16 months ago update the version to 0.4.4. master v0.4.4
Michael Orlitzky [Mon, 1 Jun 2020 21:16:09 +0000 (17:16 -0400)]
update the version to 0.4.4.

I forgot to push the old release tarball live, and Gentoo mirrored a
distfile that doesn't exist and the checksum doesn't match the real
version 0.4.3. Let's just make a 0.4.4 that's identical but that will
have a different tarball name.

17 months ago src/ mention our (private) dependency on libacl. v0.4.3
Michael Orlitzky [Wed, 27 May 2020 00:32:34 +0000 (20:32 -0400)]
src/ mention our (private) dependency on libacl.

17 months ago doc/LICENSE: replace GPL-3 with AGPL-3.
Michael Orlitzky [Wed, 27 May 2020 00:20:56 +0000 (20:20 -0400)]
doc/LICENSE: replace GPL-3 with AGPL-3.

If this change bothers you, it's directed at you.

17 months ago bump the version number to 0.4.3.
Michael Orlitzky [Wed, 27 May 2020 00:06:49 +0000 (20:06 -0400)]
bump the version number to 0.4.3.

17 months ago ,src/ new pkg-config file.
Michael Orlitzky [Wed, 27 May 2020 00:05:52 +0000 (20:05 -0400)]
,src/ new pkg-config file.

We ship a library, so we might as well be nice and provide a pkg-config
file for the people who want to detect us.

17 months ago disable static libraries by default.
Michael Orlitzky [Tue, 26 May 2020 23:23:08 +0000 (19:23 -0400)]
disable static libraries by default.

Static libraries are a security risk and a waste of space. Most users
will not want to build or install them, so this commit disables them
by passing "disable-static" to the LT_INIT macro. If you really think
you know what you're doing, they can be re-enabled by passing the
"--enable-static" flag to ./configure.

19 months ago define a configuration header.
Michael Orlitzky [Mon, 16 Mar 2020 14:45:09 +0000 (10:45 -0400)]
define a configuration header.

Instead of passing a million unused -DFOO options on the command-line,
this will define a million constants in an unused config.h file, thereby
keeping the build logs readable.

19 months ago place build artifacts in the "build-aux" directory.
Michael Orlitzky [Mon, 16 Mar 2020 14:41:40 +0000 (10:41 -0400)]
place build artifacts in the "build-aux" directory.

During the build, autotools generates a bunch of files that need a
place to live. By default, most of them (the "compile" and "missing"
scripts, for example) wind up in the project root. This commit sets


in so that the aforementioned files are placed in the
build-aux directory instead. This keeps the top-level directory
nice and clean.

19 months ago src/libadacl.c: include limits.h for PATH_MAX.
Michael Orlitzky [Mon, 16 Mar 2020 14:39:00 +0000 (10:39 -0400)]
src/libadacl.c: include limits.h for PATH_MAX.

We incidentally get PATH_MAX on linux/glibc by way of dirent.h, but
POSIX says that it should be defined in limits.h. We now include
limits.h explicitly to fix the build with musl.


19 months ago delete redundant file in favor of "autoreconf -fi".
Michael Orlitzky [Mon, 16 Mar 2020 14:36:22 +0000 (10:36 -0400)]
delete redundant file in favor of "autoreconf -fi".

23 months ago add "tar-ustar" to AM_INIT_AUTOMAKE.
Michael Orlitzky [Wed, 30 Oct 2019 02:10:46 +0000 (22:10 -0400)]
add "tar-ustar" to AM_INIT_AUTOMAKE.

The default tar format sucks, and ustar is my pick for the best
alternative based on Michał's article,

2 years ago update to version 0.4.2. v0.4.2
Michael Orlitzky [Tue, 11 Dec 2018 21:20:44 +0000 (16:20 -0500)]
update to version 0.4.2.

2 years ago src/libadacl.c: fix a clang-tidy warning by adding a redundant check.
Michael Orlitzky [Tue, 11 Dec 2018 21:13:31 +0000 (16:13 -0500)]
src/libadacl.c: fix a clang-tidy warning by adding a redundant check.

The clang-tidy program is complaining about a potential null pointer
dereference where none is possible. To convince it of that fact, I've
added a redundant equality check: we have a case where (a == b) and (a
== c), and I've added (b == c) explicitly. This fixes the warning, and
should have very little performance impact, so everyone is happy.

2 years ago src/libadacl.c: rename variables in acl_update_entry() for clarity.
Michael Orlitzky [Tue, 11 Dec 2018 20:23:28 +0000 (15:23 -0500)]
src/libadacl.c: rename variables in acl_update_entry() for clarity.

The updated copy of the entry in the acl_update_entry() function was
called simply "entry", which makes it hard to mentally separate from,
say, the "existing_entry" that is used in the same place. The same
problem exists with names like "entry_tag" with respect to
"existing_tag", and so on.

This commit renames "entry" to "updated_entry" and all of the other
variables like "entry_tag" to "updated_tag". That should make it a
little clearer which entry is the new one.

2 years ago src/libadacl.c: only update entries with matching qualifiers.
Michael Orlitzky [Tue, 11 Dec 2018 05:40:17 +0000 (00:40 -0500)]
src/libadacl.c: only update entries with matching qualifiers.

This fixes the bug reported by Michał Bartoszkiewicz wherein multiple
named user/group entries clobber one another. Now, when updating an
existing ACL entry with a given one, we check that their qualifiers
match. This can mean one of three things:

  1. Both entries are named user entries, and their UIDs match.

  2. Both entries are named group entries, and their GIDs match.

  3. Both entries are neither named user nor group entries, and
     their qualifiers "match vacuously." That is to say: they
     don't have any qualifiers that should match in the first
     place, so we want to update the entry regardless.

This passes the regression test case that I recently added, and (I
hope) fixes the problem entirely.

2 years ago src/libadacl.c: use a "cleanup" routine in acl_update_entry().
Michael Orlitzky [Tue, 11 Dec 2018 05:16:21 +0000 (00:16 -0500)]
src/libadacl.c: use a "cleanup" routine in acl_update_entry().

This is in preparation for comparing the qualifiers of the given and
existing ACL entries. Since acl_get_qualifier() can allocate memory,
we need to be sure that memory gets freed, even if an error occurs. A
"cleanup" routine and liberal use of "goto" is the standard pattern
throughout the rest of the library to deal with that problem.

2 years ago add regression test for bug with multiple named entities.
Michael Orlitzky [Tue, 11 Dec 2018 03:12:23 +0000 (22:12 -0500)]
add regression test for bug with multiple named entities.

Michał Bartoszkiewicz just reported a very bad bug in the latest
release. When multiple named-user and named-group entries exist, the
later entries clobber earlier ones in the list. So if there are two
default ACL entries on a parent directory for group:bar and group:foo,
then apply-default-acl will create two entries on a child but both
wind up with the permissions of the group:foo entry. The full test
case he provided is as follows:

  $ getfacl -n .
  # file: .
  # owner: 1000
  # group: 1000

  $ touch foo
  $ getfacl -n foo
  # file: foo
  # owner: 1000
  # group: 1000
  group::r-x            #effective:r--

  $ apply-default-acl foo
  $ getfacl -n foo
  # file: foo
  # owner: 1000
  # group: 1000

This commit adds a new regression test that creates multiple default
named-user and named-group entries at once (with different
permissions!) and checks that they get applied correctly.
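
The clobbering bug reported above, and the qualifier check that fixes it, can be reproduced in a small model. This is an added example, not code from the project: it uses a plain struct in place of libacl's entry type, and every name in it (struct entry, qualifiers_match, update_entry, demo, the IDs 100 and 200) is an assumption made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for a POSIX ACL entry. The library works on libacl
 * entries; this struct and all names below are illustrative only. */
enum tag { TAG_USER_OBJ, TAG_USER, TAG_GROUP_OBJ, TAG_GROUP, TAG_MASK, TAG_OTHER };

struct entry {
    enum tag tag;
    unsigned id;    /* UID or GID; meaningful only for TAG_USER / TAG_GROUP */
    unsigned perms; /* rwx bits, e.g. 05 = r-x */
};

/* The three cases from the commit message. Callers have already checked
 * that both entries carry the same tag. */
static bool qualifiers_match(const struct entry *a, const struct entry *b)
{
    if (a->tag == TAG_USER || a->tag == TAG_GROUP)
        return a->id == b->id; /* cases 1 and 2: UIDs or GIDs must agree */
    return true;               /* case 3: nothing to compare, match vacuously */
}

/* Copy the permissions of "updated" onto the existing entries it applies to.
 * With check_qualifier == false only the tag is compared, which models the
 * reported bug. Returns the number of entries changed. */
size_t update_entry(struct entry *acl, size_t n,
                    const struct entry *updated, bool check_qualifier)
{
    size_t changed = 0;
    for (size_t i = 0; i < n; i++) {
        if (acl[i].tag != updated->tag)
            continue;
        if (check_qualifier && !qualifiers_match(&acl[i], updated))
            continue;
        acl[i].perms = updated->perms;
        changed++;
    }
    return changed;
}

/* Apply constructed default entries to a constructed child ACL and return the
 * resulting permissions of user:100, group:100, group:200 and the mask,
 * packed as four octal digits. */
unsigned demo(bool check_qualifier)
{
    struct entry child[] = {
        { TAG_USER_OBJ,  0,   06 },
        { TAG_USER,      100, 0  },
        { TAG_GROUP_OBJ, 0,   04 },
        { TAG_GROUP,     100, 0  },
        { TAG_GROUP,     200, 0  },
        { TAG_MASK,      0,   07 },
        { TAG_OTHER,     0,   0  },
    };
    const struct entry defaults[] = {
        { TAG_USER,  100, 07 }, /* same numeric id as the group below */
        { TAG_GROUP, 100, 05 },
        { TAG_GROUP, 200, 06 },
        { TAG_MASK,  0,   05 },
    };
    size_t n = sizeof child / sizeof child[0];

    for (size_t i = 0; i < sizeof defaults / sizeof defaults[0]; i++)
        update_entry(child, n, &defaults[i], check_qualifier);

    return (child[1].perms << 9) | (child[3].perms << 6)
         | (child[4].perms << 3) | child[5].perms;
}

int main(void)
{
    printf("tag-only match:  %04o\n", demo(false));
    printf("qualifier match: %04o\n", demo(true));
    return 0;
}
```

In the tag-only run both group entries end up with the permissions of the last group entry applied, which is the symptom in the report; with the qualifier check each named entry keeps its own permissions while the mask is still updated.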

3 years ago update to version 0.4.1. v0.4.1
Michael Orlitzky [Sun, 24 Jun 2018 22:28:55 +0000 (18:28 -0400)]
update to version 0.4.1.

3 years ago src/libadacl.c: use strncat instead of strcat to appease clang-tidy.
Michael Orlitzky [Sun, 24 Jun 2018 22:25:56 +0000 (18:25 -0400)]
src/libadacl.c: use strncat instead of strcat to appease clang-tidy.

3 years ago src/libadacl.c: fix handling of "./" and "../" as paths.
Michael Orlitzky [Mon, 18 Jun 2018 01:48:40 +0000 (21:48 -0400)]
src/libadacl.c: fix handling of "./" and "../" as paths.

The recent fixes for the paths "." and ".." ignored the other obvious
cases, where those paths have a trailing slash appended. The trailing
slash is now handled by comparing the basename of the path against "."
and ".." rather than the path itself. This allows the test suite,
which now contains tests for "./" and "../", to pass.

3 years ago add tests for "./" and "../" as arguments, too.
Michael Orlitzky [Mon, 18 Jun 2018 01:45:47 +0000 (21:45 -0400)]
add tests for "./" and "../" as arguments, too.

3 years ago src/libadacl.c: simplify the "." and ".." path handling.
Michael Orlitzky [Mon, 18 Jun 2018 01:28:32 +0000 (21:28 -0400)]
src/libadacl.c: simplify the "." and ".." path handling.

The initial fix for the path arguments "." and ".." was a little
hacky, but necessary to get the test suite passing. Now the logic is a
little cleaner, and both paths are handled in one special-case rather
than two separate "if" statements.

3 years ago add recursive versions of the "." and ".." tests.
Michael Orlitzky [Mon, 18 Jun 2018 01:00:26 +0000 (21:00 -0400)]
add recursive versions of the "." and ".." tests.

3 years ago src/libadacl.c: add a special case for the path ".." as an argument.
Michael Orlitzky [Mon, 18 Jun 2018 00:57:24 +0000 (20:57 -0400)]
src/libadacl.c: add a special case for the path ".." as an argument.

In a similar vein, the path ".." needs special-case handling when
opening its parent and child file descriptors. With the special-case
added, the test suite once again passes.

3 years ago remove --recursive flag from the "." and ".." tests.
Michael Orlitzky [Mon, 18 Jun 2018 00:09:51 +0000 (20:09 -0400)]
remove --recursive flag from the "." and ".." tests.

3 years ago add test to ensure that ".." works as an argument.
Michael Orlitzky [Sun, 17 Jun 2018 23:47:42 +0000 (19:47 -0400)]
add test to ensure that ".." works as an argument.

3 years ago src/libadacl.c: add a special case for the path "." as an argument.
Michael Orlitzky [Sun, 17 Jun 2018 23:43:21 +0000 (19:43 -0400)]
src/libadacl.c: add a special case for the path "." as an argument.

There's a bug (exposed by the most recent test case) in the way the
path "." is handled. Specifically, the dirname() function miscomputes
its parent path as ".", which is clearly not correct.

In this commit, a special case is added for the path ".", and the test
suite passes once more. The implementation is a bit of a hack, however,
and will be improved once the same issue with ".." has been dealt with.

3 years ago add test to ensure that "." works as an argument.
Michael Orlitzky [Thu, 14 Jun 2018 11:01:31 +0000 (07:01 -0400)]
add test to ensure that "." works as an argument.

3 years ago src/libadacl.c: fix a memory leak found by clang-tidy. v0.4.0
Michael Orlitzky [Thu, 29 Mar 2018 01:59:51 +0000 (21:59 -0400)]
src/libadacl.c: fix a memory leak found by clang-tidy.

There was an error path in apply_default_acl() that was returning
directly rather than jumping to the cleanup function where memory is
freed. Thanks, clang-tidy.

3 years ago src/libadacl.c: cast two fgetxattr() and fsetxattr() params to size_t.
Michael Orlitzky [Thu, 29 Mar 2018 01:41:31 +0000 (21:41 -0400)]
src/libadacl.c: cast two fgetxattr() and fsetxattr() params to size_t.

The two functions fgetxattr() and fsetxattr() take an unsigned "size"
parameter as arguments. We are passing them signed integers that we
happen to know are nonnegative, since we have ruled out the one
possible negative value -- but the compiler doesn't know that. To
avoid a warning from clang, we now cast the parameters to the
(unsigned) size_t type.

3 years ago src/libadacl.c: remove newline from function arguments.
Michael Orlitzky [Wed, 28 Mar 2018 20:54:48 +0000 (16:54 -0400)]
src/libadacl.c: remove newline from function arguments.

3 years ago src: add prototypes for all functions.
Michael Orlitzky [Wed, 28 Mar 2018 20:54:32 +0000 (16:54 -0400)]
src: add prototypes for all functions.

3 years ago doc: add a RATIONALE section to the man page.
Michael Orlitzky [Wed, 28 Mar 2018 14:35:00 +0000 (10:35 -0400)]
doc: add a RATIONALE section to the man page.

3 years ago doc: use bold face for "mkdir" and "touch".
Michael Orlitzky [Wed, 28 Mar 2018 14:34:35 +0000 (10:34 -0400)]
doc: use bold face for "mkdir" and "touch".

3 years ago Drop the "--no-exec-mask" flag and function parameters.
Michael Orlitzky [Wed, 28 Mar 2018 03:50:41 +0000 (23:50 -0400)]
Drop the "--no-exec-mask" flag and function parameters.

Nobody needs the "--no-exec-mask" flag, and it's uglying up the
library's API. Sayonara:

  * Update the man page:
    * Remove all mentions of the flag.
    * Update the algorithm description.
    * Reword the general description.
  * Remove all --no-exec-mask tests.
  * Bump the program version in
  * Make apply_default_acl() work as if no_exec_mask == false.
  * Remove all no_exec_mask function parameters.
  * Bump the soname major version in src/

3 years ago use auto-incrementing test numbers.
Michael Orlitzky [Wed, 28 Mar 2018 03:55:33 +0000 (23:55 -0400)]
use auto-incrementing test numbers.

3 years ago src/libadacl.c: use asprintf() instead of snprintf() for paths.
Michael Orlitzky [Wed, 28 Mar 2018 01:03:01 +0000 (21:03 -0400)]
src/libadacl.c: use asprintf() instead of snprintf() for paths.

When constructing a path, there is an ancient problem: how do you
ensure that your path-name buffer is large enough, and what do you do
if it isn't? The existing solution was to use the PATH_MAX constant
from limits.h, which is often a big number, but need not actually be
defined. If a path exceeded PATH_MAX bytes, we would fail.

Now the GNU/BSD extension asprintf() is used instead. The path-name
buffer is constructed on-the-fly to be as large as necessary, and if
allocation fails, an error is returned. This solution is a little
cleaner, and is not too much less portable considering that we only
work on Linux anyway.

3 years ago src/libadacl.c: add a comment about how we might agree with the kernel.
Michael Orlitzky [Wed, 28 Mar 2018 00:25:46 +0000 (20:25 -0400)]
src/libadacl.c: add a comment about how we might agree with the kernel.

3 years ago doc: document the apply-default-acl algorithm.
Michael Orlitzky [Wed, 28 Mar 2018 00:23:16 +0000 (20:23 -0400)]
doc: document the apply-default-acl algorithm.

It's nice to have a high-level overview of what the ACL application
actually does, so I have added one to the man page in a new section
titled "ALGORITHM". The manual now also explains how apply-default-acl
differs from the kernel when, for example, you "touch" a file in a
directory with a default ACL.

3 years ago simplify the EXPECTED output in test 29.
Michael Orlitzky [Sat, 24 Mar 2018 23:43:51 +0000 (19:43 -0400)]
simplify the EXPECTED output in test 29.

3 years ago simplify the EXPECTED output in test 32.
Michael Orlitzky [Sat, 24 Mar 2018 23:39:41 +0000 (19:39 -0400)]
simplify the EXPECTED output in test 32.

3 years ago bump to version 0.3.1. v0.3.1
Michael Orlitzky [Fri, 2 Mar 2018 23:04:18 +0000 (18:04 -0500)]
bump to version 0.3.1.

3 years ago Add a missing "break" statement in a switch, and test for that bug.
Michael Orlitzky [Fri, 2 Mar 2018 23:03:41 +0000 (18:03 -0500)]
Add a missing "break" statement in a switch, and test for that bug.

3 years ago autotools: replace my busted header checks with something that works. v0.3.0
Michael Orlitzky [Fri, 2 Mar 2018 22:07:10 +0000 (17:07 -0500)]
autotools: replace my busted header checks with something that works.

My existing AC_CHECK_HEADERS checks were failing silently. Oops. I've
now defined my own macro in m4/ac_header_required.m4 that successfully
fails when a required header is missing.

3 years ago fix header name sys/libacl.h -> acl/libacl.h.
Michael Orlitzky [Fri, 2 Mar 2018 21:05:44 +0000 (16:05 -0500)]
fix header name sys/libacl.h -> acl/libacl.h.

3 years ago use AC_HEADER_DIRENT to check for dirent.h.
Michael Orlitzky [Fri, 2 Mar 2018 21:03:13 +0000 (16:03 -0500)]
use AC_HEADER_DIRENT to check for dirent.h.

3 years ago remove check for the (not used) sys/types.h header.
Michael Orlitzky [Fri, 2 Mar 2018 21:01:30 +0000 (16:01 -0500)]
remove check for the (not used) sys/types.h header.

3 years ago remove the check for the (not used) ftw.h header.
Michael Orlitzky [Fri, 2 Mar 2018 20:58:56 +0000 (15:58 -0500)]
remove the check for the (not used) ftw.h header.

3 years ago drop AC_TYPE_MODE_T since we don't use mode_t anywhere.
Michael Orlitzky [Fri, 2 Mar 2018 20:58:16 +0000 (15:58 -0500)]
drop AC_TYPE_MODE_T since we don't use mode_t anywhere.

3 years ago autotools: bump the package and library versions to v0.3.0 and v2.0.0.
Michael Orlitzky [Fri, 2 Mar 2018 20:20:27 +0000 (15:20 -0500)]
autotools: bump the package and library versions to v0.3.0 and v2.0.0.

The apply_default_acl() function now takes a third "recursive"
parameter, so the library gets a new version.

3 years ago Replace nftw() with manual recursion in apply_default_acl().
Michael Orlitzky [Fri, 2 Mar 2018 20:19:13 +0000 (15:19 -0500)]
Replace nftw() with manual recursion in apply_default_acl().

The nftw() tree walk worked well for a while; in particular, before we
handled symlinks safely, it was empirically faster than a hand-written
recursive descent. But recently, the very slow safe_open() function
was being called on the path that was passed to apply_default_acl(),
and nftw() fed that function a whole bunch of paths.

The apply_default_acl() function now takes a third "recursive"
parameter, and implements the recursion on its own. This lets us pass
down the old child file descriptor as the new parent file descriptor,
and avoid calling safe_open() more than once when we're operating
recursively. The result is a big speed improvement with --recursive,
tested for example on the Linux kernel source tree.

The hand-written recursion also allows us to fix a lingering exit code
bug. Now --recursive acts as if all of the targets were passed (in the
right order) on the command-line.

The new parameter affects the public API, so in the next release the
library will get a new version. The upside to this is that now it's
easy for other programs to operate recursively, simply by passing
"true" as the third parameter to apply_default_acl().

3 years ago Update docs and tests for the --recursive exit code.
Michael Orlitzky [Fri, 2 Mar 2018 19:59:10 +0000 (14:59 -0500)]
Update docs and tests for the --recursive exit code.

With the nftw() implementation, there was some bugginess in our exit
code that was both documented and tested. Well now I plan on fixing
that, so the documentation has been updated to state what the exit
code _should_ be, and the tests now check for the correct behavior
(meaning that they fail, for the moment).

3 years ago ensure that we descend into directories with no ACLs.
Michael Orlitzky [Fri, 2 Mar 2018 19:57:50 +0000 (14:57 -0500)]
ensure that we descend into directories with no ACLs.

3 years ago src/libadacl.c: delete an outdated comment.
Michael Orlitzky [Fri, 2 Mar 2018 16:51:53 +0000 (11:51 -0500)]
src/libadacl.c: delete an outdated comment.

3 years ago autotools: bump the package and library versions to v0.2.0 and v1.0.0. v0.2.0
Michael Orlitzky [Fri, 2 Mar 2018 14:14:35 +0000 (09:14 -0500)]
autotools: bump the package and library versions to v0.2.0 and v1.0.0.

Since the apply_default_acl_ex() function has been removed from the
public API, a new is needed.

3 years ago Eliminate the apply_default_acl_ex() function.
Michael Orlitzky [Fri, 2 Mar 2018 14:11:40 +0000 (09:11 -0500)]
Eliminate the apply_default_acl_ex() function.

The apply_default_acl_ex() function was an "extended" version of the
apply_default_acl() function that, in addition, took a stat structure
pointer to the target path. The extended function was used by nftw(),
which usually has such a stat structure handy. However, the provenance
of that stat structure is not clear: does nftw() obtain it in a safe

Since I don't know the answer to that question, I would rather stat()
the descriptor that I know was obtained safely. Thus there's no reason
to take the pointer as an argument, and then no reason to keep the
extended function around at all.

3 years ago src/libadacl.c: remove two NULL checks around acl_free() calls.
Michael Orlitzky [Fri, 2 Mar 2018 13:52:19 +0000 (08:52 -0500)]
src/libadacl.c: remove two NULL checks around acl_free() calls.

The acl_free() function will return ACL_ERROR and set errno to EINVAL
if we pass it a null pointer; but aside from that, nothing bad
happens, and removing the checks makes the code marginally cleaner.

3 years ago src/libadacl.c: fix two comment typos.
Michael Orlitzky [Fri, 2 Mar 2018 13:47:56 +0000 (08:47 -0500)]
src/libadacl.c: fix two comment typos.

3 years ago apply_default_acl_ex: avoid second call to safe_open() to speed things up.
Michael Orlitzky [Fri, 2 Mar 2018 02:08:51 +0000 (21:08 -0500)]
apply_default_acl_ex: avoid second call to safe_open() to speed things up.

3 years ago src/libadacl.c: minor code simplification in safe_open().
Michael Orlitzky [Fri, 2 Mar 2018 01:57:50 +0000 (20:57 -0500)]
src/libadacl.c: minor code simplification in safe_open().

3 years ago src/libadacl.c: fix return type of fgetxattr in acl_copy_xattr().
Michael Orlitzky [Fri, 2 Mar 2018 00:29:55 +0000 (19:29 -0500)]
src/libadacl.c: fix return type of fgetxattr in acl_copy_xattr().

3 years ago add two tests to ensure a no-op without default ACLs.
Michael Orlitzky [Fri, 2 Mar 2018 00:25:31 +0000 (19:25 -0500)]
add two tests to ensure a no-op without default ACLs.

3 years ago add a test for the "Not a directory" error message.
Michael Orlitzky [Fri, 2 Mar 2018 00:21:16 +0000 (19:21 -0500)]
add a test for the "Not a directory" error message.

3 years ago whitespace cleanup.
Michael Orlitzky [Fri, 2 Mar 2018 00:16:05 +0000 (19:16 -0500)]
whitespace cleanup.

3 years ago src/libadacl.c: rewrite acl_set_entry() as acl_update_entry().
Michael Orlitzky [Thu, 1 Mar 2018 23:51:58 +0000 (18:51 -0500)]
src/libadacl.c: rewrite acl_set_entry() as acl_update_entry().

It turns out we only need to update existing entries in our ACLs, to
mask the execute permissions. Since we never need to create new
entries, the name "acl_set_entry" was not quite right. The
new-entry-creation code has been removed from the bottom half of the
function, and it has been renamed to "acl_update_entry".

3 years ago Eliminate the wipe_acls() function that is apparently not needed.
Michael Orlitzky [Thu, 1 Mar 2018 23:38:59 +0000 (18:38 -0500)]
Eliminate the wipe_acls() function that is apparently not needed.

3 years ago src/libadacl.c: remove redundant empty pathname checks from safe_open().
Michael Orlitzky [Thu, 1 Mar 2018 23:20:09 +0000 (18:20 -0500)]
src/libadacl.c: remove redundant empty pathname checks from safe_open().

3 years ago src/libadacl.c: kill a pointless "else if" after an "if" that returns.
Michael Orlitzky [Thu, 1 Mar 2018 23:19:24 +0000 (18:19 -0500)]
src/libadacl.c: kill a pointless "else if" after an "if" that returns.

3 years ago apply_default_acl_ex: don't loop through the ACL unless we're masking exec.
Michael Orlitzky [Thu, 1 Mar 2018 22:25:05 +0000 (17:25 -0500)]
apply_default_acl_ex: don't loop through the ACL unless we're masking exec.

3 years ago Improve the error message for most types of inaccessible paths.
Michael Orlitzky [Thu, 1 Mar 2018 22:15:07 +0000 (17:15 -0500)]
Improve the error message for most types of inaccessible paths.

3 years ago Bail out of apply_default_acl_ex() early if the parent has no default ACL.
Michael Orlitzky [Thu, 1 Mar 2018 21:20:15 +0000 (16:20 -0500)]
Bail out of apply_default_acl_ex() early if the parent has no default ACL.

3 years ago src/libadacl.c: don't try to close file descriptor zero.
Michael Orlitzky [Thu, 1 Mar 2018 21:12:41 +0000 (16:12 -0500)]
src/libadacl.c: don't try to close file descriptor zero.

3 years ago bump to version 0.1.5. v0.1.5
Michael Orlitzky [Thu, 1 Mar 2018 13:31:52 +0000 (08:31 -0500)]
bump to version 0.1.5.

3 years ago Replace all tabs with spaces. We're not animals.
Michael Orlitzky [Thu, 1 Mar 2018 13:24:38 +0000 (08:24 -0500)]
Replace all tabs with spaces. We're not animals.

3 years ago Eliminate the last bit of pathname usage.
Michael Orlitzky [Wed, 28 Feb 2018 22:33:17 +0000 (17:33 -0500)]
Eliminate the last bit of pathname usage.

A lot of work has been done recently to make apply-default-acl safe
from symlink and hardlink attacks. A big part of that work was the
recent switch to using file descriptors instead of pathnames; but,
pathnames still lingered in a few places due to a shortcoming in
libacl. Through the use of a new function, acl_copy_xattr(), I've
finally eliminated those last few bits.

The apply_default_acl_ex() function now uses path names only as
arguments to safe_open(), which hopefully is safe. Afterwards, the
file descriptors obtained from safe_open() are used. Thus the hard and
symlink attacks should finally be fixed, modulo a tiny race condition
between safe_open() and fstat() that has no known solution.

These changes rely on the Linux xattr implementation and kill our
portability, but I don't think we ever had any to begin with.
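
The descriptor-based approach described in this commit can be sketched as follows. This is an added example, not the project's safe_open(): the names open_no_symlinks, opens and demo are hypothetical, the directory tree is constructed under /tmp for the demonstration, and the walk assumes a Linux system with openat() and O_NOFOLLOW.

```c
#define _GNU_SOURCE /* exposes O_PATH on glibc; the code also builds without it */
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifdef O_PATH
#define BASE_FLAGS (O_PATH | O_NOFOLLOW)   /* no read permission required */
#else
#define BASE_FLAGS (O_RDONLY | O_NOFOLLOW)
#endif

/* Hypothetical helper: open an absolute path one component at a time,
 * starting at "/", and refuse any component that is a symlink.
 * Returns a descriptor for the final component, or -1. */
int open_no_symlinks(const char *abs_path)
{
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;
    char *copy = strdup(abs_path);
    if (copy == NULL)
        return -1;

    int fd = open("/", BASE_FLAGS | O_DIRECTORY);
    char *save = NULL;
    char *comp = (fd < 0) ? NULL : strtok_r(copy, "/", &save);
    while (comp != NULL) {
        char *next_comp = strtok_r(NULL, "/", &save);
        int flags = BASE_FLAGS;
        if (next_comp != NULL)
            flags |= O_DIRECTORY;          /* intermediate components */
        int next = openat(fd, comp, flags);
        close(fd);
        fd = next;
        if (fd < 0)
            break;
        /* With O_PATH, O_NOFOLLOW yields a descriptor for the link itself,
         * so check what was actually opened. */
        struct stat st;
        if (fstat(fd, &st) != 0 || S_ISLNK(st.st_mode)) {
            close(fd);
            fd = -1;
            break;
        }
        comp = next_comp;
    }
    free(copy);
    return fd;
}

/* Returns 1 if root/rel can be opened without crossing a symlink. */
static int opens(const char *root, const char *rel)
{
    char p[PATH_MAX + 32];
    snprintf(p, sizeof p, "%s/%s", root, rel);
    int fd = open_no_symlinks(p);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Builds a constructed tree and returns a bitmask: 1 = plain path opened,
 * 2 = symlinked directory refused, 4 = symlinked file refused,
 * 8 = an ordinary open() followed the same directory link. */
int demo(void)
{
    char tmpl[] = "/tmp/nofollow-XXXXXX", root[PATH_MAX];
    if (mkdtemp(tmpl) == NULL || realpath(tmpl, root) == NULL)
        return -1;
    int rootfd = open(root, O_RDONLY | O_DIRECTORY);
    if (rootfd < 0 || mkdirat(rootfd, "real", 0700) != 0)
        return -1;
    int f = openat(rootfd, "real/f", O_CREAT | O_WRONLY, 0600);
    if (f < 0 || symlinkat("real", rootfd, "link") != 0
              || symlinkat("real/f", rootfd, "lf") != 0)
        return -1;
    close(f);

    int result = 0;
    if (opens(root, "real/f"))  result |= 1;
    if (!opens(root, "link/f")) result |= 2;
    if (!opens(root, "lf"))     result |= 4;
    f = openat(rootfd, "link/f", O_RDONLY);
    if (f >= 0) { result |= 8; close(f); }

    unlinkat(rootfd, "lf", 0);
    unlinkat(rootfd, "link", 0);
    unlinkat(rootfd, "real/f", 0);
    unlinkat(rootfd, "real", AT_REMOVEDIR);
    close(rootfd);
    rmdir(root);
    return result;
}

int main(void) { printf("result mask: %d\n", demo()); return 0; }
```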

3 years ago src/libadacl.c: fix a function name inside perror output.
Michael Orlitzky [Wed, 28 Feb 2018 22:23:41 +0000 (17:23 -0500)]
src/libadacl.c: fix a function name inside perror output.

3 years ago libadacl.c: remove unused acl_get_permset() call in acl_set_entry().
Michael Orlitzky [Wed, 28 Feb 2018 22:17:59 +0000 (17:17 -0500)]
libadacl.c: remove unused acl_get_permset() call in acl_set_entry().

3 years ago bump to version 0.1.4. v0.1.4
Michael Orlitzky [Wed, 28 Feb 2018 15:07:26 +0000 (10:07 -0500)]
bump to version 0.1.4.

3 years ago check for the O_PATH flag in fcntl.h.
Michael Orlitzky [Wed, 28 Feb 2018 15:06:59 +0000 (10:06 -0500)]
check for the O_PATH flag in fcntl.h.

3 years ago src/libadacl.c: mention the O_PATH flag in a comment.
Michael Orlitzky [Wed, 28 Feb 2018 15:06:39 +0000 (10:06 -0500)]
src/libadacl.c: mention the O_PATH flag in a comment.

3 years ago check for the O_DIRECTORY flag in fcntl.h.
Michael Orlitzky [Wed, 28 Feb 2018 14:56:59 +0000 (09:56 -0500)]
check for the O_DIRECTORY flag in fcntl.h.

3 years ago libadacl.c: use O_PATH in safe_open() for added safety.
Michael Orlitzky [Wed, 28 Feb 2018 14:55:25 +0000 (09:55 -0500)]
libadacl.c: use O_PATH in safe_open() for added safety.

3 years ago bump to version 0.1.3. v0.1.3
Michael Orlitzky [Tue, 27 Feb 2018 23:02:59 +0000 (18:02 -0500)]
bump to version 0.1.3.

3 years ago Add various NULL pointer checks for good measure.
Michael Orlitzky [Tue, 27 Feb 2018 23:02:21 +0000 (18:02 -0500)]
Add various NULL pointer checks for good measure.

3 years ago safe_open_ex: remove redundant (pathname == NULL) check.
Michael Orlitzky [Tue, 27 Feb 2018 19:21:11 +0000 (14:21 -0500)]
safe_open_ex: remove redundant (pathname == NULL) check.

3 years ago safe_open_ex: add a comment about why O_PATH doesn't work.
Michael Orlitzky [Tue, 27 Feb 2018 19:20:33 +0000 (14:20 -0500)]
safe_open_ex: add a comment about why O_PATH doesn't work.

3 years ago add more tests for exit codes.
Michael Orlitzky [Tue, 27 Feb 2018 18:48:18 +0000 (13:48 -0500)]
add more tests for exit codes.

3 years ago src/apply-default-acl.c: update the CLI to match documented exit codes.
Michael Orlitzky [Tue, 27 Feb 2018 18:38:23 +0000 (13:38 -0500)]
src/apply-default-acl.c: update the CLI to match documented exit codes.

3 years ago man/apply-default-acl.1: add a note about the --recursive exit codes.
Michael Orlitzky [Tue, 27 Feb 2018 18:22:51 +0000 (13:22 -0500)]
man/apply-default-acl.1: add a note about the --recursive exit codes.

3 years ago add two tests for regular file and symlink exit codes.
Michael Orlitzky [Tue, 27 Feb 2018 18:00:06 +0000 (13:00 -0500)]
add two tests for regular file and symlink exit codes.

3 years ago man/apply-default-acl.1: document the way exit codes are SUPPOSED to work.
Michael Orlitzky [Tue, 27 Feb 2018 17:59:14 +0000 (12:59 -0500)]
man/apply-default-acl.1: document the way exit codes are SUPPOSED to work.

3 years ago doc/man/apply-default-acl.1: remove superfluous line breaks.
Michael Orlitzky [Tue, 27 Feb 2018 14:52:40 +0000 (09:52 -0500)]
doc/man/apply-default-acl.1: remove superfluous line breaks.

3 years ago bump to version 0.1.2. v0.1.2
Michael Orlitzky [Tue, 27 Feb 2018 00:17:02 +0000 (19:17 -0500)]
bump to version 0.1.2.

3 years ago src/libadacl.h: add missing includes for "bool" and "struct stat" types.
Michael Orlitzky [Tue, 27 Feb 2018 00:08:38 +0000 (19:08 -0500)]
src/libadacl.h: add missing includes for "bool" and "struct stat" types.

3 years ago use xz for distfiles.
Michael Orlitzky [Mon, 26 Feb 2018 22:41:42 +0000 (17:41 -0500)]
use xz for distfiles.

3 years ago bump to version 0.1.1. v0.1.1
Michael Orlitzky [Mon, 26 Feb 2018 22:38:05 +0000 (17:38 -0500)]
bump to version 0.1.1.

3 years ago libadacl: add error checking when we open() the filesystem root.
Michael Orlitzky [Mon, 26 Feb 2018 22:36:24 +0000 (17:36 -0500)]
libadacl: add error checking when we open() the filesystem root.

3 years ago bump to version 0.1.0. v0.1.0
Michael Orlitzky [Mon, 26 Feb 2018 20:00:47 +0000 (15:00 -0500)]
bump to version 0.1.0.

3 years ago remove pointless comment at the top of the file.
Michael Orlitzky [Mon, 26 Feb 2018 20:00:18 +0000 (15:00 -0500)]
remove pointless comment at the top of the file.

3 years ago add checks for openat() and O_NOFOLLOW.
Michael Orlitzky [Mon, 26 Feb 2018 19:56:00 +0000 (14:56 -0500)]
add checks for openat() and O_NOFOLLOW.