X-Git-Url: https://gitweb.michael.orlitzky.com/?a=blobdiff_plain;f=src%2Fapply-default-acl.c;h=19505282c2acda17960281e966a9d347a5bc1611;hb=5a1f29cb6c306e9d8b19c4b3d964c4a05c0bc27d;hp=b279814df45d747f727a78ead4b8835edd0b447e;hpb=6c033a0444deb72dbe606b12a2c1c86b77275634;p=apply-default-acl.git diff --git a/src/apply-default-acl.c b/src/apply-default-acl.c index b279814..1950528 100644 --- a/src/apply-default-acl.c +++ b/src/apply-default-acl.c @@ -10,6 +10,7 @@ #define _GNU_SOURCE #include +#include /* AT_FOO constants */ #include /* nftw() et al. */ #include #include /* dirname() */ @@ -33,10 +34,6 @@ #define ACL_SUCCESS 1 -/* Command-line options */ -static bool no_exec_mask = false; - - /** * @brief Get the mode bits from the given path. @@ -54,13 +51,13 @@ mode_t get_mode(const char* path) { } struct stat s; - int result = stat(path, &s); + int result = lstat(path, &s); if (result == 0) { return s.st_mode; } else { - /* errno will be set already by stat() */ + /* errno will be set already by lstat() */ return result; } } @@ -81,7 +78,7 @@ bool is_regular_file(const char* path) { } struct stat s; - int result = stat(path, &s); + int result = lstat(path, &s); if (result == 0) { return S_ISREG(s.st_mode); } @@ -92,6 +89,42 @@ bool is_regular_file(const char* path) { +/** + * @brief Determine whether or not the given path is accessible. + * + * @param path + * The path to test. + * + * @return true if @c path is accessible to the current effective + * user/group, false otherwise. + */ +bool path_accessible(const char* path) { + if (path == NULL) { + return false; + } + + /* Test for access using the effective user and group rather than + the real one. */ + int flags = AT_EACCESS; + + /* Don't follow symlinks when checking for a path's existence, + since we won't follow them to set its ACLs either. */ + flags |= AT_SYMLINK_NOFOLLOW; + + /* If the path is relative, interpret it relative to the current + working directory (just like the access() system call). */ + int result = faccessat(AT_FDCWD, path, F_OK, flags); + + if (result == 0) { + return true; + } + else { + return false; + } +} + + + /** * @brief Determine whether or not the given path is a directory. * @@ -106,7 +139,7 @@ bool is_directory(const char* path) { } struct stat s; - int result = stat(path, &s); + int result = lstat(path, &s); if (result == 0) { return S_ISDIR(s.st_mode); } @@ -384,6 +417,7 @@ int acl_execute_masked(const char* path) { } + /** * @brief Determine whether @c path is executable (by anyone) or a * directory. @@ -439,6 +473,23 @@ int any_can_execute_or_dir(const char* path) { int ge_result = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry); while (ge_result == ACL_SUCCESS) { + /* The first thing we do is check to see if this is a mask + entry. If it is, we skip it entirely. */ + acl_tag_t tag = ACL_UNDEFINED_TAG; + int tag_result = acl_get_tag_type(entry, &tag); + + if (tag_result == ACL_ERROR) { + perror("any_can_execute_or_dir (acl_get_tag_type)"); + result = ACL_ERROR; + goto cleanup; + } + + if (tag == ACL_MASK) { + ge_result = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry); + continue; + } + + /* Ok, so it's not a mask entry. Check the execute perms. */ acl_permset_t permset; int ps_result = acl_get_permset(entry, &permset); @@ -456,7 +507,7 @@ int any_can_execute_or_dir(const char* path) { } if (gp_result == ACL_SUCCESS) { - /* Only return one if this execute bit is not masked. */ + /* Only return ACL_SUCCESS if this execute bit is not masked. */ if (acl_execute_masked(path) != ACL_SUCCESS) { result = ACL_SUCCESS; goto cleanup; @@ -611,13 +662,16 @@ int wipe_acls(const char* path) { * @param path * The path whose ACL we would like to reset to its default. * + * @param no_exec_mask + * The value (either true or false) of the --no-exec-mask flag. + * * @return * - @c ACL_SUCCESS - The parent default ACL was inherited successfully. * - @c ACL_FAILURE - The target path is not a regular file/directory, * or the parent of @c path is not a directory. * - @c ACL_ERROR - Unexpected library error. */ -int apply_default_acl(const char* path) { +int apply_default_acl(const char* path, bool no_exec_mask) { if (path == NULL) { errno = ENOENT; @@ -777,7 +831,7 @@ int apply_default_acl(const char* path) { * The program name to use in the output. * */ -void usage(char* program_name) { +void usage(const char* program_name) { printf("Apply any applicable default ACLs to the given files or " "directories.\n\n"); printf("Usage: %s [flags] [ [ ...]]\n\n", @@ -807,7 +861,30 @@ int apply_default_acl_nftw(const char *target, int info, struct FTW *ftw) { - bool app_result = apply_default_acl(target); + bool app_result = apply_default_acl(target, false); + if (app_result) { + return FTW_CONTINUE; + } + else { + return FTW_STOP; + } +} + + + +/** + * @brief Wrapper around @c apply_default_acl() for use with @c nftw(). + * + * This is identical to @c apply_default_acl_nftw(), except it passes + * @c true to @c apply_default_acl() as its no_exec_mask argument. + * + */ +int apply_default_acl_nftw_x(const char *target, + const struct stat *s, + int info, + struct FTW *ftw) { + + bool app_result = apply_default_acl(target, true); if (app_result) { return FTW_CONTINUE; } @@ -827,6 +904,12 @@ int apply_default_acl_nftw(const char *target, * * We ignore symlinks for consistency with chmod -r. * + * @param target + * The root (path) of the recursive application. + * + * @param no_exec_mask + * The value (either true or false) of the --no-exec-mask flag. + * * @return * If @c target is not a directory, we return the result of * calling @c apply_default_acl() on @c target. Otherwise, we convert @@ -836,19 +919,24 @@ int apply_default_acl_nftw(const char *target, * If there is an error, it will be reported via @c perror, but * we still return @c false. */ -bool apply_default_acl_recursive(const char *target) { +bool apply_default_acl_recursive(const char *target, bool no_exec_mask) { if (!is_directory(target)) { - return apply_default_acl(target); + return apply_default_acl(target, no_exec_mask); } int max_levels = 256; int flags = FTW_PHYS; /* Don't follow links. */ - int nftw_result = nftw(target, - apply_default_acl_nftw, - max_levels, - flags); + /* There are two separate functions that could be passed to + nftw(). One passes no_exec_mask = true to apply_default_acl(), + and the other passes no_exec_mask = false. Since the function we + pass to nftw() cannot have parameters, we have to create separate + options and make the decision here. */ + int (*fn)(const char *, const struct stat *, int, struct FTW *) = NULL; + fn = no_exec_mask ? apply_default_acl_nftw_x : apply_default_acl_nftw; + + int nftw_result = nftw(target, fn, max_levels, flags); if (nftw_result == 0) { /* Success */ @@ -884,7 +972,7 @@ int main(int argc, char* argv[]) { } bool recursive = false; - /* bool no_exec_mask is declared static/global */ + bool no_exec_mask = false; struct option long_options[] = { /* These options set a flag. */ @@ -920,12 +1008,23 @@ int main(int argc, char* argv[]) { const char* target = argv[arg_index]; bool reapp_result = false; + /* Make sure we can access the given path before we go out of our + * way to please it. Doing this check outside of + * apply_default_acl() lets us spit out a better error message for + * typos, too. + */ + if (!path_accessible(target)) { + fprintf(stderr, "%s: %s: No such file or directory\n", argv[0], target); + result = EXIT_FAILURE; + continue; + } + if (recursive) { - reapp_result = apply_default_acl_recursive(target); + reapp_result = apply_default_acl_recursive(target, no_exec_mask); } else { - /* It's either normal file, or we're not operating recursively. */ - reapp_result = apply_default_acl(target); + /* It's either a normal file, or we're not operating recursively. */ + reapp_result = apply_default_acl(target, no_exec_mask); } if (!reapp_result) {