2 * Copyright (c) 1993, 1994
3 * The Regents of the University of California. All rights reserved.
4 * Copyright (c) 1993, 1994, 1995, 1996
5 * Keith Bostic. All rights reserved.
7 * See the LICENSE file for redistribution information.
13 static const char sccsid
[] = "$Id: recover.c,v 10.28 2001/11/01 09:56:58 skimo Exp $ (Berkeley) $Date: 2001/11/01 09:56:58 $";
16 #include <sys/param.h>
17 #include <sys/types.h> /* XXX: param.h may not have included types.h */
18 #include <sys/queue.h>
22 * We include <sys/file.h>, because the open #defines were found there
23 * on historical systems. We also include <fcntl.h> because the open(2)
24 * #defines are found there on newer systems.
28 #include <bitstring.h>
41 #include "pathnames.h"
46 * The basic scheme is as follows. In the EXF structure, we maintain full
47 * paths of a b+tree file and a mail recovery file. The former is the file
48 * used as backing store by the DB package. The latter is the file that
49 * contains an email message to be sent to the user if we crash. The two
50 * simple states of recovery are:
52 * + first starting the edit session:
53 * the b+tree file exists and is mode 700, the mail recovery
55 * + after the file has been modified:
56 * the b+tree file exists and is mode 600, the mail recovery
57 * file exists, and is exclusively locked.
59 * In the EXF structure we maintain a file descriptor that is the locked
60 * file descriptor for the mail recovery file. NOTE: we sometimes have to
61 * do locking with fcntl(2). This is a problem because if you close(2) any
62 * file descriptor associated with the file, ALL of the locks go away. Be
63 * sure to remember that if you have to modify the recovery code. (It has
64 * been rhetorically asked of what the designers could have been thinking
65 * when they did that interface. The answer is simple: they weren't.)
67 * To find out if a recovery file/backing file pair are in use, try to get
68 * a lock on the recovery file.
70 * To find out if a backing file can be deleted at boot time, check for an
71 * owner execute bit. (Yes, I know it's ugly, but it's either that or put
72 * special stuff into the backing file itself, or correlate the files at
73 * boot time, neither of which looks like fun.) Note also that there's a
74 * window between when the file is created and the X bit is set. It's small,
75 * but it's there. To fix the window, check for 0 length files as well.
77 * To find out if a file can be recovered, check the F_RCV_ON bit. Note,
78 * this DOES NOT mean that any initialization has been done, only that we
79 * haven't yet failed at setting up or doing recovery.
81 * To preserve a recovery file/backing file pair, set the F_RCV_NORM bit.
82 * If that bit is not set when ending a file session:
83 * If the EXF structure paths (rcv_path and rcv_mpath) are not NULL,
84 * they are unlink(2)'d, and free(3)'d.
85 * If the EXF file descriptor (rcv_fd) is not -1, it is closed.
87 * The backing b+tree file is set up when a file is first edited, so that
88 * the DB package can use it for on-disk caching and/or to snapshot the
89 * file. When the file is first modified, the mail recovery file is created,
90 * the backing file permissions are updated, the file is sync(2)'d to disk,
91 * and the timer is started. Then, at RCV_PERIOD second intervals, the
92 * b+tree file is synced to disk. RCV_PERIOD is measured using SIGALRM, which
93 * means that the data structures (SCR, EXF, the underlying tree structures)
94 * must be consistent when the signal arrives.
96 * The recovery mail file contains normal mail headers, with two additions,
97 * which occur in THIS order, as the FIRST TWO headers:
99 * X-vi-recover-file: file_name
100 * X-vi-recover-path: recover_path
102 * Since newlines delimit the headers, this means that file names cannot have
103 * newlines in them, but that's probably okay. As these files aren't intended
104 * to be long-lived, changing their format won't be too painful.
106 * Btree files are named "vi.XXXX" and recovery files are named "recover.XXXX".
109 #define VI_FHEADER "X-vi-recover-file: "
110 #define VI_PHEADER "X-vi-recover-path: "
112 static int rcv_copy
__P((SCR
*, int, char *));
113 static void rcv_email
__P((SCR
*, char *));
114 static char *rcv_gets
__P((char *, size_t, int));
115 static int rcv_mailfile
__P((SCR
*, int, char *));
116 static int rcv_mktemp
__P((SCR
*, char *, char *, int));
120 * Build a file name that will be used as the recovery file.
122 * PUBLIC: int rcv_tmp __P((SCR *, EXF *, char *));
125 rcv_tmp(SCR
*sp
, EXF
*ep
, char *name
)
129 char *dp
, *p
, path
[MAXPATHLEN
];
133 * ep MAY NOT BE THE SAME AS sp->ep, DON'T USE THE LATTER.
136 * If the recovery directory doesn't exist, try and create it. As
137 * the recovery files are themselves protected from reading/writing
138 * by other than the owner, the worst that can happen is that a user
139 * would have permission to remove other user's recovery files. If
140 * the sticky bit has the BSD semantics, that too will be impossible.
142 if (opts_empty(sp
, O_RECDIR
, 0))
144 dp
= O_STR(sp
, O_RECDIR
);
146 if (errno
!= ENOENT
|| mkdir(dp
, 0)) {
147 msgq(sp
, M_SYSERR
, "%s", dp
);
150 (void)chmod(dp
, S_IRWXU
| S_IRWXG
| S_IRWXO
| S_ISVTX
);
153 /* Newlines delimit the mail messages. */
154 if (strchr(p
, '\n') {
156 "055|Files with newlines in the name are unrecoverable");
160 (void)snprintf(path
, sizeof(path
), "%s/vi.XXXXXX", dp
);
161 if ((fd
= rcv_mktemp(sp
, path
, dp
, S_IRWXU
)) == -1)
165 if ((ep
->rcv_path
= strdup(path
)) == NULL
) {
166 msgq(sp
, M_SYSERR
, NULL
);
169 "056|Modifications not recoverable if the session fails");
173 /* We believe the file is recoverable. */
180 * Force the file to be snapshotted for recovery.
182 * PUBLIC: int rcv_init __P((SCR *));
192 /* Only do this once. */
193 F_CLR(ep
, F_FIRSTMODIFY
);
195 /* If we already know the file isn't recoverable, we're done. */
196 if (!F_ISSET(ep
, F_RCV_ON
))
199 /* Turn off recoverability until we figure out if this will work. */
202 /* Test if we're recovering a file, not editing one. */
203 if (ep
->rcv_mpath
== NULL
) {
206 /* Build a file to mail to the user. */
207 if (rcv_mailfile(sp
, 0, NULL
))
210 /* Force a read of the entire file. */
211 if (db_last(sp
, &lno
))
214 /* Turn on a busy message, and sync it to backing store. */
216 "057|Copying file for recovery...", BUSY_ON
);
219 We don't want DB to write to the underlying
220 recno database, so we just tell it that it's
223 ep
->db
->type
= DB_UNKNOWN
;
224 if (ep
->db
->sync(ep
->db
, 0)) {
225 msgq_str(sp
, M_SYSERR
, ep
->rcv_path
,
226 "058|Preservation failed: %s");
227 sp
->gp
->scr_busy(sp
, NULL
, BUSY_OFF
);
231 sp
->gp
->scr_busy(sp
, NULL
, BUSY_OFF
);
234 /* Turn off the owner execute bit. */
235 (void)chmod(ep
->rcv_path
, S_IRUSR
| S_IWUSR
);
237 /* We believe the file is recoverable. */
242 "059|Modifications not recoverable if the session fails");
248 * Sync the file, optionally:
249 * flagging the backup file to be preserved
250 * snapshotting the backup file and send email to the user
251 * sending email to the user if the file was modified
252 * ending the file session
254 * PUBLIC: int rcv_sync __P((SCR *, u_int));
257 rcv_sync(SCR
*sp
, u_int flags
)
263 /* Make sure that there's something to recover/sync. */
265 if (ep
== NULL
|| !F_ISSET(ep
, F_RCV_ON
))
268 /* Sync the file if it's been modified. */
269 if (F_ISSET(ep
, F_MODIFIED
)) {
273 We don't want DB to write to the underlying
274 recno database, so we just tell it that it's
277 ep
->db
->type
= DB_UNKNOWN
;
278 if (ep
->db
->sync(ep
->db
, 0)) {
279 F_CLR(ep
, F_RCV_ON
| F_RCV_NORM
);
280 msgq_str(sp
, M_SYSERR
,
281 ep
->rcv_path
, "060|File backup failed: %s");
286 /* REQUEST: don't remove backing file on exit. */
287 if (LF_ISSET(RCV_PRESERVE
))
288 F_SET(ep
, F_RCV_NORM
);
290 /* REQUEST: send email. */
291 if (LF_ISSET(RCV_EMAIL
))
292 rcv_email(sp
, ep
->rcv_mpath
);
297 * Each time the user exec's :preserve, we have to snapshot all of
298 * the recovery information, i.e. it's like the user re-edited the
299 * file. We copy the DB(3) backing file, and then create a new mail
300 * recovery file, it's simpler than exiting and reopening all of the
303 * REQUEST: snapshot the file.
306 if (LF_ISSET(RCV_SNAPSHOT
)) {
307 if (opts_empty(sp
, O_RECDIR
, 0))
309 dp
= O_STR(sp
, O_RECDIR
);
310 (void)snprintf(buf
, sizeof(buf
), "%s/vi.XXXXXX", dp
);
311 if ((fd
= rcv_mktemp(sp
, buf
, dp
, S_IRUSR
| S_IWUSR
)) == -1)
314 "061|Copying file for recovery...", BUSY_ON
);
315 if (rcv_copy(sp
, fd
, ep
->rcv_path
) ||
316 close(fd
) || rcv_mailfile(sp
, 1, buf
)) {
321 sp
->gp
->scr_busy(sp
, NULL
, BUSY_OFF
);
327 /* REQUEST: end the file session. */
328 if (LF_ISSET(RCV_ENDSESSION
) && file_end(sp
, NULL
, 1))
336 * Build the file to mail to the user.
339 rcv_mailfile(SCR
*sp
, int issync
, char *cp_path
)
348 char *dp
, *p
, *t
, buf
[4096], mpath
[MAXPATHLEN
];
353 * MAXHOSTNAMELEN is in various places on various systems, including
354 * <netdb.h> and <sys/socket.h>. If not found, use a large default.
356 #ifndef MAXHOSTNAMELEN
357 #define MAXHOSTNAMELEN 1024
359 char host
[MAXHOSTNAMELEN
];
362 if ((pw
= getpwuid(uid
= getuid())) == NULL
) {
364 "062|Information on user id %u not found", uid
);
368 if (opts_empty(sp
, O_RECDIR
, 0))
370 dp
= O_STR(sp
, O_RECDIR
);
371 (void)snprintf(mpath
, sizeof(mpath
), "%s/recover.XXXXXX", dp
);
372 if ((fd
= rcv_mktemp(sp
, mpath
, dp
, S_IRUSR
| S_IWUSR
)) == -1)
377 * We keep an open lock on the file so that the recover option can
378 * distinguish between files that are live and those that need to
379 * be recovered. There's an obvious window between the mkstemp call
380 * and the lock, but it's pretty small.
383 if (file_lock(sp
, NULL
, NULL
, fd
, 1) != LOCK_SUCCESS
)
384 msgq(sp
, M_SYSERR
, "063|Unable to lock recovery file");
386 /* Save the recover file descriptor, and mail path. */
388 if ((ep
->rcv_mpath
= strdup(mpath
)) == NULL
) {
389 msgq(sp
, M_SYSERR
, NULL
);
392 cp_path
= ep
->rcv_path
;
397 * We can't use stdio(3) here. The problem is that we may be using
398 * fcntl(2), so if ANY file descriptor into the file is closed, the
399 * lock is lost. So, we could never close the FILE *, even if we
400 * dup'd the fd first.
403 if ((p
= strrchr(t
, '/')) == NULL
)
408 (void)gethostname(host
, sizeof(host
));
409 len
= snprintf(buf
, sizeof(buf
),
410 "%s%s\n%s%s\n%s\n%s\n%s%s\n%s%s\n%s\n\n",
411 VI_FHEADER
, t
, /* Non-standard. */
412 VI_PHEADER
, cp_path
, /* Non-standard. */
414 "From: root (Nvi recovery program)",
416 "Subject: Nvi saved the file ", p
,
417 "Precedence: bulk"); /* For vacation(1). */
418 if (len
> sizeof(buf
) - 1)
420 if (write(fd
, buf
, len
) != len
)
423 len
= snprintf(buf
, sizeof(buf
),
424 "%s%.24s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n\n",
425 "On ", ctime(&now
), ", the user ", pw
->pw_name
,
426 " was editing a file named ", t
, " on the machine ",
427 host
, ", when it was saved for recovery. ",
428 "You can recover most, if not all, of the changes ",
429 "to this file using the -r option to ", gp
->progname
, ":\n\n\t",
430 gp
->progname
, " -r ", t
);
431 if (len
> sizeof(buf
) - 1) {
432 lerr
: msgq(sp
, M_ERR
, "064|Recovery file buffer overrun");
437 * Format the message. (Yes, I know it's silly.)
438 * Requires that the message end in a <newline>.
441 for (t1
= buf
; len
> 0; len
-= t2
- t1
, t1
= t2
) {
442 /* Check for a short length. */
443 if (len
<= FMTCOLS
) {
448 /* Check for a required <newline>. */
449 t2
= strchr(t1
, '\n');
450 if (t2
- t1
<= FMTCOLS
)
453 /* Find the closest space, if any. */
454 for (t3
= t2
; t2
> t1
; --t2
)
456 if (t2
- t1
<= FMTCOLS
)
462 /* t2 points to the last character to display. */
465 /* t2 points one after the last character to display. */
466 if (write(fd
, t1
, t2
- t1
) != t2
- t1
)
471 rcv_email(sp
, mpath
);
473 werr
: msgq(sp
, M_SYSERR
, "065|Recovery file");
488 * never exactly the same
489 * just like a snowflake
492 * List the files that can be recovered by this user.
494 * PUBLIC: int rcv_list __P((SCR *));
504 char *p
, *t
, file
[MAXPATHLEN
], path
[MAXPATHLEN
];
506 /* Open the recovery directory for reading. */
507 if (opts_empty(sp
, O_RECDIR
, 0))
509 p
= O_STR(sp
, O_RECDIR
);
510 if (chdir(p
) || (dirp
= opendir(".")) == NULL
) {
511 msgq_str(sp
, M_SYSERR
, p
, "recdir: %s");
515 /* Read the directory. */
516 for (found
= 0; (dp
= readdir(dirp
)) != NULL
;) {
517 if (strncmp(dp
->d_name
, "recover.", 8))
521 * If it's readable, it's recoverable.
524 * Should be "r", we don't want to write the file. However,
525 * if we're using fcntl(2), there's no way to lock a file
526 * descriptor that's not open for writing.
528 if ((fp
= fopen(dp
->d_name
, "r+")) == NULL
)
531 switch (file_lock(sp
, NULL
, NULL
, fileno(fp
), 1)) {
535 * Assume that a lock can't be acquired, but that we
536 * should permit recovery anyway. If this is wrong,
537 * and someone else is using the file, we're going to
544 /* If it's locked, it's live. */
549 /* Check the headers. */
550 if (fgets(file
, sizeof(file
), fp
) == NULL
||
551 strncmp(file
, VI_FHEADER
, sizeof(VI_FHEADER
) - 1) ||
552 (p
= strchr(file
, '\n')) == NULL
||
553 fgets(path
, sizeof(path
), fp
) == NULL
||
554 strncmp(path
, VI_PHEADER
, sizeof(VI_PHEADER
) - 1) ||
555 (t
= strchr(path
, '\n')) == NULL
) {
556 msgq_str(sp
, M_ERR
, dp
->d_name
,
557 "066|%s: malformed recovery file");
563 * If the file doesn't exist, it's an orphaned recovery file,
567 * This can occur if the backup file was deleted and we crashed
568 * before deleting the email file.
571 if (stat(path
+ sizeof(VI_PHEADER
) - 1, &sb
) &&
573 (void)unlink(dp
->d_name
);
577 /* Get the last modification time and display. */
578 (void)fstat(fileno(fp
), &sb
);
579 (void)printf("%.24s: %s\n",
580 ctime(&sb
.st_mtime
), file
+ sizeof(VI_FHEADER
) - 1);
583 /* Close, discarding lock. */
584 next
: (void)fclose(fp
);
587 (void)printf("vi: no files to recover.\n");
588 (void)closedir(dirp
);
594 * Start a recovered file as the file to edit.
596 * PUBLIC: int rcv_read __P((SCR *, FREF *));
599 rcv_read(SCR
*sp
, FREF
*frp
)
606 int fd
, found
, locked
, requested
, sv_fd
;
607 char *name
, *p
, *t
, *rp
, *recp
, *pathp
;
608 char file
[MAXPATHLEN
], path
[MAXPATHLEN
], recpath
[MAXPATHLEN
];
610 if (opts_empty(sp
, O_RECDIR
, 0))
612 rp
= O_STR(sp
, O_RECDIR
);
613 if ((dirp
= opendir(rp
)) == NULL
) {
614 msgq_str(sp
, M_ERR
, rp
, "%s");
622 for (found
= requested
= 0; (dp
= readdir(dirp
)) != NULL
;) {
623 if (strncmp(dp
->d_name
, "recover.", 8))
625 (void)snprintf(recpath
,
626 sizeof(recpath
), "%s/%s", rp
, dp
->d_name
);
629 * If it's readable, it's recoverable. It would be very
630 * nice to use stdio(3), but, we can't because that would
631 * require closing and then reopening the file so that we
632 * could have a lock and still close the FP. Another tip
633 * of the hat to fcntl(2).
636 * Should be O_RDONLY, we don't want to write it. However,
637 * if we're using fcntl(2), there's no way to lock a file
638 * descriptor that's not open for writing.
640 if ((fd
= open(recpath
, O_RDWR
, 0)) == -1)
643 switch (file_lock(sp
, NULL
, NULL
, fd
, 1)) {
647 * Assume that a lock can't be acquired, but that we
648 * should permit recovery anyway. If this is wrong,
649 * and someone else is using the file, we're going to
658 /* If it's locked, it's live. */
663 /* Check the headers. */
664 if (rcv_gets(file
, sizeof(file
), fd
) == NULL
||
665 strncmp(file
, VI_FHEADER
, sizeof(VI_FHEADER
) - 1) ||
666 (p
= strchr(file
, '\n')) == NULL
||
667 rcv_gets(path
, sizeof(path
), fd
) == NULL
||
668 strncmp(path
, VI_PHEADER
, sizeof(VI_PHEADER
) - 1) ||
669 (t
= strchr(path
, '\n')) == NULL
) {
670 msgq_str(sp
, M_ERR
, recpath
,
671 "067|%s: malformed recovery file");
678 * If the file doesn't exist, it's an orphaned recovery file,
682 * This can occur if the backup file was deleted and we crashed
683 * before deleting the email file.
686 if (stat(path
+ sizeof(VI_PHEADER
) - 1, &sb
) &&
688 (void)unlink(dp
->d_name
);
692 /* Check the file name. */
693 if (strcmp(file
+ sizeof(VI_FHEADER
) - 1, name
))
699 * If we've found more than one, take the most recent.
702 * Since we're using st_mtime, for portability reasons,
703 * we only get a single second granularity, instead of
706 (void)fstat(fd
, &sb
);
707 if (recp
== NULL
|| rec_mtime
< sb
.st_mtime
) {
710 if ((recp
= strdup(recpath
)) == NULL
) {
711 msgq(sp
, M_SYSERR
, NULL
);
715 if ((pathp
= strdup(path
)) == NULL
) {
716 msgq(sp
, M_SYSERR
, NULL
);
726 rec_mtime
= sb
.st_mtime
;
731 next
: (void)close(fd
);
733 (void)closedir(dirp
);
736 msgq_str(sp
, M_INFO
, name
,
737 "068|No files named %s, readable by you, to recover");
743 "069|There are older versions of this file for you to recover");
744 if (found
> requested
)
746 "070|There are other files for you to recover");
750 * Create the FREF structure, start the btree file.
753 * file_init() is going to set ep->rcv_path.
755 if (file_init(sp
, frp
, pathp
+ sizeof(VI_PHEADER
) - 1, 0)) {
763 * We keep an open lock on the file so that the recover option can
764 * distinguish between files that are live and those that need to
765 * be recovered. The lock is already acquired, just copy it.
768 ep
->rcv_mpath
= recp
;
771 F_SET(frp
, FR_UNLOCKED
);
773 /* We believe the file is recoverable. */
780 * Copy a recovery file.
783 rcv_copy(SCR
*sp
, int wfd
, char *fname
)
785 int nr
, nw
, off
, rfd
;
788 if ((rfd
= open(fname
, O_RDONLY
, 0)) == -1)
790 while ((nr
= read(rfd
, buf
, sizeof(buf
))) > 0)
791 for (off
= 0; nr
; nr
-= nw
, off
+= nw
)
792 if ((nw
= write(wfd
, buf
+ off
, nr
)) < 0)
797 err
: msgq_str(sp
, M_SYSERR
, fname
, "%s");
803 * Fgets(3) for a file descriptor.
806 rcv_gets(char *buf
, size_t len
, int fd
)
811 if ((nr
= read(fd
, buf
, len
- 1)) == -1)
813 if ((p
= strchr(buf
, '\n')) == NULL
)
815 (void)lseek(fd
, (off_t
)((p
- buf
) + 1), SEEK_SET
);
821 * Paranoid make temporary file routine.
824 rcv_mktemp(SCR
*sp
, char *path
, char *dname
, int perms
)
830 * We expect mkstemp(3) to set the permissions correctly. On
831 * historic System V systems, mkstemp didn't. Do it here, on
835 * The variable perms should really be a mode_t, and it would
836 * be nice to use fchmod(2) instead of chmod(2), here.
838 if ((fd
= mkstemp(path
)) == -1)
839 msgq_str(sp
, M_SYSERR
, dname
, "%s");
841 (void)chmod(path
, perms
);
850 rcv_email(SCR
*sp
, char *fname
)
853 char buf
[MAXPATHLEN
* 2 + 20];
855 if (_PATH_SENDMAIL
[0] != '/' || stat(_PATH_SENDMAIL
, &sb
))
856 msgq_str(sp
, M_SYSERR
,
857 _PATH_SENDMAIL
, "071|not sending email: %s");
861 * If you need to port this to a system that doesn't have
862 * sendmail, the -t flag causes sendmail to read the message
863 * for the recipients instead of specifying them some other
866 (void)snprintf(buf
, sizeof(buf
),
867 "%s -t < %s", _PATH_SENDMAIL
, fname
);