4 * @brief The adacl (apply default acl) shared library.
8 /* Enables get_current_dir_name() in unistd.h */
11 #include <errno.h> /* ELOOP, EINVAL, etc. */
12 #include <fcntl.h> /* openat() */
13 #include <libgen.h> /* basename(), dirname() */
14 #include <limits.h> /* PATH_MAX */
15 #include <stdbool.h> /* the "bool" type */
16 #include <stdio.h> /* perror(), snprintf() */
17 #include <stdlib.h> /* free() */
18 #include <string.h> /* strdup() */
19 #include <sys/stat.h> /* fstat() */
20 #include <unistd.h> /* get_current_dir_name() */
23 #include <acl/libacl.h> /* acl_get_perm, not portable */
24 #include <sys/acl.h> /* all other acl_foo functions */
29 /* Even though most other library functions reliably return -1 for
30 * error, it feels a little wrong to re-use the ACL_ERROR constant.
32 #define CLOSE_ERROR -1
34 #define SNPRINTF_ERROR -1
39 * @brief The recursive portion of the @c safe_open function, used to
40 * open a file descriptor in a symlink-safe way when combined with
41 * the @c O_NOFOLLOW flag.
44 * A file descriptor relative to which @c pathname will be opened.
47 * The path to the file/directory/whatever whose descriptor you want.
49 * @return a file descriptor for @c pathname if everything goes well,
50 * and @c OPEN_ERROR if not.
52 int safe_open_ex(int at_fd
, char* pathname
, int flags
) {
53 if (pathname
!= NULL
&& strlen(pathname
) == 0) {
54 /* Oops, went one level to deep with nothing to do. */
58 char* firstslash
= strchr(pathname
, '/');
59 if (firstslash
== NULL
) {
60 /* No more slashes, this is the base case. */
61 int r
= openat(at_fd
, pathname
, flags
);
65 /* Temporarily disable the slash, so that the subsequent call to
66 openat() opens only the next directory (and doesn't recurse). */
68 int fd
= safe_open_ex(at_fd
, pathname
, flags
);
69 if (fd
== OPEN_ERROR
) {
71 /* Don't output anything if we ignore a symlink */
72 perror("safe_open_ex (safe_open_ex)");
77 /* The ++ is safe because there needs to be at least a null byte
78 after the first slash, even if it's the last real character in
80 int result
= safe_open_ex(fd
, firstslash
+1, flags
);
81 if (close(fd
) == CLOSE_ERROR
) {
82 perror("safe_open_ex (close)");
90 * @brief A version of @c open that is completely symlink-safe when
91 * used with the @c O_NOFOLLOW flag.
93 * The @c openat function exists to ensure that you can anchor one
94 * path to a particular directory while opening it; however, if you
95 * open "b/c/d" relative to "/a", then even the @c openat function will
96 * still follow symlinks in the "b" component. This can be exploited
97 * by an attacker to make you open the wrong path.
99 * To avoid that problem, this function uses a recursive
100 * implementation that opens every path from the root, one level at a
101 * time. So "a" is opened relative to "/", and then "b" is opened
102 * relative to "/a", and then "c" is opened relative to "/a/b",
103 * etc. When the @c O_NOFOLLOW flag is used, this approach ensures
104 * that no symlinks in any component are followed.
107 * The path to the file/directory/whatever whose descriptor you want.
109 * @return a file descriptor for @c pathname if everything goes well,
110 * and @c OPEN_ERROR if not.
112 int safe_open(const char* pathname
, int flags
) {
113 if (pathname
== NULL
|| strlen(pathname
) == 0 || pathname
[0] == '\0') {
115 perror("safe_open (args)");
119 char abspath
[PATH_MAX
];
120 int snprintf_result
= 0;
121 if (strchr(pathname
, '/') == pathname
) {
122 /* pathname is already absolute; just copy it. */
123 snprintf_result
= snprintf(abspath
, PATH_MAX
, "%s", pathname
);
126 /* Concatenate the current working directory and pathname into an
127 * absolute path. We use realpath() ONLY on the cwd part, and not
128 * on the pathname part, because realpath() resolves symlinks. And
129 * the whole point of all this crap is to avoid following symlinks
132 * Using realpath() on the cwd lets us operate on relative paths
133 * while we're sitting in a directory that happens to have a
134 * symlink in it; for example: cd /var/run && apply-default-acl foo.
136 char* cwd
= get_current_dir_name();
138 perror("safe_open (get_current_dir_name)");
142 char abs_cwd
[PATH_MAX
];
143 if (realpath(cwd
, abs_cwd
) == NULL
) {
144 perror("safe_open (realpath)");
148 snprintf_result
= snprintf(abspath
, PATH_MAX
, "%s/%s", abs_cwd
, pathname
);
151 if (snprintf_result
== SNPRINTF_ERROR
|| snprintf_result
> PATH_MAX
) {
152 perror("safe_open (snprintf)");
156 int fd
= open("/", flags
);
157 if (strcmp(abspath
, "/") == 0) {
161 int result
= safe_open_ex(fd
, abspath
+1, flags
);
162 if (close(fd
) == CLOSE_ERROR
) {
163 perror("safe_open (close)");
173 * @brief Update (or create) an entry in an @b minimal ACL.
175 * This function will not work if @c aclp contains extended
176 * entries. This is fine for our purposes, since we call @c wipe_acls
177 * on each path before applying the default to it.
179 * The assumption that there are no extended entries makes things much
180 * simpler. For example, we only have to update the @c ACL_USER_OBJ,
181 * @c ACL_GROUP_OBJ, and @c ACL_OTHER entries -- all others can simply
182 * be created anew. This means we don't have to fool around comparing
183 * named-user/group entries.
186 * A pointer to the acl_t structure whose entry we want to modify.
189 * The new entry. If @c entry contains a user/group/other entry, we
190 * update the existing one. Otherwise we create a new entry.
192 * @return If there is an unexpected library error, @c ACL_ERROR is
193 * returned. Otherwise, @c ACL_SUCCESS.
196 int acl_set_entry(acl_t
* aclp
, acl_entry_t entry
) {
199 if (acl_get_tag_type(entry
, &entry_tag
) == ACL_ERROR
) {
200 perror("acl_set_entry (acl_get_tag_type)");
204 acl_permset_t entry_permset
;
205 if (acl_get_permset(entry
, &entry_permset
) == ACL_ERROR
) {
206 perror("acl_set_entry (acl_get_permset)");
210 acl_entry_t existing_entry
;
211 /* Loop through the given ACL looking for matching entries. */
212 int result
= acl_get_entry(*aclp
, ACL_FIRST_ENTRY
, &existing_entry
);
214 while (result
== ACL_SUCCESS
) {
215 acl_tag_t existing_tag
= ACL_UNDEFINED_TAG
;
217 if (acl_get_tag_type(existing_entry
, &existing_tag
) == ACL_ERROR
) {
218 perror("set_acl_tag_permset (acl_get_tag_type)");
222 if (existing_tag
== entry_tag
) {
223 if (entry_tag
== ACL_USER_OBJ
||
224 entry_tag
== ACL_GROUP_OBJ
||
225 entry_tag
== ACL_OTHER
) {
226 /* Only update for these three since all other tags will have
227 been wiped. These three are guaranteed to exist, so if we
228 match one of them, we're allowed to return ACL_SUCCESS
229 below and bypass the rest of the function. */
230 acl_permset_t existing_permset
;
231 if (acl_get_permset(existing_entry
, &existing_permset
) == ACL_ERROR
) {
232 perror("acl_set_entry (acl_get_permset)");
236 if (acl_set_permset(existing_entry
, entry_permset
) == ACL_ERROR
) {
237 perror("acl_set_entry (acl_set_permset)");
246 result
= acl_get_entry(*aclp
, ACL_NEXT_ENTRY
, &existing_entry
);
249 /* This catches both the initial acl_get_entry and the ones at the
251 if (result
== ACL_ERROR
) {
252 perror("acl_set_entry (acl_get_entry)");
256 /* If we've made it this far, we need to add a new entry to the
258 acl_entry_t new_entry
;
260 /* The acl_create_entry() function can allocate new memory and/or
261 * change the location of the ACL structure entirely. When that
262 * happens, the value pointed to by aclp is updated, which means
263 * that a new acl_t gets "passed out" to our caller, eventually to
264 * be fed to acl_free(). In other words, we should still be freeing
265 * the right thing, even if the value pointed to by aclp changes.
267 if (acl_create_entry(aclp
, &new_entry
) == ACL_ERROR
) {
268 perror("acl_set_entry (acl_create_entry)");
272 if (acl_set_tag_type(new_entry
, entry_tag
) == ACL_ERROR
) {
273 perror("acl_set_entry (acl_set_tag_type)");
277 if (acl_set_permset(new_entry
, entry_permset
) == ACL_ERROR
) {
278 perror("acl_set_entry (acl_set_permset)");
282 if (entry_tag
== ACL_USER
|| entry_tag
== ACL_GROUP
) {
283 /* We need to set the qualifier too. */
284 void* entry_qual
= acl_get_qualifier(entry
);
285 if (entry_qual
== (void*)NULL
) {
286 perror("acl_set_entry (acl_get_qualifier)");
290 if (acl_set_qualifier(new_entry
, entry_qual
) == ACL_ERROR
) {
291 perror("acl_set_entry (acl_set_qualifier)");
302 * @brief Determine the number of entries in the given ACL.
305 * The ACL to inspect.
307 * @return Either the non-negative number of entries in @c acl, or
308 * @c ACL_ERROR on error.
310 int acl_entry_count(acl_t acl
) {
314 int result
= acl_get_entry(acl
, ACL_FIRST_ENTRY
, &entry
);
316 while (result
== ACL_SUCCESS
) {
318 result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
321 if (result
== ACL_ERROR
) {
322 perror("acl_entry_count (acl_get_entry)");
332 * @brief Determine whether or not the given ACL is minimal.
334 * An ACL is minimal if it has fewer than four entries.
337 * The ACL whose minimality is in question.
340 * - @c ACL_SUCCESS - @c acl is minimal
341 * - @c ACL_FAILURE - @c acl is not minimal
342 * - @c ACL_ERROR - Unexpected library error
344 int acl_is_minimal(acl_t acl
) {
346 int ec
= acl_entry_count(acl
);
348 if (ec
== ACL_ERROR
) {
349 perror("acl_is_minimal (acl_entry_count)");
364 * @brief Determine whether the given ACL's mask denies execute.
367 * The ACL whose mask we want to check.
370 * - @c ACL_SUCCESS - The @c acl has a mask which denies execute.
371 * - @c ACL_FAILURE - The @c acl has a mask which does not deny execute.
372 * - @c ACL_ERROR - Unexpected library error.
374 int acl_execute_masked(acl_t acl
) {
377 int ge_result
= acl_get_entry(acl
, ACL_FIRST_ENTRY
, &entry
);
379 while (ge_result
== ACL_SUCCESS
) {
380 acl_tag_t tag
= ACL_UNDEFINED_TAG
;
382 if (acl_get_tag_type(entry
, &tag
) == ACL_ERROR
) {
383 perror("acl_execute_masked (acl_get_tag_type)");
387 if (tag
== ACL_MASK
) {
388 /* This is the mask entry, get its permissions, and see if
389 execute is specified. */
390 acl_permset_t permset
;
392 if (acl_get_permset(entry
, &permset
) == ACL_ERROR
) {
393 perror("acl_execute_masked (acl_get_permset)");
397 int gp_result
= acl_get_perm(permset
, ACL_EXECUTE
);
398 if (gp_result
== ACL_ERROR
) {
399 perror("acl_execute_masked (acl_get_perm)");
403 if (gp_result
== ACL_FAILURE
) {
404 /* No execute bit set in the mask; execute not allowed. */
409 ge_result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
418 * @brief Determine whether @c fd is executable by anyone.
421 * This is used as part of the heuristic to determine whether or not
422 * we should mask the execute bit when inheriting an ACL. If @c fd
423 * describes a file, we check the @a effective permissions, contrary
424 * to what setfacl does.
427 * The file descriptor to check.
430 * A pointer to a stat structure for @c fd.
433 * - @c ACL_SUCCESS - Someone has effective execute permissions on @c fd.
434 * - @c ACL_FAILURE - Nobody can execute @c fd.
435 * - @c ACL_ERROR - Unexpected library error.
437 int any_can_execute(int fd
, const struct stat
* sp
) {
438 acl_t acl
= acl_get_fd(fd
);
440 if (acl
== (acl_t
)NULL
) {
441 perror("any_can_execute (acl_get_file)");
445 /* Our return value. */
446 int result
= ACL_FAILURE
;
448 if (acl_is_minimal(acl
)) {
449 if (sp
->st_mode
& (S_IXUSR
| S_IXOTH
| S_IXGRP
)) {
450 result
= ACL_SUCCESS
;
454 result
= ACL_FAILURE
;
460 int ge_result
= acl_get_entry(acl
, ACL_FIRST_ENTRY
, &entry
);
462 while (ge_result
== ACL_SUCCESS
) {
463 /* The first thing we do is check to see if this is a mask
464 entry. If it is, we skip it entirely. */
465 acl_tag_t tag
= ACL_UNDEFINED_TAG
;
467 if (acl_get_tag_type(entry
, &tag
) == ACL_ERROR
) {
468 perror("any_can_execute_or (acl_get_tag_type)");
473 if (tag
== ACL_MASK
) {
474 ge_result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
478 /* Ok, so it's not a mask entry. Check the execute perms. */
479 acl_permset_t permset
;
481 if (acl_get_permset(entry
, &permset
) == ACL_ERROR
) {
482 perror("any_can_execute_or (acl_get_permset)");
487 int gp_result
= acl_get_perm(permset
, ACL_EXECUTE
);
488 if (gp_result
== ACL_ERROR
) {
489 perror("any_can_execute (acl_get_perm)");
494 if (gp_result
== ACL_SUCCESS
) {
495 /* Only return ACL_SUCCESS if this execute bit is not masked. */
496 if (acl_execute_masked(acl
) != ACL_SUCCESS
) {
497 result
= ACL_SUCCESS
;
502 ge_result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
505 if (ge_result
== ACL_ERROR
) {
506 perror("any_can_execute (acl_get_entry)");
519 * @brief Set @c acl as the default ACL on @c path.
521 * This overwrites any existing default ACL on @c path. If @c path is
522 * not a directory, we return ACL_ERROR and @c errno is set.
525 * The target directory whose ACL we wish to replace or create.
528 * The ACL to set as default on @c path.
531 * - @c ACL_SUCCESS - The default ACL was assigned successfully.
532 * - @c ACL_ERROR - Unexpected library error.
534 int assign_default_acl(const char* path
, acl_t acl
) {
538 perror("assign_default_acl (args)");
542 /* Our return value; success unless something bad happens. */
543 int result
= ACL_SUCCESS
;
544 acl_t path_acl
= acl_dup(acl
);
546 if (path_acl
== (acl_t
)NULL
) {
547 perror("assign_default_acl (acl_dup)");
548 return ACL_ERROR
; /* Nothing to clean up in this case. */
551 if (acl_set_file(path
, ACL_TYPE_DEFAULT
, path_acl
) == ACL_ERROR
) {
552 perror("assign_default_acl (acl_set_file)");
563 * @brief Remove all @c ACL_TYPE_ACCESS entries from the given file
564 * descriptor, leaving the UNIX permission bits.
567 * The file descriptor whose ACLs we want to wipe.
570 * - @c ACL_SUCCESS - The ACLs were wiped successfully, or none
571 * existed in the first place.
572 * - @c ACL_ERROR - Unexpected library error.
574 int wipe_acls(int fd
) {
575 /* Initialize an empty ACL, and then overwrite the one on "fd" with it. */
576 acl_t empty_acl
= acl_init(0);
578 if (empty_acl
== (acl_t
)NULL
) {
579 perror("wipe_acls (acl_init)");
583 if (acl_set_fd(fd
, empty_acl
) == ACL_ERROR
) {
584 perror("wipe_acls (acl_set_fd)");
596 * @brief Apply parent default ACL to a path.
598 * This overwrites any existing ACLs on @c path.
601 * The path whose ACL we would like to reset to its default.
604 * A pointer to a stat structure for @c path, or @c NULL if you don't
607 * @param no_exec_mask
608 * The value (either true or false) of the --no-exec-mask flag.
611 * - @c ACL_SUCCESS - The parent default ACL was inherited successfully.
612 * - @c ACL_FAILURE - If symlinks or hard links are encountered.
613 * - @c ACL_ERROR - Unexpected library error.
615 int apply_default_acl_ex(const char* path
,
616 const struct stat
* sp
,
621 perror("apply_default_acl_ex (args)");
625 /* Define these next three variables here because we may have to
626 * jump to the cleanup routine which expects them to exist.
629 /* Our return value. */
630 int result
= ACL_SUCCESS
;
632 /* The default ACL on path's parent directory */
633 acl_t defacl
= (acl_t
)NULL
;
635 /* The file descriptor corresponding to "path" */
638 /* Get the parent directory of "path" with dirname(), which happens
639 * to murder its argument and necessitates a path_copy.
641 char* path_copy
= strdup(path
);
642 if (path_copy
== NULL
) {
643 perror("apply_default_acl_ex (strdup)");
646 char* parent
= dirname(path_copy
);
648 fd
= safe_open(path
, O_NOFOLLOW
);
649 if (fd
== OPEN_ERROR
) {
650 if (errno
== ELOOP
) {
651 result
= ACL_FAILURE
; /* hit a symlink */
655 perror("apply_default_acl_ex (open fd)");
662 /* Refuse to operate on hard links, which can be abused by an
663 * attacker to trick us into changing the ACL on a file we didn't
664 * intend to; namely the "target" of the hard link. There is TOCTOU
665 * race condition here, but the window is as small as possible
666 * between when we open the file descriptor (look above) and when we
669 * Note: we only need to call fstat ourselves if we weren't passed a
670 * valid pointer to a stat structure (nftw does that).
674 if (fstat(fd
, &s
) == STAT_ERROR
) {
675 perror("apply_default_acl_ex (fstat)");
682 if (!S_ISDIR(sp
->st_mode
)) {
683 /* If it's not a directory, make sure it's a regular,
684 non-hard-linked file. */
685 if (!S_ISREG(sp
->st_mode
) || sp
->st_nlink
!= 1) {
686 result
= ACL_FAILURE
;
692 /* Default to not masking the exec bit; i.e. applying the default
693 ACL literally. If --no-exec-mask was not specified, then we try
694 to "guess" whether or not to mask the exec bit. This behavior
695 is modeled after the capital 'X' perms of setfacl. */
696 bool allow_exec
= true;
699 /* Never mask the execute bit on directories. */
700 int ace_result
= any_can_execute(fd
,sp
) || S_ISDIR(sp
->st_mode
);
702 if (ace_result
== ACL_ERROR
) {
703 perror("apply_default_acl_ex (any_can_execute)");
708 allow_exec
= (bool)ace_result
;
711 defacl
= acl_get_file(parent
, ACL_TYPE_DEFAULT
);
713 if (defacl
== (acl_t
)NULL
) {
714 perror("apply_default_acl_ex (acl_get_file)");
719 if (wipe_acls(fd
) == ACL_ERROR
) {
720 perror("apply_default_acl_ex (wipe_acls)");
725 /* Do this after wipe_acls(), otherwise we'll overwrite the wiped
726 ACL with this one. */
727 acl_t acl
= acl_get_fd(fd
);
728 if (acl
== (acl_t
)NULL
) {
729 perror("apply_default_acl_ex (acl_get_fd)");
734 /* If it's a directory, inherit the parent's default. We sure hope
735 * that "path" still points to the same thing that "fd" and this
736 * "sp" describe. If not, we may wind up trying to set a default ACL
737 * on a file, and this will throw an error. I guess that's what we
740 if (S_ISDIR(sp
->st_mode
) && assign_default_acl(path
, defacl
) == ACL_ERROR
) {
741 perror("apply_default_acl_ex (assign_default_acl)");
747 int ge_result
= acl_get_entry(defacl
, ACL_FIRST_ENTRY
, &entry
);
749 while (ge_result
== ACL_SUCCESS
) {
750 acl_tag_t tag
= ACL_UNDEFINED_TAG
;
752 if (acl_get_tag_type(entry
, &tag
) == ACL_ERROR
) {
753 perror("apply_default_acl_ex (acl_get_tag_type)");
759 /* We've got an entry/tag from the default ACL. Get its permset. */
760 acl_permset_t permset
;
761 if (acl_get_permset(entry
, &permset
) == ACL_ERROR
) {
762 perror("apply_default_acl_ex (acl_get_permset)");
767 /* If this is a default mask, fix it up. */
768 if (tag
== ACL_MASK
||
769 tag
== ACL_USER_OBJ
||
770 tag
== ACL_GROUP_OBJ
||
774 /* The mask doesn't affect acl_user_obj, acl_group_obj (in
775 minimal ACLs) or acl_other entries, so if execute should be
776 masked, we have to do it manually. */
777 if (acl_delete_perm(permset
, ACL_EXECUTE
) == ACL_ERROR
) {
778 perror("apply_default_acl_ex (acl_delete_perm)");
783 if (acl_set_permset(entry
, permset
) == ACL_ERROR
) {
784 perror("apply_default_acl_ex (acl_set_permset)");
791 /* Finally, add the permset to the access ACL. It's actually
792 * important that we pass in the address of "acl" here, and not
793 * "acl" itself. Why? The call to acl_create_entry() within
794 * acl_set_entry() can allocate new memory for the entry.
795 * Sometimes that can be done in-place, in which case everything
796 * is cool and the new memory gets released when we call
799 * But occasionally, the whole ACL structure will have to be moved
800 * in order to allocate the extra space. When that happens,
801 * acl_create_entry() modifies the pointer it was passed (in this
802 * case, &acl) to point to the new location. We want to call
803 * acl_free() on the new location, and since acl_free() gets
804 * called right here, we need acl_create_entry() to update the
805 * value of "acl". To do that, it needs the address of "acl".
807 if (acl_set_entry(&acl
, entry
) == ACL_ERROR
) {
808 perror("apply_default_acl_ex (acl_set_entry)");
813 ge_result
= acl_get_entry(defacl
, ACL_NEXT_ENTRY
, &entry
);
816 /* Catches the first acl_get_entry as well as the ones at the end of
818 if (ge_result
== ACL_ERROR
) {
819 perror("apply_default_acl_ex (acl_get_entry)");
824 if (acl_set_fd(fd
, acl
) == ACL_ERROR
) {
825 perror("apply_default_acl_ex (acl_set_fd)");
832 if (defacl
!= (acl_t
)NULL
) {
835 if (fd
>= 0 && close(fd
) == CLOSE_ERROR
) {
836 perror("apply_default_acl_ex (close)");
845 * @brief The friendly interface to @c apply_default_acl_ex.
847 * The @c apply_default_acl_ex function holds the real implementation
848 * of this function, but it takes a weird second argument that most
849 * people won't care about (a stat structure). But, we use that
850 * argument for the recursive mode of the CLI, so it's there.
852 * If you don't have a stat structure for your @c path, use this instead.
855 * The path whose ACL we would like to reset to its default.
857 * @param no_exec_mask
858 * The value (either true or false) of the --no-exec-mask flag.
861 * - @c ACL_SUCCESS - The parent default ACL was inherited successfully.
862 * - @c ACL_FAILURE - If symlinks or hard links are encountered.
863 * or the parent of @c path is not a directory.
864 * - @c ACL_ERROR - Unexpected library error.
866 int apply_default_acl(const char* path
, bool no_exec_mask
) {
867 return apply_default_acl_ex(path
, NULL
, no_exec_mask
);