search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
all: replace most uses of quotearg_colon() with quote()
[coreutils.git] / src / chown-core.c
blobe8a7d528936b0d258501f0b910d86ce7462d907a
1 /* chown-core.c -- core functions for changing ownership.
2 Copyright (C) 2000-2015 Free Software Foundation, Inc.
3
4 This program is free software: you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation, either version 3 of the License, or
7 (at your option) any later version.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <http://www.gnu.org/licenses/>. */
16
17 /* Extracted from chown.c/chgrp.c and librarified by Jim Meyering. */
18
19 #include <config.h>
20 #include <stdio.h>
21 #include <sys/types.h>
22 #include <pwd.h>
23 #include <grp.h>
24
25 #include "system.h"
26 #include "chown-core.h"
27 #include "error.h"
28 #include "ignore-value.h"
29 #include "quote.h"
30 #include "root-dev-ino.h"
31 #include "xfts.h"
32
33 #define FTSENT_IS_DIRECTORY(E) \
34 ((E)->fts_info == FTS_D \
35 || (E)->fts_info == FTS_DC \
36 || (E)->fts_info == FTS_DP \
37 || (E)->fts_info == FTS_DNR)
38
39 enum RCH_status
40 {
41 /* we called fchown and close, and both succeeded */
42 RC_ok = 2,
43
44 /* required_uid and/or required_gid are specified, but don't match */
45 RC_excluded,
46
47 /* SAME_INODE check failed */
48 RC_inode_changed,
49
50 /* open/fchown isn't needed, isn't safe, or doesn't work due to
51 permissions problems; fall back on chown */
52 RC_do_ordinary_chown,
53
54 /* open, fstat, fchown, or close failed */
55 RC_error
56 };
57
58 extern void
59 chopt_init (struct Chown_option *chopt)
60 {
61 chopt->verbosity = V_off;
62 chopt->root_dev_ino = NULL;
63 chopt->affect_symlink_referent = true;
64 chopt->recurse = false;
65 chopt->force_silent = false;
66 chopt->user_name = NULL;
67 chopt->group_name = NULL;
68 }
69
70 extern void
71 chopt_free (struct Chown_option *chopt _GL_UNUSED)
72 {
73 /* Deliberately do not free chopt->user_name or ->group_name.
74 They're not always allocated. */
75 }
76
77 /* Convert the numeric group-id, GID, to a string stored in xmalloc'd memory,
78 and return it. If there's no corresponding group name, use the decimal
79 representation of the ID. */
80
81 extern char *
82 gid_to_name (gid_t gid)
83 {
84 char buf[INT_BUFSIZE_BOUND (intmax_t)];
85 struct group *grp = getgrgid (gid);
86 return xstrdup (grp ? grp->gr_name
87 : TYPE_SIGNED (gid_t) ? imaxtostr (gid, buf)
88 : umaxtostr (gid, buf));
89 }
90
91 /* Convert the numeric user-id, UID, to a string stored in xmalloc'd memory,
92 and return it. If there's no corresponding user name, use the decimal
93 representation of the ID. */
94
95 extern char *
96 uid_to_name (uid_t uid)
97 {
98 char buf[INT_BUFSIZE_BOUND (intmax_t)];
99 struct passwd *pwd = getpwuid (uid);
100 return xstrdup (pwd ? pwd->pw_name
101 : TYPE_SIGNED (uid_t) ? imaxtostr (uid, buf)
102 : umaxtostr (uid, buf));
103 }
104
105 /* Allocate a string representing USER and GROUP. */
106
107 static char *
108 user_group_str (char const *user, char const *group)
109 {
110 char *spec = NULL;
111
112 if (user)
113 {
114 if (group)
115 {
116 spec = xmalloc (strlen (user) + 1 + strlen (group) + 1);
117 stpcpy (stpcpy (stpcpy (spec, user), ":"), group);
118 }
119 else
120 {
121 spec = xstrdup (user);
122 }
123 }
124 else if (group)
125 {
126 spec = xstrdup (group);
127 }
128
129 return spec;
130 }
131
132 /* Tell the user how/if the user and group of FILE have been changed.
133 If USER is NULL, give the group-oriented messages.
134 CHANGED describes what (if anything) has happened. */
135
136 static void
137 describe_change (const char *file, enum Change_status changed,
138 char const *old_user, char const *old_group,
139 char const *user, char const *group)
140 {
141 const char *fmt;
142 char *old_spec;
143 char *spec;
144
145 if (changed == CH_NOT_APPLIED)
146 {
147 printf (_("neither symbolic link %s nor referent has been changed\n"),
148 quote (file));
149 return;
150 }
151
152 spec = user_group_str (user, group);
153 old_spec = user_group_str (user ? old_user : NULL, group ? old_group : NULL);
154
155 switch (changed)
156 {
157 case CH_SUCCEEDED:
158 fmt = (user ? _("changed ownership of %s from %s to %s\n")
159 : group ? _("changed group of %s from %s to %s\n")
160 : _("no change to ownership of %s\n"));
161 break;
162 case CH_FAILED:
163 if (old_spec)
164 {
165 fmt = (user ? _("failed to change ownership of %s from %s to %s\n")
166 : group ? _("failed to change group of %s from %s to %s\n")
167 : _("failed to change ownership of %s\n"));
168 }
169 else
170 {
171 fmt = (user ? _("failed to change ownership of %s to %s\n")
172 : group ? _("failed to change group of %s to %s\n")
173 : _("failed to change ownership of %s\n"));
174 free (old_spec);
175 old_spec = spec;
176 spec = NULL;
177 }
178 break;
179 case CH_NO_CHANGE_REQUESTED:
180 fmt = (user ? _("ownership of %s retained as %s\n")
181 : group ? _("group of %s retained as %s\n")
182 : _("ownership of %s retained\n"));
183 break;
184 default:
185 abort ();
186 }
187
188 printf (fmt, quote (file), old_spec, spec);
189
190 free (old_spec);
191 free (spec);
192 }
193
194 /* Change the owner and/or group of the FILE to UID and/or GID (safely)
195 only if REQUIRED_UID and REQUIRED_GID match the owner and group IDs
196 of FILE. ORIG_ST must be the result of 'stat'ing FILE.
197
198 The 'safely' part above means that we can't simply use chown(2),
199 since FILE might be replaced with some other file between the time
200 of the preceding stat/lstat and this chown call. So here we open
201 FILE and do everything else via the resulting file descriptor.
202 We first call fstat and verify that the dev/inode match those from
203 the preceding stat call, and only then, if appropriate (given the
204 required_uid and required_gid constraints) do we call fchown.
205
206 Return RC_do_ordinary_chown if we can't open FILE, or if FILE is a
207 special file that might have undesirable side effects when opening.
208 In this case the caller can use the less-safe ordinary chown.
209
210 Return one of the RCH_status values. */
211
212 static enum RCH_status
213 restricted_chown (int cwd_fd, char const *file,
214 struct stat const *orig_st,
215 uid_t uid, gid_t gid,
216 uid_t required_uid, gid_t required_gid)
217 {
218 enum RCH_status status = RC_ok;
219 struct stat st;
220 int open_flags = O_NONBLOCK | O_NOCTTY;
221 int fd;
222
223 if (required_uid == (uid_t) -1 && required_gid == (gid_t) -1)
224 return RC_do_ordinary_chown;
225
226 if (! S_ISREG (orig_st->st_mode))
227 {
228 if (S_ISDIR (orig_st->st_mode))
229 open_flags |= O_DIRECTORY;
230 else
231 return RC_do_ordinary_chown;
232 }
233
234 fd = openat (cwd_fd, file, O_RDONLY | open_flags);
235 if (! (0 <= fd
236 || (errno == EACCES && S_ISREG (orig_st->st_mode)
237 && 0 <= (fd = openat (cwd_fd, file, O_WRONLY | open_flags)))))
238 return (errno == EACCES ? RC_do_ordinary_chown : RC_error);
239
240 if (fstat (fd, &st) != 0)
241 status = RC_error;
242 else if (! SAME_INODE (*orig_st, st))
243 status = RC_inode_changed;
244 else if ((required_uid == (uid_t) -1 || required_uid == st.st_uid)
245 && (required_gid == (gid_t) -1 || required_gid == st.st_gid))
246 {
247 if (fchown (fd, uid, gid) == 0)
248 {
249 status = (close (fd) == 0
250 ? RC_ok : RC_error);
251 return status;
252 }
253 else
254 {
255 status = RC_error;
256 }
257 }
258
259 int saved_errno = errno;
260 close (fd);
261 errno = saved_errno;
262 return status;
263 }
264
265 /* Change the owner and/or group of the file specified by FTS and ENT
266 to UID and/or GID as appropriate.
267 If REQUIRED_UID is not -1, then skip files with any other user ID.
268 If REQUIRED_GID is not -1, then skip files with any other group ID.
269 CHOPT specifies additional options.
270 Return true if successful. */
271 static bool
272 change_file_owner (FTS *fts, FTSENT *ent,
273 uid_t uid, gid_t gid,
274 uid_t required_uid, gid_t required_gid,
275 struct Chown_option const *chopt)
276 {
277 char const *file_full_name = ent->fts_path;
278 char const *file = ent->fts_accpath;
279 struct stat const *file_stats;
280 struct stat stat_buf;
281 bool ok = true;
282 bool do_chown;
283 bool symlink_changed = true;
284
285 switch (ent->fts_info)
286 {
287 case FTS_D:
288 if (chopt->recurse)
289 {
290 if (ROOT_DEV_INO_CHECK (chopt->root_dev_ino, ent->fts_statp))
291 {
292 /* This happens e.g., with "chown -R --preserve-root 0 /"
293 and with "chown -RH --preserve-root 0 symlink-to-root". */
294 ROOT_DEV_INO_WARN (file_full_name);
295 /* Tell fts not to traverse into this hierarchy. */
296 fts_set (fts, ent, FTS_SKIP);
297 /* Ensure that we do not process "/" on the second visit. */
298 ignore_value (fts_read (fts));
299 return false;
300 }
301 return true;
302 }
303 break;
304
305 case FTS_DP:
306 if (! chopt->recurse)
307 return true;
308 break;
309
310 case FTS_NS:
311 /* For a top-level file or directory, this FTS_NS (stat failed)
312 indicator is determined at the time of the initial fts_open call.
313 With programs like chmod, chown, and chgrp, that modify
314 permissions, it is possible that the file in question is
315 accessible when control reaches this point. So, if this is
316 the first time we've seen the FTS_NS for this file, tell
317 fts_read to stat it "again". */
318 if (ent->fts_level == 0 && ent->fts_number == 0)
319 {
320 ent->fts_number = 1;
321 fts_set (fts, ent, FTS_AGAIN);
322 return true;
323 }
324 if (! chopt->force_silent)
325 error (0, ent->fts_errno, _("cannot access %s"),
326 quote (file_full_name));
327 ok = false;
328 break;
329
330 case FTS_ERR:
331 if (! chopt->force_silent)
332 error (0, ent->fts_errno, "%s", quote (file_full_name));
333 ok = false;
334 break;
335
336 case FTS_DNR:
337 if (! chopt->force_silent)
338 error (0, ent->fts_errno, _("cannot read directory %s"),
339 quote (file_full_name));
340 ok = false;
341 break;
342
343 case FTS_DC: /* directory that causes cycles */
344 if (cycle_warning_required (fts, ent))
345 {
346 emit_cycle_warning (file_full_name);
347 return false;
348 }
349 break;
350
351 default:
352 break;
353 }
354
355 if (!ok)
356 {
357 do_chown = false;
358 file_stats = NULL;
359 }
360 else if (required_uid == (uid_t) -1 && required_gid == (gid_t) -1
361 && chopt->verbosity == V_off
362 && ! chopt->root_dev_ino
363 && ! chopt->affect_symlink_referent)
364 {
365 do_chown = true;
366 file_stats = ent->fts_statp;
367 }
368 else
369 {
370 file_stats = ent->fts_statp;
371
372 /* If this is a symlink and we're dereferencing them,
373 stat it to get info on the referent. */
374 if (chopt->affect_symlink_referent && S_ISLNK (file_stats->st_mode))
375 {
376 if (fstatat (fts->fts_cwd_fd, file, &stat_buf, 0) != 0)
377 {
378 if (! chopt->force_silent)
379 error (0, errno, _("cannot dereference %s"),
380 quote (file_full_name));
381 ok = false;
382 }
383
384 file_stats = &stat_buf;
385 }
386
387 do_chown = (ok
388 && (required_uid == (uid_t) -1
389 || required_uid == file_stats->st_uid)
390 && (required_gid == (gid_t) -1
391 || required_gid == file_stats->st_gid));
392 }
393
394 /* This happens when chown -LR --preserve-root encounters a symlink-to-/. */
395 if (ok
396 && FTSENT_IS_DIRECTORY (ent)
397 && ROOT_DEV_INO_CHECK (chopt->root_dev_ino, file_stats))
398 {
399 ROOT_DEV_INO_WARN (file_full_name);
400 return false;
401 }
402
403 if (do_chown)
404 {
405 if ( ! chopt->affect_symlink_referent)
406 {
407 ok = (lchownat (fts->fts_cwd_fd, file, uid, gid) == 0);
408
409 /* Ignore any error due to lack of support; POSIX requires
410 this behavior for top-level symbolic links with -h, and
411 implies that it's required for all symbolic links. */
412 if (!ok && errno == EOPNOTSUPP)
413 {
414 ok = true;
415 symlink_changed = false;
416 }
417 }
418 else
419 {
420 /* If possible, avoid a race condition with --from=O:G and without the
421 (-h) --no-dereference option. If fts's stat call determined
422 that the uid/gid of FILE matched the --from=O:G-selected
423 owner and group IDs, blindly using chown(2) here could lead
424 chown(1) or chgrp(1) mistakenly to dereference a *symlink*
425 to an arbitrary file that an attacker had moved into the
426 place of FILE during the window between the stat and
427 chown(2) calls. If FILE is a regular file or a directory
428 that can be opened, this race condition can be avoided safely. */
429
430 enum RCH_status err
431 = restricted_chown (fts->fts_cwd_fd, file, file_stats, uid, gid,
432 required_uid, required_gid);
433 switch (err)
434 {
435 case RC_ok:
436 break;
437
438 case RC_do_ordinary_chown:
439 ok = (chownat (fts->fts_cwd_fd, file, uid, gid) == 0);
440 break;
441
442 case RC_error:
443 ok = false;
444 break;
445
446 case RC_inode_changed:
447 /* FIXME: give a diagnostic in this case? */
448 case RC_excluded:
449 do_chown = false;
450 ok = false;
451 break;
452
453 default:
454 abort ();
455 }
456 }
457
458 /* On some systems (e.g., GNU/Linux 2.4.x),
459 the chown function resets the 'special' permission bits.
460 Do *not* restore those bits; doing so would open a window in
461 which a malicious user, M, could subvert a chown command run
462 by some other user and operating on files in a directory
463 where M has write access. */
464
465 if (do_chown && !ok && ! chopt->force_silent)
466 error (0, errno, (uid != (uid_t) -1
467 ? _("changing ownership of %s")
468 : _("changing group of %s")),
469 quote (file_full_name));
470 }
471
472 if (chopt->verbosity != V_off)
473 {
474 bool changed =
475 ((do_chown && ok && symlink_changed)
476 && ! ((uid == (uid_t) -1 || uid == file_stats->st_uid)
477 && (gid == (gid_t) -1 || gid == file_stats->st_gid)));
478
479 if (changed || chopt->verbosity == V_high)
480 {
481 enum Change_status ch_status =
482 (!ok ? CH_FAILED
483 : !symlink_changed ? CH_NOT_APPLIED
484 : !changed ? CH_NO_CHANGE_REQUESTED
485 : CH_SUCCEEDED);
486 char *old_usr = file_stats ? uid_to_name (file_stats->st_uid) : NULL;
487 char *old_grp = file_stats ? gid_to_name (file_stats->st_gid) : NULL;
488 describe_change (file_full_name, ch_status,
489 old_usr, old_grp,
490 chopt->user_name, chopt->group_name);
491 free (old_usr);
492 free (old_grp);
493 }
494 }
495
496 if ( ! chopt->recurse)
497 fts_set (fts, ent, FTS_SKIP);
498
499 return ok;
500 }
501
502 /* Change the owner and/or group of the specified FILES.
503 BIT_FLAGS specifies how to treat each symlink-to-directory
504 that is encountered during a recursive traversal.
505 CHOPT specifies additional options.
506 If UID is not -1, then change the owner id of each file to UID.
507 If GID is not -1, then change the group id of each file to GID.
508 If REQUIRED_UID and/or REQUIRED_GID is not -1, then change only
509 files with user ID and group ID that match the non-(-1) value(s).
510 Return true if successful. */
511 extern bool
512 chown_files (char **files, int bit_flags,
513 uid_t uid, gid_t gid,
514 uid_t required_uid, gid_t required_gid,
515 struct Chown_option const *chopt)
516 {
517 bool ok = true;
518
519 /* Use lstat and stat only if they're needed. */
520 int stat_flags = ((required_uid != (uid_t) -1 || required_gid != (gid_t) -1
521 || chopt->affect_symlink_referent
522 || chopt->verbosity != V_off)
523 ? 0
524 : FTS_NOSTAT);
525
526 FTS *fts = xfts_open (files, bit_flags | stat_flags, NULL);
527
528 while (1)
529 {
530 FTSENT *ent;
531
532 ent = fts_read (fts);
533 if (ent == NULL)
534 {
535 if (errno != 0)
536 {
537 /* FIXME: try to give a better message */
538 if (! chopt->force_silent)
539 error (0, errno, _("fts_read failed"));
540 ok = false;
541 }
542 break;
543 }
544
545 ok &= change_file_owner (fts, ent, uid, gid,
546 required_uid, required_gid, chopt);
547 }
548
549 if (fts_close (fts) != 0)
550 {
551 error (0, errno, _("fts_close failed"));
552 ok = false;
553 }
554
555 return ok;
556 }
GNU core utilities