openat function exists to ensure that you can anchor one
97 * path to a particular directory while opening it; however, if you
98 * open "b/c/d" relative to "/a", then even the @c openat function will
99 * still follow symlinks in the "b" component. This can be exploited
100 * by an attacker to make you open the wrong path.
102 * To avoid that problem, this function uses a recursive
103 * implementation that opens every path from the root, one level at a
104 * time. So "a" is opened relative to "/", and then "b" is opened
105 * relative to "/a", and then "c" is opened relative to "/a/b",
106 * etc. When the @c O_NOFOLLOW flag is used, this approach ensures
107 * that no symlinks in any component are followed.
110 * The path to the file/directory/whatever whose descriptor you want.
113 * File status flags to be passed to @c openat.
115 * @return a file descriptor for @c pathname if everything goes well,
116 * and @c OPEN_ERROR if not.
118 int safe_open(const char* pathname
, int flags
) {
119 if (pathname
== NULL
|| strlen(pathname
) == 0 || pathname
[0] == '\0') {
121 perror("safe_open (args)");
125 char abspath
[PATH_MAX
];
126 int snprintf_result
= 0;
127 if (strchr(pathname
, '/') == pathname
) {
128 /* pathname is already absolute; just copy it. */
129 snprintf_result
= snprintf(abspath
, PATH_MAX
, "%s", pathname
);
132 /* Concatenate the current working directory and pathname into an
133 * absolute path. We use realpath() ONLY on the cwd part, and not
134 * on the pathname part, because realpath() resolves symlinks. And
135 * the whole point of all this crap is to avoid following symlinks
138 * Using realpath() on the cwd lets us operate on relative paths
139 * while we're sitting in a directory that happens to have a
140 * symlink in it; for example: cd /var/run && apply-default-acl foo.
142 char* cwd
= get_current_dir_name();
144 perror("safe_open (get_current_dir_name)");
148 char abs_cwd
[PATH_MAX
];
149 if (realpath(cwd
, abs_cwd
) == NULL
) {
150 perror("safe_open (realpath)");
154 snprintf_result
= snprintf(abspath
, PATH_MAX
, "%s/%s", abs_cwd
, pathname
);
157 if (snprintf_result
== SNPRINTF_ERROR
|| snprintf_result
> PATH_MAX
) {
158 perror("safe_open (snprintf)");
162 int fd
= open("/", flags
);
163 if (fd
== OPEN_ERROR
) {
164 perror("safe_open (open)");
168 if (strcmp(abspath
, "/") == 0) {
172 int result
= safe_open_ex(fd
, abspath
+1, flags
);
173 if (close(fd
) == CLOSE_ERROR
) {
174 perror("safe_open (close)");
184 * @brief Update (or create) an entry in an @b minimal ACL.
186 * This function will not work if @c aclp contains extended
187 * entries. This is fine for our purposes, since we call @c wipe_acls
188 * on each path before applying the default to it.
190 * The assumption that there are no extended entries makes things much
191 * simpler. For example, we only have to update the @c ACL_USER_OBJ,
192 * @c ACL_GROUP_OBJ, and @c ACL_OTHER entries -- all others can simply
193 * be created anew. This means we don't have to fool around comparing
194 * named-user/group entries.
197 * A pointer to the acl_t structure whose entry we want to modify.
200 * The new entry. If @c entry contains a user/group/other entry, we
201 * update the existing one. Otherwise we create a new entry.
203 * @return If there is an unexpected library error, @c ACL_ERROR is
204 * returned. Otherwise, @c ACL_SUCCESS.
207 int acl_set_entry(acl_t
* aclp
, acl_entry_t entry
) {
210 if (acl_get_tag_type(entry
, &entry_tag
) == ACL_ERROR
) {
211 perror("acl_set_entry (acl_get_tag_type)");
215 acl_permset_t entry_permset
;
216 if (acl_get_permset(entry
, &entry_permset
) == ACL_ERROR
) {
217 perror("acl_set_entry (acl_get_permset)");
221 acl_entry_t existing_entry
;
222 /* Loop through the given ACL looking for matching entries. */
223 int result
= acl_get_entry(*aclp
, ACL_FIRST_ENTRY
, &existing_entry
);
225 while (result
== ACL_SUCCESS
) {
226 acl_tag_t existing_tag
= ACL_UNDEFINED_TAG
;
228 if (acl_get_tag_type(existing_entry
, &existing_tag
) == ACL_ERROR
) {
229 perror("set_acl_tag_permset (acl_get_tag_type)");
233 if (existing_tag
== entry_tag
) {
234 if (entry_tag
== ACL_USER_OBJ
||
235 entry_tag
== ACL_GROUP_OBJ
||
236 entry_tag
== ACL_OTHER
) {
237 /* Only update for these three since all other tags will have
238 been wiped. These three are guaranteed to exist, so if we
239 match one of them, we're allowed to return ACL_SUCCESS
240 below and bypass the rest of the function. */
241 acl_permset_t existing_permset
;
242 if (acl_get_permset(existing_entry
, &existing_permset
) == ACL_ERROR
) {
243 perror("acl_set_entry (acl_get_permset)");
247 if (acl_set_permset(existing_entry
, entry_permset
) == ACL_ERROR
) {
248 perror("acl_set_entry (acl_set_permset)");
257 result
= acl_get_entry(*aclp
, ACL_NEXT_ENTRY
, &existing_entry
);
260 /* This catches both the initial acl_get_entry and the ones at the
262 if (result
== ACL_ERROR
) {
263 perror("acl_set_entry (acl_get_entry)");
267 /* If we've made it this far, we need to add a new entry to the
269 acl_entry_t new_entry
;
271 /* The acl_create_entry() function can allocate new memory and/or
272 * change the location of the ACL structure entirely. When that
273 * happens, the value pointed to by aclp is updated, which means
274 * that a new acl_t gets "passed out" to our caller, eventually to
275 * be fed to acl_free(). In other words, we should still be freeing
276 * the right thing, even if the value pointed to by aclp changes.
278 if (acl_create_entry(aclp
, &new_entry
) == ACL_ERROR
) {
279 perror("acl_set_entry (acl_create_entry)");
283 if (acl_set_tag_type(new_entry
, entry_tag
) == ACL_ERROR
) {
284 perror("acl_set_entry (acl_set_tag_type)");
288 if (acl_set_permset(new_entry
, entry_permset
) == ACL_ERROR
) {
289 perror("acl_set_entry (acl_set_permset)");
293 if (entry_tag
== ACL_USER
|| entry_tag
== ACL_GROUP
) {
294 /* We need to set the qualifier too. */
295 void* entry_qual
= acl_get_qualifier(entry
);
296 if (entry_qual
== (void*)NULL
) {
297 perror("acl_set_entry (acl_get_qualifier)");
301 if (acl_set_qualifier(new_entry
, entry_qual
) == ACL_ERROR
) {
302 perror("acl_set_entry (acl_set_qualifier)");
313 * @brief Determine the number of entries in the given ACL.
316 * The ACL to inspect.
318 * @return Either the non-negative number of entries in @c acl, or
319 * @c ACL_ERROR on error.
321 int acl_entry_count(acl_t acl
) {
325 int result
= acl_get_entry(acl
, ACL_FIRST_ENTRY
, &entry
);
327 while (result
== ACL_SUCCESS
) {
329 result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
332 if (result
== ACL_ERROR
) {
333 perror("acl_entry_count (acl_get_entry)");
343 * @brief Determine whether or not the given ACL is minimal.
345 * An ACL is minimal if it has fewer than four entries.
348 * The ACL whose minimality is in question.
351 * - @c ACL_SUCCESS - @c acl is minimal
352 * - @c ACL_FAILURE - @c acl is not minimal
353 * - @c ACL_ERROR - Unexpected library error
355 int acl_is_minimal(acl_t acl
) {
357 int ec
= acl_entry_count(acl
);
359 if (ec
== ACL_ERROR
) {
360 perror("acl_is_minimal (acl_entry_count)");
375 * @brief Determine whether the given ACL's mask denies execute.
378 * The ACL whose mask we want to check.
381 * - @c ACL_SUCCESS - The @c acl has a mask which denies execute.
382 * - @c ACL_FAILURE - The @c acl has a mask which does not deny execute.
383 * - @c ACL_ERROR - Unexpected library error.
385 int acl_execute_masked(acl_t acl
) {
388 int ge_result
= acl_get_entry(acl
, ACL_FIRST_ENTRY
, &entry
);
390 while (ge_result
== ACL_SUCCESS
) {
391 acl_tag_t tag
= ACL_UNDEFINED_TAG
;
393 if (acl_get_tag_type(entry
, &tag
) == ACL_ERROR
) {
394 perror("acl_execute_masked (acl_get_tag_type)");
398 if (tag
== ACL_MASK
) {
399 /* This is the mask entry, get its permissions, and see if
400 execute is specified. */
401 acl_permset_t permset
;
403 if (acl_get_permset(entry
, &permset
) == ACL_ERROR
) {
404 perror("acl_execute_masked (acl_get_permset)");
408 int gp_result
= acl_get_perm(permset
, ACL_EXECUTE
);
409 if (gp_result
== ACL_ERROR
) {
410 perror("acl_execute_masked (acl_get_perm)");
414 if (gp_result
== ACL_FAILURE
) {
415 /* No execute bit set in the mask; execute not allowed. */
420 ge_result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
429 * @brief Determine whether @c fd is executable by anyone.
432 * This is used as part of the heuristic to determine whether or not
433 * we should mask the execute bit when inheriting an ACL. If @c fd
434 * describes a file, we check the @a effective permissions, contrary
435 * to what setfacl does.
438 * The file descriptor to check.
441 * A pointer to a stat structure for @c fd.
444 * - @c ACL_SUCCESS - Someone has effective execute permissions on @c fd.
445 * - @c ACL_FAILURE - Nobody can execute @c fd.
446 * - @c ACL_ERROR - Unexpected library error.
448 int any_can_execute(int fd
, const struct stat
* sp
) {
449 acl_t acl
= acl_get_fd(fd
);
451 if (acl
== (acl_t
)NULL
) {
452 perror("any_can_execute (acl_get_file)");
456 /* Our return value. */
457 int result
= ACL_FAILURE
;
459 if (acl_is_minimal(acl
)) {
460 if (sp
->st_mode
& (S_IXUSR
| S_IXOTH
| S_IXGRP
)) {
461 result
= ACL_SUCCESS
;
465 result
= ACL_FAILURE
;
471 int ge_result
= acl_get_entry(acl
, ACL_FIRST_ENTRY
, &entry
);
473 while (ge_result
== ACL_SUCCESS
) {
474 /* The first thing we do is check to see if this is a mask
475 entry. If it is, we skip it entirely. */
476 acl_tag_t tag
= ACL_UNDEFINED_TAG
;
478 if (acl_get_tag_type(entry
, &tag
) == ACL_ERROR
) {
479 perror("any_can_execute_or (acl_get_tag_type)");
484 if (tag
== ACL_MASK
) {
485 ge_result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
489 /* Ok, so it's not a mask entry. Check the execute perms. */
490 acl_permset_t permset
;
492 if (acl_get_permset(entry
, &permset
) == ACL_ERROR
) {
493 perror("any_can_execute_or (acl_get_permset)");
498 int gp_result
= acl_get_perm(permset
, ACL_EXECUTE
);
499 if (gp_result
== ACL_ERROR
) {
500 perror("any_can_execute (acl_get_perm)");
505 if (gp_result
== ACL_SUCCESS
) {
506 /* Only return ACL_SUCCESS if this execute bit is not masked. */
507 if (acl_execute_masked(acl
) != ACL_SUCCESS
) {
508 result
= ACL_SUCCESS
;
513 ge_result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
516 if (ge_result
== ACL_ERROR
) {
517 perror("any_can_execute (acl_get_entry)");
530 * @brief Set @c acl as the default ACL on @c path.
532 * This overwrites any existing default ACL on @c path. If @c path is
533 * not a directory, we return ACL_ERROR and @c errno is set.
536 * The target directory whose ACL we wish to replace or create.
539 * The ACL to set as default on @c path.
542 * - @c ACL_SUCCESS - The default ACL was assigned successfully.
543 * - @c ACL_ERROR - Unexpected library error.
545 int assign_default_acl(const char* path
, acl_t acl
) {
549 perror("assign_default_acl (args)");
553 /* Our return value; success unless something bad happens. */
554 int result
= ACL_SUCCESS
;
555 acl_t path_acl
= acl_dup(acl
);
557 if (path_acl
== (acl_t
)NULL
) {
558 perror("assign_default_acl (acl_dup)");
559 return ACL_ERROR
; /* Nothing to clean up in this case. */
562 if (acl_set_file(path
, ACL_TYPE_DEFAULT
, path_acl
) == ACL_ERROR
) {
563 perror("assign_default_acl (acl_set_file)");
574 * @brief Remove all @c ACL_TYPE_ACCESS entries from the given file
575 * descriptor, leaving the UNIX permission bits.
578 * The file descriptor whose ACLs we want to wipe.
581 * - @c ACL_SUCCESS - The ACLs were wiped successfully, or none
582 * existed in the first place.
583 * - @c ACL_ERROR - Unexpected library error.
585 int wipe_acls(int fd
) {
586 /* Initialize an empty ACL, and then overwrite the one on "fd" with it. */
587 acl_t empty_acl
= acl_init(0);
589 if (empty_acl
== (acl_t
)NULL
) {
590 perror("wipe_acls (acl_init)");
594 if (acl_set_fd(fd
, empty_acl
) == ACL_ERROR
) {
595 perror("wipe_acls (acl_set_fd)");
607 * @brief Apply parent default ACL to a path.
609 * This overwrites any existing ACLs on @c path.
612 * The path whose ACL we would like to reset to its default.
615 * A pointer to a stat structure for @c path, or @c NULL if you don't
618 * @param no_exec_mask
619 * The value (either true or false) of the --no-exec-mask flag.
622 * - @c ACL_SUCCESS - The parent default ACL was inherited successfully.
623 * - @c ACL_FAILURE - If symlinks or hard links are encountered.
624 * - @c ACL_ERROR - Unexpected library error.
626 int apply_default_acl_ex(const char* path
,
627 const struct stat
* sp
,
632 perror("apply_default_acl_ex (args)");
636 /* Define these next three variables here because we may have to
637 * jump to the cleanup routine which expects them to exist.
640 /* Our return value. */
641 int result
= ACL_SUCCESS
;
643 /* The default ACL on path's parent directory */
644 acl_t defacl
= (acl_t
)NULL
;
646 /* The file descriptor corresponding to "path" */
649 /* Get the parent directory of "path" with dirname(), which happens
650 * to murder its argument and necessitates a path_copy.
652 char* path_copy
= strdup(path
);
653 if (path_copy
== NULL
) {
654 perror("apply_default_acl_ex (strdup)");
657 char* parent
= dirname(path_copy
);
659 fd
= safe_open(path
, O_NOFOLLOW
);
660 if (fd
== OPEN_ERROR
) {
661 if (errno
== ELOOP
) {
662 result
= ACL_FAILURE
; /* hit a symlink */
666 perror("apply_default_acl_ex (open fd)");
673 /* Refuse to operate on hard links, which can be abused by an
674 * attacker to trick us into changing the ACL on a file we didn't
675 * intend to; namely the "target" of the hard link. There is TOCTOU
676 * race condition here, but the window is as small as possible
677 * between when we open the file descriptor (look above) and when we
680 * Note: we only need to call fstat ourselves if we weren't passed a
681 * valid pointer to a stat structure (nftw does that).
685 if (fstat(fd
, &s
) == STAT_ERROR
) {
686 perror("apply_default_acl_ex (fstat)");
693 if (!S_ISDIR(sp
->st_mode
)) {
694 /* If it's not a directory, make sure it's a regular,
695 non-hard-linked file. */
696 if (!S_ISREG(sp
->st_mode
) || sp
->st_nlink
!= 1) {
697 result
= ACL_FAILURE
;
703 /* Default to not masking the exec bit; i.e. applying the default
704 ACL literally. If --no-exec-mask was not specified, then we try
705 to "guess" whether or not to mask the exec bit. This behavior
706 is modeled after the capital 'X' perms of setfacl. */
707 bool allow_exec
= true;
710 /* Never mask the execute bit on directories. */
711 int ace_result
= any_can_execute(fd
,sp
) || S_ISDIR(sp
->st_mode
);
713 if (ace_result
== ACL_ERROR
) {
714 perror("apply_default_acl_ex (any_can_execute)");
719 allow_exec
= (bool)ace_result
;
722 defacl
= acl_get_file(parent
, ACL_TYPE_DEFAULT
);
724 if (defacl
== (acl_t
)NULL
) {
725 perror("apply_default_acl_ex (acl_get_file)");
730 if (wipe_acls(fd
) == ACL_ERROR
) {
731 perror("apply_default_acl_ex (wipe_acls)");
736 /* Do this after wipe_acls(), otherwise we'll overwrite the wiped
737 ACL with this one. */
738 acl_t acl
= acl_get_fd(fd
);
739 if (acl
== (acl_t
)NULL
) {
740 perror("apply_default_acl_ex (acl_get_fd)");
745 /* If it's a directory, inherit the parent's default. We sure hope
746 * that "path" still points to the same thing that "fd" and this
747 * "sp" describe. If not, we may wind up trying to set a default ACL
748 * on a file, and this will throw an error. I guess that's what we
751 if (S_ISDIR(sp
->st_mode
) && assign_default_acl(path
, defacl
) == ACL_ERROR
) {
752 perror("apply_default_acl_ex (assign_default_acl)");
758 int ge_result
= acl_get_entry(defacl
, ACL_FIRST_ENTRY
, &entry
);
760 while (ge_result
== ACL_SUCCESS
) {
761 acl_tag_t tag
= ACL_UNDEFINED_TAG
;
763 if (acl_get_tag_type(entry
, &tag
) == ACL_ERROR
) {
764 perror("apply_default_acl_ex (acl_get_tag_type)");
770 /* We've got an entry/tag from the default ACL. Get its permset. */
771 acl_permset_t permset
;
772 if (acl_get_permset(entry
, &permset
) == ACL_ERROR
) {
773 perror("apply_default_acl_ex (acl_get_permset)");
778 /* If this is a default mask, fix it up. */
779 if (tag
== ACL_MASK
||
780 tag
== ACL_USER_OBJ
||
781 tag
== ACL_GROUP_OBJ
||
785 /* The mask doesn't affect acl_user_obj, acl_group_obj (in
786 minimal ACLs) or acl_other entries, so if execute should be
787 masked, we have to do it manually. */
788 if (acl_delete_perm(permset
, ACL_EXECUTE
) == ACL_ERROR
) {
789 perror("apply_default_acl_ex (acl_delete_perm)");
794 if (acl_set_permset(entry
, permset
) == ACL_ERROR
) {
795 perror("apply_default_acl_ex (acl_set_permset)");
802 /* Finally, add the permset to the access ACL. It's actually
803 * important that we pass in the address of "acl" here, and not
804 * "acl" itself. Why? The call to acl_create_entry() within
805 * acl_set_entry() can allocate new memory for the entry.
806 * Sometimes that can be done in-place, in which case everything
807 * is cool and the new memory gets released when we call
810 * But occasionally, the whole ACL structure will have to be moved
811 * in order to allocate the extra space. When that happens,
812 * acl_create_entry() modifies the pointer it was passed (in this
813 * case, &acl) to point to the new location. We want to call
814 * acl_free() on the new location, and since acl_free() gets
815 * called right here, we need acl_create_entry() to update the
816 * value of "acl". To do that, it needs the address of "acl".
818 if (acl_set_entry(&acl
, entry
) == ACL_ERROR
) {
819 perror("apply_default_acl_ex (acl_set_entry)");
824 ge_result
= acl_get_entry(defacl
, ACL_NEXT_ENTRY
, &entry
);
827 /* Catches the first acl_get_entry as well as the ones at the end of
829 if (ge_result
== ACL_ERROR
) {
830 perror("apply_default_acl_ex (acl_get_entry)");
835 if (acl_set_fd(fd
, acl
) == ACL_ERROR
) {
836 perror("apply_default_acl_ex (acl_set_fd)");
843 if (defacl
!= (acl_t
)NULL
) {
846 if (fd
>= 0 && close(fd
) == CLOSE_ERROR
) {
847 perror("apply_default_acl_ex (close)");
856 * @brief The friendly interface to @c apply_default_acl_ex.
858 * The @c apply_default_acl_ex function holds the real implementation
859 * of this function, but it takes a weird second argument that most
860 * people won't care about (a stat structure). But, we use that
861 * argument for the recursive mode of the CLI, so it's there.
863 * If you don't have a stat structure for your @c path, use this instead.
866 * The path whose ACL we would like to reset to its default.
868 * @param no_exec_mask
869 * The value (either true or false) of the --no-exec-mask flag.
872 * - @c ACL_SUCCESS - The parent default ACL was inherited successfully.
873 * - @c ACL_FAILURE - If symlinks or hard links are encountered.
874 * or the parent of @c path is not a directory.
875 * - @c ACL_ERROR - Unexpected library error.
877 int apply_default_acl(const char* path
, bool no_exec_mask
) {
878 return apply_default_acl_ex(path
, NULL
, no_exec_mask
);