4 * @brief The adacl (apply default acl) shared library.
8 /* Enables get_current_dir_name() in unistd.h */
11 #include <errno.h> /* ELOOP, EINVAL, etc. */
12 #include <fcntl.h> /* openat() */
13 #include <libgen.h> /* basename(), dirname() */
14 #include <limits.h> /* PATH_MAX */
15 #include <stdbool.h> /* the "bool" type */
16 #include <stdio.h> /* perror(), snprintf() */
17 #include <stdlib.h> /* free() */
18 #include <string.h> /* strdup() */
19 #include <sys/stat.h> /* fstat() */
20 #include <unistd.h> /* get_current_dir_name() */
23 #include <acl/libacl.h> /* acl_get_perm, not portable */
24 #include <sys/acl.h> /* all other acl_foo functions */
29 /* Even though most other library functions reliably return -1 for
30 * error, it feels a little wrong to re-use the ACL_ERROR constant.
32 #define CLOSE_ERROR -1
34 #define SNPRINTF_ERROR -1
39 * @brief The recursive portion of the @c safe_open function, used to
40 * open a file descriptor in a symlink-safe way when combined with
41 * the @c O_NOFOLLOW flag.
44 * A file descriptor relative to which @c pathname will be opened.
47 * The path to the file/directory/whatever whose descriptor you want.
50 * File status flags to be passed to @c openat.
52 * @return a file descriptor for @c pathname if everything goes well,
53 * and @c OPEN_ERROR if not.
55 int safe_open_ex(int at_fd
, char* pathname
, int flags
) {
56 if (pathname
!= NULL
&& strlen(pathname
) == 0) {
57 /* Oops, went one level to deep with nothing to do. */
61 char* firstslash
= strchr(pathname
, '/');
62 if (firstslash
== NULL
) {
63 /* No more slashes, this is the base case. */
64 int r
= openat(at_fd
, pathname
, flags
);
68 /* Temporarily disable the slash, so that the subsequent call to
69 openat() opens only the next directory (and doesn't recurse). */
71 int fd
= safe_open_ex(at_fd
, pathname
, flags
);
72 if (fd
== OPEN_ERROR
) {
74 /* Don't output anything if we ignore a symlink */
75 perror("safe_open_ex (safe_open_ex)");
80 /* The ++ is safe because there needs to be at least a null byte
81 after the first slash, even if it's the last real character in
83 int result
= safe_open_ex(fd
, firstslash
+1, flags
);
84 if (close(fd
) == CLOSE_ERROR
) {
85 perror("safe_open_ex (close)");
93 * @brief A version of @c open that is completely symlink-safe when
94 * used with the @c O_NOFOLLOW flag.
96 * The @c openat function exists to ensure that you can anchor one
97 * path to a particular directory while opening it; however, if you
98 * open "b/c/d" relative to "/a", then even the @c openat function will
99 * still follow symlinks in the "b" component. This can be exploited
100 * by an attacker to make you open the wrong path.
102 * To avoid that problem, this function uses a recursive
103 * implementation that opens every path from the root, one level at a
104 * time. So "a" is opened relative to "/", and then "b" is opened
105 * relative to "/a", and then "c" is opened relative to "/a/b",
106 * etc. When the @c O_NOFOLLOW flag is used, this approach ensures
107 * that no symlinks in any component are followed.
110 * The path to the file/directory/whatever whose descriptor you want.
113 * File status flags to be passed to @c openat.
115 * @return a file descriptor for @c pathname if everything goes well,
116 * and @c OPEN_ERROR if not.
118 int safe_open(const char* pathname
, int flags
) {
119 if (pathname
== NULL
|| strlen(pathname
) == 0 || pathname
[0] == '\0') {
121 perror("safe_open (args)");
125 char abspath
[PATH_MAX
];
126 int snprintf_result
= 0;
127 if (strchr(pathname
, '/') == pathname
) {
128 /* pathname is already absolute; just copy it. */
129 snprintf_result
= snprintf(abspath
, PATH_MAX
, "%s", pathname
);
132 /* Concatenate the current working directory and pathname into an
133 * absolute path. We use realpath() ONLY on the cwd part, and not
134 * on the pathname part, because realpath() resolves symlinks. And
135 * the whole point of all this crap is to avoid following symlinks
138 * Using realpath() on the cwd lets us operate on relative paths
139 * while we're sitting in a directory that happens to have a
140 * symlink in it; for example: cd /var/run && apply-default-acl foo.
142 char* cwd
= get_current_dir_name();
144 perror("safe_open (get_current_dir_name)");
148 char abs_cwd
[PATH_MAX
];
149 if (realpath(cwd
, abs_cwd
) == NULL
) {
150 perror("safe_open (realpath)");
154 snprintf_result
= snprintf(abspath
, PATH_MAX
, "%s/%s", abs_cwd
, pathname
);
157 if (snprintf_result
== SNPRINTF_ERROR
|| snprintf_result
> PATH_MAX
) {
158 perror("safe_open (snprintf)");
162 int fd
= open("/", flags
);
163 if (strcmp(abspath
, "/") == 0) {
167 int result
= safe_open_ex(fd
, abspath
+1, flags
);
168 if (close(fd
) == CLOSE_ERROR
) {
169 perror("safe_open (close)");
179 * @brief Update (or create) an entry in an @b minimal ACL.
181 * This function will not work if @c aclp contains extended
182 * entries. This is fine for our purposes, since we call @c wipe_acls
183 * on each path before applying the default to it.
185 * The assumption that there are no extended entries makes things much
186 * simpler. For example, we only have to update the @c ACL_USER_OBJ,
187 * @c ACL_GROUP_OBJ, and @c ACL_OTHER entries -- all others can simply
188 * be created anew. This means we don't have to fool around comparing
189 * named-user/group entries.
192 * A pointer to the acl_t structure whose entry we want to modify.
195 * The new entry. If @c entry contains a user/group/other entry, we
196 * update the existing one. Otherwise we create a new entry.
198 * @return If there is an unexpected library error, @c ACL_ERROR is
199 * returned. Otherwise, @c ACL_SUCCESS.
202 int acl_set_entry(acl_t
* aclp
, acl_entry_t entry
) {
205 if (acl_get_tag_type(entry
, &entry_tag
) == ACL_ERROR
) {
206 perror("acl_set_entry (acl_get_tag_type)");
210 acl_permset_t entry_permset
;
211 if (acl_get_permset(entry
, &entry_permset
) == ACL_ERROR
) {
212 perror("acl_set_entry (acl_get_permset)");
216 acl_entry_t existing_entry
;
217 /* Loop through the given ACL looking for matching entries. */
218 int result
= acl_get_entry(*aclp
, ACL_FIRST_ENTRY
, &existing_entry
);
220 while (result
== ACL_SUCCESS
) {
221 acl_tag_t existing_tag
= ACL_UNDEFINED_TAG
;
223 if (acl_get_tag_type(existing_entry
, &existing_tag
) == ACL_ERROR
) {
224 perror("set_acl_tag_permset (acl_get_tag_type)");
228 if (existing_tag
== entry_tag
) {
229 if (entry_tag
== ACL_USER_OBJ
||
230 entry_tag
== ACL_GROUP_OBJ
||
231 entry_tag
== ACL_OTHER
) {
232 /* Only update for these three since all other tags will have
233 been wiped. These three are guaranteed to exist, so if we
234 match one of them, we're allowed to return ACL_SUCCESS
235 below and bypass the rest of the function. */
236 acl_permset_t existing_permset
;
237 if (acl_get_permset(existing_entry
, &existing_permset
) == ACL_ERROR
) {
238 perror("acl_set_entry (acl_get_permset)");
242 if (acl_set_permset(existing_entry
, entry_permset
) == ACL_ERROR
) {
243 perror("acl_set_entry (acl_set_permset)");
252 result
= acl_get_entry(*aclp
, ACL_NEXT_ENTRY
, &existing_entry
);
255 /* This catches both the initial acl_get_entry and the ones at the
257 if (result
== ACL_ERROR
) {
258 perror("acl_set_entry (acl_get_entry)");
262 /* If we've made it this far, we need to add a new entry to the
264 acl_entry_t new_entry
;
266 /* The acl_create_entry() function can allocate new memory and/or
267 * change the location of the ACL structure entirely. When that
268 * happens, the value pointed to by aclp is updated, which means
269 * that a new acl_t gets "passed out" to our caller, eventually to
270 * be fed to acl_free(). In other words, we should still be freeing
271 * the right thing, even if the value pointed to by aclp changes.
273 if (acl_create_entry(aclp
, &new_entry
) == ACL_ERROR
) {
274 perror("acl_set_entry (acl_create_entry)");
278 if (acl_set_tag_type(new_entry
, entry_tag
) == ACL_ERROR
) {
279 perror("acl_set_entry (acl_set_tag_type)");
283 if (acl_set_permset(new_entry
, entry_permset
) == ACL_ERROR
) {
284 perror("acl_set_entry (acl_set_permset)");
288 if (entry_tag
== ACL_USER
|| entry_tag
== ACL_GROUP
) {
289 /* We need to set the qualifier too. */
290 void* entry_qual
= acl_get_qualifier(entry
);
291 if (entry_qual
== (void*)NULL
) {
292 perror("acl_set_entry (acl_get_qualifier)");
296 if (acl_set_qualifier(new_entry
, entry_qual
) == ACL_ERROR
) {
297 perror("acl_set_entry (acl_set_qualifier)");
308 * @brief Determine the number of entries in the given ACL.
311 * The ACL to inspect.
313 * @return Either the non-negative number of entries in @c acl, or
314 * @c ACL_ERROR on error.
316 int acl_entry_count(acl_t acl
) {
320 int result
= acl_get_entry(acl
, ACL_FIRST_ENTRY
, &entry
);
322 while (result
== ACL_SUCCESS
) {
324 result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
327 if (result
== ACL_ERROR
) {
328 perror("acl_entry_count (acl_get_entry)");
338 * @brief Determine whether or not the given ACL is minimal.
340 * An ACL is minimal if it has fewer than four entries.
343 * The ACL whose minimality is in question.
346 * - @c ACL_SUCCESS - @c acl is minimal
347 * - @c ACL_FAILURE - @c acl is not minimal
348 * - @c ACL_ERROR - Unexpected library error
350 int acl_is_minimal(acl_t acl
) {
352 int ec
= acl_entry_count(acl
);
354 if (ec
== ACL_ERROR
) {
355 perror("acl_is_minimal (acl_entry_count)");
370 * @brief Determine whether the given ACL's mask denies execute.
373 * The ACL whose mask we want to check.
376 * - @c ACL_SUCCESS - The @c acl has a mask which denies execute.
377 * - @c ACL_FAILURE - The @c acl has a mask which does not deny execute.
378 * - @c ACL_ERROR - Unexpected library error.
380 int acl_execute_masked(acl_t acl
) {
383 int ge_result
= acl_get_entry(acl
, ACL_FIRST_ENTRY
, &entry
);
385 while (ge_result
== ACL_SUCCESS
) {
386 acl_tag_t tag
= ACL_UNDEFINED_TAG
;
388 if (acl_get_tag_type(entry
, &tag
) == ACL_ERROR
) {
389 perror("acl_execute_masked (acl_get_tag_type)");
393 if (tag
== ACL_MASK
) {
394 /* This is the mask entry, get its permissions, and see if
395 execute is specified. */
396 acl_permset_t permset
;
398 if (acl_get_permset(entry
, &permset
) == ACL_ERROR
) {
399 perror("acl_execute_masked (acl_get_permset)");
403 int gp_result
= acl_get_perm(permset
, ACL_EXECUTE
);
404 if (gp_result
== ACL_ERROR
) {
405 perror("acl_execute_masked (acl_get_perm)");
409 if (gp_result
== ACL_FAILURE
) {
410 /* No execute bit set in the mask; execute not allowed. */
415 ge_result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
424 * @brief Determine whether @c fd is executable by anyone.
427 * This is used as part of the heuristic to determine whether or not
428 * we should mask the execute bit when inheriting an ACL. If @c fd
429 * describes a file, we check the @a effective permissions, contrary
430 * to what setfacl does.
433 * The file descriptor to check.
436 * A pointer to a stat structure for @c fd.
439 * - @c ACL_SUCCESS - Someone has effective execute permissions on @c fd.
440 * - @c ACL_FAILURE - Nobody can execute @c fd.
441 * - @c ACL_ERROR - Unexpected library error.
443 int any_can_execute(int fd
, const struct stat
* sp
) {
444 acl_t acl
= acl_get_fd(fd
);
446 if (acl
== (acl_t
)NULL
) {
447 perror("any_can_execute (acl_get_file)");
451 /* Our return value. */
452 int result
= ACL_FAILURE
;
454 if (acl_is_minimal(acl
)) {
455 if (sp
->st_mode
& (S_IXUSR
| S_IXOTH
| S_IXGRP
)) {
456 result
= ACL_SUCCESS
;
460 result
= ACL_FAILURE
;
466 int ge_result
= acl_get_entry(acl
, ACL_FIRST_ENTRY
, &entry
);
468 while (ge_result
== ACL_SUCCESS
) {
469 /* The first thing we do is check to see if this is a mask
470 entry. If it is, we skip it entirely. */
471 acl_tag_t tag
= ACL_UNDEFINED_TAG
;
473 if (acl_get_tag_type(entry
, &tag
) == ACL_ERROR
) {
474 perror("any_can_execute_or (acl_get_tag_type)");
479 if (tag
== ACL_MASK
) {
480 ge_result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
484 /* Ok, so it's not a mask entry. Check the execute perms. */
485 acl_permset_t permset
;
487 if (acl_get_permset(entry
, &permset
) == ACL_ERROR
) {
488 perror("any_can_execute_or (acl_get_permset)");
493 int gp_result
= acl_get_perm(permset
, ACL_EXECUTE
);
494 if (gp_result
== ACL_ERROR
) {
495 perror("any_can_execute (acl_get_perm)");
500 if (gp_result
== ACL_SUCCESS
) {
501 /* Only return ACL_SUCCESS if this execute bit is not masked. */
502 if (acl_execute_masked(acl
) != ACL_SUCCESS
) {
503 result
= ACL_SUCCESS
;
508 ge_result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
511 if (ge_result
== ACL_ERROR
) {
512 perror("any_can_execute (acl_get_entry)");
525 * @brief Set @c acl as the default ACL on @c path.
527 * This overwrites any existing default ACL on @c path. If @c path is
528 * not a directory, we return ACL_ERROR and @c errno is set.
531 * The target directory whose ACL we wish to replace or create.
534 * The ACL to set as default on @c path.
537 * - @c ACL_SUCCESS - The default ACL was assigned successfully.
538 * - @c ACL_ERROR - Unexpected library error.
540 int assign_default_acl(const char* path
, acl_t acl
) {
544 perror("assign_default_acl (args)");
548 /* Our return value; success unless something bad happens. */
549 int result
= ACL_SUCCESS
;
550 acl_t path_acl
= acl_dup(acl
);
552 if (path_acl
== (acl_t
)NULL
) {
553 perror("assign_default_acl (acl_dup)");
554 return ACL_ERROR
; /* Nothing to clean up in this case. */
557 if (acl_set_file(path
, ACL_TYPE_DEFAULT
, path_acl
) == ACL_ERROR
) {
558 perror("assign_default_acl (acl_set_file)");
569 * @brief Remove all @c ACL_TYPE_ACCESS entries from the given file
570 * descriptor, leaving the UNIX permission bits.
573 * The file descriptor whose ACLs we want to wipe.
576 * - @c ACL_SUCCESS - The ACLs were wiped successfully, or none
577 * existed in the first place.
578 * - @c ACL_ERROR - Unexpected library error.
580 int wipe_acls(int fd
) {
581 /* Initialize an empty ACL, and then overwrite the one on "fd" with it. */
582 acl_t empty_acl
= acl_init(0);
584 if (empty_acl
== (acl_t
)NULL
) {
585 perror("wipe_acls (acl_init)");
589 if (acl_set_fd(fd
, empty_acl
) == ACL_ERROR
) {
590 perror("wipe_acls (acl_set_fd)");
602 * @brief Apply parent default ACL to a path.
604 * This overwrites any existing ACLs on @c path.
607 * The path whose ACL we would like to reset to its default.
610 * A pointer to a stat structure for @c path, or @c NULL if you don't
613 * @param no_exec_mask
614 * The value (either true or false) of the --no-exec-mask flag.
617 * - @c ACL_SUCCESS - The parent default ACL was inherited successfully.
618 * - @c ACL_FAILURE - If symlinks or hard links are encountered.
619 * - @c ACL_ERROR - Unexpected library error.
621 int apply_default_acl_ex(const char* path
,
622 const struct stat
* sp
,
627 perror("apply_default_acl_ex (args)");
631 /* Define these next three variables here because we may have to
632 * jump to the cleanup routine which expects them to exist.
635 /* Our return value. */
636 int result
= ACL_SUCCESS
;
638 /* The default ACL on path's parent directory */
639 acl_t defacl
= (acl_t
)NULL
;
641 /* The file descriptor corresponding to "path" */
644 /* Get the parent directory of "path" with dirname(), which happens
645 * to murder its argument and necessitates a path_copy.
647 char* path_copy
= strdup(path
);
648 if (path_copy
== NULL
) {
649 perror("apply_default_acl_ex (strdup)");
652 char* parent
= dirname(path_copy
);
654 fd
= safe_open(path
, O_NOFOLLOW
);
655 if (fd
== OPEN_ERROR
) {
656 if (errno
== ELOOP
) {
657 result
= ACL_FAILURE
; /* hit a symlink */
661 perror("apply_default_acl_ex (open fd)");
668 /* Refuse to operate on hard links, which can be abused by an
669 * attacker to trick us into changing the ACL on a file we didn't
670 * intend to; namely the "target" of the hard link. There is TOCTOU
671 * race condition here, but the window is as small as possible
672 * between when we open the file descriptor (look above) and when we
675 * Note: we only need to call fstat ourselves if we weren't passed a
676 * valid pointer to a stat structure (nftw does that).
680 if (fstat(fd
, &s
) == STAT_ERROR
) {
681 perror("apply_default_acl_ex (fstat)");
688 if (!S_ISDIR(sp
->st_mode
)) {
689 /* If it's not a directory, make sure it's a regular,
690 non-hard-linked file. */
691 if (!S_ISREG(sp
->st_mode
) || sp
->st_nlink
!= 1) {
692 result
= ACL_FAILURE
;
698 /* Default to not masking the exec bit; i.e. applying the default
699 ACL literally. If --no-exec-mask was not specified, then we try
700 to "guess" whether or not to mask the exec bit. This behavior
701 is modeled after the capital 'X' perms of setfacl. */
702 bool allow_exec
= true;
705 /* Never mask the execute bit on directories. */
706 int ace_result
= any_can_execute(fd
,sp
) || S_ISDIR(sp
->st_mode
);
708 if (ace_result
== ACL_ERROR
) {
709 perror("apply_default_acl_ex (any_can_execute)");
714 allow_exec
= (bool)ace_result
;
717 defacl
= acl_get_file(parent
, ACL_TYPE_DEFAULT
);
719 if (defacl
== (acl_t
)NULL
) {
720 perror("apply_default_acl_ex (acl_get_file)");
725 if (wipe_acls(fd
) == ACL_ERROR
) {
726 perror("apply_default_acl_ex (wipe_acls)");
731 /* Do this after wipe_acls(), otherwise we'll overwrite the wiped
732 ACL with this one. */
733 acl_t acl
= acl_get_fd(fd
);
734 if (acl
== (acl_t
)NULL
) {
735 perror("apply_default_acl_ex (acl_get_fd)");
740 /* If it's a directory, inherit the parent's default. We sure hope
741 * that "path" still points to the same thing that "fd" and this
742 * "sp" describe. If not, we may wind up trying to set a default ACL
743 * on a file, and this will throw an error. I guess that's what we
746 if (S_ISDIR(sp
->st_mode
) && assign_default_acl(path
, defacl
) == ACL_ERROR
) {
747 perror("apply_default_acl_ex (assign_default_acl)");
753 int ge_result
= acl_get_entry(defacl
, ACL_FIRST_ENTRY
, &entry
);
755 while (ge_result
== ACL_SUCCESS
) {
756 acl_tag_t tag
= ACL_UNDEFINED_TAG
;
758 if (acl_get_tag_type(entry
, &tag
) == ACL_ERROR
) {
759 perror("apply_default_acl_ex (acl_get_tag_type)");
765 /* We've got an entry/tag from the default ACL. Get its permset. */
766 acl_permset_t permset
;
767 if (acl_get_permset(entry
, &permset
) == ACL_ERROR
) {
768 perror("apply_default_acl_ex (acl_get_permset)");
773 /* If this is a default mask, fix it up. */
774 if (tag
== ACL_MASK
||
775 tag
== ACL_USER_OBJ
||
776 tag
== ACL_GROUP_OBJ
||
780 /* The mask doesn't affect acl_user_obj, acl_group_obj (in
781 minimal ACLs) or acl_other entries, so if execute should be
782 masked, we have to do it manually. */
783 if (acl_delete_perm(permset
, ACL_EXECUTE
) == ACL_ERROR
) {
784 perror("apply_default_acl_ex (acl_delete_perm)");
789 if (acl_set_permset(entry
, permset
) == ACL_ERROR
) {
790 perror("apply_default_acl_ex (acl_set_permset)");
797 /* Finally, add the permset to the access ACL. It's actually
798 * important that we pass in the address of "acl" here, and not
799 * "acl" itself. Why? The call to acl_create_entry() within
800 * acl_set_entry() can allocate new memory for the entry.
801 * Sometimes that can be done in-place, in which case everything
802 * is cool and the new memory gets released when we call
805 * But occasionally, the whole ACL structure will have to be moved
806 * in order to allocate the extra space. When that happens,
807 * acl_create_entry() modifies the pointer it was passed (in this
808 * case, &acl) to point to the new location. We want to call
809 * acl_free() on the new location, and since acl_free() gets
810 * called right here, we need acl_create_entry() to update the
811 * value of "acl". To do that, it needs the address of "acl".
813 if (acl_set_entry(&acl
, entry
) == ACL_ERROR
) {
814 perror("apply_default_acl_ex (acl_set_entry)");
819 ge_result
= acl_get_entry(defacl
, ACL_NEXT_ENTRY
, &entry
);
822 /* Catches the first acl_get_entry as well as the ones at the end of
824 if (ge_result
== ACL_ERROR
) {
825 perror("apply_default_acl_ex (acl_get_entry)");
830 if (acl_set_fd(fd
, acl
) == ACL_ERROR
) {
831 perror("apply_default_acl_ex (acl_set_fd)");
838 if (defacl
!= (acl_t
)NULL
) {
841 if (fd
>= 0 && close(fd
) == CLOSE_ERROR
) {
842 perror("apply_default_acl_ex (close)");
851 * @brief The friendly interface to @c apply_default_acl_ex.
853 * The @c apply_default_acl_ex function holds the real implementation
854 * of this function, but it takes a weird second argument that most
855 * people won't care about (a stat structure). But, we use that
856 * argument for the recursive mode of the CLI, so it's there.
858 * If you don't have a stat structure for your @c path, use this instead.
861 * The path whose ACL we would like to reset to its default.
863 * @param no_exec_mask
864 * The value (either true or false) of the --no-exec-mask flag.
867 * - @c ACL_SUCCESS - The parent default ACL was inherited successfully.
868 * - @c ACL_FAILURE - If symlinks or hard links are encountered.
869 * or the parent of @c path is not a directory.
870 * - @c ACL_ERROR - Unexpected library error.
872 int apply_default_acl(const char* path
, bool no_exec_mask
) {
873 return apply_default_acl_ex(path
, NULL
, no_exec_mask
);