4 * @brief The adacl (apply default acl) shared library.
8 /* Enables get_current_dir_name() in unistd.h */
11 #include <errno.h> /* ELOOP, EINVAL, etc. */
12 #include <fcntl.h> /* openat() */
13 #include <libgen.h> /* basename(), dirname() */
14 #include <limits.h> /* PATH_MAX */
15 #include <stdbool.h> /* the "bool" type */
16 #include <stdio.h> /* perror(), snprintf() */
17 #include <stdlib.h> /* free() */
18 #include <string.h> /* strdup() */
19 #include <sys/stat.h> /* fstat() */
20 #include <unistd.h> /* get_current_dir_name() */
23 #include <acl/libacl.h> /* acl_get_perm, not portable */
24 #include <sys/acl.h> /* all other acl_foo functions */
30 * @brief The recursive portion of the @c safe_open function, used to
31 * open a file descriptor in a symlink-safe way when combined with
32 * the @c O_NOFOLLOW flag.
35 * A file descriptor relative to which @c pathname will be opened.
38 * The path to the file/directory/whatever whose descriptor you want.
40 * @return a file descriptor for @c pathname if everything goes well,
41 * and @c OPEN_ERROR if not.
43 int safe_open_ex(int at_fd
, char* pathname
, int flags
) {
44 if (pathname
!= NULL
&& strlen(pathname
) == 0) {
45 /* Oops, went one level to deep with nothing to do. */
49 char* firstslash
= strchr(pathname
, '/');
50 if (firstslash
== NULL
) {
51 /* No more slashes, this is the base case. */
52 int r
= openat(at_fd
, pathname
, flags
);
56 /* Temporarily disable the slash, so that the subsequent call to
57 openat() opens only the next directory (and doesn't recurse). */
59 int fd
= safe_open_ex(at_fd
, pathname
, flags
);
60 if (fd
== OPEN_ERROR
) {
62 /* Don't output anything if we ignore a symlink */
63 perror("safe_open_ex (safe_open_ex)");
68 /* The ++ is safe because there needs to be at least a null byte
69 after the first slash, even if it's the last real character in
71 int result
= safe_open_ex(fd
, firstslash
+1, flags
);
72 if (close(fd
) == CLOSE_ERROR
) {
73 perror("safe_open_ex (close)");
81 * @brief A version of @c open that is completely symlink-safe when
82 * used with the @c O_NOFOLLOW flag.
84 * The @c openat function exists to ensure that you can anchor one
85 * path to a particular directory while opening it; however, if you
86 * open "b/c/d" relative to "/a", then even the @c openat function will
87 * still follow symlinks in the "b" component. This can be exploited
88 * by an attacker to make you open the wrong path.
90 * To avoid that problem, this function uses a recursive
91 * implementation that opens every path from the root, one level at a
92 * time. So "a" is opened relative to "/", and then "b" is opened
93 * relative to "/a", and then "c" is opened relative to "/a/b",
94 * etc. When the @c O_NOFOLLOW flag is used, this approach ensures
95 * that no symlinks in any component are followed.
98 * The path to the file/directory/whatever whose descriptor you want.
100 * @return a file descriptor for @c pathname if everything goes well,
101 * and @c OPEN_ERROR if not.
103 int safe_open(const char* pathname
, int flags
) {
104 if (pathname
== NULL
|| strlen(pathname
) == 0 || pathname
[0] == '\0') {
106 perror("safe_open (args)");
110 char abspath
[PATH_MAX
];
111 int snprintf_result
= 0;
112 if (strchr(pathname
, '/') == pathname
) {
113 /* pathname is already absolute; just copy it. */
114 snprintf_result
= snprintf(abspath
, PATH_MAX
, "%s", pathname
);
117 /* Concatenate the current working directory and pathname into an
118 * absolute path. We use realpath() ONLY on the cwd part, and not
119 * on the pathname part, because realpath() resolves symlinks. And
120 * the whole point of all this crap is to avoid following symlinks
123 * Using realpath() on the cwd lets us operate on relative paths
124 * while we're sitting in a directory that happens to have a
125 * symlink in it; for example: cd /var/run && apply-default-acl foo.
127 char* cwd
= get_current_dir_name();
129 perror("safe_open (get_current_dir_name)");
133 char abs_cwd
[PATH_MAX
];
134 if (realpath(cwd
, abs_cwd
) == NULL
) {
135 perror("safe_open (realpath)");
139 snprintf_result
= snprintf(abspath
, PATH_MAX
, "%s/%s", abs_cwd
, pathname
);
142 if (snprintf_result
== SNPRINTF_ERROR
|| snprintf_result
> PATH_MAX
) {
143 perror("safe_open (snprintf)");
147 int fd
= open("/", flags
);
148 if (strcmp(abspath
, "/") == 0) {
152 int result
= safe_open_ex(fd
, abspath
+1, flags
);
153 if (close(fd
) == CLOSE_ERROR
) {
154 perror("safe_open (close)");
164 * @brief Update (or create) an entry in an @b minimal ACL.
166 * This function will not work if @c aclp contains extended
167 * entries. This is fine for our purposes, since we call @c wipe_acls
168 * on each path before applying the default to it.
170 * The assumption that there are no extended entries makes things much
171 * simpler. For example, we only have to update the @c ACL_USER_OBJ,
172 * @c ACL_GROUP_OBJ, and @c ACL_OTHER entries -- all others can simply
173 * be created anew. This means we don't have to fool around comparing
174 * named-user/group entries.
177 * A pointer to the acl_t structure whose entry we want to modify.
180 * The new entry. If @c entry contains a user/group/other entry, we
181 * update the existing one. Otherwise we create a new entry.
183 * @return If there is an unexpected library error, @c ACL_ERROR is
184 * returned. Otherwise, @c ACL_SUCCESS.
187 int acl_set_entry(acl_t
* aclp
, acl_entry_t entry
) {
190 if (acl_get_tag_type(entry
, &entry_tag
) == ACL_ERROR
) {
191 perror("acl_set_entry (acl_get_tag_type)");
195 acl_permset_t entry_permset
;
196 if (acl_get_permset(entry
, &entry_permset
) == ACL_ERROR
) {
197 perror("acl_set_entry (acl_get_permset)");
201 acl_entry_t existing_entry
;
202 /* Loop through the given ACL looking for matching entries. */
203 int result
= acl_get_entry(*aclp
, ACL_FIRST_ENTRY
, &existing_entry
);
205 while (result
== ACL_SUCCESS
) {
206 acl_tag_t existing_tag
= ACL_UNDEFINED_TAG
;
208 if (acl_get_tag_type(existing_entry
, &existing_tag
) == ACL_ERROR
) {
209 perror("set_acl_tag_permset (acl_get_tag_type)");
213 if (existing_tag
== entry_tag
) {
214 if (entry_tag
== ACL_USER_OBJ
||
215 entry_tag
== ACL_GROUP_OBJ
||
216 entry_tag
== ACL_OTHER
) {
217 /* Only update for these three since all other tags will have
218 been wiped. These three are guaranteed to exist, so if we
219 match one of them, we're allowed to return ACL_SUCCESS
220 below and bypass the rest of the function. */
221 acl_permset_t existing_permset
;
222 if (acl_get_permset(existing_entry
, &existing_permset
) == ACL_ERROR
) {
223 perror("acl_set_entry (acl_get_permset)");
227 if (acl_set_permset(existing_entry
, entry_permset
) == ACL_ERROR
) {
228 perror("acl_set_entry (acl_set_permset)");
237 result
= acl_get_entry(*aclp
, ACL_NEXT_ENTRY
, &existing_entry
);
240 /* This catches both the initial acl_get_entry and the ones at the
242 if (result
== ACL_ERROR
) {
243 perror("acl_set_entry (acl_get_entry)");
247 /* If we've made it this far, we need to add a new entry to the
249 acl_entry_t new_entry
;
251 /* The acl_create_entry() function can allocate new memory and/or
252 * change the location of the ACL structure entirely. When that
253 * happens, the value pointed to by aclp is updated, which means
254 * that a new acl_t gets "passed out" to our caller, eventually to
255 * be fed to acl_free(). In other words, we should still be freeing
256 * the right thing, even if the value pointed to by aclp changes.
258 if (acl_create_entry(aclp
, &new_entry
) == ACL_ERROR
) {
259 perror("acl_set_entry (acl_create_entry)");
263 if (acl_set_tag_type(new_entry
, entry_tag
) == ACL_ERROR
) {
264 perror("acl_set_entry (acl_set_tag_type)");
268 if (acl_set_permset(new_entry
, entry_permset
) == ACL_ERROR
) {
269 perror("acl_set_entry (acl_set_permset)");
273 if (entry_tag
== ACL_USER
|| entry_tag
== ACL_GROUP
) {
274 /* We need to set the qualifier too. */
275 void* entry_qual
= acl_get_qualifier(entry
);
276 if (entry_qual
== (void*)NULL
) {
277 perror("acl_set_entry (acl_get_qualifier)");
281 if (acl_set_qualifier(new_entry
, entry_qual
) == ACL_ERROR
) {
282 perror("acl_set_entry (acl_set_qualifier)");
293 * @brief Determine the number of entries in the given ACL.
296 * The ACL to inspect.
298 * @return Either the non-negative number of entries in @c acl, or
299 * @c ACL_ERROR on error.
301 int acl_entry_count(acl_t acl
) {
305 int result
= acl_get_entry(acl
, ACL_FIRST_ENTRY
, &entry
);
307 while (result
== ACL_SUCCESS
) {
309 result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
312 if (result
== ACL_ERROR
) {
313 perror("acl_entry_count (acl_get_entry)");
323 * @brief Determine whether or not the given ACL is minimal.
325 * An ACL is minimal if it has fewer than four entries.
328 * The ACL whose minimality is in question.
331 * - @c ACL_SUCCESS - @c acl is minimal
332 * - @c ACL_FAILURE - @c acl is not minimal
333 * - @c ACL_ERROR - Unexpected library error
335 int acl_is_minimal(acl_t acl
) {
337 int ec
= acl_entry_count(acl
);
339 if (ec
== ACL_ERROR
) {
340 perror("acl_is_minimal (acl_entry_count)");
355 * @brief Determine whether the given ACL's mask denies execute.
358 * The ACL whose mask we want to check.
361 * - @c ACL_SUCCESS - The @c acl has a mask which denies execute.
362 * - @c ACL_FAILURE - The @c acl has a mask which does not deny execute.
363 * - @c ACL_ERROR - Unexpected library error.
365 int acl_execute_masked(acl_t acl
) {
368 int ge_result
= acl_get_entry(acl
, ACL_FIRST_ENTRY
, &entry
);
370 while (ge_result
== ACL_SUCCESS
) {
371 acl_tag_t tag
= ACL_UNDEFINED_TAG
;
373 if (acl_get_tag_type(entry
, &tag
) == ACL_ERROR
) {
374 perror("acl_execute_masked (acl_get_tag_type)");
378 if (tag
== ACL_MASK
) {
379 /* This is the mask entry, get its permissions, and see if
380 execute is specified. */
381 acl_permset_t permset
;
383 if (acl_get_permset(entry
, &permset
) == ACL_ERROR
) {
384 perror("acl_execute_masked (acl_get_permset)");
388 int gp_result
= acl_get_perm(permset
, ACL_EXECUTE
);
389 if (gp_result
== ACL_ERROR
) {
390 perror("acl_execute_masked (acl_get_perm)");
394 if (gp_result
== ACL_FAILURE
) {
395 /* No execute bit set in the mask; execute not allowed. */
400 ge_result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
409 * @brief Determine whether @c fd is executable by anyone.
412 * This is used as part of the heuristic to determine whether or not
413 * we should mask the execute bit when inheriting an ACL. If @c fd
414 * describes a file, we check the @a effective permissions, contrary
415 * to what setfacl does.
418 * The file descriptor to check.
421 * A pointer to a stat structure for @c fd.
424 * - @c ACL_SUCCESS - Someone has effective execute permissions on @c fd.
425 * - @c ACL_FAILURE - Nobody can execute @c fd.
426 * - @c ACL_ERROR - Unexpected library error.
428 int any_can_execute(int fd
, const struct stat
* sp
) {
429 acl_t acl
= acl_get_fd(fd
);
431 if (acl
== (acl_t
)NULL
) {
432 perror("any_can_execute (acl_get_file)");
436 /* Our return value. */
437 int result
= ACL_FAILURE
;
439 if (acl_is_minimal(acl
)) {
440 if (sp
->st_mode
& (S_IXUSR
| S_IXOTH
| S_IXGRP
)) {
441 result
= ACL_SUCCESS
;
445 result
= ACL_FAILURE
;
451 int ge_result
= acl_get_entry(acl
, ACL_FIRST_ENTRY
, &entry
);
453 while (ge_result
== ACL_SUCCESS
) {
454 /* The first thing we do is check to see if this is a mask
455 entry. If it is, we skip it entirely. */
456 acl_tag_t tag
= ACL_UNDEFINED_TAG
;
458 if (acl_get_tag_type(entry
, &tag
) == ACL_ERROR
) {
459 perror("any_can_execute_or (acl_get_tag_type)");
464 if (tag
== ACL_MASK
) {
465 ge_result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
469 /* Ok, so it's not a mask entry. Check the execute perms. */
470 acl_permset_t permset
;
472 if (acl_get_permset(entry
, &permset
) == ACL_ERROR
) {
473 perror("any_can_execute_or (acl_get_permset)");
478 int gp_result
= acl_get_perm(permset
, ACL_EXECUTE
);
479 if (gp_result
== ACL_ERROR
) {
480 perror("any_can_execute (acl_get_perm)");
485 if (gp_result
== ACL_SUCCESS
) {
486 /* Only return ACL_SUCCESS if this execute bit is not masked. */
487 if (acl_execute_masked(acl
) != ACL_SUCCESS
) {
488 result
= ACL_SUCCESS
;
493 ge_result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
496 if (ge_result
== ACL_ERROR
) {
497 perror("any_can_execute (acl_get_entry)");
510 * @brief Set @c acl as the default ACL on @c path.
512 * This overwrites any existing default ACL on @c path. If @c path is
513 * not a directory, we return ACL_ERROR and @c errno is set.
516 * The target directory whose ACL we wish to replace or create.
519 * The ACL to set as default on @c path.
522 * - @c ACL_SUCCESS - The default ACL was assigned successfully.
523 * - @c ACL_ERROR - Unexpected library error.
525 int assign_default_acl(const char* path
, acl_t acl
) {
529 perror("assign_default_acl (args)");
533 /* Our return value; success unless something bad happens. */
534 int result
= ACL_SUCCESS
;
535 acl_t path_acl
= acl_dup(acl
);
537 if (path_acl
== (acl_t
)NULL
) {
538 perror("assign_default_acl (acl_dup)");
539 return ACL_ERROR
; /* Nothing to clean up in this case. */
542 if (acl_set_file(path
, ACL_TYPE_DEFAULT
, path_acl
) == ACL_ERROR
) {
543 perror("assign_default_acl (acl_set_file)");
554 * @brief Remove all @c ACL_TYPE_ACCESS entries from the given file
555 * descriptor, leaving the UNIX permission bits.
558 * The file descriptor whose ACLs we want to wipe.
561 * - @c ACL_SUCCESS - The ACLs were wiped successfully, or none
562 * existed in the first place.
563 * - @c ACL_ERROR - Unexpected library error.
565 int wipe_acls(int fd
) {
566 /* Initialize an empty ACL, and then overwrite the one on "fd" with it. */
567 acl_t empty_acl
= acl_init(0);
569 if (empty_acl
== (acl_t
)NULL
) {
570 perror("wipe_acls (acl_init)");
574 if (acl_set_fd(fd
, empty_acl
) == ACL_ERROR
) {
575 perror("wipe_acls (acl_set_fd)");
587 * @brief Apply parent default ACL to a path.
589 * This overwrites any existing ACLs on @c path.
592 * The path whose ACL we would like to reset to its default.
595 * A pointer to a stat structure for @c path, or @c NULL if you don't
598 * @param no_exec_mask
599 * The value (either true or false) of the --no-exec-mask flag.
602 * - @c ACL_SUCCESS - The parent default ACL was inherited successfully.
603 * - @c ACL_FAILURE - The target path is not a regular file/directory,
604 * or the parent of @c path is not a directory.
605 * - @c ACL_ERROR - Unexpected library error.
607 int apply_default_acl_ex(const char* path
,
608 const struct stat
* sp
,
613 perror("apply_default_acl_ex (args)");
617 /* Define these next three variables here because we may have to
618 * jump to the cleanup routine which expects them to exist.
621 /* Our return value. */
622 int result
= ACL_SUCCESS
;
624 /* The default ACL on path's parent directory */
625 acl_t defacl
= (acl_t
)NULL
;
627 /* The file descriptor corresponding to "path" */
630 /* Get the parent directory of "path" with dirname(), which happens
631 * to murder its argument and necessitates a path_copy.
633 char* path_copy
= strdup(path
);
634 if (path_copy
== NULL
) {
635 perror("apply_default_acl_ex (strdup)");
638 char* parent
= dirname(path_copy
);
640 fd
= safe_open(path
, O_NOFOLLOW
);
641 if (fd
== OPEN_ERROR
) {
642 if (errno
== ELOOP
) {
643 result
= ACL_FAILURE
; /* hit a symlink */
647 perror("apply_default_acl_ex (open fd)");
654 /* Refuse to operate on hard links, which can be abused by an
655 * attacker to trick us into changing the ACL on a file we didn't
656 * intend to; namely the "target" of the hard link. There is TOCTOU
657 * race condition here, but the window is as small as possible
658 * between when we open the file descriptor (look above) and when we
661 * Note: we only need to call fstat ourselves if we weren't passed a
662 * valid pointer to a stat structure (nftw does that).
666 if (fstat(fd
, &s
) == STAT_ERROR
) {
667 perror("apply_default_acl_ex (fstat)");
674 if (!S_ISDIR(sp
->st_mode
)) {
675 /* If it's not a directory, make sure it's a regular,
676 non-hard-linked file. */
677 if (!S_ISREG(sp
->st_mode
) || sp
->st_nlink
!= 1) {
678 result
= ACL_FAILURE
;
684 /* Default to not masking the exec bit; i.e. applying the default
685 ACL literally. If --no-exec-mask was not specified, then we try
686 to "guess" whether or not to mask the exec bit. This behavior
687 is modeled after the capital 'X' perms of setfacl. */
688 bool allow_exec
= true;
691 /* Never mask the execute bit on directories. */
692 int ace_result
= any_can_execute(fd
,sp
) || S_ISDIR(sp
->st_mode
);
694 if (ace_result
== ACL_ERROR
) {
695 perror("apply_default_acl_ex (any_can_execute)");
700 allow_exec
= (bool)ace_result
;
703 defacl
= acl_get_file(parent
, ACL_TYPE_DEFAULT
);
705 if (defacl
== (acl_t
)NULL
) {
706 perror("apply_default_acl_ex (acl_get_file)");
711 if (wipe_acls(fd
) == ACL_ERROR
) {
712 perror("apply_default_acl_ex (wipe_acls)");
717 /* Do this after wipe_acls(), otherwise we'll overwrite the wiped
718 ACL with this one. */
719 acl_t acl
= acl_get_fd(fd
);
720 if (acl
== (acl_t
)NULL
) {
721 perror("apply_default_acl_ex (acl_get_fd)");
726 /* If it's a directory, inherit the parent's default. We sure hope
727 * that "path" still points to the same thing that "fd" and this
728 * "sp" describe. If not, we may wind up trying to set a default ACL
729 * on a file, and this will throw an error. I guess that's what we
732 if (S_ISDIR(sp
->st_mode
) && assign_default_acl(path
, defacl
) == ACL_ERROR
) {
733 perror("apply_default_acl_ex (assign_default_acl)");
739 int ge_result
= acl_get_entry(defacl
, ACL_FIRST_ENTRY
, &entry
);
741 while (ge_result
== ACL_SUCCESS
) {
742 acl_tag_t tag
= ACL_UNDEFINED_TAG
;
744 if (acl_get_tag_type(entry
, &tag
) == ACL_ERROR
) {
745 perror("apply_default_acl_ex (acl_get_tag_type)");
751 /* We've got an entry/tag from the default ACL. Get its permset. */
752 acl_permset_t permset
;
753 if (acl_get_permset(entry
, &permset
) == ACL_ERROR
) {
754 perror("apply_default_acl_ex (acl_get_permset)");
759 /* If this is a default mask, fix it up. */
760 if (tag
== ACL_MASK
||
761 tag
== ACL_USER_OBJ
||
762 tag
== ACL_GROUP_OBJ
||
766 /* The mask doesn't affect acl_user_obj, acl_group_obj (in
767 minimal ACLs) or acl_other entries, so if execute should be
768 masked, we have to do it manually. */
769 if (acl_delete_perm(permset
, ACL_EXECUTE
) == ACL_ERROR
) {
770 perror("apply_default_acl_ex (acl_delete_perm)");
775 if (acl_set_permset(entry
, permset
) == ACL_ERROR
) {
776 perror("apply_default_acl_ex (acl_set_permset)");
783 /* Finally, add the permset to the access ACL. It's actually
784 * important that we pass in the address of "acl" here, and not
785 * "acl" itself. Why? The call to acl_create_entry() within
786 * acl_set_entry() can allocate new memory for the entry.
787 * Sometimes that can be done in-place, in which case everything
788 * is cool and the new memory gets released when we call
791 * But occasionally, the whole ACL structure will have to be moved
792 * in order to allocate the extra space. When that happens,
793 * acl_create_entry() modifies the pointer it was passed (in this
794 * case, &acl) to point to the new location. We want to call
795 * acl_free() on the new location, and since acl_free() gets
796 * called right here, we need acl_create_entry() to update the
797 * value of "acl". To do that, it needs the address of "acl".
799 if (acl_set_entry(&acl
, entry
) == ACL_ERROR
) {
800 perror("apply_default_acl_ex (acl_set_entry)");
805 ge_result
= acl_get_entry(defacl
, ACL_NEXT_ENTRY
, &entry
);
808 /* Catches the first acl_get_entry as well as the ones at the end of
810 if (ge_result
== ACL_ERROR
) {
811 perror("apply_default_acl_ex (acl_get_entry)");
816 if (acl_set_fd(fd
, acl
) == ACL_ERROR
) {
817 perror("apply_default_acl_ex (acl_set_fd)");
824 if (defacl
!= (acl_t
)NULL
) {
827 if (fd
>= 0 && close(fd
) == CLOSE_ERROR
) {
828 perror("apply_default_acl_ex (close)");
837 * @brief The friendly interface to @c apply_default_acl_ex.
839 * The @c apply_default_acl_ex function holds the real implementation
840 * of this function, but it takes a weird second argument that most
841 * people won't care about (a stat structure). But, we use that
842 * argument for the recursive mode of the CLI, so it's there.
844 * If you don't have a stat structure for your @c path, use this instead.
847 * The path whose ACL we would like to reset to its default.
849 * @param no_exec_mask
850 * The value (either true or false) of the --no-exec-mask flag.
853 * - @c ACL_SUCCESS - The parent default ACL was inherited successfully.
854 * - @c ACL_FAILURE - The target path is not a regular file/directory,
855 * or the parent of @c path is not a directory.
856 * - @c ACL_ERROR - Unexpected library error.
858 int apply_default_acl(const char* path
, bool no_exec_mask
) {
859 return apply_default_acl_ex(path
, NULL
, no_exec_mask
);