lib/ccan: readd execinfo dependency to failtest
[Samba/gebeck_regimport.git] / source4 / ntvfs / posix / pvfs_sys.c
blob5775d0bb7790a7e93358deed8d70f1d57567b62d
1 /*
2 Unix SMB/CIFS implementation.
4 POSIX NTVFS backend - pvfs_sys wrappers
6 Copyright (C) Andrew Tridgell 2010
7 Copyright (C) Andrew Bartlett 2010
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "includes.h"
24 #include "vfs_posix.h"
25 #include "../lib/util/unix_privs.h"
28 these wrapper functions must only be called when the appropriate ACL
29 has already been checked. The wrappers will override a EACCES result
30 by gaining root privileges if the 'pvfs:perm override' is set on the
31 share (it is enabled by default)
33 Careful use of O_NOFOLLOW and O_DIRECTORY is used to prevent
34 security attacks via symlinks
38 struct pvfs_sys_ctx {
39 struct pvfs_state *pvfs;
40 void *privs;
41 const char *old_wd;
42 struct stat st_orig;
47 we create PVFS_NOFOLLOW and PVFS_DIRECTORY as aliases for O_NOFOLLOW
48 and O_DIRECTORY on systems that have them. On systems that don't
49 have O_NOFOLLOW we are less safe, but the root override code is off
50 by default.
52 #ifdef O_NOFOLLOW
53 #define PVFS_NOFOLLOW O_NOFOLLOW
54 #else
55 #define PVFS_NOFOLLOW 0
56 #endif
57 #ifdef O_DIRECTORY
58 #define PVFS_DIRECTORY O_DIRECTORY
59 #else
60 #define PVFS_DIRECTORY 0
61 #endif
64 return to original directory when context is destroyed
66 static int pvfs_sys_pushdir_destructor(struct pvfs_sys_ctx *ctx)
68 struct stat st;
70 if (ctx->old_wd == NULL) {
71 return 0;
74 if (chdir(ctx->old_wd) != 0) {
75 smb_panic("Failed to restore working directory");
77 if (stat(".", &st) != 0) {
78 smb_panic("Failed to stat working directory");
80 if (st.st_ino != ctx->st_orig.st_ino ||
81 st.st_dev != ctx->st_orig.st_dev) {
82 smb_panic("Working directory changed during call");
85 return 0;
90 chdir() to the directory part of a pathname, but disallow any
91 component with a symlink
93 Note that we can't use O_NOFOLLOW on the whole path as that only
94 prevents links in the final component of the path
96 static int pvfs_sys_chdir_nosymlink(struct pvfs_sys_ctx *ctx, const char *pathname)
98 char *p, *path;
99 size_t base_len = strlen(ctx->pvfs->base_directory);
101 /* don't check for symlinks in the base directory of the share */
102 if (strncmp(ctx->pvfs->base_directory, pathname, base_len) == 0 &&
103 pathname[base_len] == '/') {
104 if (chdir(ctx->pvfs->base_directory) != 0) {
105 return -1;
107 pathname += base_len + 1;
110 path = talloc_strdup(ctx, pathname);
111 if (path == NULL) {
112 return -1;
114 while ((p = strchr(path, '/'))) {
115 int fd;
116 struct stat st1, st2;
117 *p = 0;
118 fd = open(path, PVFS_NOFOLLOW | PVFS_DIRECTORY | O_RDONLY);
119 if (fd == -1) {
120 return -1;
122 if (chdir(path) != 0) {
123 close(fd);
124 return -1;
126 if (stat(".", &st1) != 0 ||
127 fstat(fd, &st2) != 0) {
128 close(fd);
129 return -1;
131 close(fd);
132 if (st1.st_ino != st2.st_ino ||
133 st1.st_dev != st2.st_dev) {
134 DEBUG(0,(__location__ ": Inode changed during chdir in '%s' - symlink attack?",
135 pathname));
136 return -1;
138 path = p + 1;
141 return 0;
146 become root, and change directory to the directory component of a
147 path. Return a talloc context which when freed will move us back
148 to the original directory, and return us to the original uid
150 change the pathname argument to contain just the base component of
151 the path
153 return NULL on error, which could include an attempt to subvert
154 security using symlink tricks
156 static struct pvfs_sys_ctx *pvfs_sys_pushdir(struct pvfs_state *pvfs,
157 const char **pathname)
159 struct pvfs_sys_ctx *ctx;
160 char *cwd, *p, *dirname;
161 int ret;
163 ctx = talloc_zero(pvfs, struct pvfs_sys_ctx);
164 if (ctx == NULL) {
165 return NULL;
167 ctx->pvfs = pvfs;
168 ctx->privs = root_privileges();
169 if (ctx->privs == NULL) {
170 talloc_free(ctx);
171 return NULL;
174 talloc_steal(ctx, ctx->privs);
176 if (!pathname) {
177 /* no pathname needed */
178 return ctx;
181 p = strrchr(*pathname, '/');
182 if (p == NULL) {
183 /* we don't need to change directory */
184 return ctx;
187 /* we keep the old st around, so we can tell that
188 we have come back to the right directory */
189 if (stat(".", &ctx->st_orig) != 0) {
190 talloc_free(ctx);
191 return NULL;
194 cwd = get_current_dir_name();
195 if (cwd == NULL) {
196 talloc_free(ctx);
197 return NULL;
199 ctx->old_wd = talloc_strdup(ctx, cwd);
200 if (ctx->old_wd == NULL) {
201 free(cwd);
202 talloc_free(ctx);
203 return NULL;
206 dirname = talloc_strndup(ctx, *pathname, (p - *pathname));
207 if (dirname == NULL) {
208 talloc_free(ctx);
209 return NULL;
212 ret = pvfs_sys_chdir_nosymlink(ctx, *pathname);
213 if (ret == -1) {
214 talloc_free(ctx);
215 return NULL;
218 talloc_set_destructor(ctx, pvfs_sys_pushdir_destructor);
220 /* return the basename as the filename that should be operated on */
221 (*pathname) = talloc_strdup(ctx, p+1);
222 if (! *pathname) {
223 talloc_free(ctx);
224 return NULL;
227 return ctx;
232 chown a file that we created with a root privileges override
234 static int pvfs_sys_fchown(struct pvfs_state *pvfs, struct pvfs_sys_ctx *ctx, int fd)
236 return fchown(fd, root_privileges_original_uid(ctx->privs), -1);
240 chown a directory that we created with a root privileges override
242 static int pvfs_sys_chown(struct pvfs_state *pvfs, struct pvfs_sys_ctx *ctx, const char *name)
244 /* to avoid symlink hacks, we need to use fchown() on a directory fd */
245 int ret, fd;
246 fd = open(name, PVFS_DIRECTORY | PVFS_NOFOLLOW | O_RDONLY);
247 if (fd == -1) {
248 return -1;
250 ret = pvfs_sys_fchown(pvfs, ctx, fd);
251 close(fd);
252 return ret;
257 wrap open for system override
259 int pvfs_sys_open(struct pvfs_state *pvfs, const char *filename, int flags, mode_t mode, bool allow_override)
261 int fd, ret;
262 struct pvfs_sys_ctx *ctx;
263 int saved_errno, orig_errno;
264 int retries = 5;
266 orig_errno = errno;
268 fd = open(filename, flags, mode);
269 if (fd != -1 ||
270 !allow_override ||
271 errno != EACCES) {
272 return fd;
275 saved_errno = errno;
276 ctx = pvfs_sys_pushdir(pvfs, &filename);
277 if (ctx == NULL) {
278 errno = saved_errno;
279 return -1;
282 /* don't allow permission overrides to follow links */
283 flags |= PVFS_NOFOLLOW;
286 if O_CREAT was specified and O_EXCL was not specified
287 then initially do the open without O_CREAT, as in that case
288 we know that we did not create the file, so we don't have
289 to fchown it
291 if ((flags & O_CREAT) && !(flags & O_EXCL)) {
292 try_again:
293 fd = open(filename, flags & ~O_CREAT, mode);
294 /* if this open succeeded, or if it failed
295 with anything other than ENOENT, then we return the
296 open result, with the original errno */
297 if (fd == -1 && errno != ENOENT) {
298 talloc_free(ctx);
299 errno = saved_errno;
300 return -1;
302 if (fd != -1) {
303 /* the file already existed and we opened it */
304 talloc_free(ctx);
305 errno = orig_errno;
306 return fd;
309 fd = open(filename, flags | O_EXCL, mode);
310 if (fd == -1 && errno != EEXIST) {
311 talloc_free(ctx);
312 errno = saved_errno;
313 return -1;
315 if (fd != -1) {
316 /* we created the file, we need to set the
317 right ownership on it */
318 ret = pvfs_sys_fchown(pvfs, ctx, fd);
319 if (ret == -1) {
320 close(fd);
321 unlink(filename);
322 talloc_free(ctx);
323 errno = saved_errno;
324 return -1;
326 talloc_free(ctx);
327 errno = orig_errno;
328 return fd;
331 /* the file got created between the two times
332 we tried to open it! Try again */
333 if (retries-- > 0) {
334 goto try_again;
337 talloc_free(ctx);
338 errno = saved_errno;
339 return -1;
342 fd = open(filename, flags, mode);
343 if (fd == -1) {
344 talloc_free(ctx);
345 errno = saved_errno;
346 return -1;
349 /* if we have created a file then fchown it */
350 if (flags & O_CREAT) {
351 ret = pvfs_sys_fchown(pvfs, ctx, fd);
352 if (ret == -1) {
353 close(fd);
354 unlink(filename);
355 talloc_free(ctx);
356 errno = saved_errno;
357 return -1;
361 talloc_free(ctx);
362 return fd;
367 wrap unlink for system override
369 int pvfs_sys_unlink(struct pvfs_state *pvfs, const char *filename, bool allow_override)
371 int ret;
372 struct pvfs_sys_ctx *ctx;
373 int saved_errno, orig_errno;
375 orig_errno = errno;
377 ret = unlink(filename);
378 if (ret != -1 ||
379 !allow_override ||
380 errno != EACCES) {
381 return ret;
384 saved_errno = errno;
386 ctx = pvfs_sys_pushdir(pvfs, &filename);
387 if (ctx == NULL) {
388 errno = saved_errno;
389 return -1;
392 ret = unlink(filename);
393 if (ret == -1) {
394 talloc_free(ctx);
395 errno = saved_errno;
396 return -1;
399 talloc_free(ctx);
400 errno = orig_errno;
401 return ret;
405 static bool contains_symlink(const char *path)
407 int fd = open(path, PVFS_NOFOLLOW | O_RDONLY);
408 int posix_errno = errno;
409 if (fd != -1) {
410 close(fd);
411 return false;
414 #if defined(ENOTSUP) && defined(OSF1)
415 /* handle special Tru64 errno */
416 if (errno == ENOTSUP) {
417 posix_errno = ELOOP;
419 #endif /* ENOTSUP */
421 #ifdef EFTYPE
422 /* fix broken NetBSD errno */
423 if (errno == EFTYPE) {
424 posix_errno = ELOOP;
426 #endif /* EFTYPE */
428 /* fix broken FreeBSD errno */
429 if (errno == EMLINK) {
430 posix_errno = ELOOP;
433 return (posix_errno == ELOOP);
437 wrap rename for system override
439 int pvfs_sys_rename(struct pvfs_state *pvfs, const char *name1, const char *name2, bool allow_override)
441 int ret;
442 struct pvfs_sys_ctx *ctx;
443 int saved_errno, orig_errno;
445 orig_errno = errno;
447 ret = rename(name1, name2);
448 if (ret != -1 ||
449 !allow_override ||
450 errno != EACCES) {
451 return ret;
454 saved_errno = errno;
456 ctx = pvfs_sys_pushdir(pvfs, &name1);
457 if (ctx == NULL) {
458 errno = saved_errno;
459 return -1;
462 /* we need the destination as an absolute path */
463 if (name2[0] != '/') {
464 name2 = talloc_asprintf(ctx, "%s/%s", ctx->old_wd, name2);
465 if (name2 == NULL) {
466 talloc_free(ctx);
467 errno = saved_errno;
468 return -1;
472 /* make sure the destination isn't a symlink beforehand */
473 if (contains_symlink(name2)) {
474 talloc_free(ctx);
475 errno = saved_errno;
476 return -1;
479 ret = rename(name1, name2);
480 if (ret == -1) {
481 talloc_free(ctx);
482 errno = saved_errno;
483 return -1;
486 /* make sure the destination isn't a symlink afterwards */
487 if (contains_symlink(name2)) {
488 DEBUG(0,(__location__ ": Possible symlink attack in rename to '%s' - unlinking\n", name2));
489 unlink(name2);
490 talloc_free(ctx);
491 errno = saved_errno;
492 return -1;
495 talloc_free(ctx);
496 errno = orig_errno;
497 return ret;
502 wrap mkdir for system override
504 int pvfs_sys_mkdir(struct pvfs_state *pvfs, const char *dirname, mode_t mode, bool allow_override)
506 int ret;
507 struct pvfs_sys_ctx *ctx;
508 int saved_errno, orig_errno;
510 orig_errno = errno;
512 ret = mkdir(dirname, mode);
513 if (ret != -1 ||
514 !allow_override ||
515 errno != EACCES) {
516 return ret;
519 saved_errno = errno;
520 ctx = pvfs_sys_pushdir(pvfs, &dirname);
521 if (ctx == NULL) {
522 errno = saved_errno;
523 return -1;
526 ret = mkdir(dirname, mode);
527 if (ret == -1) {
528 talloc_free(ctx);
529 errno = saved_errno;
530 return -1;
533 ret = pvfs_sys_chown(pvfs, ctx, dirname);
534 if (ret == -1) {
535 rmdir(dirname);
536 talloc_free(ctx);
537 errno = saved_errno;
538 return -1;
541 talloc_free(ctx);
542 return ret;
547 wrap rmdir for system override
549 int pvfs_sys_rmdir(struct pvfs_state *pvfs, const char *dirname, bool allow_override)
551 int ret;
552 struct pvfs_sys_ctx *ctx;
553 int saved_errno, orig_errno;
555 orig_errno = errno;
557 ret = rmdir(dirname);
558 if (ret != -1 ||
559 !allow_override ||
560 errno != EACCES) {
561 return ret;
564 saved_errno = errno;
566 ctx = pvfs_sys_pushdir(pvfs, &dirname);
567 if (ctx == NULL) {
568 errno = saved_errno;
569 return -1;
572 ret = rmdir(dirname);
573 if (ret == -1) {
574 talloc_free(ctx);
575 errno = saved_errno;
576 return -1;
579 talloc_free(ctx);
580 errno = orig_errno;
581 return ret;
585 wrap fchmod for system override
587 int pvfs_sys_fchmod(struct pvfs_state *pvfs, int fd, mode_t mode, bool allow_override)
589 int ret;
590 struct pvfs_sys_ctx *ctx;
591 int saved_errno, orig_errno;
593 orig_errno = errno;
595 ret = fchmod(fd, mode);
596 if (ret != -1 ||
597 !allow_override ||
598 errno != EACCES) {
599 return ret;
602 saved_errno = errno;
604 ctx = pvfs_sys_pushdir(pvfs, NULL);
605 if (ctx == NULL) {
606 errno = saved_errno;
607 return -1;
610 ret = fchmod(fd, mode);
611 if (ret == -1) {
612 talloc_free(ctx);
613 errno = saved_errno;
614 return -1;
617 talloc_free(ctx);
618 errno = orig_errno;
619 return ret;
624 wrap chmod for system override
626 int pvfs_sys_chmod(struct pvfs_state *pvfs, const char *filename, mode_t mode, bool allow_override)
628 int ret;
629 struct pvfs_sys_ctx *ctx;
630 int saved_errno, orig_errno;
632 orig_errno = errno;
634 ret = chmod(filename, mode);
635 if (ret != -1 ||
636 !allow_override ||
637 errno != EACCES) {
638 return ret;
641 saved_errno = errno;
643 ctx = pvfs_sys_pushdir(pvfs, &filename);
644 if (ctx == NULL) {
645 errno = saved_errno;
646 return -1;
649 ret = chmod(filename, mode);
650 if (ret == -1) {
651 talloc_free(ctx);
652 errno = saved_errno;
653 return -1;
656 talloc_free(ctx);
657 errno = orig_errno;
658 return ret;