4 * @brief The adacl (apply default acl) shared library.
8 /* Enables get_current_dir_name() in unistd.h */
11 #include <errno.h> /* ELOOP, EINVAL, etc. */
12 #include <fcntl.h> /* openat() */
13 #include <libgen.h> /* basename(), dirname() */
14 #include <limits.h> /* PATH_MAX */
15 #include <stdbool.h> /* the "bool" type */
16 #include <stdio.h> /* perror(), snprintf() */
17 #include <stdlib.h> /* free() */
18 #include <string.h> /* strdup() */
19 #include <sys/stat.h> /* fstat() */
20 #include <unistd.h> /* get_current_dir_name() */
23 #include <acl/libacl.h> /* acl_get_perm, not portable */
24 #include <sys/acl.h> /* all other acl_foo functions */
29 /* Even though most other library functions reliably return -1 for
30 * error, it feels a little wrong to re-use the ACL_ERROR constant.
32 #define CLOSE_ERROR -1
34 #define SNPRINTF_ERROR -1
39 * @brief The recursive portion of the @c safe_open function, used to
40 * open a file descriptor in a symlink-safe way when combined with
41 * the @c O_NOFOLLOW flag.
43 * The @c O_PATH flag is not used because we want to fail upon
44 * encountering any symlinks.
47 * A file descriptor relative to which @c pathname will be opened.
50 * The path to the file/directory/whatever whose descriptor you want.
53 * File status flags to be passed to @c openat.
55 * @return a file descriptor for @c pathname if everything goes well,
56 * and @c OPEN_ERROR if not.
58 int safe_open_ex(int at_fd
, char* pathname
, int flags
) {
59 if (pathname
== NULL
) {
61 perror("safe_open_ex (args)");
65 if (strlen(pathname
) == 0) {
66 /* Oops, went one level to deep with nothing to do. */
70 char* firstslash
= strchr(pathname
, '/');
71 if (firstslash
== NULL
) {
72 /* No more slashes, this is the base case. */
73 int r
= openat(at_fd
, pathname
, flags
);
77 /* Temporarily disable the slash, so that the subsequent call to
78 openat() opens only the next directory (and doesn't recurse). */
80 int fd
= safe_open_ex(at_fd
, pathname
, flags
);
81 if (fd
== OPEN_ERROR
) {
83 /* Don't output anything if we ignore a symlink */
84 perror("safe_open_ex (safe_open_ex)");
89 /* The ++ is safe because there needs to be at least a null byte
90 after the first slash, even if it's the last real character in
92 int result
= safe_open_ex(fd
, firstslash
+1, flags
);
93 if (close(fd
) == CLOSE_ERROR
) {
94 perror("safe_open_ex (close)");
102 * @brief A version of @c open that is completely symlink-safe when
103 * used with the @c O_NOFOLLOW flag.
105 * The @c openat function exists to ensure that you can anchor one
106 * path to a particular directory while opening it; however, if you
107 * open "b/c/d" relative to "/a", then even the @c openat function will
108 * still follow symlinks in the "b" component. This can be exploited
109 * by an attacker to make you open the wrong path.
111 * To avoid that problem, this function uses a recursive
112 * implementation that opens every path from the root, one level at a
113 * time. So "a" is opened relative to "/", and then "b" is opened
114 * relative to "/a", and then "c" is opened relative to "/a/b",
115 * etc. When the @c O_NOFOLLOW flag is used, this approach ensures
116 * that no symlinks in any component are followed.
119 * The path to the file/directory/whatever whose descriptor you want.
122 * File status flags to be passed to @c openat.
124 * @return a file descriptor for @c pathname if everything goes well,
125 * and @c OPEN_ERROR if not.
127 int safe_open(const char* pathname
, int flags
) {
128 if (pathname
== NULL
|| strlen(pathname
) == 0 || pathname
[0] == '\0') {
130 perror("safe_open (args)");
134 char abspath
[PATH_MAX
];
135 int snprintf_result
= 0;
136 if (strchr(pathname
, '/') == pathname
) {
137 /* pathname is already absolute; just copy it. */
138 snprintf_result
= snprintf(abspath
, PATH_MAX
, "%s", pathname
);
141 /* Concatenate the current working directory and pathname into an
142 * absolute path. We use realpath() ONLY on the cwd part, and not
143 * on the pathname part, because realpath() resolves symlinks. And
144 * the whole point of all this crap is to avoid following symlinks
147 * Using realpath() on the cwd lets us operate on relative paths
148 * while we're sitting in a directory that happens to have a
149 * symlink in it; for example: cd /var/run && apply-default-acl foo.
151 char* cwd
= get_current_dir_name();
153 perror("safe_open (get_current_dir_name)");
157 char abs_cwd
[PATH_MAX
];
158 if (realpath(cwd
, abs_cwd
) == NULL
) {
159 perror("safe_open (realpath)");
163 snprintf_result
= snprintf(abspath
, PATH_MAX
, "%s/%s", abs_cwd
, pathname
);
166 if (snprintf_result
== SNPRINTF_ERROR
|| snprintf_result
> PATH_MAX
) {
167 perror("safe_open (snprintf)");
171 int fd
= open("/", flags
);
172 if (fd
== OPEN_ERROR
) {
173 perror("safe_open (open)");
177 if (strcmp(abspath
, "/") == 0) {
181 int result
= safe_open_ex(fd
, abspath
+1, flags
);
182 if (close(fd
) == CLOSE_ERROR
) {
183 perror("safe_open (close)");
193 * @brief Update (or create) an entry in an @b minimal ACL.
195 * This function will not work if @c aclp contains extended
196 * entries. This is fine for our purposes, since we call @c wipe_acls
197 * on each path before applying the default to it.
199 * The assumption that there are no extended entries makes things much
200 * simpler. For example, we only have to update the @c ACL_USER_OBJ,
201 * @c ACL_GROUP_OBJ, and @c ACL_OTHER entries -- all others can simply
202 * be created anew. This means we don't have to fool around comparing
203 * named-user/group entries.
206 * A pointer to the acl_t structure whose entry we want to modify.
209 * The new entry. If @c entry contains a user/group/other entry, we
210 * update the existing one. Otherwise we create a new entry.
212 * @return If there is an unexpected library error, @c ACL_ERROR is
213 * returned. Otherwise, @c ACL_SUCCESS.
216 int acl_set_entry(acl_t
* aclp
, acl_entry_t entry
) {
217 if (aclp
== NULL
|| entry
== NULL
) {
219 perror("acl_set_entry (args)");
224 if (acl_get_tag_type(entry
, &entry_tag
) == ACL_ERROR
) {
225 perror("acl_set_entry (acl_get_tag_type)");
229 acl_permset_t entry_permset
;
230 if (acl_get_permset(entry
, &entry_permset
) == ACL_ERROR
) {
231 perror("acl_set_entry (acl_get_permset)");
235 acl_entry_t existing_entry
;
236 /* Loop through the given ACL looking for matching entries. */
237 int result
= acl_get_entry(*aclp
, ACL_FIRST_ENTRY
, &existing_entry
);
239 while (result
== ACL_SUCCESS
) {
240 acl_tag_t existing_tag
= ACL_UNDEFINED_TAG
;
242 if (acl_get_tag_type(existing_entry
, &existing_tag
) == ACL_ERROR
) {
243 perror("set_acl_tag_permset (acl_get_tag_type)");
247 if (existing_tag
== entry_tag
) {
248 if (entry_tag
== ACL_USER_OBJ
||
249 entry_tag
== ACL_GROUP_OBJ
||
250 entry_tag
== ACL_OTHER
) {
251 /* Only update for these three since all other tags will have
252 been wiped. These three are guaranteed to exist, so if we
253 match one of them, we're allowed to return ACL_SUCCESS
254 below and bypass the rest of the function. */
255 acl_permset_t existing_permset
;
256 if (acl_get_permset(existing_entry
, &existing_permset
) == ACL_ERROR
) {
257 perror("acl_set_entry (acl_get_permset)");
261 if (acl_set_permset(existing_entry
, entry_permset
) == ACL_ERROR
) {
262 perror("acl_set_entry (acl_set_permset)");
271 result
= acl_get_entry(*aclp
, ACL_NEXT_ENTRY
, &existing_entry
);
274 /* This catches both the initial acl_get_entry and the ones at the
276 if (result
== ACL_ERROR
) {
277 perror("acl_set_entry (acl_get_entry)");
281 /* If we've made it this far, we need to add a new entry to the
283 acl_entry_t new_entry
;
285 /* The acl_create_entry() function can allocate new memory and/or
286 * change the location of the ACL structure entirely. When that
287 * happens, the value pointed to by aclp is updated, which means
288 * that a new acl_t gets "passed out" to our caller, eventually to
289 * be fed to acl_free(). In other words, we should still be freeing
290 * the right thing, even if the value pointed to by aclp changes.
292 if (acl_create_entry(aclp
, &new_entry
) == ACL_ERROR
) {
293 perror("acl_set_entry (acl_create_entry)");
297 if (acl_set_tag_type(new_entry
, entry_tag
) == ACL_ERROR
) {
298 perror("acl_set_entry (acl_set_tag_type)");
302 if (acl_set_permset(new_entry
, entry_permset
) == ACL_ERROR
) {
303 perror("acl_set_entry (acl_set_permset)");
307 if (entry_tag
== ACL_USER
|| entry_tag
== ACL_GROUP
) {
308 /* We need to set the qualifier too. */
309 void* entry_qual
= acl_get_qualifier(entry
);
310 if (entry_qual
== (void*)NULL
) {
311 perror("acl_set_entry (acl_get_qualifier)");
315 if (acl_set_qualifier(new_entry
, entry_qual
) == ACL_ERROR
) {
316 perror("acl_set_entry (acl_set_qualifier)");
327 * @brief Determine the number of entries in the given ACL.
330 * The ACL to inspect.
332 * @return Either the non-negative number of entries in @c acl, or
333 * @c ACL_ERROR on error.
335 int acl_entry_count(acl_t acl
) {
339 int result
= acl_get_entry(acl
, ACL_FIRST_ENTRY
, &entry
);
341 while (result
== ACL_SUCCESS
) {
343 result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
346 if (result
== ACL_ERROR
) {
347 perror("acl_entry_count (acl_get_entry)");
357 * @brief Determine whether or not the given ACL is minimal.
359 * An ACL is minimal if it has fewer than four entries.
362 * The ACL whose minimality is in question.
365 * - @c ACL_SUCCESS - @c acl is minimal
366 * - @c ACL_FAILURE - @c acl is not minimal
367 * - @c ACL_ERROR - Unexpected library error
369 int acl_is_minimal(acl_t acl
) {
372 perror("acl_is_minimal (args)");
376 int ec
= acl_entry_count(acl
);
378 if (ec
== ACL_ERROR
) {
379 perror("acl_is_minimal (acl_entry_count)");
394 * @brief Determine whether the given ACL's mask denies execute.
397 * The ACL whose mask we want to check.
400 * - @c ACL_SUCCESS - The @c acl has a mask which denies execute.
401 * - @c ACL_FAILURE - The @c acl has a mask which does not deny execute.
402 * - @c ACL_ERROR - Unexpected library error.
404 int acl_execute_masked(acl_t acl
) {
407 perror("acl_execute_masked (args)");
412 int ge_result
= acl_get_entry(acl
, ACL_FIRST_ENTRY
, &entry
);
414 while (ge_result
== ACL_SUCCESS
) {
415 acl_tag_t tag
= ACL_UNDEFINED_TAG
;
417 if (acl_get_tag_type(entry
, &tag
) == ACL_ERROR
) {
418 perror("acl_execute_masked (acl_get_tag_type)");
422 if (tag
== ACL_MASK
) {
423 /* This is the mask entry, get its permissions, and see if
424 execute is specified. */
425 acl_permset_t permset
;
427 if (acl_get_permset(entry
, &permset
) == ACL_ERROR
) {
428 perror("acl_execute_masked (acl_get_permset)");
432 int gp_result
= acl_get_perm(permset
, ACL_EXECUTE
);
433 if (gp_result
== ACL_ERROR
) {
434 perror("acl_execute_masked (acl_get_perm)");
438 if (gp_result
== ACL_FAILURE
) {
439 /* No execute bit set in the mask; execute not allowed. */
444 ge_result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
453 * @brief Determine whether @c fd is executable by anyone.
456 * This is used as part of the heuristic to determine whether or not
457 * we should mask the execute bit when inheriting an ACL. If @c fd
458 * describes a file, we check the @a effective permissions, contrary
459 * to what setfacl does.
462 * The file descriptor to check.
465 * A pointer to a stat structure for @c fd.
468 * - @c ACL_SUCCESS - Someone has effective execute permissions on @c fd.
469 * - @c ACL_FAILURE - Nobody can execute @c fd.
470 * - @c ACL_ERROR - Unexpected library error.
472 int any_can_execute(int fd
, const struct stat
* sp
) {
475 perror("any_can_execute (args)");
479 acl_t acl
= acl_get_fd(fd
);
481 if (acl
== (acl_t
)NULL
) {
482 perror("any_can_execute (acl_get_file)");
486 /* Our return value. */
487 int result
= ACL_FAILURE
;
489 if (acl_is_minimal(acl
)) {
490 if (sp
->st_mode
& (S_IXUSR
| S_IXOTH
| S_IXGRP
)) {
491 result
= ACL_SUCCESS
;
495 result
= ACL_FAILURE
;
501 int ge_result
= acl_get_entry(acl
, ACL_FIRST_ENTRY
, &entry
);
503 while (ge_result
== ACL_SUCCESS
) {
504 /* The first thing we do is check to see if this is a mask
505 entry. If it is, we skip it entirely. */
506 acl_tag_t tag
= ACL_UNDEFINED_TAG
;
508 if (acl_get_tag_type(entry
, &tag
) == ACL_ERROR
) {
509 perror("any_can_execute_or (acl_get_tag_type)");
514 if (tag
== ACL_MASK
) {
515 ge_result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
519 /* Ok, so it's not a mask entry. Check the execute perms. */
520 acl_permset_t permset
;
522 if (acl_get_permset(entry
, &permset
) == ACL_ERROR
) {
523 perror("any_can_execute_or (acl_get_permset)");
528 int gp_result
= acl_get_perm(permset
, ACL_EXECUTE
);
529 if (gp_result
== ACL_ERROR
) {
530 perror("any_can_execute (acl_get_perm)");
535 if (gp_result
== ACL_SUCCESS
) {
536 /* Only return ACL_SUCCESS if this execute bit is not masked. */
537 if (acl_execute_masked(acl
) != ACL_SUCCESS
) {
538 result
= ACL_SUCCESS
;
543 ge_result
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &entry
);
546 if (ge_result
== ACL_ERROR
) {
547 perror("any_can_execute (acl_get_entry)");
560 * @brief Set @c acl as the default ACL on @c path.
562 * This overwrites any existing default ACL on @c path. If @c path is
563 * not a directory, we return ACL_ERROR and @c errno is set.
566 * The target directory whose ACL we wish to replace or create.
569 * The ACL to set as default on @c path.
572 * - @c ACL_SUCCESS - The default ACL was assigned successfully.
573 * - @c ACL_ERROR - Unexpected library error.
575 int assign_default_acl(const char* path
, acl_t acl
) {
576 if (path
== NULL
|| acl
== NULL
) {
578 perror("assign_default_acl (args)");
582 /* Our return value; success unless something bad happens. */
583 int result
= ACL_SUCCESS
;
584 acl_t path_acl
= acl_dup(acl
);
586 if (path_acl
== (acl_t
)NULL
) {
587 perror("assign_default_acl (acl_dup)");
588 return ACL_ERROR
; /* Nothing to clean up in this case. */
591 if (acl_set_file(path
, ACL_TYPE_DEFAULT
, path_acl
) == ACL_ERROR
) {
592 perror("assign_default_acl (acl_set_file)");
603 * @brief Remove all @c ACL_TYPE_ACCESS entries from the given file
604 * descriptor, leaving the UNIX permission bits.
607 * The file descriptor whose ACLs we want to wipe.
610 * - @c ACL_SUCCESS - The ACLs were wiped successfully, or none
611 * existed in the first place.
612 * - @c ACL_ERROR - Unexpected library error.
614 int wipe_acls(int fd
) {
615 /* Initialize an empty ACL, and then overwrite the one on "fd" with it. */
616 acl_t empty_acl
= acl_init(0);
618 if (empty_acl
== (acl_t
)NULL
) {
619 perror("wipe_acls (acl_init)");
623 if (acl_set_fd(fd
, empty_acl
) == ACL_ERROR
) {
624 perror("wipe_acls (acl_set_fd)");
636 * @brief Apply parent default ACL to a path.
638 * This overwrites any existing ACLs on @c path.
641 * The path whose ACL we would like to reset to its default.
644 * A pointer to a stat structure for @c path, or @c NULL if you don't
647 * @param no_exec_mask
648 * The value (either true or false) of the --no-exec-mask flag.
651 * - @c ACL_SUCCESS - The parent default ACL was inherited successfully.
652 * - @c ACL_FAILURE - If symlinks or hard links are encountered.
653 * - @c ACL_ERROR - Unexpected library error.
655 int apply_default_acl_ex(const char* path
,
656 const struct stat
* sp
,
661 perror("apply_default_acl_ex (args)");
665 /* Define these next three variables here because we may have to
666 * jump to the cleanup routine which expects them to exist.
669 /* Our return value. */
670 int result
= ACL_SUCCESS
;
672 /* The default ACL on path's parent directory */
673 acl_t defacl
= (acl_t
)NULL
;
675 /* The file descriptor corresponding to "path" */
678 /* Get the parent directory of "path" with dirname(), which happens
679 * to murder its argument and necessitates a path_copy.
681 char* path_copy
= strdup(path
);
682 if (path_copy
== NULL
) {
683 perror("apply_default_acl_ex (strdup)");
686 char* parent
= dirname(path_copy
);
688 fd
= safe_open(path
, O_NOFOLLOW
);
689 if (fd
== OPEN_ERROR
) {
690 if (errno
== ELOOP
) {
691 result
= ACL_FAILURE
; /* hit a symlink */
695 perror("apply_default_acl_ex (open fd)");
702 /* Refuse to operate on hard links, which can be abused by an
703 * attacker to trick us into changing the ACL on a file we didn't
704 * intend to; namely the "target" of the hard link. There is TOCTOU
705 * race condition here, but the window is as small as possible
706 * between when we open the file descriptor (look above) and when we
709 * Note: we only need to call fstat ourselves if we weren't passed a
710 * valid pointer to a stat structure (nftw does that).
714 if (fstat(fd
, &s
) == STAT_ERROR
) {
715 perror("apply_default_acl_ex (fstat)");
722 if (!S_ISDIR(sp
->st_mode
)) {
723 /* If it's not a directory, make sure it's a regular,
724 non-hard-linked file. */
725 if (!S_ISREG(sp
->st_mode
) || sp
->st_nlink
!= 1) {
726 result
= ACL_FAILURE
;
732 /* Default to not masking the exec bit; i.e. applying the default
733 ACL literally. If --no-exec-mask was not specified, then we try
734 to "guess" whether or not to mask the exec bit. This behavior
735 is modeled after the capital 'X' perms of setfacl. */
736 bool allow_exec
= true;
739 /* Never mask the execute bit on directories. */
740 int ace_result
= any_can_execute(fd
,sp
) || S_ISDIR(sp
->st_mode
);
742 if (ace_result
== ACL_ERROR
) {
743 perror("apply_default_acl_ex (any_can_execute)");
748 allow_exec
= (bool)ace_result
;
751 defacl
= acl_get_file(parent
, ACL_TYPE_DEFAULT
);
753 if (defacl
== (acl_t
)NULL
) {
754 perror("apply_default_acl_ex (acl_get_file)");
759 if (wipe_acls(fd
) == ACL_ERROR
) {
760 perror("apply_default_acl_ex (wipe_acls)");
765 /* Do this after wipe_acls(), otherwise we'll overwrite the wiped
766 ACL with this one. */
767 acl_t acl
= acl_get_fd(fd
);
768 if (acl
== (acl_t
)NULL
) {
769 perror("apply_default_acl_ex (acl_get_fd)");
774 /* If it's a directory, inherit the parent's default. We sure hope
775 * that "path" still points to the same thing that "fd" and this
776 * "sp" describe. If not, we may wind up trying to set a default ACL
777 * on a file, and this will throw an error. I guess that's what we
780 if (S_ISDIR(sp
->st_mode
) && assign_default_acl(path
, defacl
) == ACL_ERROR
) {
781 perror("apply_default_acl_ex (assign_default_acl)");
787 int ge_result
= acl_get_entry(defacl
, ACL_FIRST_ENTRY
, &entry
);
789 while (ge_result
== ACL_SUCCESS
) {
790 acl_tag_t tag
= ACL_UNDEFINED_TAG
;
792 if (acl_get_tag_type(entry
, &tag
) == ACL_ERROR
) {
793 perror("apply_default_acl_ex (acl_get_tag_type)");
799 /* We've got an entry/tag from the default ACL. Get its permset. */
800 acl_permset_t permset
;
801 if (acl_get_permset(entry
, &permset
) == ACL_ERROR
) {
802 perror("apply_default_acl_ex (acl_get_permset)");
807 /* If this is a default mask, fix it up. */
808 if (tag
== ACL_MASK
||
809 tag
== ACL_USER_OBJ
||
810 tag
== ACL_GROUP_OBJ
||
814 /* The mask doesn't affect acl_user_obj, acl_group_obj (in
815 minimal ACLs) or acl_other entries, so if execute should be
816 masked, we have to do it manually. */
817 if (acl_delete_perm(permset
, ACL_EXECUTE
) == ACL_ERROR
) {
818 perror("apply_default_acl_ex (acl_delete_perm)");
823 if (acl_set_permset(entry
, permset
) == ACL_ERROR
) {
824 perror("apply_default_acl_ex (acl_set_permset)");
831 /* Finally, add the permset to the access ACL. It's actually
832 * important that we pass in the address of "acl" here, and not
833 * "acl" itself. Why? The call to acl_create_entry() within
834 * acl_set_entry() can allocate new memory for the entry.
835 * Sometimes that can be done in-place, in which case everything
836 * is cool and the new memory gets released when we call
839 * But occasionally, the whole ACL structure will have to be moved
840 * in order to allocate the extra space. When that happens,
841 * acl_create_entry() modifies the pointer it was passed (in this
842 * case, &acl) to point to the new location. We want to call
843 * acl_free() on the new location, and since acl_free() gets
844 * called right here, we need acl_create_entry() to update the
845 * value of "acl". To do that, it needs the address of "acl".
847 if (acl_set_entry(&acl
, entry
) == ACL_ERROR
) {
848 perror("apply_default_acl_ex (acl_set_entry)");
853 ge_result
= acl_get_entry(defacl
, ACL_NEXT_ENTRY
, &entry
);
856 /* Catches the first acl_get_entry as well as the ones at the end of
858 if (ge_result
== ACL_ERROR
) {
859 perror("apply_default_acl_ex (acl_get_entry)");
864 if (acl_set_fd(fd
, acl
) == ACL_ERROR
) {
865 perror("apply_default_acl_ex (acl_set_fd)");
872 if (defacl
!= (acl_t
)NULL
) {
875 if (fd
>= 0 && close(fd
) == CLOSE_ERROR
) {
876 perror("apply_default_acl_ex (close)");
885 * @brief The friendly interface to @c apply_default_acl_ex.
887 * The @c apply_default_acl_ex function holds the real implementation
888 * of this function, but it takes a weird second argument that most
889 * people won't care about (a stat structure). But, we use that
890 * argument for the recursive mode of the CLI, so it's there.
892 * If you don't have a stat structure for your @c path, use this instead.
895 * The path whose ACL we would like to reset to its default.
897 * @param no_exec_mask
898 * The value (either true or false) of the --no-exec-mask flag.
901 * - @c ACL_SUCCESS - The parent default ACL was inherited successfully.
902 * - @c ACL_FAILURE - If symlinks or hard links are encountered.
903 * or the parent of @c path is not a directory.
904 * - @c ACL_ERROR - Unexpected library error.
906 int apply_default_acl(const char* path
, bool no_exec_mask
) {
907 return apply_default_acl_ex(path
, NULL
, no_exec_mask
);