4 * @brief The adacl (apply default acl) shared library.
8 /* Enables get_current_dir_name() in unistd.h */
11 #include <errno.h> /* ELOOP, EINVAL, etc. */
12 #include <fcntl.h> /* openat() */
13 #include <libgen.h> /* basename(), dirname() */
14 #include <limits.h> /* PATH_MAX */
15 #include <stdbool.h> /* the "bool" type */
16 #include <stdio.h> /* perror(), snprintf() */
17 #include <stdlib.h> /* free() */
18 #include <string.h> /* strdup() */
19 #include <sys/stat.h> /* fstat() */
20 #include <unistd.h> /* get_current_dir_name() */
23 #include <acl/libacl.h> /* acl_get_perm, not portable */
24 #include <sys/acl.h> /* all other acl_foo functions */
29 /* Even though most other library functions reliably return -1 for
30 * error, it feels a little wrong to re-use the ACL_ERROR constant.
32 #define CLOSE_ERROR -1
34 #define SNPRINTF_ERROR -1
39 * @brief The recursive portion of the @c safe_open function, used to
40 * open a file descriptor in a symlink-safe way when combined with
41 * the @c O_NOFOLLOW flag.
43 * The @c O_PATH flag is not used because we want to fail upon
44 * encountering any symlinks.
47 * A file descriptor relative to which @c pathname will be opened.
50 * The path to the file/directory/whatever whose descriptor you want.
53 * File status flags to be passed to @c openat.
55 * @return a file descriptor for @c pathname if everything goes well,
56 * and @c OPEN_ERROR if not.
58 int safe_open_ex(int at_fd
, char* pathname
, int flags
) {
59 if (pathname
!= NULL
&& strlen(pathname
) == 0) {
60 /* Oops, went one level to deep with nothing to do. */
64 char* firstslash
= strchr(pathname
, '/');
65 if (firstslash
== NULL
) {
66 /* No more slashes, this is the base case. */
67 int r
= openat(at_fd
, pathname
, flags
);
71 /* Temporarily disable the slash, so that the subsequent call to
72 openat() opens only the next directory (and doesn't recurse). */
74 int fd
= safe_open_ex(at_fd
, pathname
, flags
);
75 if (fd
== OPEN_ERROR
) {
77 /* Don't output anything if we ignore a symlink */
78 perror("safe_open_ex (safe_open_ex)");
83 /* The ++ is safe because there needs to be at least a null byte
84 after the first slash, even if it's the last real character in
86 int result
= safe_open_ex(fd
, firstslash
+1, flags
);
87 if (close(fd
) == CLOSE_ERROR
) {
88 perror("safe_open_ex (close)");
96 * @brief A version of @c open that is completely symlink-safe when
97 * used with the @c O_NOFOLLOW flag.
99 * The @c openat function exists to ensure that you can anchor one
100 * path to a particular directory while opening it; however, if you
101 * open "b/c/d" relative to "/a", then even the @c openat function will
102 * still follow symlinks in the "b" component. This can be exploited
103 * by an attacker to make you open the wrong path.
105 * To avoid that problem, this function uses a recursive
106 * implementation that opens every path from the root, one level at a
107 * time. So "a" is opened relative to "/", and then "b" is opened
108 * relative to "/a", and then "c" is opened relative to "/a/b",
109 * etc. When the @c O_NOFOLLOW flag is used, this approach ensures
110 * that no symlinks in any component are followed.
113 * The path to the file/directory/whatever whose descriptor you want.
116 * File status flags to be passed to @c openat.
118 * @return a file descriptor for @c pathname if everything goes well,
119 * and @c OPEN_ERROR if not.
121 int safe_open(const char* pathname
, int flags
) {
122 if (pathname
== NULL
|| strlen(pathname
) == 0 || pathname
[0] == '\0') {
124 perror("safe_open (args)");
128 char abspath
[PATH_MAX
];
129 int snprintf_result
= 0;
130 if (strchr(pathname
, '/') == pathname
) {
131 /* pathname is already absolute; just copy it. */
132 snprintf_result
= snprintf(abspath
, PATH_MAX
, "%s", pathname
);
135 /* Concatenate the current working directory and pathname into an
136 * absolute path. We use realpath() ONLY on the cwd part, and not
137 * on the pathname part, because realpath() resolves symlinks. And
138 * the whole point of all this crap is to avoid following symlinks
141 * Using realpath() on the cwd lets us operate on relative paths
142 * while we're sitting in a directory that happens to have a
143 * symlink in it; for example: cd /var/run && apply-default-acl foo.
145 char* cwd
= get_current_dir_name();
147 perror("safe_open (get_current_dir_name)");
151 char abs_cwd
[PATH_MAX
];
152 if (realpath(cwd
, abs_cwd
) == NULL
) {
153 perror("safe_open (realpath)");
157 snprintf_result
= snprintf(abspath
, PATH_MAX
, "%s/%s", abs_cwd
, pathname
);
160 if (snprintf_result
== SNPRINTF_ERROR
|| snprintf_result
> PATH_MAX
) {
161 perror("safe_open (snprintf)");
165 int fd
= open("/", flags
);
166 if (fd
== OPEN_ERROR
) {
167 perror("safe_open (open)");
171 if (strcmp(abspath
, "/") == 0) {
175 int result
= safe_open_ex(fd
, abspath
+1, flags
);
176 if (close(fd
) == CLOSE_ERROR
) {
177 perror("safe_open (close)");
187 * @brief Update (or create) an entry in an @b minimal ACL.
189 * This function will not work if @c aclp contains extended
190 * entries. This is fine for our purposes, since we call @c wipe_acls
191 * on each path before applying the default to it.
193 * The assumption that there are no extended entries makes things much
194 * simpler. For example, we only have to update the @c ACL_USER_OBJ,
195 * @c ACL_GROUP_OBJ, and @c ACL_OTHER entries -- all others can simply
196 * be created anew. This means we don't have to fool around comparing
197 * named-user/group entries.
200 * A pointer to the acl_t structure whose entry we want to modify.
203 * The new entry. If @c entry contains a user/group/other entry, we
204 * update the existing one. Otherwise we create a new entry.
206 * @return If there is an unexpected library error, @c ACL_ERROR is
207 * returned. Otherwise, @c ACL_SUCCESS.
210 int acl_set_entry(acl_t
* aclp
, acl_entry_t entry
) {
213 if (acl_get_tag_type(entry
, &entry_tag
) == ACL_ERROR
) {
214 perror("acl_set_entry (acl_get_tag_type)");
218 acl_permset_t entry_permset
;
219 if (acl_get_permset(entry
, &entry_permset
) == ACL_ERROR
) {
220 perror("acl_set_entry (acl_get_permset)");
224 acl_entry_t existing_entry
;
225 /* Loop through the given ACL looking for matching entries. */
226 int result
= acl_get_entry(*aclp
, ACL_FIRST_ENTRY
, &existing_entry
);
228 while (result
== ACL_SUCCESS
) {
229 acl_tag_t existing_tag
= ACL_UNDEFINED_TAG
;
231 if (acl_get_tag_type(existing_entry
, &existing_tag
) == ACL_ERROR
) {
232 perror("set_acl_tag_permset (acl_get_tag_type)");
236 if (existing_tag
== entry_tag
) {
237 if (entry_tag
== ACL_USER_OBJ
||
238 entry_tag
== ACL_GROUP_OBJ
||
239 entry_tag
== ACL_OTHER
) {
240 /* Only update for these three since all other tags will have
241 been wiped. These three are guaranteed to exist, so if we
242 match one of them, we're allowed to return ACL_SUCCESS
243 below and bypass the rest of the function. */
244 acl_permset_t existing_permset
;
245 if (acl_get_permset(existing_entry
, &existing_permset
) == ACL_ERROR
) {
246 perror("acl_set_entry (acl_get_permset)");
250 if (acl_set_permset(existing_entry
, entry_permset
) == ACL_ERROR
) {
251 perror("acl_set_entry (acl_set_permset)");
260 result
= acl_get_entry(*aclp
, ACL_NEXT_ENTRY
, &existing_entry
);
263 /* This catches both the initial acl_get_entry and the ones at the
265 if (result
== ACL_ERROR
) {
266 perror("acl_set_entry (acl_get_entry)");
270 /* If we've made it this far, we need to add a new entry to the
272 acl_entry_t new_entry
;
274 /* The acl_create_entry() function can allocate new memory and/or
275 * change the location of the ACL structure entirely. When that
276 * happens, the value pointed to by aclp is updated, which means
277 * that a new acl_t gets "passed out" to our caller, eventually to
278 * be fed to acl_free(). In other words, we should still be freeing
279 * the right thing, even if the value pointed to by aclp changes.
281 if (acl_create_entry(aclp
, &new_entry
) == ACL_ERROR
) {
282 perror("acl_set_entry (acl_create_entry)");
286 if (acl_set_tag_type(new_entry
, entry_tag
) == ACL_ERROR
) {
287 perror("acl_set_entry (acl_set_tag_type)");
291 if (acl_set_permset(new_entry
, entry_permset
) == ACL_ERROR
) {
292 perror("acl_set_entry (acl_set_permset)");
296 if (entry_tag
== ACL_USER
|| entry_tag
== ACL_GROUP
) {
297 /* We need to set the qualifier too. */
298 void* entry_qual
= acl_get_qualifier(entry
);
299 if (entry_qual
== (void*)NULL
) {
300 perror("acl_set_entry (acl_get_qualifier)");
304 if (acl_set_qualifier(new_entry
, entry_qual
) == ACL_ERROR
) {
305 perror("acl_set_entry (acl_set_qualifier)");
316 * @brief Determine the number of entries in the given ACL.
319 * The ACL to inspect.
321 * @return Either the non-negative number of entries in @c acl, or
322 * @c ACL_ERROR on error.
324 int acl_entry_count(acl_t acl
) {
328 int result
= acl_get_entry(acl
, ACL_FIRST_ENTRY
, &entry
);
330 while (result
== ACL_SUCCESS
) {
332 result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
335 if (result
== ACL_ERROR
) {
336 perror("acl_entry_count (acl_get_entry)");
346 * @brief Determine whether or not the given ACL is minimal.
348 * An ACL is minimal if it has fewer than four entries.
351 * The ACL whose minimality is in question.
354 * - @c ACL_SUCCESS - @c acl is minimal
355 * - @c ACL_FAILURE - @c acl is not minimal
356 * - @c ACL_ERROR - Unexpected library error
358 int acl_is_minimal(acl_t acl
) {
360 int ec
= acl_entry_count(acl
);
362 if (ec
== ACL_ERROR
) {
363 perror("acl_is_minimal (acl_entry_count)");
378 * @brief Determine whether the given ACL's mask denies execute.
381 * The ACL whose mask we want to check.
384 * - @c ACL_SUCCESS - The @c acl has a mask which denies execute.
385 * - @c ACL_FAILURE - The @c acl has a mask which does not deny execute.
386 * - @c ACL_ERROR - Unexpected library error.
388 int acl_execute_masked(acl_t acl
) {
391 int ge_result
= acl_get_entry(acl
, ACL_FIRST_ENTRY
, &entry
);
393 while (ge_result
== ACL_SUCCESS
) {
394 acl_tag_t tag
= ACL_UNDEFINED_TAG
;
396 if (acl_get_tag_type(entry
, &tag
) == ACL_ERROR
) {
397 perror("acl_execute_masked (acl_get_tag_type)");
401 if (tag
== ACL_MASK
) {
402 /* This is the mask entry, get its permissions, and see if
403 execute is specified. */
404 acl_permset_t permset
;
406 if (acl_get_permset(entry
, &permset
) == ACL_ERROR
) {
407 perror("acl_execute_masked (acl_get_permset)");
411 int gp_result
= acl_get_perm(permset
, ACL_EXECUTE
);
412 if (gp_result
== ACL_ERROR
) {
413 perror("acl_execute_masked (acl_get_perm)");
417 if (gp_result
== ACL_FAILURE
) {
418 /* No execute bit set in the mask; execute not allowed. */
423 ge_result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
432 * @brief Determine whether @c fd is executable by anyone.
435 * This is used as part of the heuristic to determine whether or not
436 * we should mask the execute bit when inheriting an ACL. If @c fd
437 * describes a file, we check the @a effective permissions, contrary
438 * to what setfacl does.
441 * The file descriptor to check.
444 * A pointer to a stat structure for @c fd.
447 * - @c ACL_SUCCESS - Someone has effective execute permissions on @c fd.
448 * - @c ACL_FAILURE - Nobody can execute @c fd.
449 * - @c ACL_ERROR - Unexpected library error.
451 int any_can_execute(int fd
, const struct stat
* sp
) {
452 acl_t acl
= acl_get_fd(fd
);
454 if (acl
== (acl_t
)NULL
) {
455 perror("any_can_execute (acl_get_file)");
459 /* Our return value. */
460 int result
= ACL_FAILURE
;
462 if (acl_is_minimal(acl
)) {
463 if (sp
->st_mode
& (S_IXUSR
| S_IXOTH
| S_IXGRP
)) {
464 result
= ACL_SUCCESS
;
468 result
= ACL_FAILURE
;
474 int ge_result
= acl_get_entry(acl
, ACL_FIRST_ENTRY
, &entry
);
476 while (ge_result
== ACL_SUCCESS
) {
477 /* The first thing we do is check to see if this is a mask
478 entry. If it is, we skip it entirely. */
479 acl_tag_t tag
= ACL_UNDEFINED_TAG
;
481 if (acl_get_tag_type(entry
, &tag
) == ACL_ERROR
) {
482 perror("any_can_execute_or (acl_get_tag_type)");
487 if (tag
== ACL_MASK
) {
488 ge_result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
492 /* Ok, so it's not a mask entry. Check the execute perms. */
493 acl_permset_t permset
;
495 if (acl_get_permset(entry
, &permset
) == ACL_ERROR
) {
496 perror("any_can_execute_or (acl_get_permset)");
501 int gp_result
= acl_get_perm(permset
, ACL_EXECUTE
);
502 if (gp_result
== ACL_ERROR
) {
503 perror("any_can_execute (acl_get_perm)");
508 if (gp_result
== ACL_SUCCESS
) {
509 /* Only return ACL_SUCCESS if this execute bit is not masked. */
510 if (acl_execute_masked(acl
) != ACL_SUCCESS
) {
511 result
= ACL_SUCCESS
;
516 ge_result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
519 if (ge_result
== ACL_ERROR
) {
520 perror("any_can_execute (acl_get_entry)");
533 * @brief Set @c acl as the default ACL on @c path.
535 * This overwrites any existing default ACL on @c path. If @c path is
536 * not a directory, we return ACL_ERROR and @c errno is set.
539 * The target directory whose ACL we wish to replace or create.
542 * The ACL to set as default on @c path.
545 * - @c ACL_SUCCESS - The default ACL was assigned successfully.
546 * - @c ACL_ERROR - Unexpected library error.
548 int assign_default_acl(const char* path
, acl_t acl
) {
552 perror("assign_default_acl (args)");
556 /* Our return value; success unless something bad happens. */
557 int result
= ACL_SUCCESS
;
558 acl_t path_acl
= acl_dup(acl
);
560 if (path_acl
== (acl_t
)NULL
) {
561 perror("assign_default_acl (acl_dup)");
562 return ACL_ERROR
; /* Nothing to clean up in this case. */
565 if (acl_set_file(path
, ACL_TYPE_DEFAULT
, path_acl
) == ACL_ERROR
) {
566 perror("assign_default_acl (acl_set_file)");
577 * @brief Remove all @c ACL_TYPE_ACCESS entries from the given file
578 * descriptor, leaving the UNIX permission bits.
581 * The file descriptor whose ACLs we want to wipe.
584 * - @c ACL_SUCCESS - The ACLs were wiped successfully, or none
585 * existed in the first place.
586 * - @c ACL_ERROR - Unexpected library error.
588 int wipe_acls(int fd
) {
589 /* Initialize an empty ACL, and then overwrite the one on "fd" with it. */
590 acl_t empty_acl
= acl_init(0);
592 if (empty_acl
== (acl_t
)NULL
) {
593 perror("wipe_acls (acl_init)");
597 if (acl_set_fd(fd
, empty_acl
) == ACL_ERROR
) {
598 perror("wipe_acls (acl_set_fd)");
610 * @brief Apply parent default ACL to a path.
612 * This overwrites any existing ACLs on @c path.
615 * The path whose ACL we would like to reset to its default.
618 * A pointer to a stat structure for @c path, or @c NULL if you don't
621 * @param no_exec_mask
622 * The value (either true or false) of the --no-exec-mask flag.
625 * - @c ACL_SUCCESS - The parent default ACL was inherited successfully.
626 * - @c ACL_FAILURE - If symlinks or hard links are encountered.
627 * - @c ACL_ERROR - Unexpected library error.
629 int apply_default_acl_ex(const char* path
,
630 const struct stat
* sp
,
635 perror("apply_default_acl_ex (args)");
639 /* Define these next three variables here because we may have to
640 * jump to the cleanup routine which expects them to exist.
643 /* Our return value. */
644 int result
= ACL_SUCCESS
;
646 /* The default ACL on path's parent directory */
647 acl_t defacl
= (acl_t
)NULL
;
649 /* The file descriptor corresponding to "path" */
652 /* Get the parent directory of "path" with dirname(), which happens
653 * to murder its argument and necessitates a path_copy.
655 char* path_copy
= strdup(path
);
656 if (path_copy
== NULL
) {
657 perror("apply_default_acl_ex (strdup)");
660 char* parent
= dirname(path_copy
);
662 fd
= safe_open(path
, O_NOFOLLOW
);
663 if (fd
== OPEN_ERROR
) {
664 if (errno
== ELOOP
) {
665 result
= ACL_FAILURE
; /* hit a symlink */
669 perror("apply_default_acl_ex (open fd)");
676 /* Refuse to operate on hard links, which can be abused by an
677 * attacker to trick us into changing the ACL on a file we didn't
678 * intend to; namely the "target" of the hard link. There is TOCTOU
679 * race condition here, but the window is as small as possible
680 * between when we open the file descriptor (look above) and when we
683 * Note: we only need to call fstat ourselves if we weren't passed a
684 * valid pointer to a stat structure (nftw does that).
688 if (fstat(fd
, &s
) == STAT_ERROR
) {
689 perror("apply_default_acl_ex (fstat)");
696 if (!S_ISDIR(sp
->st_mode
)) {
697 /* If it's not a directory, make sure it's a regular,
698 non-hard-linked file. */
699 if (!S_ISREG(sp
->st_mode
) || sp
->st_nlink
!= 1) {
700 result
= ACL_FAILURE
;
706 /* Default to not masking the exec bit; i.e. applying the default
707 ACL literally. If --no-exec-mask was not specified, then we try
708 to "guess" whether or not to mask the exec bit. This behavior
709 is modeled after the capital 'X' perms of setfacl. */
710 bool allow_exec
= true;
713 /* Never mask the execute bit on directories. */
714 int ace_result
= any_can_execute(fd
,sp
) || S_ISDIR(sp
->st_mode
);
716 if (ace_result
== ACL_ERROR
) {
717 perror("apply_default_acl_ex (any_can_execute)");
722 allow_exec
= (bool)ace_result
;
725 defacl
= acl_get_file(parent
, ACL_TYPE_DEFAULT
);
727 if (defacl
== (acl_t
)NULL
) {
728 perror("apply_default_acl_ex (acl_get_file)");
733 if (wipe_acls(fd
) == ACL_ERROR
) {
734 perror("apply_default_acl_ex (wipe_acls)");
739 /* Do this after wipe_acls(), otherwise we'll overwrite the wiped
740 ACL with this one. */
741 acl_t acl
= acl_get_fd(fd
);
742 if (acl
== (acl_t
)NULL
) {
743 perror("apply_default_acl_ex (acl_get_fd)");
748 /* If it's a directory, inherit the parent's default. We sure hope
749 * that "path" still points to the same thing that "fd" and this
750 * "sp" describe. If not, we may wind up trying to set a default ACL
751 * on a file, and this will throw an error. I guess that's what we
754 if (S_ISDIR(sp
->st_mode
) && assign_default_acl(path
, defacl
) == ACL_ERROR
) {
755 perror("apply_default_acl_ex (assign_default_acl)");
761 int ge_result
= acl_get_entry(defacl
, ACL_FIRST_ENTRY
, &entry
);
763 while (ge_result
== ACL_SUCCESS
) {
764 acl_tag_t tag
= ACL_UNDEFINED_TAG
;
766 if (acl_get_tag_type(entry
, &tag
) == ACL_ERROR
) {
767 perror("apply_default_acl_ex (acl_get_tag_type)");
773 /* We've got an entry/tag from the default ACL. Get its permset. */
774 acl_permset_t permset
;
775 if (acl_get_permset(entry
, &permset
) == ACL_ERROR
) {
776 perror("apply_default_acl_ex (acl_get_permset)");
781 /* If this is a default mask, fix it up. */
782 if (tag
== ACL_MASK
||
783 tag
== ACL_USER_OBJ
||
784 tag
== ACL_GROUP_OBJ
||
788 /* The mask doesn't affect acl_user_obj, acl_group_obj (in
789 minimal ACLs) or acl_other entries, so if execute should be
790 masked, we have to do it manually. */
791 if (acl_delete_perm(permset
, ACL_EXECUTE
) == ACL_ERROR
) {
792 perror("apply_default_acl_ex (acl_delete_perm)");
797 if (acl_set_permset(entry
, permset
) == ACL_ERROR
) {
798 perror("apply_default_acl_ex (acl_set_permset)");
805 /* Finally, add the permset to the access ACL. It's actually
806 * important that we pass in the address of "acl" here, and not
807 * "acl" itself. Why? The call to acl_create_entry() within
808 * acl_set_entry() can allocate new memory for the entry.
809 * Sometimes that can be done in-place, in which case everything
810 * is cool and the new memory gets released when we call
813 * But occasionally, the whole ACL structure will have to be moved
814 * in order to allocate the extra space. When that happens,
815 * acl_create_entry() modifies the pointer it was passed (in this
816 * case, &acl) to point to the new location. We want to call
817 * acl_free() on the new location, and since acl_free() gets
818 * called right here, we need acl_create_entry() to update the
819 * value of "acl". To do that, it needs the address of "acl".
821 if (acl_set_entry(&acl
, entry
) == ACL_ERROR
) {
822 perror("apply_default_acl_ex (acl_set_entry)");
827 ge_result
= acl_get_entry(defacl
, ACL_NEXT_ENTRY
, &entry
);
830 /* Catches the first acl_get_entry as well as the ones at the end of
832 if (ge_result
== ACL_ERROR
) {
833 perror("apply_default_acl_ex (acl_get_entry)");
838 if (acl_set_fd(fd
, acl
) == ACL_ERROR
) {
839 perror("apply_default_acl_ex (acl_set_fd)");
846 if (defacl
!= (acl_t
)NULL
) {
849 if (fd
>= 0 && close(fd
) == CLOSE_ERROR
) {
850 perror("apply_default_acl_ex (close)");
859 * @brief The friendly interface to @c apply_default_acl_ex.
861 * The @c apply_default_acl_ex function holds the real implementation
862 * of this function, but it takes a weird second argument that most
863 * people won't care about (a stat structure). But, we use that
864 * argument for the recursive mode of the CLI, so it's there.
866 * If you don't have a stat structure for your @c path, use this instead.
869 * The path whose ACL we would like to reset to its default.
871 * @param no_exec_mask
872 * The value (either true or false) of the --no-exec-mask flag.
875 * - @c ACL_SUCCESS - The parent default ACL was inherited successfully.
876 * - @c ACL_FAILURE - If symlinks or hard links are encountered.
877 * or the parent of @c path is not a directory.
878 * - @c ACL_ERROR - Unexpected library error.
880 int apply_default_acl(const char* path
, bool no_exec_mask
) {
881 return apply_default_acl_ex(path
, NULL
, no_exec_mask
);