4 * @brief The adacl (apply default acl) shared library.
8 /* Enables get_current_dir_name() in unistd.h */
11 #include <errno.h> /* ELOOP, EINVAL, etc. */
12 #include <fcntl.h> /* openat() */
13 #include <libgen.h> /* basename(), dirname() */
14 #include <limits.h> /* PATH_MAX */
15 #include <stdbool.h> /* the "bool" type */
16 #include <stdio.h> /* perror(), snprintf() */
17 #include <stdlib.h> /* free() */
18 #include <string.h> /* strdup() */
19 #include <sys/stat.h> /* fstat() */
20 #include <unistd.h> /* get_current_dir_name() */
23 #include <acl/libacl.h> /* acl_get_perm, not portable */
24 #include <sys/acl.h> /* all other acl_foo functions */
30 * @brief The recursive portion of the @c safe_open function, used to
31 * open a file descriptor in a symlink-safe way when combined with
32 * the @c O_NOFOLLOW flag.
35 * A file descriptor relative to which @c pathname will be opened.
38 * The path to the file/directory/whatever whose descriptor you want.
40 * @return a file descriptor for @c pathname if everything goes well,
41 * and @c OPEN_ERROR if not.
43 int safe_open_ex(int at_fd
, char* pathname
, int flags
) {
44 if (pathname
!= NULL
&& strlen(pathname
) == 0) {
45 /* Oops, went one level to deep with nothing to do. */
49 char* firstslash
= strchr(pathname
, '/');
50 if (firstslash
== NULL
) {
51 /* No more slashes, this is the base case. */
52 int r
= openat(at_fd
, pathname
, flags
);
56 /* Temporarily disable the slash, so that the subsequent call to
57 openat() opens only the next directory (and doesn't recurse). */
59 int fd
= safe_open_ex(at_fd
, pathname
, flags
);
60 if (fd
== OPEN_ERROR
) {
62 /* Don't output anything if we ignore a symlink */
63 perror("safe_open_ex (safe_open_ex)");
68 /* The ++ is safe because there needs to be at least a null byte
69 after the first slash, even if it's the last real character in
71 int result
= safe_open_ex(fd
, firstslash
+1, flags
);
72 if (close(fd
) == CLOSE_ERROR
) {
73 perror("safe_open_ex (close)");
81 * @brief A version of @c open that is completely symlink-safe when
82 * used with the @c O_NOFOLLOW flag.
84 * The @c openat function exists to ensure that you can anchor one
85 * path to a particular directory while opening it; however, if you
86 * open "b/c/d" relative to "/a", then even the @c openat function will
87 * still follow symlinks in the "b" component. This can be exploited
88 * by an attacker to make you open the wrong path.
90 * To avoid that problem, this function uses a recursive
91 * implementation that opens every path from the root, one level at a
92 * time. So "a" is opened relative to "/", and then "b" is opened
93 * relative to "/a", and then "c" is opened relative to "/a/b",
94 * etc. When the @c O_NOFOLLOW flag is used, this approach ensures
95 * that no symlinks in any component are followed.
98 * The path to the file/directory/whatever whose descriptor you want.
100 * @return a file descriptor for @c pathname if everything goes well,
101 * and @c OPEN_ERROR if not.
103 int safe_open(const char* pathname
, int flags
) {
104 if (pathname
== NULL
|| strlen(pathname
) == 0 || pathname
[0] == '\0') {
109 char abspath
[PATH_MAX
];
110 int snprintf_result
= 0;
111 if (strchr(pathname
, '/') == pathname
) {
112 /* pathname is already absolute; just copy it. */
113 snprintf_result
= snprintf(abspath
, PATH_MAX
, "%s", pathname
);
116 /* Concatenate the current working directory and pathname into an
117 * absolute path. We use realpath() ONLY on the cwd part, and not
118 * on the pathname part, because realpath() resolves symlinks. And
119 * the whole point of all this crap is to avoid following symlinks
122 * Using realpath() on the cwd lets us operate on relative paths
123 * while we're sitting in a directory that happens to have a
124 * symlink in it; for example: cd /var/run && apply-default-acl foo.
126 char* cwd
= get_current_dir_name();
128 perror("safe_open (get_current_dir_name)");
132 char abs_cwd
[PATH_MAX
];
133 if (realpath(cwd
, abs_cwd
) == NULL
) {
134 perror("safe_open (realpath)");
138 snprintf_result
= snprintf(abspath
, PATH_MAX
, "%s/%s", abs_cwd
, pathname
);
141 if (snprintf_result
== SNPRINTF_ERROR
|| snprintf_result
> PATH_MAX
) {
142 perror("safe_open (snprintf)");
146 int fd
= open("/", flags
);
147 if (strcmp(abspath
, "/") == 0) {
151 int result
= safe_open_ex(fd
, abspath
+1, flags
);
152 if (close(fd
) == CLOSE_ERROR
) {
153 perror("safe_open (close)");
163 * @brief Update (or create) an entry in an @b minimal ACL.
165 * This function will not work if @c aclp contains extended
166 * entries. This is fine for our purposes, since we call @c wipe_acls
167 * on each path before applying the default to it.
169 * The assumption that there are no extended entries makes things much
170 * simpler. For example, we only have to update the @c ACL_USER_OBJ,
171 * @c ACL_GROUP_OBJ, and @c ACL_OTHER entries -- all others can simply
172 * be created anew. This means we don't have to fool around comparing
173 * named-user/group entries.
176 * A pointer to the acl_t structure whose entry we want to modify.
179 * The new entry. If @c entry contains a user/group/other entry, we
180 * update the existing one. Otherwise we create a new entry.
182 * @return If there is an unexpected library error, @c ACL_ERROR is
183 * returned. Otherwise, @c ACL_SUCCESS.
186 int acl_set_entry(acl_t
* aclp
, acl_entry_t entry
) {
189 if (acl_get_tag_type(entry
, &entry_tag
) == ACL_ERROR
) {
190 perror("acl_set_entry (acl_get_tag_type)");
194 acl_permset_t entry_permset
;
195 if (acl_get_permset(entry
, &entry_permset
) == ACL_ERROR
) {
196 perror("acl_set_entry (acl_get_permset)");
200 acl_entry_t existing_entry
;
201 /* Loop through the given ACL looking for matching entries. */
202 int result
= acl_get_entry(*aclp
, ACL_FIRST_ENTRY
, &existing_entry
);
204 while (result
== ACL_SUCCESS
) {
205 acl_tag_t existing_tag
= ACL_UNDEFINED_TAG
;
207 if (acl_get_tag_type(existing_entry
, &existing_tag
) == ACL_ERROR
) {
208 perror("set_acl_tag_permset (acl_get_tag_type)");
212 if (existing_tag
== entry_tag
) {
213 if (entry_tag
== ACL_USER_OBJ
||
214 entry_tag
== ACL_GROUP_OBJ
||
215 entry_tag
== ACL_OTHER
) {
216 /* Only update for these three since all other tags will have
217 been wiped. These three are guaranteed to exist, so if we
218 match one of them, we're allowed to return ACL_SUCCESS
219 below and bypass the rest of the function. */
220 acl_permset_t existing_permset
;
221 if (acl_get_permset(existing_entry
, &existing_permset
) == ACL_ERROR
) {
222 perror("acl_set_entry (acl_get_permset)");
226 if (acl_set_permset(existing_entry
, entry_permset
) == ACL_ERROR
) {
227 perror("acl_set_entry (acl_set_permset)");
236 result
= acl_get_entry(*aclp
, ACL_NEXT_ENTRY
, &existing_entry
);
239 /* This catches both the initial acl_get_entry and the ones at the
241 if (result
== ACL_ERROR
) {
242 perror("acl_set_entry (acl_get_entry)");
246 /* If we've made it this far, we need to add a new entry to the
248 acl_entry_t new_entry
;
250 /* The acl_create_entry() function can allocate new memory and/or
251 * change the location of the ACL structure entirely. When that
252 * happens, the value pointed to by aclp is updated, which means
253 * that a new acl_t gets "passed out" to our caller, eventually to
254 * be fed to acl_free(). In other words, we should still be freeing
255 * the right thing, even if the value pointed to by aclp changes.
257 if (acl_create_entry(aclp
, &new_entry
) == ACL_ERROR
) {
258 perror("acl_set_entry (acl_create_entry)");
262 if (acl_set_tag_type(new_entry
, entry_tag
) == ACL_ERROR
) {
263 perror("acl_set_entry (acl_set_tag_type)");
267 if (acl_set_permset(new_entry
, entry_permset
) == ACL_ERROR
) {
268 perror("acl_set_entry (acl_set_permset)");
272 if (entry_tag
== ACL_USER
|| entry_tag
== ACL_GROUP
) {
273 /* We need to set the qualifier too. */
274 void* entry_qual
= acl_get_qualifier(entry
);
275 if (entry_qual
== (void*)NULL
) {
276 perror("acl_set_entry (acl_get_qualifier)");
280 if (acl_set_qualifier(new_entry
, entry_qual
) == ACL_ERROR
) {
281 perror("acl_set_entry (acl_set_qualifier)");
292 * @brief Determine the number of entries in the given ACL.
295 * The ACL to inspect.
297 * @return Either the non-negative number of entries in @c acl, or
298 * @c ACL_ERROR on error.
300 int acl_entry_count(acl_t acl
) {
304 int result
= acl_get_entry(acl
, ACL_FIRST_ENTRY
, &entry
);
306 while (result
== ACL_SUCCESS
) {
308 result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
311 if (result
== ACL_ERROR
) {
312 perror("acl_entry_count (acl_get_entry)");
322 * @brief Determine whether or not the given ACL is minimal.
324 * An ACL is minimal if it has fewer than four entries.
327 * The ACL whose minimality is in question.
330 * - @c ACL_SUCCESS - @c acl is minimal
331 * - @c ACL_FAILURE - @c acl is not minimal
332 * - @c ACL_ERROR - Unexpected library error
334 int acl_is_minimal(acl_t acl
) {
336 int ec
= acl_entry_count(acl
);
338 if (ec
== ACL_ERROR
) {
339 perror("acl_is_minimal (acl_entry_count)");
354 * @brief Determine whether the given ACL's mask denies execute.
357 * The ACL whose mask we want to check.
360 * - @c ACL_SUCCESS - The @c acl has a mask which denies execute.
361 * - @c ACL_FAILURE - The @c acl has a mask which does not deny execute.
362 * - @c ACL_ERROR - Unexpected library error.
364 int acl_execute_masked(acl_t acl
) {
367 int ge_result
= acl_get_entry(acl
, ACL_FIRST_ENTRY
, &entry
);
369 while (ge_result
== ACL_SUCCESS
) {
370 acl_tag_t tag
= ACL_UNDEFINED_TAG
;
372 if (acl_get_tag_type(entry
, &tag
) == ACL_ERROR
) {
373 perror("acl_execute_masked (acl_get_tag_type)");
377 if (tag
== ACL_MASK
) {
378 /* This is the mask entry, get its permissions, and see if
379 execute is specified. */
380 acl_permset_t permset
;
382 if (acl_get_permset(entry
, &permset
) == ACL_ERROR
) {
383 perror("acl_execute_masked (acl_get_permset)");
387 int gp_result
= acl_get_perm(permset
, ACL_EXECUTE
);
388 if (gp_result
== ACL_ERROR
) {
389 perror("acl_execute_masked (acl_get_perm)");
393 if (gp_result
== ACL_FAILURE
) {
394 /* No execute bit set in the mask; execute not allowed. */
399 ge_result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
408 * @brief Determine whether @c fd is executable by anyone.
411 * This is used as part of the heuristic to determine whether or not
412 * we should mask the execute bit when inheriting an ACL. If @c fd
413 * describes a file, we check the @a effective permissions, contrary
414 * to what setfacl does.
417 * The file descriptor to check.
420 * A pointer to a stat structure for @c fd.
423 * - @c ACL_SUCCESS - Someone has effective execute permissions on @c fd.
424 * - @c ACL_FAILURE - Nobody can execute @c fd.
425 * - @c ACL_ERROR - Unexpected library error.
427 int any_can_execute(int fd
, const struct stat
* sp
) {
428 acl_t acl
= acl_get_fd(fd
);
430 if (acl
== (acl_t
)NULL
) {
431 perror("any_can_execute (acl_get_file)");
435 /* Our return value. */
436 int result
= ACL_FAILURE
;
438 if (acl_is_minimal(acl
)) {
439 if (sp
->st_mode
& (S_IXUSR
| S_IXOTH
| S_IXGRP
)) {
440 result
= ACL_SUCCESS
;
444 result
= ACL_FAILURE
;
450 int ge_result
= acl_get_entry(acl
, ACL_FIRST_ENTRY
, &entry
);
452 while (ge_result
== ACL_SUCCESS
) {
453 /* The first thing we do is check to see if this is a mask
454 entry. If it is, we skip it entirely. */
455 acl_tag_t tag
= ACL_UNDEFINED_TAG
;
457 if (acl_get_tag_type(entry
, &tag
) == ACL_ERROR
) {
458 perror("any_can_execute_or (acl_get_tag_type)");
463 if (tag
== ACL_MASK
) {
464 ge_result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
468 /* Ok, so it's not a mask entry. Check the execute perms. */
469 acl_permset_t permset
;
471 if (acl_get_permset(entry
, &permset
) == ACL_ERROR
) {
472 perror("any_can_execute_or (acl_get_permset)");
477 int gp_result
= acl_get_perm(permset
, ACL_EXECUTE
);
478 if (gp_result
== ACL_ERROR
) {
479 perror("any_can_execute (acl_get_perm)");
484 if (gp_result
== ACL_SUCCESS
) {
485 /* Only return ACL_SUCCESS if this execute bit is not masked. */
486 if (acl_execute_masked(acl
) != ACL_SUCCESS
) {
487 result
= ACL_SUCCESS
;
492 ge_result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
495 if (ge_result
== ACL_ERROR
) {
496 perror("any_can_execute (acl_get_entry)");
509 * @brief Set @c acl as the default ACL on @c path.
511 * This overwrites any existing default ACL on @c path. If @c path is
512 * not a directory, we return ACL_ERROR and @c errno is set.
515 * The target directory whose ACL we wish to replace or create.
518 * The ACL to set as default on @c path.
521 * - @c ACL_SUCCESS - The default ACL was assigned successfully.
522 * - @c ACL_ERROR - Unexpected library error.
524 int assign_default_acl(const char* path
, acl_t acl
) {
528 perror("assign_default_acl (args)");
532 /* Our return value; success unless something bad happens. */
533 int result
= ACL_SUCCESS
;
534 acl_t path_acl
= acl_dup(acl
);
536 if (path_acl
== (acl_t
)NULL
) {
537 perror("assign_default_acl (acl_dup)");
538 return ACL_ERROR
; /* Nothing to clean up in this case. */
541 if (acl_set_file(path
, ACL_TYPE_DEFAULT
, path_acl
) == ACL_ERROR
) {
542 perror("assign_default_acl (acl_set_file)");
553 * @brief Remove all @c ACL_TYPE_ACCESS entries from the given file
554 * descriptor, leaving the UNIX permission bits.
557 * The file descriptor whose ACLs we want to wipe.
560 * - @c ACL_SUCCESS - The ACLs were wiped successfully, or none
561 * existed in the first place.
562 * - @c ACL_ERROR - Unexpected library error.
564 int wipe_acls(int fd
) {
565 /* Initialize an empty ACL, and then overwrite the one on "fd" with it. */
566 acl_t empty_acl
= acl_init(0);
568 if (empty_acl
== (acl_t
)NULL
) {
569 perror("wipe_acls (acl_init)");
573 if (acl_set_fd(fd
, empty_acl
) == ACL_ERROR
) {
574 perror("wipe_acls (acl_set_fd)");
586 * @brief Apply parent default ACL to a path.
588 * This overwrites any existing ACLs on @c path.
591 * The path whose ACL we would like to reset to its default.
594 * A pointer to a stat structure for @c path, or @c NULL if you don't
597 * @param no_exec_mask
598 * The value (either true or false) of the --no-exec-mask flag.
601 * - @c ACL_SUCCESS - The parent default ACL was inherited successfully.
602 * - @c ACL_FAILURE - The target path is not a regular file/directory,
603 * or the parent of @c path is not a directory.
604 * - @c ACL_ERROR - Unexpected library error.
606 int apply_default_acl(const char* path
,
607 const struct stat
* sp
,
612 perror("apply_default_acl (args)");
616 /* Define these next three variables here because we may have to
617 * jump to the cleanup routine which expects them to exist.
620 /* Our return value. */
621 int result
= ACL_SUCCESS
;
623 /* The default ACL on path's parent directory */
624 acl_t defacl
= (acl_t
)NULL
;
626 /* The file descriptor corresponding to "path" */
629 /* Get the parent directory of "path" with dirname(), which happens
630 * to murder its argument and necessitates a path_copy.
632 char* path_copy
= strdup(path
);
633 if (path_copy
== NULL
) {
634 perror("apply_default_acl (strdup)");
637 char* parent
= dirname(path_copy
);
639 fd
= safe_open(path
, O_NOFOLLOW
);
640 if (fd
== OPEN_ERROR
) {
641 if (errno
== ELOOP
) {
642 result
= ACL_FAILURE
; /* hit a symlink */
646 perror("apply_default_acl (open fd)");
653 /* Refuse to operate on hard links, which can be abused by an
654 * attacker to trick us into changing the ACL on a file we didn't
655 * intend to; namely the "target" of the hard link. There is TOCTOU
656 * race condition here, but the window is as small as possible
657 * between when we open the file descriptor (look above) and when we
660 * Note: we only need to call fstat ourselves if we weren't passed a
661 * valid pointer to a stat structure (nftw does that).
665 if (fstat(fd
, &s
) == STAT_ERROR
) {
666 perror("apply_default_acl (fstat)");
673 if (!S_ISDIR(sp
->st_mode
)) {
674 /* If it's not a directory, make sure it's a regular,
675 non-hard-linked file. */
676 if (!S_ISREG(sp
->st_mode
) || sp
->st_nlink
!= 1) {
677 result
= ACL_FAILURE
;
683 /* Default to not masking the exec bit; i.e. applying the default
684 ACL literally. If --no-exec-mask was not specified, then we try
685 to "guess" whether or not to mask the exec bit. This behavior
686 is modeled after the capital 'X' perms of setfacl. */
687 bool allow_exec
= true;
690 /* Never mask the execute bit on directories. */
691 int ace_result
= any_can_execute(fd
,sp
) || S_ISDIR(sp
->st_mode
);
693 if (ace_result
== ACL_ERROR
) {
694 perror("apply_default_acl (any_can_execute)");
699 allow_exec
= (bool)ace_result
;
702 defacl
= acl_get_file(parent
, ACL_TYPE_DEFAULT
);
704 if (defacl
== (acl_t
)NULL
) {
705 perror("apply_default_acl (acl_get_file)");
710 if (wipe_acls(fd
) == ACL_ERROR
) {
711 perror("apply_default_acl (wipe_acls)");
716 /* Do this after wipe_acls(), otherwise we'll overwrite the wiped
717 ACL with this one. */
718 acl_t acl
= acl_get_fd(fd
);
719 if (acl
== (acl_t
)NULL
) {
720 perror("apply_default_acl (acl_get_fd)");
725 /* If it's a directory, inherit the parent's default. We sure hope
726 * that "path" still points to the same thing that "fd" and this
727 * "sp" describe. If not, we may wind up trying to set a default ACL
728 * on a file, and this will throw an error. I guess that's what we
731 if (S_ISDIR(sp
->st_mode
) && assign_default_acl(path
, defacl
) == ACL_ERROR
) {
732 perror("apply_default_acl (assign_default_acl)");
738 int ge_result
= acl_get_entry(defacl
, ACL_FIRST_ENTRY
, &entry
);
740 while (ge_result
== ACL_SUCCESS
) {
741 acl_tag_t tag
= ACL_UNDEFINED_TAG
;
743 if (acl_get_tag_type(entry
, &tag
) == ACL_ERROR
) {
744 perror("apply_default_acl (acl_get_tag_type)");
750 /* We've got an entry/tag from the default ACL. Get its permset. */
751 acl_permset_t permset
;
752 if (acl_get_permset(entry
, &permset
) == ACL_ERROR
) {
753 perror("apply_default_acl (acl_get_permset)");
758 /* If this is a default mask, fix it up. */
759 if (tag
== ACL_MASK
||
760 tag
== ACL_USER_OBJ
||
761 tag
== ACL_GROUP_OBJ
||
765 /* The mask doesn't affect acl_user_obj, acl_group_obj (in
766 minimal ACLs) or acl_other entries, so if execute should be
767 masked, we have to do it manually. */
768 if (acl_delete_perm(permset
, ACL_EXECUTE
) == ACL_ERROR
) {
769 perror("apply_default_acl (acl_delete_perm)");
774 if (acl_set_permset(entry
, permset
) == ACL_ERROR
) {
775 perror("apply_default_acl (acl_set_permset)");
782 /* Finally, add the permset to the access ACL. It's actually
783 * important that we pass in the address of "acl" here, and not
784 * "acl" itself. Why? The call to acl_create_entry() within
785 * acl_set_entry() can allocate new memory for the entry.
786 * Sometimes that can be done in-place, in which case everything
787 * is cool and the new memory gets released when we call
790 * But occasionally, the whole ACL structure will have to be moved
791 * in order to allocate the extra space. When that happens,
792 * acl_create_entry() modifies the pointer it was passed (in this
793 * case, &acl) to point to the new location. We want to call
794 * acl_free() on the new location, and since acl_free() gets
795 * called right here, we need acl_create_entry() to update the
796 * value of "acl". To do that, it needs the address of "acl".
798 if (acl_set_entry(&acl
, entry
) == ACL_ERROR
) {
799 perror("apply_default_acl (acl_set_entry)");
804 ge_result
= acl_get_entry(defacl
, ACL_NEXT_ENTRY
, &entry
);
807 /* Catches the first acl_get_entry as well as the ones at the end of
809 if (ge_result
== ACL_ERROR
) {
810 perror("apply_default_acl (acl_get_entry)");
815 if (acl_set_fd(fd
, acl
) == ACL_ERROR
) {
816 perror("apply_default_acl (acl_set_fd)");
823 if (defacl
!= (acl_t
)NULL
) {
826 if (fd
>= 0 && close(fd
) == CLOSE_ERROR
) {
827 perror("apply_default_acl (close)");