| blob | 165c5cebb08fcef4f3713f74f9becf79c423dcf1 |
1 /* copy.c -- core functions for copying files and directories
2 Copyright (C) 1989-2017 Free Software Foundation, Inc.
4 This program is free software: you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation, either version 3 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <https://www.gnu.org/licenses/>. */
17 /* Extracted from cp.c and librarified by Jim Meyering. */
19 #include <config.h>
20 #include <stdio.h>
21 #include <assert.h>
22 #include <sys/ioctl.h>
23 #include <sys/types.h>
24 #include <selinux/selinux.h>
26 #if HAVE_HURD_H
27 # include <hurd.h>
28 #endif
29 #if HAVE_PRIV_H
30 # include <priv.h>
31 #endif
68 #if USE_XATTR
69 # include <attr/error_context.h>
70 # include <attr/libattr.h>
71 # include <stdarg.h>
73 #endif
75 #if HAVE_LINUX_FALLOC_H
76 # include <linux/falloc.h>
77 #endif
79 /* See HAVE_FALLOCATE workaround when including this file. */
80 #ifdef HAVE_LINUX_FS_H
81 # include <linux/fs.h>
82 #endif
84 #if !defined FICLONE && defined __linux__
85 # define FICLONE _IOW (0x94, 9, int)
86 #endif
88 #ifndef HAVE_FCHOWN
89 # define HAVE_FCHOWN false
90 # define fchown(fd, uid, gid) (-1)
91 #endif
93 #ifndef HAVE_LCHOWN
94 # define HAVE_LCHOWN false
95 # define lchown(name, uid, gid) chown (name, uid, gid)
96 #endif
98 #ifndef HAVE_MKFIFO
99 static int
101 {
104 }
105 # define mkfifo rpl_mkfifo
106 #endif
108 #ifndef USE_ACL
109 # define USE_ACL 0
110 #endif
112 #define SAME_OWNER(A, B) ((A).st_uid == (B).st_uid)
113 #define SAME_GROUP(A, B) ((A).st_gid == (B).st_gid)
114 #define SAME_OWNER_AND_GROUP(A, B) (SAME_OWNER (A, B) && SAME_GROUP (A, B))
116 /* LINK_FOLLOWS_SYMLINKS is tri-state; if it is -1, we don't know
117 how link() behaves, so assume we can't hardlink symlinks in that case. */
118 #if (defined HAVE_LINKAT && ! LINKAT_SYMLINK_NOTSUP) || ! LINK_FOLLOWS_SYMLINKS
119 # define CAN_HARDLINK_SYMLINKS 1
120 #else
121 # define CAN_HARDLINK_SYMLINKS 0
122 #endif
124 struct dir_list
125 {
127 ino_t ino;
128 dev_t dev;
129 };
131 /* Initial size of the cp.dest_info hash table. */
132 #define DEST_INFO_INITIAL_CAPACITY 61
144 /* Pointers to the file names: they're used in the diagnostic that is issued
145 when we detect the user is trying to copy a directory into itself. */
149 /* Set the timestamp of symlink, FILE, to TIMESPEC.
150 If this system lacks support for that, simply return 0. */
153 {
155 /* When configuring on a system with new headers and libraries, and
156 running on one with a kernel that is old enough to lack the syscall,
157 utimensat fails with ENOSYS. Ignore that. */
161 }
163 /* Attempt to punch a hole to avoid any permanent
164 speculative preallocation on file systems such as XFS.
165 Return values as per fallocate(2) except ENOSYS etc. are ignored. */
167 static int
169 {
171 /* +0 is to work around older <linux/fs.h> defining HAVE_FALLOCATE to empty. */
172 #if HAVE_FALLOCATE + 0
173 # if defined FALLOC_FL_PUNCH_HOLE && defined FALLOC_FL_KEEP_SIZE
178 # endif
179 #endif
181 }
183 /* Create a hole at the end of a file,
184 avoiding preallocation if requested. */
186 static bool
188 {
192 {
195 }
197 /* Some file systems (like XFS) preallocate when write extending a file.
198 I.e., a previous write() may have preallocated extra space
199 that the seek above will not discard. A subsequent write() could
200 then make this allocation permanent. */
202 {
205 }
208 }
211 /* Copy the regular file open on SRC_FD/SRC_NAME to DST_FD/DST_NAME,
212 honoring the MAKE_HOLES setting and using the BUF_SIZE-byte buffer
213 BUF for temporary storage. Copy no more than MAX_N_READ bytes.
214 Return true upon successful completion;
215 print a diagnostic and return false upon error.
216 Note that for best results, BUF should be "well"-aligned.
217 BUF must have sizeof(uintptr_t)-1 bytes of additional space
218 beyond BUF[BUF_SIZE-1].
219 Set *LAST_WRITE_MADE_HOLE to true if the final operation on
220 DEST_FD introduced a hole. Set *TOTAL_N_READ to the number of
221 bytes read. */
222 static bool
228 {
235 {
238 {
243 }
249 /* Loop over the input buffer in chunks of hole_size. */
255 {
266 {
271 {
273 {
277 }
278 }
279 else
280 {
283 }
289 {
295 else
297 }
298 }
300 {
303 else
304 {
307 }
308 }
312 }
316 /* It's tempting to break early here upon a short read from
317 a regular file. That would save the final read syscall
318 for each file. Unfortunately that doesn't work for
319 certain files in /proc or /sys with linux kernels. */
320 }
322 /* Ensure a trailing hole is created, so that subsequent
323 calls of sparse_copy() start at the correct offset. */
326 else
328 }
330 /* Perform the O(1) btrfs clone operation, if possible.
331 Upon success, return 0. Otherwise, return -1 and set errno. */
334 {
335 #ifdef FICLONE
337 #else
342 #endif
343 }
345 /* Write N_BYTES zero bytes to file descriptor FD. Return true if successful.
346 Upon write failure, set errno and return false. */
347 static bool
349 {
353 /* Attempt to use a relatively large calloc'd source buffer for
354 efficiency, but if that allocation fails, resort to a smaller
355 statically allocated one. */
357 {
361 {
364 }
365 }
368 {
373 }
376 }
378 /* Perform an efficient extent copy, if possible. This avoids
379 the overhead of detecting holes in hole-introducing/preserving
380 copy, and thus makes copying sparse files much more efficient.
381 Upon a successful copy, return true. If the initial extent scan
382 fails, set *NORMAL_COPY_REQUIRED to true and return false.
383 Upon any other failure, set *NORMAL_COPY_REQUIRED to false and
384 return false. */
385 static bool
391 {
396 /* Keep track of the output position.
397 We may need this at the end, for a final ftruncate. */
404 do
405 {
408 {
413 {
416 }
421 }
425 {
426 off_t ext_start;
427 off_t ext_len;
428 off_t ext_hole_size;
431 {
434 }
436 {
437 i--;
440 }
442 /* Truncate extent to EOF. Extents starting after EOF are
443 treated as zero length extents starting right after EOF.
444 Generally this will trigger with an extent starting after
445 src_total_size, and result in creating a hole or zeros until EOF.
446 Though in a file in which extents have changed since src_total_size
447 was determined, we might have an extent spanning that size,
448 in which case we'll only copy data up to that size. */
450 {
454 }
461 {
463 {
465 fail:
468 }
472 {
475 ext_hole_size))
478 }
479 else
480 {
481 /* When not inducing holes and when there is a hole between
482 the end of the previous extent and the beginning of the
483 current one, write zeros to the destination file. */
489 {
493 }
496 }
497 }
501 /* Treat an unwritten but allocated extent much like a hole.
502 I.e., don't read, but don't convert to a hole in the destination,
503 unless SPARSE_ALWAYS. */
504 /* For now, do not treat FIEMAP_EXTENT_UNWRITTEN specially,
505 because that (in combination with no sync) would lead to data
506 loss at least on XFS and ext4 when using 2.6.39-rc3 kernels. */
508 {
513 }
514 else
515 {
516 off_t n_read;
530 }
532 /* If the file ends with unwritten extents not accounted for in the
533 size, then skip processing them, and the associated redundant
534 read() calls which will always return 0. We will need to
535 remove this when we add fallocate() so that we can maintain
536 extents beyond the apparent size. */
538 {
541 }
542 }
544 /* Release the space allocated to scan->ext_info. */
547 }
550 /* When the source file ends with a hole, we have to do a little more work,
551 since the above copied only up to and including the final extent.
552 In order to complete the copy, we may have to insert a hole or write
553 zeros in the destination corresponding to the source file's hole-at-EOF.
555 In addition, if the final extent was a block of zeros at EOF and we've
556 just converted them to a hole in the destination, we must call ftruncate
557 here in order to record the proper length in the destination. */
562 {
565 }
569 {
572 }
575 }
577 /* FIXME: describe */
578 /* FIXME: rewrite this to use a hash table so we avoid the quadratic
579 performance hit that's probably noticeable only on trees deeper
580 than a few hundred levels. See use of active_dir_map in remove.c */
582 static bool _GL_ATTRIBUTE_PURE
584 {
586 {
590 }
592 }
594 static bool
596 {
598 }
600 #if USE_XATTR
601 static void
604 {
606 {
610 /* use verror module to print error message */
614 }
615 }
617 static void
620 {
624 /* use verror module to print error message */
628 }
632 {
634 }
636 static void
639 {
640 }
642 /* Exclude SELinux extended attributes that are otherwise handled,
643 and are problematic to copy again. Also honor attributes
644 configured for exclusion in /etc/xattr.conf.
645 FIXME: Should we handle POSIX ACLs similarly?
646 Return zero to skip. */
647 static int
649 {
652 }
654 /* If positive SRC_FD and DST_FD descriptors are passed,
655 then copy by fd, otherwise copy by name. */
657 static bool
660 {
666 {
670 };
675 else
681 }
684 static bool
690 {
692 }
695 /* Read the contents of the directory SRC_NAME_IN, and recursively
696 copy the contents to DST_NAME_IN. NEW_DST is true if
697 DST_NAME_IN is a directory that was created previously in the
698 recursion. SRC_SB and ANCESTORS describe SRC_NAME_IN.
699 Set *COPY_INTO_SELF if SRC_NAME_IN is a parent of
700 (or the same as) DST_NAME_IN; otherwise, clear it.
701 Propagate *FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG from
702 caller to each invocation of copy_internal. Be careful to
703 pass the address of a temporary, and to update
704 *FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG only upon completion.
705 Return true if successful. */
707 static bool
713 {
721 {
722 /* This diagnostic is a bit vague because savedir can fail in
723 several different ways. */
726 }
728 /* For cp's -H option, dereference command line arguments, but do not
729 dereference symlinks that are found via recursive traversal. */
736 {
751 /* If we're copying into self, there's no point in continuing,
752 and in fact, that would even infloop, now that we record only
753 the first created directory per command line argument. */
759 }
764 }
766 /* Set the owner and owning group of DEST_DESC to the st_uid and
767 st_gid fields of SRC_SB. If DEST_DESC is undefined (-1), set
768 the owner and owning group of DST_NAME instead; for
769 safety prefer lchown if the system supports it since no
770 symbolic links should be involved. DEST_DESC must
771 refer to the same file as DEST_NAME if defined.
772 Upon failure to set both UID and GID, try to set only the GID.
773 NEW_DST is true if the file was newly created; otherwise,
774 DST_SB is the status of the destination.
775 Return 1 if the initial syscall succeeds, 0 if it fails but it's OK
776 not to preserve ownership, -1 otherwise. */
778 static int
782 {
786 /* Naively changing the ownership of an already-existing file before
787 changing its permissions would create a window of vulnerability if
788 the file's old permissions are too generous for the new owner and
789 group. Avoid the window by first changing to a restrictive
790 temporary mode if necessary. */
793 {
795 mode_t new_mode =
803 {
808 }
809 }
812 {
816 {
817 /* We've failed to set *both*. Now, try to set just the group
818 ID, but ignore any failure here, and don't change errno. */
822 }
823 }
824 else
825 {
829 {
830 /* We've failed to set *both*. Now, try to set just the group
831 ID, but ignore any failure here, and don't change errno. */
835 }
836 }
839 {
844 }
847 }
849 /* Set the st_author field of DEST_DESC to the st_author field of
850 SRC_SB. If DEST_DESC is undefined (-1), set the st_author field
851 of DST_NAME instead. DEST_DESC must refer to the same file as
852 DEST_NAME if defined. */
854 static void
856 {
857 #if HAVE_STRUCT_STAT_ST_AUTHOR
858 /* FIXME: Modify the following code so that it does not
859 follow symbolic links. */
861 /* Preserve the st_author field. */
867 else
868 {
874 }
875 #else
879 #endif
880 }
882 /* Set the default security context for the process. New files will
883 have this security context set. Also existing files can have their
884 context adjusted based on this process context, by
885 set_file_security_ctx() called with PROCESS_LOCAL=true.
886 This should be called before files are created so there is no race
887 where a file may be present without an appropriate security context.
888 Based on CP_OPTIONS, diagnose warnings and fail when appropriate.
889 Return FALSE on failure, TRUE on success. */
891 bool
894 {
896 {
897 /* Set the default context for the process to match the source. */
903 {
905 {
911 {
914 }
915 }
917 }
918 else
919 {
921 {
925 }
928 }
929 }
931 {
932 /* With -Z, adjust the default context for the process
933 to have the type component adjusted as per the destination path. */
936 {
940 }
941 }
944 }
946 /* Reset the security context of DST_NAME, to that already set
947 as the process default if PROCESS_LOCAL is true. Otherwise
948 adjust the type component of DST_NAME's security context as
949 per the system default for that path. Issue warnings upon
950 failure, when allowed by various settings in CP_OPTIONS.
951 Return FALSE on failure, TRUE on success. */
953 bool
956 {
962 {
967 }
970 }
972 /* Change the file mode bits of the file identified by DESC or NAME to MODE.
973 Use DESC if DESC is valid and fchmod is available, NAME otherwise. */
975 static int
977 {
978 #if HAVE_FCHMOD
981 #endif
983 }
985 #ifndef HAVE_STRUCT_STAT_ST_BLOCKS
986 # define HAVE_STRUCT_STAT_ST_BLOCKS 0
987 #endif
989 /* Use a heuristic to determine whether stat buffer SB comes from a file
990 with sparse blocks. If the file has fewer blocks than would normally
991 be needed for a file of its size, then at least one of the blocks in
992 the file is a hole. In that case, return true. */
993 static bool
995 {
999 }
1002 /* Copy a regular file from SRC_NAME to DST_NAME.
1003 If the source file contains holes, copies holes and blocks of zeros
1004 in the source file as holes in the destination file.
1005 (Holes are read as zeroes by the 'read' system call.)
1006 When creating the destination, use DST_MODE & ~OMITTED_PERMISSIONS
1007 as the third argument in the call to open, adding
1008 OMITTED_PERMISSIONS after copying as needed.
1009 X provides many option settings.
1010 Return true if successful.
1011 *NEW_DST is as in copy_internal.
1012 SRC_SB is the result of calling XSTAT (aka stat) on SRC_NAME. */
1014 static bool
1019 {
1036 {
1039 }
1042 {
1046 }
1048 /* Compare the source dev/ino from the open file to the incoming,
1049 saved ones obtained via a previous call to stat. */
1051 {
1057 }
1059 /* The semantics of the following open calls are mandated
1060 by the specs for both cp and mv. */
1062 {
1068 /* When using cp --preserve=context to copy to an existing destination,
1069 reset the context as per the default context, which has already been
1070 set according to the src.
1071 When using the mutually exclusive -Z option, then adjust the type of
1072 the existing context according to the system default for the dest.
1073 Note we set the context here, _after_ the file is opened, lest the
1074 new context disallow that. */
1077 {
1080 {
1082 {
1085 }
1086 }
1087 }
1090 {
1092 {
1096 }
1100 /* Tell caller that the destination file was unlinked. */
1103 /* Ensure there is no race where a file may be left without
1104 an appropriate security context. */
1106 {
1109 {
1112 }
1113 }
1114 }
1115 }
1118 {
1119 open_with_O_CREAT:;
1126 /* When trying to copy through a dangling destination symlink,
1127 the above open fails with EEXIST. If that happens, and
1128 lstat'ing the DST_NAME shows that it is a symlink, then we
1129 have a problem: trying to resolve this dangling symlink to
1130 a directory/destination-entry pair is fundamentally racy,
1131 so punt. If x->open_dangling_dest_symlink is set (cp sets
1132 that when POSIXLY_CORRECT is set in the environment), simply
1133 call open again, but without O_EXCL (potentially dangerous).
1134 If not, fail with a diagnostic. These shenanigans are necessary
1135 only when copying, i.e., not in move_mode. */
1137 {
1141 {
1143 {
1147 }
1148 else
1149 {
1154 }
1155 }
1156 }
1158 /* Improve quality of diagnostic when a nonexistent dst_name
1159 ends in a slash and open fails with errno == EISDIR. */
1163 }
1164 else
1165 {
1167 }
1170 {
1171 /* If we've just failed due to ENOENT for an ostensibly preexisting
1172 destination (*new_dst was 0), that's a bit of a contradiction/race:
1173 the prior stat/lstat said the file existed (*new_dst was 0), yet
1174 the subsequent open-existing-file failed with ENOENT. With NFS,
1175 the race window is wider still, since its meta-data caching tends
1176 to make the stat succeed for a just-removed remote file, while the
1177 more-definitive initial open call will fail with ENOENT. When this
1178 situation arises, we attempt to open again, but this time with
1179 O_CREAT. Do this only when not in move-mode, since when handling
1180 a cross-device move, we must never open an existing destination. */
1182 {
1185 }
1187 /* Otherwise, it's an error. */
1192 }
1195 {
1199 }
1201 /* --attributes-only overrides --reflink. */
1203 {
1206 {
1208 {
1213 }
1215 }
1216 }
1219 {
1220 /* Choose a suitable buffer size; it may be adjusted later. */
1227 /* Deal with sparse files. */
1232 {
1233 /* Even with --sparse=always, try to create holes only
1234 if the destination is a regular file. */
1238 /* Use a heuristic to determine whether SRC_NAME contains any sparse
1239 blocks. If the file has fewer blocks than would normally be
1240 needed for a file of its size, then at least one of the blocks in
1241 the file is a hole. */
1244 }
1246 /* If not making a sparse file, try to use a more-efficient
1247 buffer size. */
1249 {
1250 /* Compute the least common multiple of the input and output
1251 buffer sizes, adjusting for outlandish values. */
1254 blcm_max);
1256 /* Do not bother with a buffer larger than the input file, plus one
1257 byte to make sure the file has not grown while reading it. */
1261 /* However, stick with a block size that is a positive multiple of
1262 blcm, overriding the above adjustments. Watch out for
1263 overflow. */
1268 }
1274 {
1277 /* Perform an efficient extent-based copy, falling back to the
1278 standard copy only if the initial extent scan fails. If the
1279 '--sparse=never' option is specified, write all data but use
1280 any extents to read more efficiently. */
1288 {
1291 }
1292 }
1294 off_t n_read;
1301 {
1304 }
1306 {
1310 }
1311 }
1313 preserve_metadata:
1315 {
1321 {
1324 {
1327 }
1328 }
1329 }
1331 /* Set ownership before xattrs as changing owners will
1332 clear capabilities. */
1334 {
1336 {
1344 }
1345 }
1347 /* To allow copying xattrs on read-only files, temporarily chmod u+rw.
1348 This workaround is required as an inode permission check is done
1349 by xattr_permission() in fs/xattr.c of the GNU/Linux kernel tree. */
1351 {
1363 }
1368 {
1372 }
1374 {
1377 }
1379 {
1382 }
1384 {
1388 {
1393 }
1394 }
1396 close_src_and_dst_desc:
1398 {
1401 }
1402 close_src_desc:
1404 {
1407 }
1412 }
1414 /* Return true if it's ok that the source and destination
1415 files are the 'same' by some measure. The goal is to avoid
1416 making the 'copy' operation remove both copies of the file
1417 in that case, while still allowing the user to e.g., move or
1418 copy a regular file onto a symlink that points to it.
1419 Try to minimize the cost of this function in the common case.
1420 Set *RETURN_NOW if we've determined that the caller has no more
1421 work to do and should return successfully, right away. */
1423 static bool
1427 {
1438 /* FIXME: this should (at the very least) be moved into the following
1439 if-block. More likely, it should be removed, because it inhibits
1440 making backups. But removing it will result in a change in behavior
1441 that will probably have to be documented -- and tests will have to
1442 be updated. */
1444 {
1447 }
1450 {
1453 /* If both the source and destination files are symlinks (and we'll
1454 know this here IFF preserving symlinks), then it's usually ok
1455 when they are distinct. */
1457 {
1460 {
1461 /* It's fine when we're making any type of backup. */
1465 /* Here we have two symlinks that are hard-linked together,
1466 and we're not making backups. In this unusual case, simply
1467 returning true would lead to mv calling "rename(A,B)",
1468 which would do nothing and return 0. */
1470 {
1473 }
1474 }
1477 }
1481 }
1482 else
1483 {
1496 /* If both are symlinks, then it's ok, but only if the destination
1497 will be unlinked before being opened. This is like the test
1498 above, but with the addition of the unlink_dest_before_opening
1499 conjunct because otherwise, with two symlinks to the same target,
1500 we'd end up truncating the source file. */
1504 }
1506 /* The backup code ensures there's a copy, so it's usually ok to
1507 remove any destination file. One exception is when both
1508 source and destination are the same directory entry. In that
1509 case, moving the destination file aside (in making the backup)
1510 would also rename the source file and result in an error. */
1512 {
1514 {
1515 /* In copy mode when dereferencing symlinks, if the source is a
1516 symlink and the dest is not, then backing up the destination
1517 (moving it aside) would make it a dangling symlink, and the
1518 subsequent attempt to open it in copy_reg would fail with
1519 a misleading diagnostic. Avoid that by returning zero in
1520 that case so the caller can make cp (or mv when it has to
1521 resort to reading the source file) fail now. */
1523 /* FIXME-note: even with the following kludge, we can still provoke
1524 the offending diagnostic. It's just a little harder to do :-)
1525 $ rm -f a b c; touch c; ln -s c b; ln -s b a; cp -b a b
1526 cp: cannot open 'a' for reading: No such file or directory
1527 That's misleading, since a subsequent 'ls' shows that 'a'
1528 is still there.
1529 One solution would be to open the source file *before* moving
1530 aside the destination, but that'd involve a big rewrite. */
1538 }
1540 /* FIXME: What about case insensitive file systems ? */
1542 }
1544 #if 0
1545 /* FIXME: use or remove */
1547 /* If we're making a backup, we'll detect the problem case in
1548 copy_reg because SRC_NAME will no longer exist. Allowing
1549 the test to be deferred lets cp do some useful things.
1550 But when creating hardlinks and SRC_NAME is a symlink
1551 but DST_NAME is not we must test anyway. */
1559 #endif
1562 {
1563 /* They may refer to the same file if we're in move mode and the
1564 target is a symlink. That is ok, since we remove any existing
1565 destination file before opening it -- via 'rename' if they're on
1566 the same file system, via 'unlink (DST_NAME)' otherwise. */
1570 /* It's not ok if they're distinct hard links to the same file as
1571 this causes a race condition and we may lose data in this case. */
1576 }
1578 /* If neither is a symlink, then it's ok as long as they aren't
1579 hard links to the same file. */
1581 {
1585 /* If they are the same file, it's ok if we're making hard links. */
1587 {
1590 }
1591 }
1593 /* At this point, it is normally an error (data loss) to move a symlink
1594 onto its referent, but in at least one narrow case, it is not:
1595 In move mode, when
1596 1) src is a symlink,
1597 2) dest has a link count of 2 or more and
1598 3) dest and the referent of src are not the same directory entry,
1599 then it's ok, since while we'll lose one of those hard links,
1600 src will still point to a remaining link.
1601 Note that technically, condition #3 obviates condition #2, but we
1602 retain the 1 < st_nlink condition because that means fewer invocations
1603 of the more expensive #3.
1605 Given this,
1606 $ touch f && ln f l && ln -s f s
1607 $ ls -og f l s
1608 -rw-------. 2 0 Jan 4 22:46 f
1609 -rw-------. 2 0 Jan 4 22:46 l
1610 lrwxrwxrwx. 1 1 Jan 4 22:46 s -> f
1611 this must fail: mv s f
1612 this must succeed: mv s l */
1616 {
1619 {
1623 }
1624 }
1626 /* It's ok to remove a destination symlink. But that works only
1627 when creating symbolic links, or when the source and destination
1628 are on the same file system and when creating hard links or when
1629 unlinking before opening the destination. */
1636 {
1650 /* FIXME: shouldn't this be testing whether we're making symlinks? */
1652 {
1655 }
1656 }
1659 }
1661 /* Return true if FILE, with mode MODE, is writable in the sense of 'mv'.
1662 Always consider a symbolic link to be writable. */
1663 static bool
1665 {
1669 }
1671 static bool
1674 {
1676 {
1688 }
1689 else
1690 {
1693 }
1696 }
1698 /* Initialize the hash table implementing a set of F_triple entries
1699 corresponding to destination files. */
1702 {
1703 x->dest_info
1705 NULL,
1706 triple_hash,
1707 triple_compare,
1708 triple_free);
1709 }
1711 /* Initialize the hash table implementing a set of F_triple entries
1712 corresponding to source files listed on the command line. */
1715 {
1717 /* Note that we use triple_hash_no_name here.
1718 Contrast with the use of triple_hash above.
1719 That is necessary because a source file may be specified
1720 in many different ways. We want to warn about this
1721 cp a a d/
1722 as well as this:
1723 cp a ./a d/
1724 */
1725 x->src_info
1727 NULL,
1728 triple_hash_no_name,
1729 triple_compare,
1730 triple_free);
1731 }
1733 /* When effecting a move (e.g., for mv(1)), and given the name DST_NAME
1734 of the destination and a corresponding stat buffer, DST_SB, return
1735 true if the logical 'move' operation should _not_ proceed.
1736 Otherwise, return false.
1737 Depending on options specified in X, this code may issue an
1738 interactive prompt asking whether it's ok to overwrite DST_NAME. */
1739 static bool
1743 {
1751 }
1753 /* Print --verbose output on standard output, e.g. 'new' -> 'old'.
1754 If BACKUP_DST_NAME is non-NULL, then also indicate that it is
1755 the name of a backup file. */
1756 static void
1758 {
1763 }
1765 /* A wrapper around "setfscreatecon (NULL)" that exits upon failure. */
1766 static void
1768 {
1772 }
1774 /* Create a hard link DST_NAME to SRC_NAME, honoring the REPLACE, VERBOSE and
1775 DEREFERENCE settings. Return true upon success. Otherwise, diagnose the
1776 failure and return false. If SRC_NAME is a symbolic link, then it will not
1777 be followed unless DEREFERENCE is true.
1778 If the system doesn't support hard links to symbolic links, then DST_NAME
1779 will be created as a symbolic link to SRC_NAME. */
1780 static bool
1783 {
1786 replace);
1788 {
1792 }
1796 }
1798 /* Return true if the current file should be (tried to be) dereferenced:
1799 either for DEREF_ALWAYS or for DEREF_COMMAND_LINE_ARGUMENTS in the case
1800 where the current file is a COMMAND_LINE_ARG; otherwise return false. */
1803 {
1807 }
1809 /* Return true if the source file with basename SRCBASE and status SRC_ST
1810 is likely to be the simple backup file for DST_NAME. */
1811 static bool
1814 {
1830 }
1832 /* Copy the file SRC_NAME to the file DST_NAME. The files may be of
1833 any type. NEW_DST should be true if the file DST_NAME cannot
1834 exist because its parent directory was just created; NEW_DST should
1835 be false if DST_NAME might already exist. A non-null PARENT describes the
1836 parent directory. ANCESTORS points to a linked, null terminated list of
1837 devices and inodes of parent directories of SRC_NAME. COMMAND_LINE_ARG
1838 is true iff SRC_NAME was specified on the command line.
1839 FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG is both input and output.
1840 Set *COPY_INTO_SELF if SRC_NAME is a parent of (or the
1841 same as) DST_NAME; otherwise, clear it.
1842 Return true if successful. */
1843 static bool
1853 {
1856 mode_t src_mode;
1858 mode_t dst_mode_bits;
1859 mode_t omitted_permissions;
1874 {
1877 }
1882 {
1888 }
1890 /* Detect the case in which the same source file appears more than
1891 once on the command line and no backup option has been selected.
1892 If so, simply warn and don't copy it the second time.
1893 This check is enabled only if x->src_info is non-NULL. */
1895 {
1899 {
1903 }
1906 }
1911 {
1912 /* Regular files can be created by writing through symbolic
1913 links, but other files cannot. So use stat on the
1914 destination when copying a regular file, and lstat otherwise.
1915 However, if we intend to unlink or remove the destination
1916 first, use lstat, since a copy won't actually be made to the
1917 destination in that case. */
1929 {
1931 {
1934 }
1935 else
1936 {
1938 }
1939 }
1940 else
1942 that it is stat'able or lstat'able. */
1948 {
1952 }
1955 {
1956 /* When preserving timestamps (but not moving within a file
1957 system), don't worry if the destination timestamp is
1958 less than the source merely because of timestamp
1959 truncation. */
1963 ? UTIMECMP_TRUNCATE_SOURCE
1967 {
1968 /* We're using --update and the destination is not older
1969 than the source, so do not copy or move. Pretend the
1970 rename succeeded, so the caller (if it's mv) doesn't
1971 end up removing the source file. */
1975 /* However, we still must record that we've processed
1976 this src/dest pair, in case this source file is
1977 hard-linked to another one. In that case, we'll use
1978 the mapping information to link the corresponding
1979 destination names. */
1983 {
1984 /* Note we currently replace DST_NAME unconditionally,
1985 even if it was a newer separate file. */
1988 {
1990 }
1991 }
1994 }
1995 }
1997 /* When there is an existing destination file, we may end up
1998 returning early, and hence not copying/moving the file.
1999 This may be due to an interactive 'negative' reply to the
2000 prompt about the existing file. It may also be due to the
2001 use of the --no-clobber option.
2003 cp and mv treat -i and -f differently. */
2005 {
2007 {
2008 /* Pretend the rename succeeded, so the caller (mv)
2009 doesn't end up removing the source file. */
2013 }
2014 }
2015 else
2016 {
2022 }
2028 {
2030 {
2032 {
2033 /* Moving a directory onto an existing
2034 non-directory is ok only with --backup. */
2035 }
2036 else
2037 {
2042 }
2043 }
2045 /* Don't let the user destroy their data, even if they try hard:
2046 This mv command must fail (likewise for cp):
2047 rm -rf a b c; mkdir a b c; touch a/f b/f; mv a/f b/f c
2048 Otherwise, the contents of b/f would be lost.
2049 In the case of 'cp', b/f would be lost if the user simulated
2050 a move using cp and rm.
2051 Note that it works fine if you use --backup=numbered. */
2055 {
2060 }
2061 }
2064 {
2066 {
2068 {
2069 /* Moving a non-directory onto an existing
2070 directory is ok only with --backup. */
2071 }
2072 else
2073 {
2078 }
2079 }
2080 }
2083 {
2084 /* Don't allow user to move a directory onto a non-directory. */
2087 {
2092 }
2093 }
2097 /* Don't try to back up a destination if the last
2098 component of src_name is "." or "..". */
2100 /* Create a backup of each destination directory in move mode,
2101 but not in copy mode. FIXME: it might make sense to add an
2102 option to suppress backup creation also for move mode.
2103 That would let one use mv to merge new content into an
2104 existing hierarchy. */
2106 {
2107 /* Fail if creating the backup file would likely destroy
2108 the source file. Otherwise, the commands:
2109 cd /tmp; rm -f a a~; : > a; echo A > a~; cp --b=simple a~ a
2110 would leave two zero-length files: a and a~. */
2113 {
2122 }
2126 /* FIXME: use fts:
2127 Using alloca for a file name that may be arbitrarily
2128 long is not recommended. In fact, even forming such a name
2129 should be discouraged. Eventually, this code will be rewritten
2130 to use fts, so using alloca here will be less of a problem. */
2132 {
2135 }
2137 {
2140 }
2142 }
2144 /* Never unlink dst_name when in move mode. */
2150 ))
2151 {
2153 {
2156 }
2160 }
2161 }
2162 }
2164 /* Ensure we don't try to copy through a symlink that was
2165 created by a prior call to this function. */
2170 {
2175 /* If we called lstat above, good: use that data.
2176 Otherwise, call lstat here, in case dst_name is a symlink. */
2179 else
2180 {
2183 else
2185 }
2187 /* Never copy through a symlink we've just created. */
2191 {
2196 }
2197 }
2199 /* If the source is a directory, we don't always create the destination
2200 directory. So --verbose should not announce anything until we're
2201 sure we'll create a directory. Also don't announce yet when moving
2202 so we can distinguish renames versus copies. */
2206 /* Associate the destination file name with the source device and inode
2207 so that if we encounter a matching dev/ino pair in the source tree
2208 we can arrange to create a hard link between the corresponding names
2209 in the destination tree.
2211 When using the --link (-l) option, there is no need to take special
2212 measures, because (barring race conditions) files that are hard-linked
2213 in the source tree will also be hard-linked in the destination tree.
2215 Sometimes, when preserving links, we have to record dev/ino even
2216 though st_nlink == 1:
2217 - when in move_mode, since we may be moving a group of N hard-linked
2218 files (via two or more command line arguments) to a different
2219 partition; the links may be distributed among the command line
2220 arguments (possibly hierarchies) so that the link count of
2221 the final, once-linked source file is reduced to 1 when it is
2222 considered below. But in this case (for mv) we don't need to
2223 incur the expense of recording the dev/ino => name mapping; all we
2224 really need is a lookup, to see if the dev/ino pair has already
2225 been copied.
2226 - when using -H and processing a command line argument;
2227 that command line argument could be a symlink pointing to another
2228 command line argument. With 'cp -H --preserve=link', we hard-link
2229 those two destination files.
2230 - likewise for -L except that it applies to all files, not just
2231 command line arguments.
2233 Also, with --recursive, record dev/ino of each command-line directory.
2234 We'll use that info to detect this problem: cp -R dir dir. */
2237 {
2240 else
2242 }
2244 {
2246 }
2250 || (command_line_arg
2253 {
2255 }
2257 /* Did we copy this inode somewhere else (in this command line argument)
2258 and therefore this is a second hard link to the inode? */
2261 {
2262 /* Avoid damaging the destination file system by refusing to preserve
2263 hard-linked directories (which are found at least in Netapp snapshot
2264 directories). */
2266 {
2267 /* If src_name and earlier_file refer to the same directory entry,
2268 then warn about copying a directory into itself. */
2270 {
2276 }
2278 {
2282 /* In move mode, if a previous rename succeeded, then
2283 we won't be in this path as the source is missing. If the
2284 rename previously failed, then that has been handled, so
2285 pretend this attempt succeeded so the source isn't removed. */
2288 /* We only do backups in move mode, and for non directories.
2289 So just ignore this repeated entry. */
2291 }
2293 || (command_line_arg
2295 {
2296 /* This happens when e.g., encountering a directory for the
2297 second or subsequent time via symlinks when cp is invoked
2298 with -R and -L. E.g.,
2299 rm -rf a b c d; mkdir a b c d; ln -s ../c a; ln -s ../c b;
2300 cp -RL a b d
2301 */
2302 }
2303 else
2304 {
2308 }
2309 }
2310 else
2311 {
2313 dereference))
2317 }
2318 }
2321 {
2323 {
2325 {
2328 }
2331 {
2332 /* -Z failures are only warnings currently. */
2334 }
2340 {
2341 /* Record destination dev/ino/name, so that if we are asked
2342 to overwrite that file again, we can detect it and fail. */
2343 /* It's fine to use the _source_ stat buffer (src_sb) to get the
2344 _destination_ dev/ino, since the rename above can't have
2345 changed those, and 'mv' always uses lstat.
2346 We could limit it further by operating
2347 only on non-directories. */
2349 }
2352 }
2354 /* FIXME: someday, consider what to do when moving a directory into
2355 itself but when source and destination are on different devices. */
2357 /* This happens when attempting to rename a directory to a
2358 subdirectory of itself. */
2360 {
2361 /* FIXME: this is a little fragile in that it relies on rename(2)
2362 failing with a specific errno value. Expect problems on
2363 non-POSIX systems. */
2368 /* Note that there is no need to call forget_created here,
2369 (compare with the other calls in this file) since the
2370 destination directory didn't exist before. */
2373 /* FIXME-cleanup: Don't return true here; adjust mv.c accordingly.
2374 The only caller that uses this code (mv.c) ends up setting its
2375 exit status to nonzero when copy_into_self is nonzero. */
2377 }
2379 /* WARNING: there probably exist systems for which an inter-device
2380 rename fails with a value of errno not handled here.
2381 If/as those are reported, add them to the condition below.
2382 If this happens to you, please do the following and send the output
2383 to the bug-reporting address (e.g., in the output of cp --help):
2384 touch k; perl -e 'rename "k","/tmp/k" or print "$!(",$!+0,")\n"'
2385 where your current directory is on one partition and /tmp is the other.
2386 Also, please try to find the E* errno macro name corresponding to
2387 the diagnostic and parenthesized integer, and include that in your
2388 e-mail. One way to do that is to run a command like this
2389 find /usr/include/. -type f \
2390 | xargs grep 'define.*\<E[A-Z]*\>.*\<18\>' /dev/null
2391 where you'd replace '18' with the integer in parentheses that
2392 was output from the perl one-liner above.
2393 If necessary, of course, change '/tmp' to some other directory. */
2395 {
2396 /* There are many ways this can happen due to a race condition.
2397 When something happens between the initial XSTAT and the
2398 subsequent rename, we can get many different types of errors.
2399 For example, if the destination is initially a non-directory
2400 or non-existent, but it is created as a directory, the rename
2401 fails. If two 'mv' commands try to rename the same file at
2402 about the same time, one will succeed and the other will fail.
2403 If the permissions on the directory containing the source or
2404 destination file are made too restrictive, the rename will
2405 fail. Etc. */
2411 }
2413 /* The rename attempt has failed. Remove any existing destination
2414 file so that a cross-device 'mv' acts as if it were really using
2415 the rename syscall. Note both src and dst must both be directories
2416 or not, and this is enforced above. Therefore we check the src_mode
2417 and operate on dst_name here as a tighter constraint and also because
2418 src_mode is readily available here. */
2421 {
2427 }
2430 {
2433 }
2435 }
2437 /* If the ownership might change, or if it is a directory (whose
2438 special mode bits may change after the directory is created),
2439 omit some permissions at first, so unauthorized users cannot nip
2440 in before the file is ready. */
2442 omitted_permissions =
2443 (dst_mode_bits
2450 /* If required, set the default security context for new files.
2451 Also for existing files this is used as a reference
2452 when copying the context with --preserve=context.
2453 FIXME: Do we need to consider dst_mode_bits here? */
2458 {
2461 /* If this directory has been copied before during the
2462 recursion, there is a symbolic link to an ancestor
2463 directory of the symbolic link. It is impossible to
2464 continue to copy this, unless we've got an infinite disk. */
2467 {
2471 }
2473 /* Insert the current directory in the list of parents. */
2481 {
2482 /* POSIX says mkdir's behavior is implementation-defined when
2483 (src_mode & ~S_IRWXUGO) != 0. However, common practice is
2484 to ask mkdir to copy all the CHMOD_MODE_BITS, letting mkdir
2485 decide what to do with S_ISUID | S_ISGID | S_ISVTX. */
2487 {
2491 }
2493 /* We need search and write permissions to the new directory
2494 for writing the directory's contents. Check if these
2495 permissions are there. */
2498 {
2501 }
2503 {
2504 /* Make the new directory searchable and writable. */
2510 {
2514 }
2515 }
2517 /* Record the created directory's inode and device numbers into
2518 the search structure, so that we can avoid copying it again.
2519 Do this only for the first directory that is created for each
2520 source command line argument. */
2522 {
2525 }
2528 {
2531 else
2533 }
2534 }
2535 else
2536 {
2539 /* For directories, the process global context could be reset for
2540 descendents, so use it to set the context for existing dirs here.
2541 This will also give earlier indication of failure to set ctx. */
2545 {
2548 }
2549 }
2551 /* Decide whether to copy the contents of the directory. */
2553 {
2554 /* Here, we are crossing a file system boundary and cp's -x option
2555 is in effect: so don't copy the contents of this directory. */
2556 }
2557 else
2558 {
2559 /* Copy the contents of the directory. Don't just return if
2560 this fails -- otherwise, the failure to read a single file
2561 in a source directory would cause the containing destination
2562 directory not to have owner/perms set properly. */
2564 first_dir_created_per_command_line_arg,
2565 copy_into_self);
2566 }
2567 }
2569 {
2572 {
2573 /* Check that DST_NAME denotes a file in the current directory. */
2582 /* If either stat call fails, it's ok not to report
2583 the failure and say dst_name is in the current
2584 directory. Other things will fail later. */
2591 {
2596 }
2597 }
2601 {
2605 }
2606 }
2608 /* POSIX 2008 states that it is implementation-defined whether
2609 link() on a symlink creates a hard-link to the symlink, or only
2610 to the referent (effectively dereferencing the symlink) (POSIX
2611 2001 required the latter behavior, although many systems provided
2612 the former). Yet cp, invoked with '--link --no-dereference',
2613 should not follow the link. We can approximate the desired
2614 behavior by skipping this hard-link creating block and instead
2615 copying the symlink, via the 'S_ISLNK'- copying code below.
2617 Note gnulib's linkat module, guarantees that the symlink is not
2618 dereferenced. However its emulation currently doesn't maintain
2619 timestamps or ownership so we only call it when we know the
2620 emulation will not be needed. */
2624 {
2629 }
2632 {
2634 /* POSIX says the permission bits of the source file must be
2635 used as the 3rd argument in the open call. Historical
2636 practice passed all the source mode bits to 'open', but the extra
2637 bits were ignored, so it should be the same either way.
2639 This call uses DST_MODE_BITS, not SRC_MODE. These are
2640 normally the same, and the exception (where x->set_mode) is
2641 used only by 'install', which POSIX does not specify and
2642 where DST_MODE_BITS is what's wanted. */
2646 }
2648 {
2649 /* Use mknod, rather than mkfifo, because the former preserves
2650 the special mode bits of a fifo on Solaris 10, while mkfifo
2651 does not. But fall back on mkfifo, because on some BSD systems,
2652 mknod always fails when asked to create a FIFO. */
2655 {
2658 }
2659 }
2661 {
2664 {
2668 }
2669 }
2671 {
2675 {
2679 }
2686 {
2687 /* See if the destination is already the desired symlink.
2688 FIXME: This behavior isn't documented, and seems wrong
2689 in some cases, e.g., if the destination symlink has the
2690 wrong ownership, permissions, or timestamps. */
2694 {
2698 }
2699 }
2702 {
2706 }
2712 {
2713 /* Preserve the owner and group of the just-'copied'
2714 symbolic link, if possible. */
2718 {
2720 dst_name);
2723 }
2724 else
2725 {
2726 /* Can't preserve ownership of symlinks.
2727 FIXME: maybe give a warning or even error for symlinks
2728 in directories with the sticky bit set -- there, not
2729 preserving owner/group is a potential security problem. */
2730 }
2731 }
2732 }
2733 else
2734 {
2737 }
2739 /* With -Z or --preserve=context, set the context for existing files.
2740 Note this is done already for copy_reg() for reasons described therein. */
2743 {
2746 {
2749 }
2750 }
2753 {
2754 /* Now that the destination file is very likely to exist,
2755 add its info to the set. */
2759 }
2761 /* If we've just created a hard-link due to cp's --link option,
2762 we're done. */
2771 /* POSIX says that 'cp -p' must restore the following:
2772 - permission bits
2773 - setuid, setgid bits
2774 - owner and group
2775 If it fails to restore any of those, we may give a warning but
2776 the destination must not be removed.
2777 FIXME: implement the above. */
2779 /* Adjust the times (and if possible, ownership) for the copy.
2780 chown turns off set[ug]id bits for non-root,
2781 so do the chmod last. */
2784 {
2793 {
2797 }
2798 }
2800 /* Avoid calling chown if we know it's not necessary. */
2803 {
2805 {
2812 }
2813 }
2815 /* Set xattrs after ownership as changing owners will clear capabilities. */
2820 /* The operations beyond this point may dereference a symlink. */
2827 {
2831 }
2833 {
2836 }
2838 {
2841 }
2842 else
2843 {
2845 {
2849 {
2850 /* Permissions were deliberately omitted when the file
2851 was created due to security concerns. See whether
2852 they need to be re-added now. It'd be faster to omit
2853 the lstat, but deducing the current destination mode
2854 is tricky in the presence of implementation-defined
2855 rules for special mode bits. */
2857 {
2860 }
2864 }
2865 }
2868 {
2870 {
2875 }
2876 }
2877 }
2881 un_backup:
2886 /* We have failed to create the destination file.
2887 If we've just added a dev/ino entry via the remember_copied
2888 call above (i.e., unless we've just failed to create a hard link),
2889 remove the entry associating the source dev/ino with the
2890 destination file name, so we don't try to 'preserve' a link
2891 to a file we didn't create. */
2896 {
2899 else
2900 {
2904 }
2905 }
2907 }
2909 static bool _GL_ATTRIBUTE_PURE
2911 {
2921 }
2923 /* Copy the file SRC_NAME to the file DST_NAME. The files may be of
2924 any type. NONEXISTENT_DST should be true if the file DST_NAME
2925 is known not to exist (e.g., because its parent directory was just
2926 created); NONEXISTENT_DST should be false if DST_NAME might already
2927 exist. OPTIONS is ... FIXME-describe
2928 Set *COPY_INTO_SELF if SRC_NAME is a parent of (or the
2929 same as) DST_NAME; otherwise, set clear it.
2930 Return true if successful. */
2936 {
2939 /* Record the file names: they're used in case of error, when copying
2940 a directory into itself. I don't like to make these tools do *any*
2941 extra work in the common case when that work is solely to handle
2942 exceptional cases, but in this case, I don't see a way to derive the
2943 top level source and destination directory names where they're used.
2944 An alternative is to use COPY_INTO_SELF and print the diagnostic
2945 from every caller -- but I don't want to do that. */
2954 }
2956 /* Set *X to the default options for a value of type struct cp_options. */
2960 {
2962 #ifdef PRIV_FILE_CHOWN
2963 {
2968 {
2971 }
2973 }
2974 #else
2976 #endif
2977 }
2979 /* Return true if it's OK for chown to fail, where errno is
2980 the error number that chown failed with and X is the copying
2981 option set. */
2985 {
2986 /* If non-root uses -p, it's ok if we can't preserve ownership.
2987 But root probably wants to know, e.g. if NFS disallows it,
2988 or if the target system doesn't support file ownership. */
2991 }
2993 /* Similarly, return true if it's OK for chmod and similar operations
2994 to fail, where errno is the error number that chmod failed with and
2995 X is the copying option set. */
2997 static bool
2999 {
3001 }
3003 /* Return the user's umask, caching the result.
3005 FIXME: If the destination's parent directory has has a default ACL,
3006 some operating systems (e.g., GNU/Linux's "POSIX" ACLs) use that
3007 ACL's mask rather than the process umask. Currently, the callers
3008 of cached_umask incorrectly assume that this situation cannot occur. */
3009 extern mode_t
3011 {
3014 {
3017 }
3019 }