X-Git-Url: http://gitweb.michael.orlitzky.com/?p=apply-default-acl.git;a=blobdiff_plain;f=src%2Flibadacl.c;h=a21aa709ba842bc7bd21aa672b99b4e3cb750cf0;hp=21b8141cbbc0158a3c6cfce3e985838bed1e20ce;hb=HEAD;hpb=aaf323d45b5c2043acd64b7e6b8b1fea1664dd0b diff --git a/src/libadacl.c b/src/libadacl.c index 21b8141..a21aa70 100644 --- a/src/libadacl.c +++ b/src/libadacl.c @@ -5,24 +5,31 @@ * */ -/* Enables get_current_dir_name() in unistd.h */ +/* Enables get_current_dir_name() in unistd.h, the O_PATH flag, and + * the asprintf() function. +*/ #define _GNU_SOURCE -#include /* ELOOP, EINVAL, etc. */ -#include /* openat() */ -#include /* basename(), dirname() */ -#include /* PATH_MAX */ -#include /* the "bool" type */ -#include /* perror(), snprintf() */ -#include /* free() */ -#include /* strdup() */ -#include /* fstat() */ -#include /* get_current_dir_name() */ +#include /* readdir(), etc. */ +#include /* EINVAL, ELOOP, ENOTDIR, etc. */ +#include /* openat() */ +#include /* basename(), dirname() */ +#include /* PATH_MAX */ +#include /* the "bool" type */ +#include /* perror(), asprintf() */ +#include /* free() */ +#include /* strdup() */ +#include /* fstat() */ +#include /* fgetxattr(), fsetxattr() */ +#include /* get_current_dir_name() */ /* ACLs */ #include /* acl_get_perm, not portable */ #include /* all other acl_foo functions */ +/* XATTR_NAME_POSIX_ACL_ACCESS and XATTR_NAME_POSIX_ACL_DEFAULT */ +#include + #include "libadacl.h" @@ -31,8 +38,27 @@ */ #define CLOSE_ERROR -1 #define OPEN_ERROR -1 -#define SNPRINTF_ERROR -1 +#define ASPRINTF_ERROR -1 #define STAT_ERROR -1 +#define XATTR_ERROR -1 + + +/* Prototypes */ +int safe_open_ex(int at_fd, char* pathname, int flags); +int safe_open(const char* pathname, int flags); +int acl_update_entry(acl_t aclp, acl_entry_t updated_entry); +int acl_entry_count(acl_t acl); +int acl_is_minimal(acl_t acl); +int acl_execute_masked(acl_t acl); +int any_can_execute(int fd, const struct stat* sp); +int acl_copy_xattr(int src_fd, + acl_type_t src_type, + int dst_fd, + acl_type_t dst_type); +int has_default_acl_fd(int fd); +int apply_default_acl_fds(int parent_fd, int fd, bool recursive); +int apply_default_acl(const char* path, bool recursive); + /** @@ -53,33 +79,39 @@ * and @c OPEN_ERROR if not. */ int safe_open_ex(int at_fd, char* pathname, int flags) { - if (pathname != NULL && strlen(pathname) == 0) { - /* Oops, went one level to deep with nothing to do. */ - return at_fd; + if (pathname == NULL) { + errno = EINVAL; + perror("safe_open_ex (args)"); + return OPEN_ERROR; } char* firstslash = strchr(pathname, '/'); if (firstslash == NULL) { /* No more slashes, this is the base case. */ - int r = openat(at_fd, pathname, flags); - return r; + return openat(at_fd, pathname, flags); + } + if (firstslash[1] == '\0') { + /* The first slash is the last character; ensure that we open + a directory. */ + firstslash[0] = '\0'; + return openat(at_fd, pathname, flags | O_DIRECTORY); } - /* Temporarily disable the slash, so that the subsequent call to - openat() opens only the next directory (and doesn't recurse). */ + /* The first slash exists and isn't the last character in the path, + so we can split the path wherever that first slash lies and + recurse. */ *firstslash = '\0'; - int fd = safe_open_ex(at_fd, pathname, flags); + int fd = openat(at_fd, pathname, flags | O_DIRECTORY | O_PATH); if (fd == OPEN_ERROR) { - if (errno != ELOOP) { + if (errno != ENOTDIR) { /* Don't output anything if we ignore a symlink */ perror("safe_open_ex (safe_open_ex)"); } return OPEN_ERROR; } - /* The ++ is safe because there needs to be at least a null byte - after the first slash, even if it's the last real character in - the string. */ + /* The +1 is safe because there needs to be at least one character + after the first slash (we checked this above). */ int result = safe_open_ex(fd, firstslash+1, flags); if (close(fd) == CLOSE_ERROR) { perror("safe_open_ex (close)"); @@ -116,17 +148,17 @@ int safe_open_ex(int at_fd, char* pathname, int flags) { * and @c OPEN_ERROR if not. */ int safe_open(const char* pathname, int flags) { - if (pathname == NULL || strlen(pathname) == 0 || pathname[0] == '\0') { + if (pathname == NULL) { errno = EINVAL; perror("safe_open (args)"); return OPEN_ERROR; } - char abspath[PATH_MAX]; - int snprintf_result = 0; + char* abspath = NULL; + int asprintf_result = 0; if (strchr(pathname, '/') == pathname) { /* pathname is already absolute; just copy it. */ - snprintf_result = snprintf(abspath, PATH_MAX, "%s", pathname); + asprintf_result = asprintf(&abspath, "%s", pathname); } else { /* Concatenate the current working directory and pathname into an @@ -151,29 +183,44 @@ int safe_open(const char* pathname, int flags) { free(cwd); return OPEN_ERROR; } - snprintf_result = snprintf(abspath, PATH_MAX, "%s/%s", abs_cwd, pathname); + asprintf_result = asprintf(&abspath, "%s/%s", abs_cwd, pathname); free(cwd); } - if (snprintf_result == SNPRINTF_ERROR || snprintf_result > PATH_MAX) { - perror("safe_open (snprintf)"); + if (asprintf_result == ASPRINTF_ERROR) { + perror("safe_open (asprintf)"); return OPEN_ERROR; } - int fd = open("/", flags); - if (fd == OPEN_ERROR) { + /* Beyond here, asprintf() worked, and we need to free abspath. */ + int result = OPEN_ERROR; + + bool abspath_is_root = (strcmp(abspath, "/") == 0); + int rootflags = flags | O_DIRECTORY; + if (!abspath_is_root) { + /* Use O_PATH for some added safety if "/" is not our target */ + rootflags |= O_PATH; + } + int rootfd = open("/", rootflags); + if (rootfd == OPEN_ERROR) { perror("safe_open (open)"); - return OPEN_ERROR; + result = OPEN_ERROR; + goto cleanup; } - if (strcmp(abspath, "/") == 0) { - return fd; + if (abspath_is_root) { + result = rootfd; + goto cleanup; } - int result = safe_open_ex(fd, abspath+1, flags); - if (close(fd) == CLOSE_ERROR) { + result = safe_open_ex(rootfd, abspath+1, flags); + if (close(rootfd) == CLOSE_ERROR) { perror("safe_open (close)"); - return OPEN_ERROR; + result = OPEN_ERROR; + goto cleanup; } + + cleanup: + free(abspath); return result; } @@ -181,130 +228,136 @@ int safe_open(const char* pathname, int flags) { /** - * @brief Update (or create) an entry in an @b minimal ACL. - * - * This function will not work if @c aclp contains extended - * entries. This is fine for our purposes, since we call @c wipe_acls - * on each path before applying the default to it. - * - * The assumption that there are no extended entries makes things much - * simpler. For example, we only have to update the @c ACL_USER_OBJ, - * @c ACL_GROUP_OBJ, and @c ACL_OTHER entries -- all others can simply - * be created anew. This means we don't have to fool around comparing - * named-user/group entries. + * @brief Update an entry in an @b minimal ACL. * * @param aclp - * A pointer to the acl_t structure whose entry we want to modify. - * - * @param entry - * The new entry. If @c entry contains a user/group/other entry, we - * update the existing one. Otherwise we create a new entry. + * A pointer to the acl_t structure whose entry we want to update. * - * @return If there is an unexpected library error, @c ACL_ERROR is - * returned. Otherwise, @c ACL_SUCCESS. + * @param updated_entry + * An updated copy of an existing entry in @c aclp. * + * @return + * - @c ACL_SUCCESS - If we update an existing entry. + * - @c ACL_FAILURE - If we don't find an entry to update. + * - @c ACL_ERROR - Unexpected library error. */ -int acl_set_entry(acl_t* aclp, acl_entry_t entry) { +int acl_update_entry(acl_t aclp, acl_entry_t updated_entry) { + if (aclp == NULL || updated_entry == NULL) { + errno = EINVAL; + perror("acl_update_entry (args)"); + return ACL_ERROR; + } + + acl_tag_t updated_tag; + if (acl_get_tag_type(updated_entry, &updated_tag) == ACL_ERROR) { + perror("acl_update_entry (acl_get_tag_type)"); + return ACL_ERROR; + } - acl_tag_t entry_tag; - if (acl_get_tag_type(entry, &entry_tag) == ACL_ERROR) { - perror("acl_set_entry (acl_get_tag_type)"); + acl_permset_t updated_permset; + if (acl_get_permset(updated_entry, &updated_permset) == ACL_ERROR) { + perror("acl_update_entry (acl_get_permset)"); return ACL_ERROR; } - acl_permset_t entry_permset; - if (acl_get_permset(entry, &entry_permset) == ACL_ERROR) { - perror("acl_set_entry (acl_get_permset)"); + /* This can allocate memory, so from here on out we have to jump to + the "cleanup" label to exit. */ + void* updated_qualifier = acl_get_qualifier(updated_entry); + if (updated_qualifier == NULL && + (updated_tag == ACL_USER || updated_tag == ACL_GROUP)) { + /* acl_get_qualifier() can return NULL, but it shouldn't for + ACL_USER or ACL_GROUP entries. */ + perror("acl_update_entry (acl_get_qualifier)"); return ACL_ERROR; } + /* Our return value. Default to failure, and change to success if we + actually update something. */ + int result = ACL_FAILURE; + acl_entry_t existing_entry; /* Loop through the given ACL looking for matching entries. */ - int result = acl_get_entry(*aclp, ACL_FIRST_ENTRY, &existing_entry); + int get_entry_result = acl_get_entry(aclp, ACL_FIRST_ENTRY, &existing_entry); - while (result == ACL_SUCCESS) { + while (get_entry_result == ACL_SUCCESS) { acl_tag_t existing_tag = ACL_UNDEFINED_TAG; if (acl_get_tag_type(existing_entry, &existing_tag) == ACL_ERROR) { perror("set_acl_tag_permset (acl_get_tag_type)"); - return ACL_ERROR; + result = ACL_ERROR; + goto cleanup; } - if (existing_tag == entry_tag) { - if (entry_tag == ACL_USER_OBJ || - entry_tag == ACL_GROUP_OBJ || - entry_tag == ACL_OTHER) { - /* Only update for these three since all other tags will have - been wiped. These three are guaranteed to exist, so if we - match one of them, we're allowed to return ACL_SUCCESS - below and bypass the rest of the function. */ - acl_permset_t existing_permset; - if (acl_get_permset(existing_entry, &existing_permset) == ACL_ERROR) { - perror("acl_set_entry (acl_get_permset)"); - return ACL_ERROR; - } - - if (acl_set_permset(existing_entry, entry_permset) == ACL_ERROR) { - perror("acl_set_entry (acl_set_permset)"); - return ACL_ERROR; - } - - return ACL_SUCCESS; + if (existing_tag == updated_tag) { + /* Our tag types match, but if we have a named user or group + entry, then we need to check that the user/group (that is, + the qualifier) matches too. */ + bool qualifiers_match = false; + + /* There are three ways the qualifiers can match... */ + void* existing_qualifier = acl_get_qualifier(existing_entry); + if (existing_qualifier == NULL) { + if (existing_tag == ACL_USER || existing_tag == ACL_GROUP) { + perror("acl_update_entry (acl_get_qualifier)"); + result = ACL_ERROR; + goto cleanup; + } + else { + /* First, we could be dealing with an entry that isn't a + named user or group, in which case they "match + vacuously." */ + qualifiers_match = true; + } } - } - - result = acl_get_entry(*aclp, ACL_NEXT_ENTRY, &existing_entry); - } + /* Second, they could have matching UIDs. We don't really need to + check both tags here, since we know that they're equal. However, + clang-tidy can't figure that out, and the redundant equality + check prevents it from complaining about a potential null pointer + dereference. */ + if (updated_tag == ACL_USER && existing_tag == ACL_USER) { + qualifiers_match = ( *((uid_t*)existing_qualifier) + == + *((uid_t*)updated_qualifier) ); + } - /* This catches both the initial acl_get_entry and the ones at the - end of the loop. */ - if (result == ACL_ERROR) { - perror("acl_set_entry (acl_get_entry)"); - return ACL_ERROR; - } + /* Third, they could have matching GIDs. See above for why + we check the redundant condition existing_tag == ACL_GROUP. */ + if (updated_tag == ACL_GROUP && existing_tag == ACL_GROUP) { + qualifiers_match = ( *((gid_t*)existing_qualifier) + == + *((gid_t*)updated_qualifier) ); + } - /* If we've made it this far, we need to add a new entry to the - ACL. */ - acl_entry_t new_entry; + /* Be sure to free this inside the loop, where memory is allocated. */ + acl_free(existing_qualifier); - /* The acl_create_entry() function can allocate new memory and/or - * change the location of the ACL structure entirely. When that - * happens, the value pointed to by aclp is updated, which means - * that a new acl_t gets "passed out" to our caller, eventually to - * be fed to acl_free(). In other words, we should still be freeing - * the right thing, even if the value pointed to by aclp changes. - */ - if (acl_create_entry(aclp, &new_entry) == ACL_ERROR) { - perror("acl_set_entry (acl_create_entry)"); - return ACL_ERROR; - } + if (qualifiers_match) { + /* If we update something, we're done and return ACL_SUCCESS */ + if (acl_set_permset(existing_entry, updated_permset) == ACL_ERROR) { + perror("acl_update_entry (acl_set_permset)"); + result = ACL_ERROR; + goto cleanup; + } - if (acl_set_tag_type(new_entry, entry_tag) == ACL_ERROR) { - perror("acl_set_entry (acl_set_tag_type)"); - return ACL_ERROR; - } + result = ACL_SUCCESS; + goto cleanup; + } + } - if (acl_set_permset(new_entry, entry_permset) == ACL_ERROR) { - perror("acl_set_entry (acl_set_permset)"); - return ACL_ERROR; + get_entry_result = acl_get_entry(aclp, ACL_NEXT_ENTRY, &existing_entry); } - if (entry_tag == ACL_USER || entry_tag == ACL_GROUP) { - /* We need to set the qualifier too. */ - void* entry_qual = acl_get_qualifier(entry); - if (entry_qual == (void*)NULL) { - perror("acl_set_entry (acl_get_qualifier)"); - return ACL_ERROR; - } - - if (acl_set_qualifier(new_entry, entry_qual) == ACL_ERROR) { - perror("acl_set_entry (acl_set_qualifier)"); - return ACL_ERROR; - } + /* This catches both the initial acl_get_entry and the ones at the + end of the loop. */ + if (get_entry_result == ACL_ERROR) { + perror("acl_update_entry (acl_get_entry)"); + result = ACL_ERROR; } - return ACL_SUCCESS; + cleanup: + acl_free(updated_qualifier); + return result; } @@ -353,6 +406,11 @@ int acl_entry_count(acl_t acl) { * - @c ACL_ERROR - Unexpected library error */ int acl_is_minimal(acl_t acl) { + if (acl == NULL) { + errno = EINVAL; + perror("acl_is_minimal (args)"); + return ACL_ERROR; + } int ec = acl_entry_count(acl); @@ -383,6 +441,11 @@ int acl_is_minimal(acl_t acl) { * - @c ACL_ERROR - Unexpected library error. */ int acl_execute_masked(acl_t acl) { + if (acl == NULL) { + errno = EINVAL; + perror("acl_execute_masked (args)"); + return ACL_ERROR; + } acl_entry_t entry; int ge_result = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry); @@ -397,23 +460,23 @@ int acl_execute_masked(acl_t acl) { if (tag == ACL_MASK) { /* This is the mask entry, get its permissions, and see if - execute is specified. */ + execute is specified. */ acl_permset_t permset; if (acl_get_permset(entry, &permset) == ACL_ERROR) { - perror("acl_execute_masked (acl_get_permset)"); - return ACL_ERROR; + perror("acl_execute_masked (acl_get_permset)"); + return ACL_ERROR; } int gp_result = acl_get_perm(permset, ACL_EXECUTE); if (gp_result == ACL_ERROR) { - perror("acl_execute_masked (acl_get_perm)"); - return ACL_ERROR; + perror("acl_execute_masked (acl_get_perm)"); + return ACL_ERROR; } if (gp_result == ACL_FAILURE) { - /* No execute bit set in the mask; execute not allowed. */ - return ACL_SUCCESS; + /* No execute bit set in the mask; execute not allowed. */ + return ACL_SUCCESS; } } @@ -446,10 +509,16 @@ int acl_execute_masked(acl_t acl) { * - @c ACL_ERROR - Unexpected library error. */ int any_can_execute(int fd, const struct stat* sp) { + if (sp == NULL) { + errno = EINVAL; + perror("any_can_execute (args)"); + return ACL_ERROR; + } + acl_t acl = acl_get_fd(fd); if (acl == (acl_t)NULL) { - perror("any_can_execute (acl_get_file)"); + perror("any_can_execute (acl_get_fd)"); return ACL_ERROR; } @@ -505,8 +574,8 @@ int any_can_execute(int fd, const struct stat* sp) { if (gp_result == ACL_SUCCESS) { /* Only return ACL_SUCCESS if this execute bit is not masked. */ if (acl_execute_masked(acl) != ACL_SUCCESS) { - result = ACL_SUCCESS; - goto cleanup; + result = ACL_SUCCESS; + goto cleanup; } } @@ -527,148 +596,178 @@ int any_can_execute(int fd, const struct stat* sp) { /** - * @brief Set @c acl as the default ACL on @c path. + * @brief Copy ACLs between file descriptors as xattrs, verbatim. * - * This overwrites any existing default ACL on @c path. If @c path is - * not a directory, we return ACL_ERROR and @c errno is set. + * There is a small deficiency in libacl, namely that there is no way + * to get or set default ACLs through file descriptors. The @c + * acl_get_file and @c acl_set_file functions can do it, but they use + * paths, and are vulnerable to symlink attacks. * - * @param path - * The target directory whose ACL we wish to replace or create. + * Fortunately, when inheriting an ACL, we don't really need to look + * at what it contains. That means that we can copy the on-disk xattrs + * from the source directory to the destination file/directory without + * passing through libacl, and this can be done with file descriptors + * through @c fgetxattr and @c fsetxattr. That's what this function + * does. + * + * @param src_fd + * The file descriptor from which the ACL will be copied. + * + * @param src_type + * The type of ACL (either @c ACL_TYPE_ACCESS or @c ACL_TYPE_DEFAULT) + * to copy from @c src_fd. + * + * @param dst_fd + * The file descriptor whose ACL will be overwritten with the one + * from @c src_fd. * - * @param acl - * The ACL to set as default on @c path. + * @param dst_type + * The type of ACL (either @c ACL_TYPE_ACCESS or @c ACL_TYPE_DEFAULT) + * to replace on @c dst_fd. * * @return - * - @c ACL_SUCCESS - The default ACL was assigned successfully. + * - @c ACL_SUCCESS - The ACL was copied successfully. + * - @c ACL_FAILURE - There was no ACL on @c src_fd. * - @c ACL_ERROR - Unexpected library error. */ -int assign_default_acl(const char* path, acl_t acl) { - - if (path == NULL) { +int acl_copy_xattr(int src_fd, + acl_type_t src_type, + int dst_fd, + acl_type_t dst_type) { + + const char* src_name; + if (src_type == ACL_TYPE_ACCESS) { + src_name = XATTR_NAME_POSIX_ACL_ACCESS; + } + else if (src_type == ACL_TYPE_DEFAULT) { + src_name = XATTR_NAME_POSIX_ACL_DEFAULT; + } + else { errno = EINVAL; - perror("assign_default_acl (args)"); + perror("acl_copy_xattr (src type)"); return ACL_ERROR; } - /* Our return value; success unless something bad happens. */ - int result = ACL_SUCCESS; - acl_t path_acl = acl_dup(acl); + const char* dst_name; + if (dst_type == ACL_TYPE_ACCESS) { + dst_name = XATTR_NAME_POSIX_ACL_ACCESS; + } + else if (dst_type == ACL_TYPE_DEFAULT) { + dst_name = XATTR_NAME_POSIX_ACL_DEFAULT; + } + else { + errno = EINVAL; + perror("acl_copy_xattr (dst type)"); + return ACL_ERROR; + } - if (path_acl == (acl_t)NULL) { - perror("assign_default_acl (acl_dup)"); - return ACL_ERROR; /* Nothing to clean up in this case. */ + ssize_t src_size_guess = fgetxattr(src_fd, src_name, NULL, 0); + if (src_size_guess == XATTR_ERROR) { + if (errno == ENODATA) { + /* A missing ACL isn't really an error. ENOATTR and ENODATA are + synonyms, but using ENODATA here lets us avoid another + "include" directive. */ + return ACL_FAILURE; + } + perror("acl_copy_xattr (fgetxattr size guess)"); + return ACL_ERROR; + } + char* src_acl_p = alloca(src_size_guess); + /* The actual size may be smaller than our guess? I don't know. The + return value from fgetxattr() will either be nonnegative, or + XATTR_ERROR (which we've already ruled out), so it's safe to cast + it to an unsigned size_t here to avoid a compiler warning. */ + ssize_t src_size = fgetxattr(src_fd, + src_name, + src_acl_p, + (size_t)src_size_guess); + if (src_size == XATTR_ERROR) { + if (errno == ENODATA) { + /* A missing ACL isn't an error. */ + return ACL_FAILURE; + } + perror("acl_copy_xattr (fgetxattr)"); + return ACL_ERROR; } - if (acl_set_file(path, ACL_TYPE_DEFAULT, path_acl) == ACL_ERROR) { - perror("assign_default_acl (acl_set_file)"); - result = ACL_ERROR; + /* See above: src_size must be nonnegative at this point,so we cast + it to size_t to avoid a compiler warning. */ + if (fsetxattr(dst_fd, + dst_name, + src_acl_p, + (size_t)src_size, + 0) + == XATTR_ERROR) { + perror("acl_copy_xattr (fsetxattr)"); + return ACL_ERROR; } - acl_free(path_acl); - return result; + return ACL_SUCCESS; } - /** - * @brief Remove all @c ACL_TYPE_ACCESS entries from the given file - * descriptor, leaving the UNIX permission bits. + * @brief Determine if a file descriptor has a default ACL. * * @param fd - * The file descriptor whose ACLs we want to wipe. + * The file descriptor whose default ACL is in question. * * @return - * - @c ACL_SUCCESS - The ACLs were wiped successfully, or none - * existed in the first place. + * - @c ACL_SUCCESS - If @c fd has a default ACL. + * - @c ACL_FAILURE - If @c fd does not have a default ACL. * - @c ACL_ERROR - Unexpected library error. */ -int wipe_acls(int fd) { - /* Initialize an empty ACL, and then overwrite the one on "fd" with it. */ - acl_t empty_acl = acl_init(0); - - if (empty_acl == (acl_t)NULL) { - perror("wipe_acls (acl_init)"); - return ACL_ERROR; - } - - if (acl_set_fd(fd, empty_acl) == ACL_ERROR) { - perror("wipe_acls (acl_set_fd)"); - acl_free(empty_acl); +int has_default_acl_fd(int fd) { + if (fgetxattr(fd, XATTR_NAME_POSIX_ACL_DEFAULT, NULL, 0) == XATTR_ERROR) { + if (errno == ENODATA) { + return ACL_FAILURE; + } + perror("has_default_acl_fd (fgetxattr)"); return ACL_ERROR; } - acl_free(empty_acl); return ACL_SUCCESS; } /** - * @brief Apply parent default ACL to a path. + * @brief The recursive portion of @c apply_default_acl. * - * This overwrites any existing ACLs on @c path. + * The @c apply_default_acl function takes a path, but then opens file + * descriptors for the path and its parent. Afterwards, everything is + * done using file descriptors, including the recursive application on + * the path's children. This function encapsulates the portion of @c + * apply_default_acl that uses only file descriptors; for the + * recursion, this function ultimately calls itself. * - * @param path - * The path whose ACL we would like to reset to its default. + * This overwrites any existing ACLs on @c fd and, if @c recursive is + * @c true, its children. When @c recursive is @c true, the "worst" + * result encountered is returned as the overall result. * - * @param sp - * A pointer to a stat structure for @c path, or @c NULL if you don't - * have one handy. + * @param parent_fd + * A file descriptor for the parent directory of @c fd. * - * @param no_exec_mask - * The value (either true or false) of the --no-exec-mask flag. + * @param fd + * The file descriptor that should inherit its parent's default ACL. + * + * @param recursive + * Should we recurse into subdirectories? * * @return - * - @c ACL_SUCCESS - The parent default ACL was inherited successfully. + * - @c ACL_SUCCESS - The parent default ACLs were inherited successfully. * - @c ACL_FAILURE - If symlinks or hard links are encountered. * - @c ACL_ERROR - Unexpected library error. */ -int apply_default_acl_ex(const char* path, - const struct stat* sp, - bool no_exec_mask) { - - if (path == NULL) { - errno = EINVAL; - perror("apply_default_acl_ex (args)"); - return ACL_ERROR; - } - - /* Define these next three variables here because we may have to - * jump to the cleanup routine which expects them to exist. - */ - - /* Our return value. */ +int apply_default_acl_fds(int parent_fd, int fd, bool recursive) { int result = ACL_SUCCESS; - /* The default ACL on path's parent directory */ - acl_t defacl = (acl_t)NULL; - - /* The file descriptor corresponding to "path" */ - int fd = 0; - - /* Get the parent directory of "path" with dirname(), which happens - * to murder its argument and necessitates a path_copy. - */ - char* path_copy = strdup(path); - if (path_copy == NULL) { - perror("apply_default_acl_ex (strdup)"); - return ACL_ERROR; - } - char* parent = dirname(path_copy); - - fd = safe_open(path, O_NOFOLLOW); - if (fd == OPEN_ERROR) { - if (errno == ELOOP) { - result = ACL_FAILURE; /* hit a symlink */ - goto cleanup; - } - else { - perror("apply_default_acl_ex (open fd)"); - result = ACL_ERROR; - goto cleanup; - } - } + /* The new ACL for this path */ + acl_t new_acl = (acl_t)NULL; + /* A copy of new_acl, to be made before we begin mangling new_acl in + order to mask the execute bit. */ + acl_t new_acl_unmasked = (acl_t)NULL; /* Refuse to operate on hard links, which can be abused by an * attacker to trick us into changing the ACL on a file we didn't @@ -676,92 +775,122 @@ int apply_default_acl_ex(const char* path, * race condition here, but the window is as small as possible * between when we open the file descriptor (look above) and when we * fstat it. - * - * Note: we only need to call fstat ourselves if we weren't passed a - * valid pointer to a stat structure (nftw does that). */ - if (sp == NULL) { - struct stat s; - if (fstat(fd, &s) == STAT_ERROR) { - perror("apply_default_acl_ex (fstat)"); - goto cleanup; - } + struct stat s; + if (fstat(fd, &s) == STAT_ERROR) { + perror("apply_default_acl_fds (fstat)"); + /* We can't recurse without the stat struct for fd */ + goto cleanup; + } - sp = &s; + + /* Check to make sure the parent descriptor actually has a default + ACL. If it doesn't, then we can "succeed" immediately, saving a + little work, particularly in any_can_execute(). Note that we + can't skip the fstat() above, because we need it in case we + recurse. */ + if (has_default_acl_fd(parent_fd) == ACL_FAILURE) { + result = ACL_SUCCESS; + /* Just because this target can't inherit anything doesn't mean + that one of it's children can't. For example, if there's a + default on "c" in "a/b/c/d", then we don't want to skip all + children of "a"! */ + goto recurse; } - if (!S_ISDIR(sp->st_mode)) { + + if (!S_ISDIR(s.st_mode)) { /* If it's not a directory, make sure it's a regular, non-hard-linked file. */ - if (!S_ISREG(sp->st_mode) || sp->st_nlink != 1) { + if (!S_ISREG(s.st_mode) || s.st_nlink != 1) { result = ACL_FAILURE; - goto cleanup; + goto cleanup; /* It's not a directory, so we can skip the recursion. */ } } - /* Default to not masking the exec bit; i.e. applying the default - ACL literally. If --no-exec-mask was not specified, then we try - to "guess" whether or not to mask the exec bit. This behavior - is modeled after the capital 'X' perms of setfacl. */ - bool allow_exec = true; + /* Next We try to guess whether or not to strip the execute bits. + * This behavior is modeled after the capital 'X' perms of setfacl. + */ + int ace_result = any_can_execute(fd, &s); + + if (ace_result == ACL_ERROR) { + perror("apply_default_acl_fds (any_can_execute)"); + result = ACL_ERROR; + goto cleanup; + } + + /* Never mask the execute bit on directories. */ + bool allow_exec = (bool)ace_result || S_ISDIR(s.st_mode); - if (!no_exec_mask) { - /* Never mask the execute bit on directories. */ - int ace_result = any_can_execute(fd,sp) || S_ISDIR(sp->st_mode); - if (ace_result == ACL_ERROR) { - perror("apply_default_acl_ex (any_can_execute)"); + /* If it's a directory, inherit the parent's default. */ + if (S_ISDIR(s.st_mode)) { + if (acl_copy_xattr(parent_fd, + ACL_TYPE_DEFAULT, + fd, + ACL_TYPE_DEFAULT) == ACL_ERROR) { + perror("apply_default_acl_fds (acl_copy_xattr default)"); result = ACL_ERROR; goto cleanup; } - - allow_exec = (bool)ace_result; } - defacl = acl_get_file(parent, ACL_TYPE_DEFAULT); - - if (defacl == (acl_t)NULL) { - perror("apply_default_acl_ex (acl_get_file)"); + /* If it's anything, _apply_ the parent's default. */ + if (acl_copy_xattr(parent_fd, + ACL_TYPE_DEFAULT, + fd, + ACL_TYPE_ACCESS) == ACL_ERROR) { + perror("apply_default_acl_fds (acl_copy_xattr access)"); result = ACL_ERROR; goto cleanup; } - if (wipe_acls(fd) == ACL_ERROR) { - perror("apply_default_acl_ex (wipe_acls)"); - result = ACL_ERROR; - goto cleanup; + /* There's a good reason why we saved the ACL above, even though + * we're about to read it back into memory and mess with it on the + * next line. The acl_copy_xattr() function is already a hack to let + * us copy default ACLs without resorting to path names; we simply + * have no way to read the parent's default ACL into memory using + * parent_fd. We can, however, copy the parent's ACL to a file (with + * acl_copy_xattr), and then read the ACL from a file using + * "fd". It's quite the circus, but it works and should be safe from + * sym/hardlink attacks. + */ + + /* Now we potentially need to mask the execute permissions in the + ACL on fd; or maybe not. */ + if (allow_exec) { + /* Skip the mask code for this target, but don't skip its children! */ + goto recurse; } - /* Do this after wipe_acls(), otherwise we'll overwrite the wiped - ACL with this one. */ - acl_t acl = acl_get_fd(fd); - if (acl == (acl_t)NULL) { - perror("apply_default_acl_ex (acl_get_fd)"); + /* OK, we need to mask some execute permissions. First obtain the + current ACL... */ + new_acl = acl_get_fd(fd); + if (new_acl == (acl_t)NULL) { + perror("apply_default_acl_fds (acl_get_fd)"); result = ACL_ERROR; goto cleanup; } - /* If it's a directory, inherit the parent's default. We sure hope - * that "path" still points to the same thing that "fd" and this - * "sp" describe. If not, we may wind up trying to set a default ACL - * on a file, and this will throw an error. I guess that's what we - * want to do? - */ - if (S_ISDIR(sp->st_mode) && assign_default_acl(path, defacl) == ACL_ERROR) { - perror("apply_default_acl_ex (assign_default_acl)"); + /* ...and now make a copy of it, because otherwise when we loop + below, some shit gets stuck (modifying the structure while + looping over it no worky). */ + new_acl_unmasked = acl_dup(new_acl); + if (new_acl_unmasked == (acl_t)NULL) { + perror("apply_default_acl_fds (acl_dup)"); result = ACL_ERROR; goto cleanup; } acl_entry_t entry; - int ge_result = acl_get_entry(defacl, ACL_FIRST_ENTRY, &entry); + int ge_result = acl_get_entry(new_acl_unmasked, ACL_FIRST_ENTRY, &entry); while (ge_result == ACL_SUCCESS) { acl_tag_t tag = ACL_UNDEFINED_TAG; if (acl_get_tag_type(entry, &tag) == ACL_ERROR) { - perror("apply_default_acl_ex (acl_get_tag_type)"); + perror("apply_default_acl_fds (acl_get_tag_type)"); result = ACL_ERROR; goto cleanup; } @@ -770,110 +899,256 @@ int apply_default_acl_ex(const char* path, /* We've got an entry/tag from the default ACL. Get its permset. */ acl_permset_t permset; if (acl_get_permset(entry, &permset) == ACL_ERROR) { - perror("apply_default_acl_ex (acl_get_permset)"); + perror("apply_default_acl_fds (acl_get_permset)"); result = ACL_ERROR; goto cleanup; } - /* If this is a default mask, fix it up. */ + /* To mimic what the kernel does, I think we could drop + ACL_GROUP_OBJ from the list below? */ if (tag == ACL_MASK || - tag == ACL_USER_OBJ || - tag == ACL_GROUP_OBJ || - tag == ACL_OTHER) { - - if (!allow_exec) { - /* The mask doesn't affect acl_user_obj, acl_group_obj (in - minimal ACLs) or acl_other entries, so if execute should be - masked, we have to do it manually. */ - if (acl_delete_perm(permset, ACL_EXECUTE) == ACL_ERROR) { - perror("apply_default_acl_ex (acl_delete_perm)"); - result = ACL_ERROR; - goto cleanup; - } - - if (acl_set_permset(entry, permset) == ACL_ERROR) { - perror("apply_default_acl_ex (acl_set_permset)"); - result = ACL_ERROR; - goto cleanup; - } + tag == ACL_USER_OBJ || + tag == ACL_GROUP_OBJ || + tag == ACL_OTHER) { + + /* The mask doesn't affect acl_user_obj, acl_group_obj (in + minimal ACLs) or acl_other entries, so if execute should be + masked, we have to do it manually. */ + if (acl_delete_perm(permset, ACL_EXECUTE) == ACL_ERROR) { + perror("apply_default_acl_fds (acl_delete_perm)"); + result = ACL_ERROR; + goto cleanup; + } + + if (acl_set_permset(entry, permset) == ACL_ERROR) { + perror("apply_default_acl_fds (acl_set_permset)"); + result = ACL_ERROR; + goto cleanup; } } - /* Finally, add the permset to the access ACL. It's actually - * important that we pass in the address of "acl" here, and not - * "acl" itself. Why? The call to acl_create_entry() within - * acl_set_entry() can allocate new memory for the entry. - * Sometimes that can be done in-place, in which case everything - * is cool and the new memory gets released when we call - * acl_free(acl). - * - * But occasionally, the whole ACL structure will have to be moved - * in order to allocate the extra space. When that happens, - * acl_create_entry() modifies the pointer it was passed (in this - * case, &acl) to point to the new location. We want to call - * acl_free() on the new location, and since acl_free() gets - * called right here, we need acl_create_entry() to update the - * value of "acl". To do that, it needs the address of "acl". - */ - if (acl_set_entry(&acl, entry) == ACL_ERROR) { - perror("apply_default_acl_ex (acl_set_entry)"); + if (acl_update_entry(new_acl, entry) == ACL_ERROR) { + perror("apply_default_acl_fds (acl_update_entry)"); result = ACL_ERROR; goto cleanup; } - ge_result = acl_get_entry(defacl, ACL_NEXT_ENTRY, &entry); + ge_result = acl_get_entry(new_acl_unmasked, ACL_NEXT_ENTRY, &entry); } /* Catches the first acl_get_entry as well as the ones at the end of the loop. */ if (ge_result == ACL_ERROR) { - perror("apply_default_acl_ex (acl_get_entry)"); + perror("apply_default_acl_fds (acl_get_entry)"); result = ACL_ERROR; goto cleanup; } - if (acl_set_fd(fd, acl) == ACL_ERROR) { - perror("apply_default_acl_ex (acl_set_fd)"); + if (acl_set_fd(fd, new_acl) == ACL_ERROR) { + perror("apply_default_acl_fds (acl_set_fd)"); result = ACL_ERROR; goto cleanup; } - cleanup: - free(path_copy); - if (defacl != (acl_t)NULL) { - acl_free(defacl); - } - if (fd >= 0 && close(fd) == CLOSE_ERROR) { - perror("apply_default_acl_ex (close)"); - result = ACL_ERROR; + recurse: + if (recursive && S_ISDIR(s.st_mode)) { + /* Recurse into subdirectories. Don't call closedir() on d! It + closes the open file descriptor as well, and subsequent calls + to close() then throw errors. */ + DIR* d = fdopendir(fd); + if (d == NULL) { + perror("apply_default_acl_fds (fdopendir)"); + result = ACL_ERROR; + goto cleanup; + } + + struct dirent* de; + int new_fd = 0; + while ((de = readdir(d)) != NULL) { + if (de->d_type != DT_DIR && de->d_type != DT_REG) { + /* Hit a symlink or whatever. */ + result = ACL_FAILURE; + continue; + } + if (strcmp(de->d_name, ".") == 0) { continue; } + if (strcmp(de->d_name, "..") == 0) { continue; } + + /* Be careful not to "return" out of this loop and leave the + new_fd open! */ + new_fd = openat(fd, de->d_name, O_NOFOLLOW); + if (new_fd == OPEN_ERROR) { + if (errno == ELOOP || errno == ENOTDIR) { + /* We hit a symlink, either in the last path component (ELOOP) + or higher up (ENOTDIR). */ + if (result == ACL_SUCCESS) { + /* Don't overwrite an error result with success/failure. */ + result = ACL_FAILURE; + } + continue; + } + else { + perror("apply_default_acl_fds (openat)"); + result = ACL_ERROR; + continue; + } + } + switch (apply_default_acl_fds(fd, new_fd, recursive)) { + /* Don't overwrite an error result with success/failure. */ + case ACL_FAILURE: + if (result == ACL_SUCCESS) { + result = ACL_FAILURE; + } + break; + case ACL_ERROR: + result = ACL_ERROR; + default: + if (close(new_fd) == CLOSE_ERROR) { + perror("apply_default_acl_fds (close)"); + result = ACL_ERROR; + } + } + } } + + cleanup: + acl_free(new_acl); + acl_free(new_acl_unmasked); return result; } - /** - * @brief The friendly interface to @c apply_default_acl_ex. + * @brief Apply parent default ACL to a path and optionally its children. * - * The @c apply_default_acl_ex function holds the real implementation - * of this function, but it takes a weird second argument that most - * people won't care about (a stat structure). But, we use that - * argument for the recursive mode of the CLI, so it's there. - * - * If you don't have a stat structure for your @c path, use this instead. + * This overwrites any existing ACLs on the target, and, if @c + * recursive is @c true, its children. When @c recursive is @c true, + * the "worst" result encountered is returned as the overall result. * * @param path * The path whose ACL we would like to reset to its default. * - * @param no_exec_mask - * The value (either true or false) of the --no-exec-mask flag. + * @param recursive + * Should we recurse into subdirectories? * * @return - * - @c ACL_SUCCESS - The parent default ACL was inherited successfully. + * - @c ACL_SUCCESS - The parent default ACLs were inherited successfully. * - @c ACL_FAILURE - If symlinks or hard links are encountered. - * or the parent of @c path is not a directory. * - @c ACL_ERROR - Unexpected library error. */ -int apply_default_acl(const char* path, bool no_exec_mask) { - return apply_default_acl_ex(path, NULL, no_exec_mask); +int apply_default_acl(const char* path, bool recursive) { + + if (path == NULL) { + errno = EINVAL; + perror("apply_default_acl (args)"); + return ACL_ERROR; + } + + /* Define these next three variables here because we may have to + * jump to the cleanup routine which expects them to exist. + */ + + /* Our return value. */ + int result = ACL_SUCCESS; + + /* The file descriptor corresponding to "path" */ + int fd = 0; + + /* The file descriptor for the directory containing "path" */ + int parent_fd = 0; + + /* dirname() and basename() mangle their arguments, so we need + to make copies of "path" before using them. */ + char* dirname_path_copy = NULL; + char* basename_path_copy = NULL; + + /* Get the parent directory of "path" with dirname(), which happens + * to murder its argument and necessitates a path_copy. */ + dirname_path_copy = strdup(path); + if (dirname_path_copy == NULL) { + perror("apply_default_acl (strdup)"); + return ACL_ERROR; + } + char* parent = dirname(dirname_path_copy); + + basename_path_copy = strdup(path); + if (basename_path_copy == NULL) { + perror("apply_default_acl (strdup)"); + result = ACL_ERROR; + goto cleanup; + } + char* child = basename(basename_path_copy); + + /* Just kidding, if the path is "." or "..", then dirname will do + * the wrong thing and give us "." as its parent, too. So, we handle + * those as special cases. We use "child" instead of "path" here to + * catch things like "./" and "../" + */ + bool path_is_dots = strcmp(child, ".") == 0 || strcmp(child, "..") == 0; + char dots_parent[6] = "../"; + if (path_is_dots) { + /* We know that "child" contains no more than two characters here, and + using strncat to enforce that belief keeps clang-tidy happy. */ + parent = strncat(dots_parent, child, 2); + } + + parent_fd = safe_open(parent, O_DIRECTORY | O_NOFOLLOW); + + if (parent_fd == OPEN_ERROR) { + if (errno == ELOOP || errno == ENOTDIR) { + /* We hit a symlink, either in the last path component (ELOOP) + or higher up (ENOTDIR). */ + result = ACL_FAILURE; + goto cleanup; + } + else { + perror("apply_default_acl (open parent fd)"); + result = ACL_ERROR; + goto cleanup; + } + } + + /* We already obtained the parent fd safely, so if we use the + * basename of path here instead of the full thing, then we can get + * away with using openat() and spare ourselves the slowness of + * another safe_open(). + * + * Note that if the basename is "." or "..", then we don't want to + * open it relative to the parent_fd, so we need another special + * case for those paths here. + */ + if (path_is_dots) { + fd = open(child, O_NOFOLLOW); + } + else { + fd = openat(parent_fd, child, O_NOFOLLOW); + } + if (fd == OPEN_ERROR) { + if (errno == ELOOP || errno == ENOTDIR) { + /* We hit a symlink, either in the last path component (ELOOP) + or higher up (ENOTDIR). */ + result = ACL_FAILURE; + goto cleanup; + } + else { + perror("apply_default_acl (open fd)"); + result = ACL_ERROR; + goto cleanup; + } + } + + result = apply_default_acl_fds(parent_fd, fd, recursive); + + cleanup: + free(dirname_path_copy); + free(basename_path_copy); + + if (parent_fd > 0 && close(parent_fd) == CLOSE_ERROR) { + perror("apply_default_acl (close parent_fd)"); + result = ACL_ERROR; + } + if (fd > 0 && close(fd) == CLOSE_ERROR) { + perror("apply_default_acl (close fd)"); + result = ACL_ERROR; + } + return result; }