]> gitweb.michael.orlitzky.com - apply-default-acl.git/log
apply-default-acl.git
7 years agosrc/libadacl.c: remove newline from function arguments.
Michael Orlitzky [Wed, 28 Mar 2018 20:54:48 +0000 (16:54 -0400)]
src/libadacl.c: remove newline from function arguments.

7 years agosrc: add prototypes for all functions.
Michael Orlitzky [Wed, 28 Mar 2018 20:54:32 +0000 (16:54 -0400)]
src: add prototypes for all functions.

7 years agodoc: add a RATIONALE section to the man page.
Michael Orlitzky [Wed, 28 Mar 2018 14:35:00 +0000 (10:35 -0400)]
doc: add a RATIONALE section to the man page.

7 years agodoc: use bold face for "mkdir" and "touch".
Michael Orlitzky [Wed, 28 Mar 2018 14:34:35 +0000 (10:34 -0400)]
doc: use bold face for "mkdir" and "touch".

7 years agoDrop the "--no-exec-mask" flag and function parameters.
Michael Orlitzky [Wed, 28 Mar 2018 03:50:41 +0000 (23:50 -0400)]
Drop the "--no-exec-mask" flag and function parameters.

Nobody needs the "--no-exec-mask" flag, and it's uglying up the
library's API. Sayonara:

  * Update the man page:
    * Remove all mentions of the flag.
    * Update the algorithm description.
    * Reword the general description.
  * Remove all --no-exec-mask tests.
  * Bump the program version in configure.ac.
  * Make apply_default_acl() work as if no_exec_mask == false.
  * Remove all no_exec_mask function parameters.
  * Bump the soname major version in src/Makefile.am.

7 years agorun-tests.sh: use auto-incrementing test numbers.
Michael Orlitzky [Wed, 28 Mar 2018 03:55:33 +0000 (23:55 -0400)]
run-tests.sh: use auto-incrementing test numbers.

7 years agosrc/libadacl.c: use asprintf() instead of snprintf() for paths.
Michael Orlitzky [Wed, 28 Mar 2018 01:03:01 +0000 (21:03 -0400)]
src/libadacl.c: use asprintf() instead of snprintf() for paths.

When constructing a path, there is an ancient problem: how do you
ensure that your path-name buffer is large enough, and what do you do
if it isn't? The existing solution was to use the PATH_MAX constant
from limits.h, which is often a big number, but need not actually be
defined. If a path exceeded PATH_MAX bytes, we would fail.

Now the GNU/BSD extension asprintf() is used instead. The path-name
buffer is constructed on-the-fly to be as large as necessary, and if
allocation fails, an error is returned. This solution is a little
cleaner, and is not too much less portable considering that we only
work on Linux anyway.

7 years agosrc/libadacl.c: add a comment about how we might agree with the kernel.
Michael Orlitzky [Wed, 28 Mar 2018 00:25:46 +0000 (20:25 -0400)]
src/libadacl.c: add a comment about how we might agree with the kernel.

7 years agodoc: document the apply-default-acl algorithm.
Michael Orlitzky [Wed, 28 Mar 2018 00:23:16 +0000 (20:23 -0400)]
doc: document the apply-default-acl algorithm.

It's nice to have a high-level overview of what the ACL application
actually does, so I have added one to the man page in a new section
titled "ALGORITHM". The manual now also explains how apply-default-acl
differs from the kernel when, for example, you "touch" a file in a
directory with a default ACL.

7 years agorun-tests.sh: simplify the EXPECTED output in test 29.
Michael Orlitzky [Sat, 24 Mar 2018 23:43:51 +0000 (19:43 -0400)]
run-tests.sh: simplify the EXPECTED output in test 29.

7 years agorun-tests.sh: simplify the EXPECTED output in test 32.
Michael Orlitzky [Sat, 24 Mar 2018 23:39:41 +0000 (19:39 -0400)]
run-tests.sh: simplify the EXPECTED output in test 32.

7 years agoconfigure.ac: bump to version 0.3.1. v0.3.1
Michael Orlitzky [Fri, 2 Mar 2018 23:04:18 +0000 (18:04 -0500)]
configure.ac: bump to version 0.3.1.

7 years agoAdd a missing "break" statement in a switch, and test for that bug.
Michael Orlitzky [Fri, 2 Mar 2018 23:03:41 +0000 (18:03 -0500)]
Add a missing "break" statement in a switch, and test for that bug.

7 years agoautotools: replace my busted header checks with something that works. v0.3.0
Michael Orlitzky [Fri, 2 Mar 2018 22:07:10 +0000 (17:07 -0500)]
autotools: replace my busted header checks with something that works.

My existing AC_CHECK_HEADERS checks were failing silently. Oops. I've
now defined my own macro in m4/ac_header_required.m4 that successfully
fails when a required header is missing.

7 years agoconfigure.ac: fix header name sys/libacl.h -> acl/libacl.h.
Michael Orlitzky [Fri, 2 Mar 2018 21:05:44 +0000 (16:05 -0500)]
configure.ac: fix header name sys/libacl.h -> acl/libacl.h.

7 years agoconfigure.ac: use AC_HEADER_DIRENT to check for dirent.h.
Michael Orlitzky [Fri, 2 Mar 2018 21:03:13 +0000 (16:03 -0500)]
configure.ac: use AC_HEADER_DIRENT to check for dirent.h.

7 years agoconfigure.ac: remove check for the (not used) sys/types.h header.
Michael Orlitzky [Fri, 2 Mar 2018 21:01:30 +0000 (16:01 -0500)]
configure.ac: remove check for the (not used) sys/types.h header.

7 years agoconfigure.ac: remove the check for the (not used) ftw.h header.
Michael Orlitzky [Fri, 2 Mar 2018 20:58:56 +0000 (15:58 -0500)]
configure.ac: remove the check for the (not used) ftw.h header.

7 years agoconfigure.ac: drop AC_TYPE_MODE_T since we don't use mode_t anywhere.
Michael Orlitzky [Fri, 2 Mar 2018 20:58:16 +0000 (15:58 -0500)]
configure.ac: drop AC_TYPE_MODE_T since we don't use mode_t anywhere.

7 years agoautotools: bump the package and library versions to v0.3.0 and v2.0.0.
Michael Orlitzky [Fri, 2 Mar 2018 20:20:27 +0000 (15:20 -0500)]
autotools: bump the package and library versions to v0.3.0 and v2.0.0.

The apply_default_acl() function now takes a third "recursive"
parameter, so the library gets a new version.

7 years agoReplace nftw() with manual recursion in apply_default_acl().
Michael Orlitzky [Fri, 2 Mar 2018 20:19:13 +0000 (15:19 -0500)]
Replace nftw() with manual recursion in apply_default_acl().

The nftw() tree walk worked well for a while; in particular, before we
handled symlinks safely, it was empirically faster than a hand-written
recursive descent. But recently, the very slow safe_open() function
was being called on the path that was passed to apply_default_acl(),
and nftw() fed that function a whole bunch of paths.

The apply_default_acl() function now takes a third "recusive"
parameter, and implements the recursion on its own. This lets us pass
down the old child file descriptor as the new parent file descriptor,
and avoid calling safe_open() more than once when we're operating
recursively. The result is a big speed improvement with --recursive,
tested for example on the Linux kernel source tree.

The hand-written recursion also allows us to fix a lingering exit code
bug. Now --recursive acts as if all of the targets were passed (in the
right order) on the command-line.

The new parameter affects the public API, so in the next release the
library will get a new version. The upside to this is that now it's
easy for other programs to operate recursively, simply by passing
"true" as the third parameter to apply_default_acl().

7 years agoUpdate docs and tests for the --recursive exit code.
Michael Orlitzky [Fri, 2 Mar 2018 19:59:10 +0000 (14:59 -0500)]
Update docs and tests for the --recursive exit code.

With the nftw() implementation, there was some bugginess in our exit
code that was both documented and tested. Well now I plan on fixing
that, so the documentation has been updated to state what the exit
code _should_ be, and the tests now check for the correct behavior
(meaning that they fail, for the moment).

7 years agorun-tests.sh: ensure that we descend into directories with no ACLs.
Michael Orlitzky [Fri, 2 Mar 2018 19:57:50 +0000 (14:57 -0500)]
run-tests.sh: ensure that we descend into directories with no ACLs.

7 years agosrc/libadacl.c: delete an outdated comment.
Michael Orlitzky [Fri, 2 Mar 2018 16:51:53 +0000 (11:51 -0500)]
src/libadacl.c: delete an outdated comment.

7 years agoautotools: bump the package and library versions to v0.2.0 and v1.0.0. v0.2.0
Michael Orlitzky [Fri, 2 Mar 2018 14:14:35 +0000 (09:14 -0500)]
autotools: bump the package and library versions to v0.2.0 and v1.0.0.

Since the apply_default_acl_ex() function has been removed from the
public API, a new libadacl.so.1 is needed.

7 years agoEliminate the apply_default_acl_ex() function.
Michael Orlitzky [Fri, 2 Mar 2018 14:11:40 +0000 (09:11 -0500)]
Eliminate the apply_default_acl_ex() function.

The apply_default_acl_ex() function was an "extended" version of the
apply_default_acl() function that, in addition, took a stat structure
pointer to the target path. The extended function was used by nftw(),
which usually has such a stat structure handy. However, the provenance
of that stat structure is not clear: does nftw() obtain it in a safe
way?

Since I don't know the answer to that question, I would rather stat()
the descriptor that I know was obtained safely. Thus there's no reason
to take the pointer as an argument, and then no reason to keep the
extended function around at all.

7 years agosrc/libadacl.c: remove two NULL checks around acl_free() calls.
Michael Orlitzky [Fri, 2 Mar 2018 13:52:19 +0000 (08:52 -0500)]
src/libadacl.c: remove two NULL checks around acl_free() calls.

The acl_free() function will return ACL_ERROR and set errno to EINVAL
if we pass it a null pointer; but aside from that, nothing bad
happens, and removing the checks makes the code marginally cleaner.

7 years agosrc/libadacl.c: fix two comment typos.
Michael Orlitzky [Fri, 2 Mar 2018 13:47:56 +0000 (08:47 -0500)]
src/libadacl.c: fix two comment typos.

7 years agoapply_default_acl_ex: avoid second call to safe_open() to speed things up.
Michael Orlitzky [Fri, 2 Mar 2018 02:08:51 +0000 (21:08 -0500)]
apply_default_acl_ex: avoid second call to safe_open() to speed things up.

7 years agosrc/libadacl.c: minor code simplification in safe_open().
Michael Orlitzky [Fri, 2 Mar 2018 01:57:50 +0000 (20:57 -0500)]
src/libadacl.c: minor code simplification in safe_open().

7 years agosrc/libadacl.c: fix return type of fgetxattr in acl_copy_xattr().
Michael Orlitzky [Fri, 2 Mar 2018 00:29:55 +0000 (19:29 -0500)]
src/libadacl.c: fix return type of fgetxattr in acl_copy_xattr().

7 years agorun-tests.sh: add two tests to ensure a no-op without default ACLs.
Michael Orlitzky [Fri, 2 Mar 2018 00:25:31 +0000 (19:25 -0500)]
run-tests.sh: add two tests to ensure a no-op without default ACLs.

7 years agorun-tests.sh: add a test for the "Not a directory" error message.
Michael Orlitzky [Fri, 2 Mar 2018 00:21:16 +0000 (19:21 -0500)]
run-tests.sh: add a test for the "Not a directory" error message.

7 years agorun-tests.sh: whitespace cleanup.
Michael Orlitzky [Fri, 2 Mar 2018 00:16:05 +0000 (19:16 -0500)]
run-tests.sh: whitespace cleanup.

7 years agosrc/libadacl.c: rewrite acl_set_entry() as acl_update_entry().
Michael Orlitzky [Thu, 1 Mar 2018 23:51:58 +0000 (18:51 -0500)]
src/libadacl.c: rewrite acl_set_entry() as acl_update_entry().

It turns out we only need to update existing entries in our ACLs, to
mask the execute permissions. Since we never need to create new
entries, the name "acl_set_entry" was not quite right. The
new-entry-creation code has been removed from the bottom half of the
function, and it has been renamed to "acl_update_entry".

7 years agoEliminate the wipe_acls() function that is apparently not needed.
Michael Orlitzky [Thu, 1 Mar 2018 23:38:59 +0000 (18:38 -0500)]
Eliminate the wipe_acls() function that is apparently not needed.

7 years agosrc/libadacl.c: remove redundant empty pathname checks from safe_open().
Michael Orlitzky [Thu, 1 Mar 2018 23:20:09 +0000 (18:20 -0500)]
src/libadacl.c: remove redundant empty pathname checks from safe_open().

7 years agosrc/libadacl.c: kill a pointless "else if" after an "if" that returns.
Michael Orlitzky [Thu, 1 Mar 2018 23:19:24 +0000 (18:19 -0500)]
src/libadacl.c: kill a pointless "else if" after an "if" that returns.

7 years agoapply_default_acl_ex: don't loop through the ACL unless we're masking exec.
Michael Orlitzky [Thu, 1 Mar 2018 22:25:05 +0000 (17:25 -0500)]
apply_default_acl_ex: don't loop through the ACL unless we're masking exec.

7 years agoImprove the error message for most types of inaccessible paths.
Michael Orlitzky [Thu, 1 Mar 2018 22:15:07 +0000 (17:15 -0500)]
Improve the error message for most types of inaccessible paths.

7 years agoBail out of apply_default_acl_ex() early if the parent has no default ACL.
Michael Orlitzky [Thu, 1 Mar 2018 21:20:15 +0000 (16:20 -0500)]
Bail out of apply_default_acl_ex() early if the parent has no default ACL.

7 years agosrc/libadacl.c: don't try to close file descriptor zero.
Michael Orlitzky [Thu, 1 Mar 2018 21:12:41 +0000 (16:12 -0500)]
src/libadacl.c: don't try to close file descriptor zero.

7 years agoconfigure.ac: bump to version 0.1.5. v0.1.5
Michael Orlitzky [Thu, 1 Mar 2018 13:31:52 +0000 (08:31 -0500)]
configure.ac: bump to version 0.1.5.

7 years agoReplace all tabs with spaces. We're not animals.
Michael Orlitzky [Thu, 1 Mar 2018 13:24:38 +0000 (08:24 -0500)]
Replace all tabs with spaces. We're not animals.

7 years agoEliminate the last bit of pathname usage.
Michael Orlitzky [Wed, 28 Feb 2018 22:33:17 +0000 (17:33 -0500)]
Eliminate the last bit of pathname usage.

A lot of work has been done recently to make apply-default-acl safe
from symlink and hardlink attacks. A big part of that work was the
recent switch to using file descriptors instead of pathnames; but,
pathnames still lingered in a few places due to a shortcoming in
libacl. Through the use of a new function, acl_copy_xattr(), I've
finally eliminated those last few bits.

The apply_default_acl_ex() function now uses path names only as
arguments to safe_open(), which hopefully is safe. Afterwards, the
file descriptors obtained from safe_open() are used. Thus the hard and
symlink attacks should finally be fixed, modulo a tiny race condition
between safe_open() and fstat() that has no known solution.

These changes rely on the Linux xattr implementation and kill our
portability, but I don't think we ever had any to begin with.

7 years agosrc/libadacl.c: fix a function name inside perror output.
Michael Orlitzky [Wed, 28 Feb 2018 22:23:41 +0000 (17:23 -0500)]
src/libadacl.c: fix a function name inside perror output.

7 years agolibadacl.c: remove unused acl_get_permset() call in acl_set_entry().
Michael Orlitzky [Wed, 28 Feb 2018 22:17:59 +0000 (17:17 -0500)]
libadacl.c: remove unused acl_get_permset() call in acl_set_entry().

7 years agoconfigure.ac: bump to version 0.1.4. v0.1.4
Michael Orlitzky [Wed, 28 Feb 2018 15:07:26 +0000 (10:07 -0500)]
configure.ac: bump to version 0.1.4.

7 years agoconfigure.ac: check for the O_PATH flag in fcntl.h.
Michael Orlitzky [Wed, 28 Feb 2018 15:06:59 +0000 (10:06 -0500)]
configure.ac: check for the O_PATH flag in fcntl.h.

7 years agosrc/libadacl.c: mention the O_PATH flag in a comment.
Michael Orlitzky [Wed, 28 Feb 2018 15:06:39 +0000 (10:06 -0500)]
src/libadacl.c: mention the O_PATH flag in a comment.

7 years agoconfigure.ac: check for the O_DIRECTORY flag in fcntl.h.
Michael Orlitzky [Wed, 28 Feb 2018 14:56:59 +0000 (09:56 -0500)]
configure.ac: check for the O_DIRECTORY flag in fcntl.h.

7 years agolibadacl.c: use O_PATH in safe_open() for added safety.
Michael Orlitzky [Wed, 28 Feb 2018 14:55:25 +0000 (09:55 -0500)]
libadacl.c: use O_PATH in safe_open() for added safety.

7 years agoconfigure.ac: bump to version 0.1.3. v0.1.3
Michael Orlitzky [Tue, 27 Feb 2018 23:02:59 +0000 (18:02 -0500)]
configure.ac: bump to version 0.1.3.

7 years agoAdd various NULL pointer checks for good measure.
Michael Orlitzky [Tue, 27 Feb 2018 23:02:21 +0000 (18:02 -0500)]
Add various NULL pointer checks for good measure.

7 years agosafe_open_ex: remove redundant (pathname == NULL) check.
Michael Orlitzky [Tue, 27 Feb 2018 19:21:11 +0000 (14:21 -0500)]
safe_open_ex: remove redundant (pathname == NULL) check.

7 years agosafe_open_ex: add a comment about why O_PATH doesn't work.
Michael Orlitzky [Tue, 27 Feb 2018 19:20:33 +0000 (14:20 -0500)]
safe_open_ex: add a comment about why O_PATH doesn't work.

7 years agorun-tests.sh: add more tests for exit codes.
Michael Orlitzky [Tue, 27 Feb 2018 18:48:18 +0000 (13:48 -0500)]
run-tests.sh: add more tests for exit codes.

7 years agosrc/apply-default-acl.c: update the CLI to match documented exit codes.
Michael Orlitzky [Tue, 27 Feb 2018 18:38:23 +0000 (13:38 -0500)]
src/apply-default-acl.c: update the CLI to match documented exit codes.

7 years agoman/apply-default-acl.1: add a note about the --recursive exit codes.
Michael Orlitzky [Tue, 27 Feb 2018 18:22:51 +0000 (13:22 -0500)]
man/apply-default-acl.1: add a note about the --recursive exit codes.

7 years agorun-tests.sh: add two tests for regular file and symlink exit codes.
Michael Orlitzky [Tue, 27 Feb 2018 18:00:06 +0000 (13:00 -0500)]
run-tests.sh: add two tests for regular file and symlink exit codes.

7 years agoman/apply-default-acl.1: document the way exit codes are SUPPOSED to work.
Michael Orlitzky [Tue, 27 Feb 2018 17:59:14 +0000 (12:59 -0500)]
man/apply-default-acl.1: document the way exit codes are SUPPOSED to work.

7 years agodoc/man/apply-default-acl.1: remove superfluous line breaks.
Michael Orlitzky [Tue, 27 Feb 2018 14:52:40 +0000 (09:52 -0500)]
doc/man/apply-default-acl.1: remove superfluous line breaks.

7 years agoconfigure.ac: bump to version 0.1.2. v0.1.2
Michael Orlitzky [Tue, 27 Feb 2018 00:17:02 +0000 (19:17 -0500)]
configure.ac: bump to version 0.1.2.

7 years agosrc/libadacl.h: add missing includes for "bool" and "struct stat" types.
Michael Orlitzky [Tue, 27 Feb 2018 00:08:38 +0000 (19:08 -0500)]
src/libadacl.h: add missing includes for "bool" and "struct stat" types.

7 years agoconfigure.ac: use xz for distfiles.
Michael Orlitzky [Mon, 26 Feb 2018 22:41:42 +0000 (17:41 -0500)]
configure.ac: use xz for distfiles.

7 years agoconfigure.ac: bump to version 0.1.1. v0.1.1
Michael Orlitzky [Mon, 26 Feb 2018 22:38:05 +0000 (17:38 -0500)]
configure.ac: bump to version 0.1.1.

7 years agolibadacl: add error checking when we open() the filesystem root.
Michael Orlitzky [Mon, 26 Feb 2018 22:36:24 +0000 (17:36 -0500)]
libadacl: add error checking when we open() the filesystem root.

7 years agoconfigure.ac: bump to version 0.1.0. v0.1.0
Michael Orlitzky [Mon, 26 Feb 2018 20:00:47 +0000 (15:00 -0500)]
configure.ac: bump to version 0.1.0.

7 years agoconfigure.ac: remove pointless comment at the top of the file.
Michael Orlitzky [Mon, 26 Feb 2018 20:00:18 +0000 (15:00 -0500)]
configure.ac: remove pointless comment at the top of the file.

7 years agoconfigure.ac: add checks for openat() and O_NOFOLLOW.
Michael Orlitzky [Mon, 26 Feb 2018 19:56:00 +0000 (14:56 -0500)]
configure.ac: add checks for openat() and O_NOFOLLOW.

7 years agoconfigure.ac: add limits.h to the AC_CHECK_HEADERS list.
Michael Orlitzky [Mon, 26 Feb 2018 19:28:17 +0000 (14:28 -0500)]
configure.ac: add limits.h to the AC_CHECK_HEADERS list.

7 years agoAdd missing "flags" parameter documentation to the safe_open() functions.
Michael Orlitzky [Mon, 26 Feb 2018 18:56:36 +0000 (13:56 -0500)]
Add missing "flags" parameter documentation to the safe_open() functions.

7 years agoUpgrade our Doxyfile automatically with doxygen -u.
Michael Orlitzky [Mon, 26 Feb 2018 18:53:46 +0000 (13:53 -0500)]
Upgrade our Doxyfile automatically with doxygen -u.

7 years agoMove a few constants out of the libadacl.h header to where they are used.
Michael Orlitzky [Mon, 26 Feb 2018 18:52:27 +0000 (13:52 -0500)]
Move a few constants out of the libadacl.h header to where they are used.

7 years agolibadacl: update failure return value docs for apply_default_acl().
Michael Orlitzky [Mon, 26 Feb 2018 18:30:20 +0000 (13:30 -0500)]
libadacl: update failure return value docs for apply_default_acl().

7 years agoRename apply_default_acl() to apply_default_acl_ex() and add a wrapper.
Michael Orlitzky [Mon, 26 Feb 2018 18:27:18 +0000 (13:27 -0500)]
Rename apply_default_acl() to apply_default_acl_ex() and add a wrapper.

The old apply_default_acl() function has a weird second argument that
will usually be NULL for other users of the library. Instead of making
them deal with that design choice, the old apply_default_acl()
function was renamed t apply_default_acl_ex(), and a new
apply_default_acl() was added with no second argument to wrap the
former.

7 years agolibadacl: improve safe_open() error message when given bad args.
Michael Orlitzky [Mon, 26 Feb 2018 18:13:56 +0000 (13:13 -0500)]
libadacl: improve safe_open() error message when given bad args.

7 years agoClean up a few "include" statements, and document them.
Michael Orlitzky [Mon, 26 Feb 2018 14:59:48 +0000 (09:59 -0500)]
Clean up a few "include" statements, and document them.

7 years agoSplit most functions off into a separate shared library.
Michael Orlitzky [Mon, 26 Feb 2018 14:40:18 +0000 (09:40 -0500)]
Split most functions off into a separate shared library.

7 years agoUpdate the man page to say that symlinks are ignored in all path components.
Michael Orlitzky [Mon, 26 Feb 2018 13:41:16 +0000 (08:41 -0500)]
Update the man page to say that symlinks are ignored in all path components.

7 years agoAdd documentation for the safe_open() and safe_open_ex() functions.
Michael Orlitzky [Mon, 26 Feb 2018 13:38:14 +0000 (08:38 -0500)]
Add documentation for the safe_open() and safe_open_ex() functions.

7 years agoDefine a few more error constants to make the code more readable.
Michael Orlitzky [Mon, 26 Feb 2018 13:27:13 +0000 (08:27 -0500)]
Define a few more error constants to make the code more readable.

7 years agoDon't output anything in safe_open_ex when we ignore a symlink.
Michael Orlitzky [Mon, 26 Feb 2018 12:50:18 +0000 (07:50 -0500)]
Don't output anything in safe_open_ex when we ignore a symlink.

7 years agoAdd a test to ensure that non-terminal symlinks are not followed.
Michael Orlitzky [Mon, 26 Feb 2018 12:45:55 +0000 (07:45 -0500)]
Add a test to ensure that non-terminal symlinks are not followed.

7 years agoAdd a test to ensure that symlinks in the CWD don't cause problems.
Michael Orlitzky [Mon, 26 Feb 2018 12:39:55 +0000 (07:39 -0500)]
Add a test to ensure that symlinks in the CWD don't cause problems.

7 years agoAdd safe_open() function to fix symlink traversal in non-terminal components.
Michael Orlitzky [Mon, 26 Feb 2018 03:11:47 +0000 (22:11 -0500)]
Add safe_open() function to fix symlink traversal in non-terminal components.

The standard library provides lots of ways to avoid symlinks in the
"baz" component of "foo/bar/baz", but very few (i.e. zero) ways to
avoid them in the "bar" component. Of course, they're just as
dangerous in either place, so it would be cool if we could ignore
symlinks entirely.

This commit adds a safe_open() function, which looks just like open()
to the caller, but which starts at the root and calls openat() one
component at-a-time. Thus if you use O_NOFOLLOW, nobody can trick you
with an intermediate component: there are no intermediate components;
it works one at-a-time. This slows things down a bit, but not fatally.

7 years agoFix an old comment about dirname/basename handling in apply_default_acl().
Michael Orlitzky [Mon, 26 Feb 2018 03:11:10 +0000 (22:11 -0500)]
Fix an old comment about dirname/basename handling in apply_default_acl().

7 years agoEliminate the is_path_directory() function.
Michael Orlitzky [Mon, 26 Feb 2018 02:47:25 +0000 (21:47 -0500)]
Eliminate the is_path_directory() function.

The is_path_directory() function was only used in two places:

  1. To avoid involving nftw when the target is a file.
  2. To avoid setting (or trying to) a default ACL on a file.

The first one doesn't really matter, and the correct behavior is
tested, so the additional "is it a directory?" check has been
dropped. In the second case, we still don't want to try to set default
ACLs on files, but now the "is it a directory?" check is done at the
call site, where a stat structure is already available.

With those two uses gone, the function has been removed.

7 years agoPass a stat structure pointer to any_can_execute() to avoid a re-stat.
Michael Orlitzky [Mon, 26 Feb 2018 02:40:11 +0000 (21:40 -0500)]
Pass a stat structure pointer to any_can_execute() to avoid a re-stat.

7 years agoAllow apply_default_acl() to take a stat pointer for its path argument.
Michael Orlitzky [Mon, 26 Feb 2018 02:35:02 +0000 (21:35 -0500)]
Allow apply_default_acl() to take a stat pointer for its path argument.

When operating recursively, nftw has already called stat() on the path
that it feeds to apply_default_acl(). Rather than re-stat it, we can
now pass a stat struct pointer in as the second argument to
apply_default_acl(). When not operating recursively, you just pass it
NULL instead, and apply_default_acl() will do the fstat as before.

7 years agoImprove the error message when assign_default_acl() is fed a NULL path.
Michael Orlitzky [Mon, 26 Feb 2018 01:19:17 +0000 (20:19 -0500)]
Improve the error message when assign_default_acl() is fed a NULL path.

7 years agoEliminate the one remaining use of is_directory().
Michael Orlitzky [Mon, 26 Feb 2018 01:11:54 +0000 (20:11 -0500)]
Eliminate the one remaining use of is_directory().

The is_directory() function was called once, in a place where we
already had access to its argument's stat structure. Instead, we now
just use S_ISDIR, and the is_directory() function has met its end.

7 years agoMove the "or_dir" out of any_can_execute_or_dir().
Michael Orlitzky [Mon, 26 Feb 2018 01:10:04 +0000 (20:10 -0500)]
Move the "or_dir" out of any_can_execute_or_dir().

The any_can_execute_or_dir() function checked two things; whether or
not anyone could execute something, and whether or not that thing was
a directory. It's cleaner to have the "is it directory?" check outside
these days, so this commit renames that function to any_can_execute()
and the one place it's used now checks whether or not the argument is
a directory itself.

7 years agoInline the is_hardlink_safe() and is_regular_file() functions.
Michael Orlitzky [Mon, 26 Feb 2018 01:03:44 +0000 (20:03 -0500)]
Inline the is_hardlink_safe() and is_regular_file() functions.

These two functions were only called in one place, and they were
called right after one another. Both functions merely peek the stat
structure for a file descriptor, so it's easier to stat the thing once
and then just inline the two checks rather than setup/teardown
everything twice.

7 years agoImprove the error message when apply_default_acl() is fed a NULL path.
Michael Orlitzky [Mon, 26 Feb 2018 00:59:52 +0000 (19:59 -0500)]
Improve the error message when apply_default_acl() is fed a NULL path.

7 years agoEliminate pointless newline in the signature of acl_set_entry().
Michael Orlitzky [Mon, 26 Feb 2018 00:58:18 +0000 (19:58 -0500)]
Eliminate pointless newline in the signature of acl_set_entry().

7 years agoInline the one call to the get_mode() function.
Michael Orlitzky [Mon, 26 Feb 2018 00:55:34 +0000 (19:55 -0500)]
Inline the one call to the get_mode() function.

The get_mode() function was only called in one place, and its
implementation was about three lines. The overhead of checking its
arguments and figuring out its return value was not worth the
absolutely tiny improvement in readability that the function afforded,
so the whole thing has been inlined at its one call site.

7 years agoEliminate unnecessary intermediate result variables.
Michael Orlitzky [Mon, 26 Feb 2018 00:50:42 +0000 (19:50 -0500)]
Eliminate unnecessary intermediate result variables.

Before this commit, most library calls looked something like...

  int result = foo(x,y);
  if (result == whatever) {
    ...
  }

and then the "result" variable was never used again. There's no need
to introduce the new name, and it probably only increases
confusion. So, this commit eliminates them all.

7 years agoSimplify wipe_acls() by having it unconditionally write a new, empty ACL.
Michael Orlitzky [Mon, 26 Feb 2018 00:39:16 +0000 (19:39 -0500)]
Simplify wipe_acls() by having it unconditionally write a new, empty ACL.

7 years agoReplace most path usage with file descriptors.
Michael Orlitzky [Fri, 23 Feb 2018 21:11:08 +0000 (16:11 -0500)]
Replace most path usage with file descriptors.

Before this commit, we were passing around paths everywhere to specify
the targets of operations. This is not optimal from a security
standpoint: the best we can do to avoid following hard links is to
check whether or not a given file has more than one name. There is a
race condition inherent in that approach -- between when you stat the
file and when you use it, the number of names may change -- but using
paths makes that window larger than it has to be. There's no guarantee
that a path used at the bottom of apply_default_acl() will refer to
the same file that we called stat() on at the top of the function.

To work around that, most of the path handling functions have been
replaced with versions that use file descriptors. Now we are able to
stat() our file descriptor immediately after opening it, and the
descriptor itself will always refer to the same file. There's still
the smallest of windows for an exploit, but this makes it much safer
to call apply_default_acl() when there may be hard links present.