#include <errno.h> /* EINVAL, ELOOP, ENOTDIR, etc. */
#include <fcntl.h> /* openat() */
#include <libgen.h> /* basename(), dirname() */
+#include <limits.h> /* PATH_MAX */
#include <stdbool.h> /* the "bool" type */
#include <stdio.h> /* perror(), asprintf() */
#include <stdlib.h> /* free() */
#define XATTR_ERROR -1
+/* Prototypes */
+int safe_open_ex(int at_fd, char* pathname, int flags);
+int safe_open(const char* pathname, int flags);
+int acl_update_entry(acl_t aclp, acl_entry_t updated_entry);
+int acl_entry_count(acl_t acl);
+int acl_is_minimal(acl_t acl);
+int acl_execute_masked(acl_t acl);
+int any_can_execute(int fd, const struct stat* sp);
+int acl_copy_xattr(int src_fd,
+ acl_type_t src_type,
+ int dst_fd,
+ acl_type_t dst_type);
+int has_default_acl_fd(int fd);
+int apply_default_acl_fds(int parent_fd, int fd, bool recursive);
+int apply_default_acl(const char* path, bool recursive);
+
+
+
/**
* @brief The recursive portion of the @c safe_open function, used to
* open a file descriptor in a symlink-safe way when combined with
* @param aclp
* A pointer to the acl_t structure whose entry we want to update.
*
- * @param entry
- * The new entry.
+ * @param updated_entry
+ * An updated copy of an existing entry in @c aclp.
*
* @return
* - @c ACL_SUCCESS - If we update an existing entry.
* - @c ACL_FAILURE - If we don't find an entry to update.
* - @c ACL_ERROR - Unexpected library error.
*/
-int acl_update_entry(acl_t aclp, acl_entry_t entry) {
- if (aclp == NULL || entry == NULL) {
+int acl_update_entry(acl_t aclp, acl_entry_t updated_entry) {
+ if (aclp == NULL || updated_entry == NULL) {
errno = EINVAL;
perror("acl_update_entry (args)");
return ACL_ERROR;
}
- acl_tag_t entry_tag;
- if (acl_get_tag_type(entry, &entry_tag) == ACL_ERROR) {
+ acl_tag_t updated_tag;
+ if (acl_get_tag_type(updated_entry, &updated_tag) == ACL_ERROR) {
perror("acl_update_entry (acl_get_tag_type)");
return ACL_ERROR;
}
- acl_permset_t entry_permset;
- if (acl_get_permset(entry, &entry_permset) == ACL_ERROR) {
+ acl_permset_t updated_permset;
+ if (acl_get_permset(updated_entry, &updated_permset) == ACL_ERROR) {
perror("acl_update_entry (acl_get_permset)");
return ACL_ERROR;
}
+ /* This can allocate memory, so from here on out we have to jump to
+ the "cleanup" label to exit. */
+ void* updated_qualifier = acl_get_qualifier(updated_entry);
+ if (updated_qualifier == NULL &&
+ (updated_tag == ACL_USER || updated_tag == ACL_GROUP)) {
+ /* acl_get_qualifier() can return NULL, but it shouldn't for
+ ACL_USER or ACL_GROUP entries. */
+ perror("acl_update_entry (acl_get_qualifier)");
+ return ACL_ERROR;
+ }
+
+ /* Our return value. Default to failure, and change to success if we
+ actually update something. */
+ int result = ACL_FAILURE;
+
acl_entry_t existing_entry;
/* Loop through the given ACL looking for matching entries. */
- int result = acl_get_entry(aclp, ACL_FIRST_ENTRY, &existing_entry);
+ int get_entry_result = acl_get_entry(aclp, ACL_FIRST_ENTRY, &existing_entry);
- while (result == ACL_SUCCESS) {
+ while (get_entry_result == ACL_SUCCESS) {
acl_tag_t existing_tag = ACL_UNDEFINED_TAG;
if (acl_get_tag_type(existing_entry, &existing_tag) == ACL_ERROR) {
perror("set_acl_tag_permset (acl_get_tag_type)");
- return ACL_ERROR;
+ result = ACL_ERROR;
+ goto cleanup;
}
- if (existing_tag == entry_tag) {
- /* If we update something, we're done and return ACL_SUCCESS */
- if (acl_set_permset(existing_entry, entry_permset) == ACL_ERROR) {
- perror("acl_update_entry (acl_set_permset)");
- return ACL_ERROR;
+ if (existing_tag == updated_tag) {
+ /* Our tag types match, but if we have a named user or group
+ entry, then we need to check that the user/group (that is,
+ the qualifier) matches too. */
+ bool qualifiers_match = false;
+
+ /* There are three ways the qualifiers can match... */
+ void* existing_qualifier = acl_get_qualifier(existing_entry);
+ if (existing_qualifier == NULL) {
+ if (existing_tag == ACL_USER || existing_tag == ACL_GROUP) {
+ perror("acl_update_entry (acl_get_qualifier)");
+ result = ACL_ERROR;
+ goto cleanup;
+ }
+ else {
+ /* First, we could be dealing with an entry that isn't a
+ named user or group, in which case they "match
+ vacuously." */
+ qualifiers_match = true;
+ }
+ }
+
+ /* Second, they could have matching UIDs. We don't really need to
+ check both tags here, since we know that they're equal. However,
+ clang-tidy can't figure that out, and the redundant equality
+ check prevents it from complaining about a potential null pointer
+ dereference. */
+ if (updated_tag == ACL_USER && existing_tag == ACL_USER) {
+ qualifiers_match = ( *((uid_t*)existing_qualifier)
+ ==
+ *((uid_t*)updated_qualifier) );
+ }
+
+ /* Third, they could have matching GIDs. See above for why
+ we check the redundant condition existing_tag == ACL_GROUP. */
+ if (updated_tag == ACL_GROUP && existing_tag == ACL_GROUP) {
+ qualifiers_match = ( *((gid_t*)existing_qualifier)
+ ==
+ *((gid_t*)updated_qualifier) );
}
- return ACL_SUCCESS;
+ /* Be sure to free this inside the loop, where memory is allocated. */
+ acl_free(existing_qualifier);
+
+ if (qualifiers_match) {
+ /* If we update something, we're done and return ACL_SUCCESS */
+ if (acl_set_permset(existing_entry, updated_permset) == ACL_ERROR) {
+ perror("acl_update_entry (acl_set_permset)");
+ result = ACL_ERROR;
+ goto cleanup;
+ }
+
+ result = ACL_SUCCESS;
+ goto cleanup;
+ }
}
- result = acl_get_entry(aclp, ACL_NEXT_ENTRY, &existing_entry);
+ get_entry_result = acl_get_entry(aclp, ACL_NEXT_ENTRY, &existing_entry);
}
/* This catches both the initial acl_get_entry and the ones at the
end of the loop. */
- if (result == ACL_ERROR) {
+ if (get_entry_result == ACL_ERROR) {
perror("acl_update_entry (acl_get_entry)");
- return ACL_ERROR;
+ result = ACL_ERROR;
}
- return ACL_FAILURE;
+ cleanup:
+ acl_free(updated_qualifier);
+ return result;
}
return ACL_ERROR;
}
char* src_acl_p = alloca(src_size_guess);
- /* The actual size may be smaller than our guess? I don't know. */
- ssize_t src_size = fgetxattr(src_fd, src_name, src_acl_p, src_size_guess);
+ /* The actual size may be smaller than our guess? I don't know. The
+ return value from fgetxattr() will either be nonnegative, or
+ XATTR_ERROR (which we've already ruled out), so it's safe to cast
+ it to an unsigned size_t here to avoid a compiler warning. */
+ ssize_t src_size = fgetxattr(src_fd,
+ src_name,
+ src_acl_p,
+ (size_t)src_size_guess);
if (src_size == XATTR_ERROR) {
if (errno == ENODATA) {
/* A missing ACL isn't an error. */
return ACL_ERROR;
}
- if (fsetxattr(dst_fd, dst_name, src_acl_p, src_size, 0) == XATTR_ERROR) {
+ /* See above: src_size must be nonnegative at this point,so we cast
+ it to size_t to avoid a compiler warning. */
+ if (fsetxattr(dst_fd,
+ dst_name,
+ src_acl_p,
+ (size_t)src_size,
+ 0)
+ == XATTR_ERROR) {
perror("acl_copy_xattr (fsetxattr)");
return ACL_ERROR;
}
* @param fd
* The file descriptor that should inherit its parent's default ACL.
*
- * @param no_exec_mask
- * The value (either true or false) of the --no-exec-mask flag.
- *
* @param recursive
* Should we recurse into subdirectories?
*
* - @c ACL_FAILURE - If symlinks or hard links are encountered.
* - @c ACL_ERROR - Unexpected library error.
*/
-int apply_default_acl_fds(int parent_fd,
- int fd,
- bool no_exec_mask,
- bool recursive) {
+int apply_default_acl_fds(int parent_fd, int fd, bool recursive) {
int result = ACL_SUCCESS;
/* The new ACL for this path */
}
- /* Default to not masking the exec bit; i.e. applying the default
- ACL literally. If --no-exec-mask was not specified, then we try
- to "guess" whether or not to mask the exec bit. This behavior
- is modeled after the capital 'X' perms of setfacl. */
- bool allow_exec = true;
+ /* Next We try to guess whether or not to strip the execute bits.
+ * This behavior is modeled after the capital 'X' perms of setfacl.
+ */
+ int ace_result = any_can_execute(fd, &s);
- if (!no_exec_mask) {
- /* Never mask the execute bit on directories. */
- int ace_result = any_can_execute(fd,&s) || S_ISDIR(s.st_mode);
+ if (ace_result == ACL_ERROR) {
+ perror("apply_default_acl_fds (any_can_execute)");
+ result = ACL_ERROR;
+ goto cleanup;
+ }
- if (ace_result == ACL_ERROR) {
- perror("apply_default_acl_fds (any_can_execute)");
- result = ACL_ERROR;
- goto cleanup;
- }
+ /* Never mask the execute bit on directories. */
+ bool allow_exec = (bool)ace_result || S_ISDIR(s.st_mode);
- allow_exec = (bool)ace_result;
- }
/* If it's a directory, inherit the parent's default. */
if (S_ISDIR(s.st_mode)) {
continue;
}
}
- switch (apply_default_acl_fds(fd, new_fd, no_exec_mask, recursive)) {
+ switch (apply_default_acl_fds(fd, new_fd, recursive)) {
/* Don't overwrite an error result with success/failure. */
case ACL_FAILURE:
if (result == ACL_SUCCESS) {
* @param path
* The path whose ACL we would like to reset to its default.
*
- * @param no_exec_mask
- * The value (either true or false) of the --no-exec-mask flag.
- *
* @param recursive
* Should we recurse into subdirectories?
*
* - @c ACL_FAILURE - If symlinks or hard links are encountered.
* - @c ACL_ERROR - Unexpected library error.
*/
-int apply_default_acl(const char* path, bool no_exec_mask, bool recursive) {
+int apply_default_acl(const char* path, bool recursive) {
if (path == NULL) {
errno = EINVAL;
return ACL_ERROR;
}
char* parent = dirname(dirname_path_copy);
+
+ basename_path_copy = strdup(path);
+ if (basename_path_copy == NULL) {
+ perror("apply_default_acl (strdup)");
+ result = ACL_ERROR;
+ goto cleanup;
+ }
+ char* child = basename(basename_path_copy);
+
+ /* Just kidding, if the path is "." or "..", then dirname will do
+ * the wrong thing and give us "." as its parent, too. So, we handle
+ * those as special cases. We use "child" instead of "path" here to
+ * catch things like "./" and "../"
+ */
+ bool path_is_dots = strcmp(child, ".") == 0 || strcmp(child, "..") == 0;
+ char dots_parent[6] = "../";
+ if (path_is_dots) {
+ /* We know that "child" contains no more than two characters here, and
+ using strncat to enforce that belief keeps clang-tidy happy. */
+ parent = strncat(dots_parent, child, 2);
+ }
+
parent_fd = safe_open(parent, O_DIRECTORY | O_NOFOLLOW);
+
if (parent_fd == OPEN_ERROR) {
if (errno == ELOOP || errno == ENOTDIR) {
/* We hit a symlink, either in the last path component (ELOOP)
}
/* We already obtained the parent fd safely, so if we use the
- basename of path here instead of the full thing, then we can get
- away with using openat() and spare ourselves the slowness of
- another safe_open(). */
- basename_path_copy = strdup(path);
- if (basename_path_copy == NULL) {
- perror("apply_default_acl (strdup)");
- return ACL_ERROR;
+ * basename of path here instead of the full thing, then we can get
+ * away with using openat() and spare ourselves the slowness of
+ * another safe_open().
+ *
+ * Note that if the basename is "." or "..", then we don't want to
+ * open it relative to the parent_fd, so we need another special
+ * case for those paths here.
+ */
+ if (path_is_dots) {
+ fd = open(child, O_NOFOLLOW);
+ }
+ else {
+ fd = openat(parent_fd, child, O_NOFOLLOW);
}
- fd = openat(parent_fd, basename(basename_path_copy), O_NOFOLLOW);
if (fd == OPEN_ERROR) {
if (errno == ELOOP || errno == ENOTDIR) {
/* We hit a symlink, either in the last path component (ELOOP)
}
}
- result = apply_default_acl_fds(parent_fd, fd, no_exec_mask, recursive);
+ result = apply_default_acl_fds(parent_fd, fd, recursive);
cleanup:
free(dirname_path_copy);