*
*/
-/* Enables get_current_dir_name() in unistd.h */
+/* Enables get_current_dir_name() in unistd.h and the O_PATH flag. */
#define _GNU_SOURCE
-#include <errno.h> /* EINVAL, ELOOP, ENOTDIR, etc. */
-#include <fcntl.h> /* openat() */
-#include <libgen.h> /* basename(), dirname() */
-#include <limits.h> /* PATH_MAX */
-#include <stdbool.h> /* the "bool" type */
-#include <stdio.h> /* perror(), snprintf() */
-#include <stdlib.h> /* free() */
-#include <string.h> /* strdup() */
-#include <sys/stat.h> /* fstat() */
-#include <unistd.h> /* get_current_dir_name() */
+#include <errno.h> /* EINVAL, ELOOP, ENOTDIR, etc. */
+#include <fcntl.h> /* openat() */
+#include <libgen.h> /* basename(), dirname() */
+#include <limits.h> /* PATH_MAX */
+#include <stdbool.h> /* the "bool" type */
+#include <stdio.h> /* perror(), snprintf() */
+#include <stdlib.h> /* free() */
+#include <string.h> /* strdup() */
+#include <sys/stat.h> /* fstat() */
+#include <sys/xattr.h> /* fgetxattr(), fsetxattr() */
+#include <unistd.h> /* get_current_dir_name() */
/* ACLs */
#include <acl/libacl.h> /* acl_get_perm, not portable */
#include <sys/acl.h> /* all other acl_foo functions */
+/* XATTR_NAME_POSIX_ACL_ACCESS and XATTR_NAME_POSIX_ACL_DEFAULT */
+#include <linux/xattr.h>
+
#include "libadacl.h"
#define OPEN_ERROR -1
#define SNPRINTF_ERROR -1
#define STAT_ERROR -1
+#define XATTR_ERROR -1
/**
/* No more slashes, this is the base case. */
return openat(at_fd, pathname, flags);
}
- else if (firstslash[1] == '\0') {
+ if (firstslash[1] == '\0') {
/* The first slash is the last character; ensure that we open
a directory. */
firstslash[0] = '\0';
}
if (existing_tag == entry_tag) {
- if (entry_tag == ACL_USER_OBJ ||
- entry_tag == ACL_GROUP_OBJ ||
- entry_tag == ACL_OTHER) {
- /* Only update for these three since all other tags will have
- been wiped. These three are guaranteed to exist, so if we
- match one of them, we're allowed to return ACL_SUCCESS
- below and bypass the rest of the function. */
- acl_permset_t existing_permset;
- if (acl_get_permset(existing_entry, &existing_permset) == ACL_ERROR) {
- perror("acl_set_entry (acl_get_permset)");
- return ACL_ERROR;
- }
-
- if (acl_set_permset(existing_entry, entry_permset) == ACL_ERROR) {
- perror("acl_set_entry (acl_set_permset)");
- return ACL_ERROR;
- }
-
- return ACL_SUCCESS;
+ /* If we update something, we're done and return ACL_SUCCESS */
+ if (acl_set_permset(existing_entry, entry_permset) == ACL_ERROR) {
+ perror("acl_set_entry (acl_set_permset)");
+ return ACL_ERROR;
}
+ return ACL_SUCCESS;
}
result = acl_get_entry(*aclp, ACL_NEXT_ENTRY, &existing_entry);
if (tag == ACL_MASK) {
/* This is the mask entry, get its permissions, and see if
- execute is specified. */
+ execute is specified. */
acl_permset_t permset;
if (acl_get_permset(entry, &permset) == ACL_ERROR) {
- perror("acl_execute_masked (acl_get_permset)");
- return ACL_ERROR;
+ perror("acl_execute_masked (acl_get_permset)");
+ return ACL_ERROR;
}
int gp_result = acl_get_perm(permset, ACL_EXECUTE);
if (gp_result == ACL_ERROR) {
- perror("acl_execute_masked (acl_get_perm)");
- return ACL_ERROR;
+ perror("acl_execute_masked (acl_get_perm)");
+ return ACL_ERROR;
}
if (gp_result == ACL_FAILURE) {
- /* No execute bit set in the mask; execute not allowed. */
- return ACL_SUCCESS;
+ /* No execute bit set in the mask; execute not allowed. */
+ return ACL_SUCCESS;
}
}
acl_t acl = acl_get_fd(fd);
if (acl == (acl_t)NULL) {
- perror("any_can_execute (acl_get_file)");
+ perror("any_can_execute (acl_get_fd)");
return ACL_ERROR;
}
if (gp_result == ACL_SUCCESS) {
/* Only return ACL_SUCCESS if this execute bit is not masked. */
if (acl_execute_masked(acl) != ACL_SUCCESS) {
- result = ACL_SUCCESS;
- goto cleanup;
+ result = ACL_SUCCESS;
+ goto cleanup;
}
}
/**
- * @brief Set @c acl as the default ACL on @c path.
+ * @brief Remove all @c ACL_TYPE_ACCESS entries from the given file
+ * descriptor, leaving the UNIX permission bits.
*
- * This overwrites any existing default ACL on @c path. If @c path is
- * not a directory, we return ACL_ERROR and @c errno is set.
+ * @param fd
+ * The file descriptor whose ACLs we want to wipe.
*
- * @param path
- * The target directory whose ACL we wish to replace or create.
+ * @return
+ * - @c ACL_SUCCESS - The ACLs were wiped successfully, or none
+ * existed in the first place.
+ * - @c ACL_ERROR - Unexpected library error.
+ */
+int wipe_acls(int fd) {
+ /* Initialize an empty ACL, and then overwrite the one on "fd" with it. */
+ acl_t empty_acl = acl_init(0);
+
+ if (empty_acl == (acl_t)NULL) {
+ perror("wipe_acls (acl_init)");
+ return ACL_ERROR;
+ }
+
+ if (acl_set_fd(fd, empty_acl) == ACL_ERROR) {
+ perror("wipe_acls (acl_set_fd)");
+ acl_free(empty_acl);
+ return ACL_ERROR;
+ }
+
+ acl_free(empty_acl);
+ return ACL_SUCCESS;
+}
+
+
+/**
+ * @brief Copy ACLs between file descriptors as xattrs, verbatim.
+ *
+ * There is a small deficiency in libacl, namely that there is no way
+ * to get or set default ACLs through file descriptors. The @c
+ * acl_get_file and @c acl_set_file functions can do it, but they use
+ * paths, and are vulnerable to symlink attacks.
+ *
+ * Fortunately, when inheriting an ACL, we don't really need to look
+ * at what it contains. That means that we can copy the on-disk xattrs
+ * from the source directory to the destination file/directory without
+ * passing through libacl, and this can be done with file descriptors
+ * through @c fgetxattr and @c fsetxattr. That's what this function
+ * does.
*
- * @param acl
- * The ACL to set as default on @c path.
+ * @param src_fd
+ * The file descriptor from which the ACL will be copied.
+ *
+ * @param src_type
+ * The type of ACL (either @c ACL_TYPE_ACCESS or @c ACL_TYPE_DEFAULT)
+ * to copy from @c src_fd.
+ *
+ * @param dst_fd
+ * The file descriptor whose ACL will be overwritten with the one
+ * from @c src_fd.
+ *
+ * @param dst_type
+ * The type of ACL (either @c ACL_TYPE_ACCESS or @c ACL_TYPE_DEFAULT)
+ * to replace on @c dst_fd.
*
* @return
- * - @c ACL_SUCCESS - The default ACL was assigned successfully.
+ * - @c ACL_SUCCESS - The ACL was copied successfully.
+ * - @c ACL_FAILURE - There was no ACL on @c src_fd.
* - @c ACL_ERROR - Unexpected library error.
*/
-int assign_default_acl(const char* path, acl_t acl) {
- if (path == NULL || acl == NULL) {
+int acl_copy_xattr(int src_fd,
+ acl_type_t src_type,
+ int dst_fd,
+ acl_type_t dst_type) {
+
+ const char* src_name;
+ if (src_type == ACL_TYPE_ACCESS) {
+ src_name = XATTR_NAME_POSIX_ACL_ACCESS;
+ }
+ else if (src_type == ACL_TYPE_DEFAULT) {
+ src_name = XATTR_NAME_POSIX_ACL_DEFAULT;
+ }
+ else {
errno = EINVAL;
- perror("assign_default_acl (args)");
+ perror("acl_copy_xattr (src type)");
return ACL_ERROR;
}
- /* Our return value; success unless something bad happens. */
- int result = ACL_SUCCESS;
- acl_t path_acl = acl_dup(acl);
+ const char* dst_name;
+ if (dst_type == ACL_TYPE_ACCESS) {
+ dst_name = XATTR_NAME_POSIX_ACL_ACCESS;
+ }
+ else if (dst_type == ACL_TYPE_DEFAULT) {
+ dst_name = XATTR_NAME_POSIX_ACL_DEFAULT;
+ }
+ else {
+ errno = EINVAL;
+ perror("acl_copy_xattr (dst type)");
+ return ACL_ERROR;
+ }
- if (path_acl == (acl_t)NULL) {
- perror("assign_default_acl (acl_dup)");
- return ACL_ERROR; /* Nothing to clean up in this case. */
+ size_t src_size_guess = fgetxattr(src_fd, src_name, NULL, 0);
+ if (src_size_guess == XATTR_ERROR) {
+ if (errno == ENODATA) {
+ /* A missing ACL isn't really an error. ENOATTR and ENODATA are
+ synonyms, but using ENODATA here lets us avoid another
+ "include" directive. */
+ return ACL_FAILURE;
+ }
+ perror("acl_copy_xattr (fgetxattr size guess)");
+ return ACL_ERROR;
+ }
+ char* src_acl_p = alloca(src_size_guess);
+ /* The actual size may be smaller than our guess? I don't know. */
+ size_t src_size = fgetxattr(src_fd, src_name, src_acl_p, (int)src_size_guess);
+ if (src_size == XATTR_ERROR) {
+ if (errno == ENODATA) {
+ /* A missing ACL isn't an error. */
+ return ACL_FAILURE;
+ }
+ perror("acl_copy_xattr (fgetxattr)");
+ return ACL_ERROR;
}
- if (acl_set_file(path, ACL_TYPE_DEFAULT, path_acl) == ACL_ERROR) {
- perror("assign_default_acl (acl_set_file)");
- result = ACL_ERROR;
+ if (fsetxattr(dst_fd, dst_name, src_acl_p, src_size, 0) == XATTR_ERROR) {
+ perror("acl_copy_xattr (fsetxattr)");
+ return ACL_ERROR;
}
- acl_free(path_acl);
- return result;
+ return ACL_SUCCESS;
}
-
/**
- * @brief Remove all @c ACL_TYPE_ACCESS entries from the given file
- * descriptor, leaving the UNIX permission bits.
+ * @brief Determine if a file descriptor has a default ACL.
*
* @param fd
- * The file descriptor whose ACLs we want to wipe.
+ * The file descriptor whose default ACL is in question.
*
* @return
- * - @c ACL_SUCCESS - The ACLs were wiped successfully, or none
- * existed in the first place.
+ * - @c ACL_SUCCESS - If @c fd has a default ACL.
+ * - @c ACL_FAILURE - If @c fd does not have a default ACL.
* - @c ACL_ERROR - Unexpected library error.
*/
-int wipe_acls(int fd) {
- /* Initialize an empty ACL, and then overwrite the one on "fd" with it. */
- acl_t empty_acl = acl_init(0);
-
- if (empty_acl == (acl_t)NULL) {
- perror("wipe_acls (acl_init)");
- return ACL_ERROR;
- }
-
- if (acl_set_fd(fd, empty_acl) == ACL_ERROR) {
- perror("wipe_acls (acl_set_fd)");
- acl_free(empty_acl);
+int has_default_acl_fd(int fd) {
+ if (fgetxattr(fd, XATTR_NAME_POSIX_ACL_DEFAULT, NULL, 0) == XATTR_ERROR) {
+ if (errno == ENODATA) {
+ return ACL_FAILURE;
+ }
+ perror("has_default_acl_fd (fgetxattr)");
return ACL_ERROR;
}
- acl_free(empty_acl);
return ACL_SUCCESS;
}
-
/**
* @brief Apply parent default ACL to a path.
*
* - @c ACL_ERROR - Unexpected library error.
*/
int apply_default_acl_ex(const char* path,
- const struct stat* sp,
- bool no_exec_mask) {
+ const struct stat* sp,
+ bool no_exec_mask) {
if (path == NULL) {
errno = EINVAL;
/* Our return value. */
int result = ACL_SUCCESS;
- /* The default ACL on path's parent directory */
- acl_t defacl = (acl_t)NULL;
+ /* The new ACL for this path */
+ acl_t new_acl = (acl_t)NULL;
+
+ /* A copy of new_acl, to be made before we begin mangling new_acl in
+ order to mask the execute bit. */
+ acl_t new_acl_unmasked = (acl_t)NULL;
/* The file descriptor corresponding to "path" */
int fd = 0;
+ /* The file descriptor for the directory containing "path" */
+ int parent_fd = 0;
+
/* Get the parent directory of "path" with dirname(), which happens
- * to murder its argument and necessitates a path_copy.
- */
+ * to murder its argument and necessitates a path_copy. */
char* path_copy = strdup(path);
if (path_copy == NULL) {
perror("apply_default_acl_ex (strdup)");
return ACL_ERROR;
}
char* parent = dirname(path_copy);
+ parent_fd = safe_open(parent, O_DIRECTORY | O_NOFOLLOW);
+ if (parent_fd == OPEN_ERROR) {
+ if (errno == ELOOP || errno == ENOTDIR) {
+ /* We hit a symlink, either in the last path component (ELOOP)
+ or higher up (ENOTDIR). */
+ result = ACL_FAILURE;
+ goto cleanup;
+ }
+ else {
+ perror("apply_default_acl_ex (open parent fd)");
+ result = ACL_ERROR;
+ goto cleanup;
+ }
+ }
+
+ /* Check to make sure the parent descriptor actually has a default
+ ACL. If it doesn't, then we can "succeed" immediately. */
+ if (has_default_acl_fd(parent_fd) == ACL_FAILURE) {
+ result = ACL_SUCCESS;
+ goto cleanup;
+ }
fd = safe_open(path, O_NOFOLLOW);
if (fd == OPEN_ERROR) {
if (errno == ELOOP || errno == ENOTDIR) {
/* We hit a symlink, either in the last path component (ELOOP)
- or higher up (ENOTDIR). */
+ or higher up (ENOTDIR). */
result = ACL_FAILURE;
goto cleanup;
}
}
}
-
/* Refuse to operate on hard links, which can be abused by an
* attacker to trick us into changing the ACL on a file we didn't
* intend to; namely the "target" of the hard link. There is TOCTOU
allow_exec = (bool)ace_result;
}
- defacl = acl_get_file(parent, ACL_TYPE_DEFAULT);
-
- if (defacl == (acl_t)NULL) {
- perror("apply_default_acl_ex (acl_get_file)");
+ if (wipe_acls(fd) == ACL_ERROR) {
+ perror("apply_default_acl_ex (wipe_acls)");
result = ACL_ERROR;
goto cleanup;
}
- if (wipe_acls(fd) == ACL_ERROR) {
- perror("apply_default_acl_ex (wipe_acls)");
+ /* If it's a directory, inherit the parent's default. */
+ if (S_ISDIR(sp->st_mode)) {
+ if (acl_copy_xattr(parent_fd,
+ ACL_TYPE_DEFAULT,
+ fd,
+ ACL_TYPE_DEFAULT) == ACL_ERROR) {
+ perror("apply_default_acl_ex (acl_copy_xattr default)");
+ result = ACL_ERROR;
+ goto cleanup;
+ }
+ }
+
+ /* If it's anything, _apply_ the parent's default. */
+ if (acl_copy_xattr(parent_fd,
+ ACL_TYPE_DEFAULT,
+ fd,
+ ACL_TYPE_ACCESS) == ACL_ERROR) {
+ perror("apply_default_acl_ex (acl_copy_xattr access)");
result = ACL_ERROR;
goto cleanup;
}
- /* Do this after wipe_acls(), otherwise we'll overwrite the wiped
- ACL with this one. */
- acl_t acl = acl_get_fd(fd);
- if (acl == (acl_t)NULL) {
+ /* There's a good reason why we saved the ACL above, even though
+ * we're about tto read it back into memory and mess with it on the
+ * next line. The acl_copy_xattr() function is already a hack to let
+ * us copy default ACLs without resorting to path names; we simply
+ * have no way to read the parent's default ACL into memory using
+ * parent_fd. We can, however, copy the parent's ACL to a file (with
+ * acl_copy_xattr), and then read the ACL from a file using
+ * "fd". It's quite the circus, but it works and should be safe from
+ * sym/hardlink attacks.
+ */
+
+ /* Now we potentially need to mask the execute permissions in the
+ ACL on fd; or maybe now. */
+ if (allow_exec) {
+ goto cleanup;
+ }
+
+ /* OK, we need to mask some execute permissions. First obtain the
+ current ACL... */
+ new_acl = acl_get_fd(fd);
+ if (new_acl == (acl_t)NULL) {
perror("apply_default_acl_ex (acl_get_fd)");
result = ACL_ERROR;
goto cleanup;
}
- /* If it's a directory, inherit the parent's default. We sure hope
- * that "path" still points to the same thing that "fd" and this
- * "sp" describe. If not, we may wind up trying to set a default ACL
- * on a file, and this will throw an error. I guess that's what we
- * want to do?
- */
- if (S_ISDIR(sp->st_mode) && assign_default_acl(path, defacl) == ACL_ERROR) {
- perror("apply_default_acl_ex (assign_default_acl)");
+ /* ...and now make a copy of it, because otherwise when we loop
+ below, some shit gets stuck (modifying the structure while
+ looping over it no worky). */
+ new_acl_unmasked = acl_dup(new_acl);
+ if (new_acl_unmasked == (acl_t)NULL) {
+ perror("apply_default_acl_ex (acl_dup)");
result = ACL_ERROR;
goto cleanup;
}
acl_entry_t entry;
- int ge_result = acl_get_entry(defacl, ACL_FIRST_ENTRY, &entry);
+ int ge_result = acl_get_entry(new_acl_unmasked, ACL_FIRST_ENTRY, &entry);
while (ge_result == ACL_SUCCESS) {
acl_tag_t tag = ACL_UNDEFINED_TAG;
goto cleanup;
}
- /* If this is a default mask, fix it up. */
if (tag == ACL_MASK ||
- tag == ACL_USER_OBJ ||
- tag == ACL_GROUP_OBJ ||
- tag == ACL_OTHER) {
-
- if (!allow_exec) {
- /* The mask doesn't affect acl_user_obj, acl_group_obj (in
- minimal ACLs) or acl_other entries, so if execute should be
- masked, we have to do it manually. */
- if (acl_delete_perm(permset, ACL_EXECUTE) == ACL_ERROR) {
- perror("apply_default_acl_ex (acl_delete_perm)");
- result = ACL_ERROR;
- goto cleanup;
- }
-
- if (acl_set_permset(entry, permset) == ACL_ERROR) {
- perror("apply_default_acl_ex (acl_set_permset)");
- result = ACL_ERROR;
- goto cleanup;
- }
+ tag == ACL_USER_OBJ ||
+ tag == ACL_GROUP_OBJ ||
+ tag == ACL_OTHER) {
+
+ /* The mask doesn't affect acl_user_obj, acl_group_obj (in
+ minimal ACLs) or acl_other entries, so if execute should be
+ masked, we have to do it manually. */
+ if (acl_delete_perm(permset, ACL_EXECUTE) == ACL_ERROR) {
+ perror("apply_default_acl_ex (acl_delete_perm)");
+ result = ACL_ERROR;
+ goto cleanup;
+ }
+
+ if (acl_set_permset(entry, permset) == ACL_ERROR) {
+ perror("apply_default_acl_ex (acl_set_permset)");
+ result = ACL_ERROR;
+ goto cleanup;
}
}
/* Finally, add the permset to the access ACL. It's actually
- * important that we pass in the address of "acl" here, and not
- * "acl" itself. Why? The call to acl_create_entry() within
+ * important that we pass in the address of "new_acl" here, and not
+ * "new_acl" itself. Why? The call to acl_create_entry() within
* acl_set_entry() can allocate new memory for the entry.
* Sometimes that can be done in-place, in which case everything
* is cool and the new memory gets released when we call
* case, &acl) to point to the new location. We want to call
* acl_free() on the new location, and since acl_free() gets
* called right here, we need acl_create_entry() to update the
- * value of "acl". To do that, it needs the address of "acl".
+ * value of "new_acl". To do that, it needs the address of "new_acl".
*/
- if (acl_set_entry(&acl, entry) == ACL_ERROR) {
+
+ if (acl_set_entry(&new_acl, entry) == ACL_ERROR) {
perror("apply_default_acl_ex (acl_set_entry)");
result = ACL_ERROR;
goto cleanup;
}
- ge_result = acl_get_entry(defacl, ACL_NEXT_ENTRY, &entry);
+ ge_result = acl_get_entry(new_acl_unmasked, ACL_NEXT_ENTRY, &entry);
}
/* Catches the first acl_get_entry as well as the ones at the end of
goto cleanup;
}
- if (acl_set_fd(fd, acl) == ACL_ERROR) {
+ if (acl_set_fd(fd, new_acl) == ACL_ERROR) {
perror("apply_default_acl_ex (acl_set_fd)");
result = ACL_ERROR;
goto cleanup;
cleanup:
free(path_copy);
- if (defacl != (acl_t)NULL) {
- acl_free(defacl);
+ if (new_acl != (acl_t)NULL) {
+ acl_free(new_acl);
+ }
+ if (new_acl_unmasked != (acl_t)NULL) {
+ acl_free(new_acl_unmasked);
+ }
+ if (fd > 0 && close(fd) == CLOSE_ERROR) {
+ perror("apply_default_acl_ex (close fd)");
+ result = ACL_ERROR;
}
- if (fd >= 0 && close(fd) == CLOSE_ERROR) {
- perror("apply_default_acl_ex (close)");
+ if (parent_fd > 0 && close(parent_fd) == CLOSE_ERROR) {
+ perror("apply_default_acl_ex (close parent_fd)");
result = ACL_ERROR;
}
return result;
projects / apply-default-acl.git / blobdiff