WHATSNEW: Start release notes for Samba 3.6.11.
[Samba.git] / source4 / ntvfs / posix / pvfs_sys.c
blobf110590153953dcb6a5643e6fcdf0c4fa16470b5
1 /*
2 Unix SMB/CIFS implementation.
4 POSIX NTVFS backend - pvfs_sys wrappers
6 Copyright (C) Andrew Tridgell 2010
7 Copyright (C) Andrew Bartlett 2010
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "includes.h"
24 #include "vfs_posix.h"
25 #include "../lib/util/unix_privs.h"
28 these wrapper functions must only be called when the appropriate ACL
29 has already been checked. The wrappers will override a EACCES result
30 by gaining root privileges if the 'pvfs:perm override' is set on the
31 share (it is enabled by default)
33 Careful use of O_NOFOLLOW and O_DIRECTORY is used to prevent
34 security attacks via symlinks
38 struct pvfs_sys_ctx {
39 struct pvfs_state *pvfs;
40 void *privs;
41 const char *old_wd;
42 struct stat st_orig;
47 we create PVFS_NOFOLLOW and PVFS_DIRECTORY as aliases for O_NOFOLLOW
48 and O_DIRECTORY on systems that have them. On systems that don't
49 have O_NOFOLLOW we are less safe, but the root override code is off
50 by default.
52 #ifdef O_NOFOLLOW
53 #define PVFS_NOFOLLOW O_NOFOLLOW
54 #else
55 #define PVFS_NOFOLLOW 0
56 #endif
57 #ifdef O_DIRECTORY
58 #define PVFS_DIRECTORY O_DIRECTORY
59 #else
60 #define PVFS_DIRECTORY 0
61 #endif
64 return to original directory when context is destroyed
66 static int pvfs_sys_pushdir_destructor(struct pvfs_sys_ctx *ctx)
68 struct stat st;
70 if (ctx->old_wd == NULL) {
71 return 0;
74 if (chdir(ctx->old_wd) != 0) {
75 smb_panic("Failed to restore working directory");
77 if (stat(".", &st) != 0) {
78 smb_panic("Failed to stat working directory");
80 if (st.st_ino != ctx->st_orig.st_ino ||
81 st.st_dev != ctx->st_orig.st_dev) {
82 smb_panic("Working directory changed during call");
85 return 0;
90 chdir() to the directory part of a pathname, but disallow any
91 component with a symlink
93 Note that we can't use O_NOFOLLOW on the whole path as that only
94 prevents links in the final component of the path
96 static int pvfs_sys_chdir_nosymlink(struct pvfs_sys_ctx *ctx, const char *pathname)
98 char *p, *path;
99 size_t base_len = strlen(ctx->pvfs->base_directory);
101 /* don't check for symlinks in the base directory of the share */
102 if (strncmp(ctx->pvfs->base_directory, pathname, base_len) == 0 &&
103 pathname[base_len] == '/') {
104 if (chdir(ctx->pvfs->base_directory) != 0) {
105 return -1;
107 pathname += base_len + 1;
110 path = talloc_strdup(ctx, pathname);
111 if (path == NULL) {
112 return -1;
114 while ((p = strchr(path, '/'))) {
115 int fd;
116 struct stat st1, st2;
117 *p = 0;
118 fd = open(path, PVFS_NOFOLLOW | PVFS_DIRECTORY | O_RDONLY);
119 if (fd == -1) {
120 return -1;
122 if (chdir(path) != 0) {
123 close(fd);
124 return -1;
126 if (stat(".", &st1) != 0 ||
127 fstat(fd, &st2) != 0) {
128 close(fd);
129 return -1;
131 close(fd);
132 if (st1.st_ino != st2.st_ino ||
133 st1.st_dev != st2.st_dev) {
134 DEBUG(0,(__location__ ": Inode changed during chdir in '%s' - symlink attack?",
135 pathname));
136 return -1;
138 path = p + 1;
141 return 0;
146 become root, and change directory to the directory component of a
147 path. Return a talloc context which when freed will move us back
148 to the original directory, and return us to the original uid
150 change the pathname argument to contain just the base component of
151 the path
153 return NULL on error, which could include an attempt to subvert
154 security using symlink tricks
156 static struct pvfs_sys_ctx *pvfs_sys_pushdir(struct pvfs_state *pvfs,
157 const char **pathname)
159 struct pvfs_sys_ctx *ctx;
160 char *cwd, *p, *dirname;
161 int ret;
163 ctx = talloc_zero(pvfs, struct pvfs_sys_ctx);
164 if (ctx == NULL) {
165 return NULL;
167 ctx->pvfs = pvfs;
168 ctx->privs = root_privileges();
169 if (ctx->privs == NULL) {
170 talloc_free(ctx);
171 return NULL;
174 talloc_steal(ctx, ctx->privs);
176 if (!pathname) {
177 /* no pathname needed */
178 return ctx;
181 p = strrchr(*pathname, '/');
182 if (p == NULL) {
183 /* we don't need to change directory */
184 return ctx;
187 /* we keep the old st around, so we can tell that
188 we have come back to the right directory */
189 if (stat(".", &ctx->st_orig) != 0) {
190 talloc_free(ctx);
191 return NULL;
194 cwd = get_current_dir_name();
195 if (cwd == NULL) {
196 talloc_free(ctx);
197 return NULL;
199 ctx->old_wd = talloc_strdup(ctx, cwd);
200 if (ctx->old_wd == NULL) {
201 free(cwd);
202 talloc_free(ctx);
203 return NULL;
206 dirname = talloc_strndup(ctx, *pathname, (p - *pathname));
207 if (dirname == NULL) {
208 talloc_free(ctx);
209 return NULL;
212 ret = pvfs_sys_chdir_nosymlink(ctx, *pathname);
213 if (ret == -1) {
214 talloc_free(ctx);
215 return NULL;
218 talloc_set_destructor(ctx, pvfs_sys_pushdir_destructor);
220 /* return the basename as the filename that should be operated on */
221 (*pathname) = talloc_strdup(ctx, p+1);
222 if (! *pathname) {
223 talloc_free(ctx);
224 return NULL;
227 return ctx;
232 chown a file that we created with a root privileges override
234 static int pvfs_sys_fchown(struct pvfs_state *pvfs, struct pvfs_sys_ctx *ctx, int fd)
236 return fchown(fd, root_privileges_original_uid(ctx->privs), -1);
240 chown a directory that we created with a root privileges override
242 static int pvfs_sys_chown(struct pvfs_state *pvfs, struct pvfs_sys_ctx *ctx, const char *name)
244 /* to avoid symlink hacks, we need to use fchown() on a directory fd */
245 int ret, fd;
246 fd = open(name, PVFS_DIRECTORY | PVFS_NOFOLLOW | O_RDONLY);
247 if (fd == -1) {
248 return -1;
250 ret = pvfs_sys_fchown(pvfs, ctx, fd);
251 close(fd);
252 return ret;
257 wrap open for system override
259 int pvfs_sys_open(struct pvfs_state *pvfs, const char *filename, int flags, mode_t mode)
261 int fd, ret;
262 struct pvfs_sys_ctx *ctx;
263 int saved_errno, orig_errno;
264 int retries = 5;
266 orig_errno = errno;
268 fd = open(filename, flags, mode);
269 if (fd != -1 ||
270 !(pvfs->flags & PVFS_FLAG_PERM_OVERRIDE) ||
271 errno != EACCES) {
272 return fd;
275 saved_errno = errno;
276 ctx = pvfs_sys_pushdir(pvfs, &filename);
277 if (ctx == NULL) {
278 errno = saved_errno;
279 return -1;
282 /* don't allow permission overrides to follow links */
283 flags |= PVFS_NOFOLLOW;
286 if O_CREAT was specified and O_EXCL was not specified
287 then initially do the open without O_CREAT, as in that case
288 we know that we did not create the file, so we don't have
289 to fchown it
291 if ((flags & O_CREAT) && !(flags & O_EXCL)) {
292 try_again:
293 fd = open(filename, flags & ~O_CREAT, mode);
294 /* if this open succeeded, or if it failed
295 with anything other than ENOENT, then we return the
296 open result, with the original errno */
297 if (fd == -1 && errno != ENOENT) {
298 talloc_free(ctx);
299 errno = saved_errno;
300 return -1;
302 if (fd != -1) {
303 /* the file already existed and we opened it */
304 talloc_free(ctx);
305 errno = orig_errno;
306 return fd;
309 fd = open(filename, flags | O_EXCL, mode);
310 if (fd == -1 && errno != EEXIST) {
311 talloc_free(ctx);
312 errno = saved_errno;
313 return -1;
315 if (fd != -1) {
316 /* we created the file, we need to set the
317 right ownership on it */
318 ret = pvfs_sys_fchown(pvfs, ctx, fd);
319 if (ret == -1) {
320 close(fd);
321 unlink(filename);
322 talloc_free(ctx);
323 errno = saved_errno;
324 return -1;
326 talloc_free(ctx);
327 errno = orig_errno;
328 return fd;
331 /* the file got created between the two times
332 we tried to open it! Try again */
333 if (retries-- > 0) {
334 goto try_again;
337 talloc_free(ctx);
338 errno = saved_errno;
339 return -1;
342 fd = open(filename, flags, mode);
343 if (fd == -1) {
344 talloc_free(ctx);
345 errno = saved_errno;
346 return -1;
349 /* if we have created a file then fchown it */
350 if (flags & O_CREAT) {
351 ret = pvfs_sys_fchown(pvfs, ctx, fd);
352 if (ret == -1) {
353 close(fd);
354 unlink(filename);
355 talloc_free(ctx);
356 errno = saved_errno;
357 return -1;
361 talloc_free(ctx);
362 return fd;
367 wrap unlink for system override
369 int pvfs_sys_unlink(struct pvfs_state *pvfs, const char *filename)
371 int ret;
372 struct pvfs_sys_ctx *ctx;
373 int saved_errno, orig_errno;
375 orig_errno = errno;
377 ret = unlink(filename);
378 if (ret != -1 ||
379 !(pvfs->flags & PVFS_FLAG_PERM_OVERRIDE) ||
380 errno != EACCES) {
381 return ret;
384 saved_errno = errno;
386 ctx = pvfs_sys_pushdir(pvfs, &filename);
387 if (ctx == NULL) {
388 errno = saved_errno;
389 return -1;
392 ret = unlink(filename);
393 if (ret == -1) {
394 talloc_free(ctx);
395 errno = saved_errno;
396 return -1;
399 talloc_free(ctx);
400 errno = orig_errno;
401 return ret;
405 static bool contains_symlink(const char *path)
407 int fd = open(path, PVFS_NOFOLLOW | O_RDONLY);
408 if (fd != -1) {
409 close(fd);
410 return false;
412 return (errno == ELOOP);
416 wrap rename for system override
418 int pvfs_sys_rename(struct pvfs_state *pvfs, const char *name1, const char *name2)
420 int ret;
421 struct pvfs_sys_ctx *ctx;
422 int saved_errno, orig_errno;
424 orig_errno = errno;
426 ret = rename(name1, name2);
427 if (ret != -1 ||
428 !(pvfs->flags & PVFS_FLAG_PERM_OVERRIDE) ||
429 errno != EACCES) {
430 return ret;
433 saved_errno = errno;
435 ctx = pvfs_sys_pushdir(pvfs, &name1);
436 if (ctx == NULL) {
437 errno = saved_errno;
438 return -1;
441 /* we need the destination as an absolute path */
442 if (name2[0] != '/') {
443 name2 = talloc_asprintf(ctx, "%s/%s", ctx->old_wd, name2);
444 if (name2 == NULL) {
445 talloc_free(ctx);
446 errno = saved_errno;
447 return -1;
451 /* make sure the destination isn't a symlink beforehand */
452 if (contains_symlink(name2)) {
453 talloc_free(ctx);
454 errno = saved_errno;
455 return -1;
458 ret = rename(name1, name2);
459 if (ret == -1) {
460 talloc_free(ctx);
461 errno = saved_errno;
462 return -1;
465 /* make sure the destination isn't a symlink afterwards */
466 if (contains_symlink(name2)) {
467 DEBUG(0,(__location__ ": Possible symlink attack in rename to '%s' - unlinking\n", name2));
468 unlink(name2);
469 talloc_free(ctx);
470 errno = saved_errno;
471 return -1;
474 talloc_free(ctx);
475 errno = orig_errno;
476 return ret;
481 wrap mkdir for system override
483 int pvfs_sys_mkdir(struct pvfs_state *pvfs, const char *dirname, mode_t mode)
485 int ret;
486 struct pvfs_sys_ctx *ctx;
487 int saved_errno, orig_errno;
489 orig_errno = errno;
491 ret = mkdir(dirname, mode);
492 if (ret != -1 ||
493 !(pvfs->flags & PVFS_FLAG_PERM_OVERRIDE) ||
494 errno != EACCES) {
495 return ret;
498 saved_errno = errno;
499 ctx = pvfs_sys_pushdir(pvfs, &dirname);
500 if (ctx == NULL) {
501 errno = saved_errno;
502 return -1;
505 ret = mkdir(dirname, mode);
506 if (ret == -1) {
507 talloc_free(ctx);
508 errno = saved_errno;
509 return -1;
512 ret = pvfs_sys_chown(pvfs, ctx, dirname);
513 if (ret == -1) {
514 rmdir(dirname);
515 talloc_free(ctx);
516 errno = saved_errno;
517 return -1;
520 talloc_free(ctx);
521 return ret;
526 wrap rmdir for system override
528 int pvfs_sys_rmdir(struct pvfs_state *pvfs, const char *dirname)
530 int ret;
531 struct pvfs_sys_ctx *ctx;
532 int saved_errno, orig_errno;
534 orig_errno = errno;
536 ret = rmdir(dirname);
537 if (ret != -1 ||
538 !(pvfs->flags & PVFS_FLAG_PERM_OVERRIDE) ||
539 errno != EACCES) {
540 return ret;
543 saved_errno = errno;
545 ctx = pvfs_sys_pushdir(pvfs, &dirname);
546 if (ctx == NULL) {
547 errno = saved_errno;
548 return -1;
551 ret = rmdir(dirname);
552 if (ret == -1) {
553 talloc_free(ctx);
554 errno = saved_errno;
555 return -1;
558 talloc_free(ctx);
559 errno = orig_errno;
560 return ret;
564 wrap fchmod for system override
566 int pvfs_sys_fchmod(struct pvfs_state *pvfs, int fd, mode_t mode)
568 int ret;
569 struct pvfs_sys_ctx *ctx;
570 int saved_errno, orig_errno;
572 orig_errno = errno;
574 ret = fchmod(fd, mode);
575 if (ret != -1 ||
576 !(pvfs->flags & PVFS_FLAG_PERM_OVERRIDE) ||
577 errno != EACCES) {
578 return ret;
581 saved_errno = errno;
583 ctx = pvfs_sys_pushdir(pvfs, NULL);
584 if (ctx == NULL) {
585 errno = saved_errno;
586 return -1;
589 ret = fchmod(fd, mode);
590 if (ret == -1) {
591 talloc_free(ctx);
592 errno = saved_errno;
593 return -1;
596 talloc_free(ctx);
597 errno = orig_errno;
598 return ret;
603 wrap chmod for system override
605 int pvfs_sys_chmod(struct pvfs_state *pvfs, const char *filename, mode_t mode)
607 int ret;
608 struct pvfs_sys_ctx *ctx;
609 int saved_errno, orig_errno;
611 orig_errno = errno;
613 ret = chmod(filename, mode);
614 if (ret != -1 ||
615 !(pvfs->flags & PVFS_FLAG_PERM_OVERRIDE) ||
616 errno != EACCES) {
617 return ret;
620 saved_errno = errno;
622 ctx = pvfs_sys_pushdir(pvfs, &filename);
623 if (ctx == NULL) {
624 errno = saved_errno;
625 return -1;
628 ret = chmod(filename, mode);
629 if (ret == -1) {
630 talloc_free(ctx);
631 errno = saved_errno;
632 return -1;
635 talloc_free(ctx);
636 errno = orig_errno;
637 return ret;