4 * @brief The adacl (apply default acl) shared library.
8 /* Enables get_current_dir_name() in unistd.h */
11 #include <errno.h> /* ELOOP, EINVAL, etc. */
12 #include <fcntl.h> /* openat() */
13 #include <libgen.h> /* basename(), dirname() */
14 #include <limits.h> /* PATH_MAX */
15 #include <stdbool.h> /* the "bool" type */
16 #include <stdio.h> /* perror(), snprintf() */
17 #include <stdlib.h> /* free() */
18 #include <string.h> /* strdup() */
19 #include <sys/stat.h> /* fstat() */
20 #include <unistd.h> /* get_current_dir_name() */
23 #include <acl/libacl.h> /* acl_get_perm, not portable */
24 #include <sys/acl.h> /* all other acl_foo functions */
29 /* Even though most other library functions reliably return -1 for
30 * error, it feels a little wrong to re-use the ACL_ERROR constant.
32 #define CLOSE_ERROR -1
34 #define SNPRINTF_ERROR -1
39 * @brief The recursive portion of the @c safe_open function, used to
40 * open a file descriptor in a symlink-safe way when combined with
41 * the @c O_NOFOLLOW flag.
43 * The @c O_PATH flag is not used because we want to fail upon
44 * encountering any symlinks.
47 * A file descriptor relative to which @c pathname will be opened.
50 * The path to the file/directory/whatever whose descriptor you want.
53 * File status flags to be passed to @c openat.
55 * @return a file descriptor for @c pathname if everything goes well,
56 * and @c OPEN_ERROR if not.
58 int safe_open_ex(int at_fd
, char* pathname
, int flags
) {
59 /* We're only called by safe_open(), so pathname is guaranteed to be
61 if (strlen(pathname
) == 0) {
62 /* Oops, went one level to deep with nothing to do. */
66 char* firstslash
= strchr(pathname
, '/');
67 if (firstslash
== NULL
) {
68 /* No more slashes, this is the base case. */
69 int r
= openat(at_fd
, pathname
, flags
);
73 /* Temporarily disable the slash, so that the subsequent call to
74 openat() opens only the next directory (and doesn't recurse). */
76 int fd
= safe_open_ex(at_fd
, pathname
, flags
);
77 if (fd
== OPEN_ERROR
) {
79 /* Don't output anything if we ignore a symlink */
80 perror("safe_open_ex (safe_open_ex)");
85 /* The ++ is safe because there needs to be at least a null byte
86 after the first slash, even if it's the last real character in
88 int result
= safe_open_ex(fd
, firstslash
+1, flags
);
89 if (close(fd
) == CLOSE_ERROR
) {
90 perror("safe_open_ex (close)");
98 * @brief A version of @c open that is completely symlink-safe when
99 * used with the @c O_NOFOLLOW flag.
101 * The @c openat function exists to ensure that you can anchor one
102 * path to a particular directory while opening it; however, if you
103 * open "b/c/d" relative to "/a", then even the @c openat function will
104 * still follow symlinks in the "b" component. This can be exploited
105 * by an attacker to make you open the wrong path.
107 * To avoid that problem, this function uses a recursive
108 * implementation that opens every path from the root, one level at a
109 * time. So "a" is opened relative to "/", and then "b" is opened
110 * relative to "/a", and then "c" is opened relative to "/a/b",
111 * etc. When the @c O_NOFOLLOW flag is used, this approach ensures
112 * that no symlinks in any component are followed.
115 * The path to the file/directory/whatever whose descriptor you want.
118 * File status flags to be passed to @c openat.
120 * @return a file descriptor for @c pathname if everything goes well,
121 * and @c OPEN_ERROR if not.
123 int safe_open(const char* pathname
, int flags
) {
124 if (pathname
== NULL
|| strlen(pathname
) == 0 || pathname
[0] == '\0') {
126 perror("safe_open (args)");
130 char abspath
[PATH_MAX
];
131 int snprintf_result
= 0;
132 if (strchr(pathname
, '/') == pathname
) {
133 /* pathname is already absolute; just copy it. */
134 snprintf_result
= snprintf(abspath
, PATH_MAX
, "%s", pathname
);
137 /* Concatenate the current working directory and pathname into an
138 * absolute path. We use realpath() ONLY on the cwd part, and not
139 * on the pathname part, because realpath() resolves symlinks. And
140 * the whole point of all this crap is to avoid following symlinks
143 * Using realpath() on the cwd lets us operate on relative paths
144 * while we're sitting in a directory that happens to have a
145 * symlink in it; for example: cd /var/run && apply-default-acl foo.
147 char* cwd
= get_current_dir_name();
149 perror("safe_open (get_current_dir_name)");
153 char abs_cwd
[PATH_MAX
];
154 if (realpath(cwd
, abs_cwd
) == NULL
) {
155 perror("safe_open (realpath)");
159 snprintf_result
= snprintf(abspath
, PATH_MAX
, "%s/%s", abs_cwd
, pathname
);
162 if (snprintf_result
== SNPRINTF_ERROR
|| snprintf_result
> PATH_MAX
) {
163 perror("safe_open (snprintf)");
167 int fd
= open("/", flags
);
168 if (fd
== OPEN_ERROR
) {
169 perror("safe_open (open)");
173 if (strcmp(abspath
, "/") == 0) {
177 int result
= safe_open_ex(fd
, abspath
+1, flags
);
178 if (close(fd
) == CLOSE_ERROR
) {
179 perror("safe_open (close)");
189 * @brief Update (or create) an entry in an @b minimal ACL.
191 * This function will not work if @c aclp contains extended
192 * entries. This is fine for our purposes, since we call @c wipe_acls
193 * on each path before applying the default to it.
195 * The assumption that there are no extended entries makes things much
196 * simpler. For example, we only have to update the @c ACL_USER_OBJ,
197 * @c ACL_GROUP_OBJ, and @c ACL_OTHER entries -- all others can simply
198 * be created anew. This means we don't have to fool around comparing
199 * named-user/group entries.
202 * A pointer to the acl_t structure whose entry we want to modify.
205 * The new entry. If @c entry contains a user/group/other entry, we
206 * update the existing one. Otherwise we create a new entry.
208 * @return If there is an unexpected library error, @c ACL_ERROR is
209 * returned. Otherwise, @c ACL_SUCCESS.
212 int acl_set_entry(acl_t
* aclp
, acl_entry_t entry
) {
215 if (acl_get_tag_type(entry
, &entry_tag
) == ACL_ERROR
) {
216 perror("acl_set_entry (acl_get_tag_type)");
220 acl_permset_t entry_permset
;
221 if (acl_get_permset(entry
, &entry_permset
) == ACL_ERROR
) {
222 perror("acl_set_entry (acl_get_permset)");
226 acl_entry_t existing_entry
;
227 /* Loop through the given ACL looking for matching entries. */
228 int result
= acl_get_entry(*aclp
, ACL_FIRST_ENTRY
, &existing_entry
);
230 while (result
== ACL_SUCCESS
) {
231 acl_tag_t existing_tag
= ACL_UNDEFINED_TAG
;
233 if (acl_get_tag_type(existing_entry
, &existing_tag
) == ACL_ERROR
) {
234 perror("set_acl_tag_permset (acl_get_tag_type)");
238 if (existing_tag
== entry_tag
) {
239 if (entry_tag
== ACL_USER_OBJ
||
240 entry_tag
== ACL_GROUP_OBJ
||
241 entry_tag
== ACL_OTHER
) {
242 /* Only update for these three since all other tags will have
243 been wiped. These three are guaranteed to exist, so if we
244 match one of them, we're allowed to return ACL_SUCCESS
245 below and bypass the rest of the function. */
246 acl_permset_t existing_permset
;
247 if (acl_get_permset(existing_entry
, &existing_permset
) == ACL_ERROR
) {
248 perror("acl_set_entry (acl_get_permset)");
252 if (acl_set_permset(existing_entry
, entry_permset
) == ACL_ERROR
) {
253 perror("acl_set_entry (acl_set_permset)");
262 result
= acl_get_entry(*aclp
, ACL_NEXT_ENTRY
, &existing_entry
);
265 /* This catches both the initial acl_get_entry and the ones at the
267 if (result
== ACL_ERROR
) {
268 perror("acl_set_entry (acl_get_entry)");
272 /* If we've made it this far, we need to add a new entry to the
274 acl_entry_t new_entry
;
276 /* The acl_create_entry() function can allocate new memory and/or
277 * change the location of the ACL structure entirely. When that
278 * happens, the value pointed to by aclp is updated, which means
279 * that a new acl_t gets "passed out" to our caller, eventually to
280 * be fed to acl_free(). In other words, we should still be freeing
281 * the right thing, even if the value pointed to by aclp changes.
283 if (acl_create_entry(aclp
, &new_entry
) == ACL_ERROR
) {
284 perror("acl_set_entry (acl_create_entry)");
288 if (acl_set_tag_type(new_entry
, entry_tag
) == ACL_ERROR
) {
289 perror("acl_set_entry (acl_set_tag_type)");
293 if (acl_set_permset(new_entry
, entry_permset
) == ACL_ERROR
) {
294 perror("acl_set_entry (acl_set_permset)");
298 if (entry_tag
== ACL_USER
|| entry_tag
== ACL_GROUP
) {
299 /* We need to set the qualifier too. */
300 void* entry_qual
= acl_get_qualifier(entry
);
301 if (entry_qual
== (void*)NULL
) {
302 perror("acl_set_entry (acl_get_qualifier)");
306 if (acl_set_qualifier(new_entry
, entry_qual
) == ACL_ERROR
) {
307 perror("acl_set_entry (acl_set_qualifier)");
318 * @brief Determine the number of entries in the given ACL.
321 * The ACL to inspect.
323 * @return Either the non-negative number of entries in @c acl, or
324 * @c ACL_ERROR on error.
326 int acl_entry_count(acl_t acl
) {
330 int result
= acl_get_entry(acl
, ACL_FIRST_ENTRY
, &entry
);
332 while (result
== ACL_SUCCESS
) {
334 result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
337 if (result
== ACL_ERROR
) {
338 perror("acl_entry_count (acl_get_entry)");
348 * @brief Determine whether or not the given ACL is minimal.
350 * An ACL is minimal if it has fewer than four entries.
353 * The ACL whose minimality is in question.
356 * - @c ACL_SUCCESS - @c acl is minimal
357 * - @c ACL_FAILURE - @c acl is not minimal
358 * - @c ACL_ERROR - Unexpected library error
360 int acl_is_minimal(acl_t acl
) {
362 int ec
= acl_entry_count(acl
);
364 if (ec
== ACL_ERROR
) {
365 perror("acl_is_minimal (acl_entry_count)");
380 * @brief Determine whether the given ACL's mask denies execute.
383 * The ACL whose mask we want to check.
386 * - @c ACL_SUCCESS - The @c acl has a mask which denies execute.
387 * - @c ACL_FAILURE - The @c acl has a mask which does not deny execute.
388 * - @c ACL_ERROR - Unexpected library error.
390 int acl_execute_masked(acl_t acl
) {
393 int ge_result
= acl_get_entry(acl
, ACL_FIRST_ENTRY
, &entry
);
395 while (ge_result
== ACL_SUCCESS
) {
396 acl_tag_t tag
= ACL_UNDEFINED_TAG
;
398 if (acl_get_tag_type(entry
, &tag
) == ACL_ERROR
) {
399 perror("acl_execute_masked (acl_get_tag_type)");
403 if (tag
== ACL_MASK
) {
404 /* This is the mask entry, get its permissions, and see if
405 execute is specified. */
406 acl_permset_t permset
;
408 if (acl_get_permset(entry
, &permset
) == ACL_ERROR
) {
409 perror("acl_execute_masked (acl_get_permset)");
413 int gp_result
= acl_get_perm(permset
, ACL_EXECUTE
);
414 if (gp_result
== ACL_ERROR
) {
415 perror("acl_execute_masked (acl_get_perm)");
419 if (gp_result
== ACL_FAILURE
) {
420 /* No execute bit set in the mask; execute not allowed. */
425 ge_result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
434 * @brief Determine whether @c fd is executable by anyone.
437 * This is used as part of the heuristic to determine whether or not
438 * we should mask the execute bit when inheriting an ACL. If @c fd
439 * describes a file, we check the @a effective permissions, contrary
440 * to what setfacl does.
443 * The file descriptor to check.
446 * A pointer to a stat structure for @c fd.
449 * - @c ACL_SUCCESS - Someone has effective execute permissions on @c fd.
450 * - @c ACL_FAILURE - Nobody can execute @c fd.
451 * - @c ACL_ERROR - Unexpected library error.
453 int any_can_execute(int fd
, const struct stat
* sp
) {
454 acl_t acl
= acl_get_fd(fd
);
456 if (acl
== (acl_t
)NULL
) {
457 perror("any_can_execute (acl_get_file)");
461 /* Our return value. */
462 int result
= ACL_FAILURE
;
464 if (acl_is_minimal(acl
)) {
465 if (sp
->st_mode
& (S_IXUSR
| S_IXOTH
| S_IXGRP
)) {
466 result
= ACL_SUCCESS
;
470 result
= ACL_FAILURE
;
476 int ge_result
= acl_get_entry(acl
, ACL_FIRST_ENTRY
, &entry
);
478 while (ge_result
== ACL_SUCCESS
) {
479 /* The first thing we do is check to see if this is a mask
480 entry. If it is, we skip it entirely. */
481 acl_tag_t tag
= ACL_UNDEFINED_TAG
;
483 if (acl_get_tag_type(entry
, &tag
) == ACL_ERROR
) {
484 perror("any_can_execute_or (acl_get_tag_type)");
489 if (tag
== ACL_MASK
) {
490 ge_result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
494 /* Ok, so it's not a mask entry. Check the execute perms. */
495 acl_permset_t permset
;
497 if (acl_get_permset(entry
, &permset
) == ACL_ERROR
) {
498 perror("any_can_execute_or (acl_get_permset)");
503 int gp_result
= acl_get_perm(permset
, ACL_EXECUTE
);
504 if (gp_result
== ACL_ERROR
) {
505 perror("any_can_execute (acl_get_perm)");
510 if (gp_result
== ACL_SUCCESS
) {
511 /* Only return ACL_SUCCESS if this execute bit is not masked. */
512 if (acl_execute_masked(acl
) != ACL_SUCCESS
) {
513 result
= ACL_SUCCESS
;
518 ge_result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
521 if (ge_result
== ACL_ERROR
) {
522 perror("any_can_execute (acl_get_entry)");
535 * @brief Set @c acl as the default ACL on @c path.
537 * This overwrites any existing default ACL on @c path. If @c path is
538 * not a directory, we return ACL_ERROR and @c errno is set.
541 * The target directory whose ACL we wish to replace or create.
544 * The ACL to set as default on @c path.
547 * - @c ACL_SUCCESS - The default ACL was assigned successfully.
548 * - @c ACL_ERROR - Unexpected library error.
550 int assign_default_acl(const char* path
, acl_t acl
) {
554 perror("assign_default_acl (args)");
558 /* Our return value; success unless something bad happens. */
559 int result
= ACL_SUCCESS
;
560 acl_t path_acl
= acl_dup(acl
);
562 if (path_acl
== (acl_t
)NULL
) {
563 perror("assign_default_acl (acl_dup)");
564 return ACL_ERROR
; /* Nothing to clean up in this case. */
567 if (acl_set_file(path
, ACL_TYPE_DEFAULT
, path_acl
) == ACL_ERROR
) {
568 perror("assign_default_acl (acl_set_file)");
579 * @brief Remove all @c ACL_TYPE_ACCESS entries from the given file
580 * descriptor, leaving the UNIX permission bits.
583 * The file descriptor whose ACLs we want to wipe.
586 * - @c ACL_SUCCESS - The ACLs were wiped successfully, or none
587 * existed in the first place.
588 * - @c ACL_ERROR - Unexpected library error.
590 int wipe_acls(int fd
) {
591 /* Initialize an empty ACL, and then overwrite the one on "fd" with it. */
592 acl_t empty_acl
= acl_init(0);
594 if (empty_acl
== (acl_t
)NULL
) {
595 perror("wipe_acls (acl_init)");
599 if (acl_set_fd(fd
, empty_acl
) == ACL_ERROR
) {
600 perror("wipe_acls (acl_set_fd)");
612 * @brief Apply parent default ACL to a path.
614 * This overwrites any existing ACLs on @c path.
617 * The path whose ACL we would like to reset to its default.
620 * A pointer to a stat structure for @c path, or @c NULL if you don't
623 * @param no_exec_mask
624 * The value (either true or false) of the --no-exec-mask flag.
627 * - @c ACL_SUCCESS - The parent default ACL was inherited successfully.
628 * - @c ACL_FAILURE - If symlinks or hard links are encountered.
629 * - @c ACL_ERROR - Unexpected library error.
631 int apply_default_acl_ex(const char* path
,
632 const struct stat
* sp
,
637 perror("apply_default_acl_ex (args)");
641 /* Define these next three variables here because we may have to
642 * jump to the cleanup routine which expects them to exist.
645 /* Our return value. */
646 int result
= ACL_SUCCESS
;
648 /* The default ACL on path's parent directory */
649 acl_t defacl
= (acl_t
)NULL
;
651 /* The file descriptor corresponding to "path" */
654 /* Get the parent directory of "path" with dirname(), which happens
655 * to murder its argument and necessitates a path_copy.
657 char* path_copy
= strdup(path
);
658 if (path_copy
== NULL
) {
659 perror("apply_default_acl_ex (strdup)");
662 char* parent
= dirname(path_copy
);
664 fd
= safe_open(path
, O_NOFOLLOW
);
665 if (fd
== OPEN_ERROR
) {
666 if (errno
== ELOOP
) {
667 result
= ACL_FAILURE
; /* hit a symlink */
671 perror("apply_default_acl_ex (open fd)");
678 /* Refuse to operate on hard links, which can be abused by an
679 * attacker to trick us into changing the ACL on a file we didn't
680 * intend to; namely the "target" of the hard link. There is TOCTOU
681 * race condition here, but the window is as small as possible
682 * between when we open the file descriptor (look above) and when we
685 * Note: we only need to call fstat ourselves if we weren't passed a
686 * valid pointer to a stat structure (nftw does that).
690 if (fstat(fd
, &s
) == STAT_ERROR
) {
691 perror("apply_default_acl_ex (fstat)");
698 if (!S_ISDIR(sp
->st_mode
)) {
699 /* If it's not a directory, make sure it's a regular,
700 non-hard-linked file. */
701 if (!S_ISREG(sp
->st_mode
) || sp
->st_nlink
!= 1) {
702 result
= ACL_FAILURE
;
708 /* Default to not masking the exec bit; i.e. applying the default
709 ACL literally. If --no-exec-mask was not specified, then we try
710 to "guess" whether or not to mask the exec bit. This behavior
711 is modeled after the capital 'X' perms of setfacl. */
712 bool allow_exec
= true;
715 /* Never mask the execute bit on directories. */
716 int ace_result
= any_can_execute(fd
,sp
) || S_ISDIR(sp
->st_mode
);
718 if (ace_result
== ACL_ERROR
) {
719 perror("apply_default_acl_ex (any_can_execute)");
724 allow_exec
= (bool)ace_result
;
727 defacl
= acl_get_file(parent
, ACL_TYPE_DEFAULT
);
729 if (defacl
== (acl_t
)NULL
) {
730 perror("apply_default_acl_ex (acl_get_file)");
735 if (wipe_acls(fd
) == ACL_ERROR
) {
736 perror("apply_default_acl_ex (wipe_acls)");
741 /* Do this after wipe_acls(), otherwise we'll overwrite the wiped
742 ACL with this one. */
743 acl_t acl
= acl_get_fd(fd
);
744 if (acl
== (acl_t
)NULL
) {
745 perror("apply_default_acl_ex (acl_get_fd)");
750 /* If it's a directory, inherit the parent's default. We sure hope
751 * that "path" still points to the same thing that "fd" and this
752 * "sp" describe. If not, we may wind up trying to set a default ACL
753 * on a file, and this will throw an error. I guess that's what we
756 if (S_ISDIR(sp
->st_mode
) && assign_default_acl(path
, defacl
) == ACL_ERROR
) {
757 perror("apply_default_acl_ex (assign_default_acl)");
763 int ge_result
= acl_get_entry(defacl
, ACL_FIRST_ENTRY
, &entry
);
765 while (ge_result
== ACL_SUCCESS
) {
766 acl_tag_t tag
= ACL_UNDEFINED_TAG
;
768 if (acl_get_tag_type(entry
, &tag
) == ACL_ERROR
) {
769 perror("apply_default_acl_ex (acl_get_tag_type)");
775 /* We've got an entry/tag from the default ACL. Get its permset. */
776 acl_permset_t permset
;
777 if (acl_get_permset(entry
, &permset
) == ACL_ERROR
) {
778 perror("apply_default_acl_ex (acl_get_permset)");
783 /* If this is a default mask, fix it up. */
784 if (tag
== ACL_MASK
||
785 tag
== ACL_USER_OBJ
||
786 tag
== ACL_GROUP_OBJ
||
790 /* The mask doesn't affect acl_user_obj, acl_group_obj (in
791 minimal ACLs) or acl_other entries, so if execute should be
792 masked, we have to do it manually. */
793 if (acl_delete_perm(permset
, ACL_EXECUTE
) == ACL_ERROR
) {
794 perror("apply_default_acl_ex (acl_delete_perm)");
799 if (acl_set_permset(entry
, permset
) == ACL_ERROR
) {
800 perror("apply_default_acl_ex (acl_set_permset)");
807 /* Finally, add the permset to the access ACL. It's actually
808 * important that we pass in the address of "acl" here, and not
809 * "acl" itself. Why? The call to acl_create_entry() within
810 * acl_set_entry() can allocate new memory for the entry.
811 * Sometimes that can be done in-place, in which case everything
812 * is cool and the new memory gets released when we call
815 * But occasionally, the whole ACL structure will have to be moved
816 * in order to allocate the extra space. When that happens,
817 * acl_create_entry() modifies the pointer it was passed (in this
818 * case, &acl) to point to the new location. We want to call
819 * acl_free() on the new location, and since acl_free() gets
820 * called right here, we need acl_create_entry() to update the
821 * value of "acl". To do that, it needs the address of "acl".
823 if (acl_set_entry(&acl
, entry
) == ACL_ERROR
) {
824 perror("apply_default_acl_ex (acl_set_entry)");
829 ge_result
= acl_get_entry(defacl
, ACL_NEXT_ENTRY
, &entry
);
832 /* Catches the first acl_get_entry as well as the ones at the end of
834 if (ge_result
== ACL_ERROR
) {
835 perror("apply_default_acl_ex (acl_get_entry)");
840 if (acl_set_fd(fd
, acl
) == ACL_ERROR
) {
841 perror("apply_default_acl_ex (acl_set_fd)");
848 if (defacl
!= (acl_t
)NULL
) {
851 if (fd
>= 0 && close(fd
) == CLOSE_ERROR
) {
852 perror("apply_default_acl_ex (close)");
861 * @brief The friendly interface to @c apply_default_acl_ex.
863 * The @c apply_default_acl_ex function holds the real implementation
864 * of this function, but it takes a weird second argument that most
865 * people won't care about (a stat structure). But, we use that
866 * argument for the recursive mode of the CLI, so it's there.
868 * If you don't have a stat structure for your @c path, use this instead.
871 * The path whose ACL we would like to reset to its default.
873 * @param no_exec_mask
874 * The value (either true or false) of the --no-exec-mask flag.
877 * - @c ACL_SUCCESS - The parent default ACL was inherited successfully.
878 * - @c ACL_FAILURE - If symlinks or hard links are encountered.
879 * or the parent of @c path is not a directory.
880 * - @c ACL_ERROR - Unexpected library error.
882 int apply_default_acl(const char* path
, bool no_exec_mask
) {
883 return apply_default_acl_ex(path
, NULL
, no_exec_mask
);