| blob | ddc9eab302c4aca8b5e3d5d85d8d22c07c17f044 |
1 /* copy.c -- core functions for copying files and directories
2 Copyright (C) 1989-2023 Free Software Foundation, Inc.
4 This program is free software: you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation, either version 3 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <https://www.gnu.org/licenses/>. */
17 /* Extracted from cp.c and librarified by Jim Meyering. */
19 #include <config.h>
20 #include <stdckdint.h>
21 #include <stdio.h>
22 #include <sys/ioctl.h>
23 #include <sys/types.h>
24 #include <selinux/selinux.h>
26 #if HAVE_HURD_H
27 # include <hurd.h>
28 #endif
29 #if HAVE_PRIV_H
30 # include <priv.h>
31 #endif
67 #ifndef USE_XATTR
68 # define USE_XATTR false
69 #endif
71 #if USE_XATTR
72 # include <attr/error_context.h>
73 # include <attr/libattr.h>
74 # include <stdarg.h>
76 #endif
78 #if HAVE_LINUX_FALLOC_H
79 # include <linux/falloc.h>
80 #endif
82 /* See HAVE_FALLOCATE workaround when including this file. */
83 #ifdef HAVE_LINUX_FS_H
84 # include <linux/fs.h>
85 #endif
87 #if !defined FICLONE && defined __linux__
88 # define FICLONE _IOW (0x94, 9, int)
89 #endif
91 #if HAVE_FCLONEFILEAT && !USE_XATTR
92 # include <sys/clonefile.h>
93 #endif
95 #ifndef HAVE_FCHOWN
96 # define HAVE_FCHOWN false
97 # define fchown(fd, uid, gid) (-1)
98 #endif
100 #ifndef USE_ACL
101 # define USE_ACL 0
102 #endif
104 #define SAME_OWNER(A, B) ((A).st_uid == (B).st_uid)
105 #define SAME_GROUP(A, B) ((A).st_gid == (B).st_gid)
106 #define SAME_OWNER_AND_GROUP(A, B) (SAME_OWNER (A, B) && SAME_GROUP (A, B))
108 /* LINK_FOLLOWS_SYMLINKS is tri-state; if it is -1, we don't know
109 how link() behaves, so assume we can't hardlink symlinks in that case. */
110 #if (defined HAVE_LINKAT && ! LINKAT_SYMLINK_NOTSUP) || ! LINK_FOLLOWS_SYMLINKS
111 # define CAN_HARDLINK_SYMLINKS 1
112 #else
113 # define CAN_HARDLINK_SYMLINKS 0
114 #endif
116 struct dir_list
117 {
119 ino_t ino;
120 dev_t dev;
121 };
123 /* Initial size of the cp.dest_info hash table. */
124 #define DEST_INFO_INITIAL_CAPACITY 61
137 /* Pointers to the file names: they're used in the diagnostic that is issued
138 when we detect the user is trying to copy a directory into itself. */
142 enum copy_debug_val
143 {
144 COPY_DEBUG_UNKNOWN,
145 COPY_DEBUG_NO,
146 COPY_DEBUG_YES,
147 COPY_DEBUG_EXTERNAL,
148 COPY_DEBUG_EXTERNAL_INTERNAL,
149 COPY_DEBUG_AVOIDED,
150 COPY_DEBUG_UNSUPPORTED,
151 };
153 /* debug info about the last file copy. */
154 static struct copy_debug
155 {
163 {
165 {
171 }
172 }
176 {
178 {
184 }
185 }
187 /* Print --debug output on standard output. */
188 static void
190 {
196 }
198 #ifndef DEV_FD_MIGHT_BE_CHR
199 # define DEV_FD_MIGHT_BE_CHR false
200 #endif
202 /* Act like fstat (DIRFD, FILENAME, ST, FLAGS), except when following
203 symbolic links on Solaris-like systems, treat any character-special
204 device like /dev/fd/0 as if it were the file it is open on. */
205 static int
207 {
212 {
216 {
220 {
223 }
224 else
226 }
229 }
232 }
234 /* Attempt to punch a hole to avoid any permanent
235 speculative preallocation on file systems such as XFS.
236 Return values as per fallocate(2) except ENOSYS etc. are ignored. */
238 static int
240 {
242 /* +0 is to work around older <linux/fs.h> defining HAVE_FALLOCATE to empty. */
243 #if HAVE_FALLOCATE + 0
244 # if defined FALLOC_FL_PUNCH_HOLE && defined FALLOC_FL_KEEP_SIZE
249 # endif
250 #endif
252 }
254 /* Create a hole at the end of a file,
255 avoiding preallocation if requested. */
257 static bool
259 {
263 {
266 }
268 /* Some file systems (like XFS) preallocate when write extending a file.
269 I.e., a previous write() may have preallocated extra space
270 that the seek above will not discard. A subsequent write() could
271 then make this allocation permanent. */
273 {
276 }
279 }
282 /* Whether an errno value ERR, set by FICLONE or copy_file_range,
283 indicates that the copying operation has terminally failed, even
284 though it was invoked correctly (so that, e.g, EBADF cannot occur)
285 and even though !is_CLONENOTSUP (ERR). */
287 static bool
289 {
291 }
293 /* Similarly, whether ERR indicates that the copying operation is not
294 supported or allowed for this file or process, even though the
295 operation was invoked correctly. */
297 static bool
299 {
304 }
307 /* Copy the regular file open on SRC_FD/SRC_NAME to DST_FD/DST_NAME,
308 honoring the MAKE_HOLES setting and using the BUF_SIZE-byte buffer
309 *ABUF for temporary storage, allocating it lazily if *ABUF is null.
310 Copy no more than MAX_N_READ bytes.
311 Return true upon successful completion;
312 print a diagnostic and return false upon error.
313 Note that for best results, BUF should be "well"-aligned.
314 Set *LAST_WRITE_MADE_HOLE to true if the final operation on
315 DEST_FD introduced a hole. Set *TOTAL_N_READ to the number of
316 bytes read. */
317 static bool
323 {
332 /* If not looking for holes, use copy_file_range if functional,
333 but don't use if reflink disallowed as that may be implicit. */
336 {
337 /* Copy at most COPY_MAX bytes at a time; this is min
338 (SSIZE_MAX, SIZE_MAX) truncated to a value that is
339 surely aligned well. */
344 {
345 /* copy_file_range incorrectly returns 0 when reading from
346 the proc file system on the Linux kernel through at
347 least 5.6.19 (2020), so fall back on 'read' if the
348 input file seems empty. */
353 }
355 {
358 /* Consider operation unsupported only if no data copied.
359 For example, EPERM could occur if copy_file_range not enabled
360 in seccomp filters, so retry with a standard copy. EPERM can
361 also occur for immutable files, but that would only be in the
362 edge case where the file is made immutable after creating,
363 in which case the (more accurate) error is still shown. */
367 /* ENOENT was seen sometimes across CIFS shares, resulting in
368 no data being copied, but subsequent standard copies succeed. */
374 else
375 {
379 }
380 }
384 }
385 else
393 {
399 {
404 }
410 /* Loop over the input buffer in chunks of hole_size. */
416 {
427 {
432 {
434 {
438 }
439 }
440 else
441 {
444 }
450 {
456 else
458 }
459 }
461 {
463 {
466 }
467 }
471 }
475 /* It's tempting to break early here upon a short read from
476 a regular file. That would save the final read syscall
477 for each file. Unfortunately that doesn't work for
478 certain files in /proc or /sys with linux kernels. */
479 }
481 /* Ensure a trailing hole is created, so that subsequent
482 calls of sparse_copy() start at the correct offset. */
485 else
487 }
489 /* Perform the O(1) btrfs clone operation, if possible.
490 Upon success, return 0. Otherwise, return -1 and set errno. */
493 {
494 #ifdef FICLONE
496 #else
501 #endif
502 }
504 /* Write N_BYTES zero bytes to file descriptor FD. Return true if successful.
505 Upon write failure, set errno and return false. */
506 static bool
508 {
512 /* Attempt to use a relatively large calloc'd source buffer for
513 efficiency, but if that allocation fails, resort to a smaller
514 statically allocated one. */
516 {
520 {
523 }
524 }
527 {
532 }
535 }
537 #ifdef SEEK_HOLE
538 /* Perform an efficient extent copy, if possible. This avoids
539 the overhead of detecting holes in hole-introducing/preserving
540 copy, and thus makes copying sparse files much more efficient.
541 Copy from SRC_FD to DEST_FD, using *ABUF (of size BUF_SIZE) for a buffer.
542 Allocate *ABUF lazily if *ABUF is null.
543 Look for holes of size HOLE_SIZE in the input.
544 The input file is of size SRC_TOTAL_SIZE.
545 Use SPARSE_MODE to determine whether to create holes in the output.
546 SRC_NAME and DST_NAME are the input and output file names.
547 Return true if successful, false (with a diagnostic) otherwise. */
549 static bool
555 {
564 {
567 {
572 {
573 /* The input file grew; get its current size. */
578 /* If the input file shrank after growing, stop copying. */
583 }
584 }
585 /* If the input file must have grown, increase its measured size. */
596 {
598 {
601 ext_hole_size))
604 }
605 else
606 {
607 /* When not inducing holes and when there is a hole between
608 the end of the previous extent and the beginning of the
609 current one, write zeros to the destination file. */
611 {
615 }
616 }
617 }
623 /* Copy this extent, looking for further opportunities to not
624 bother to write zeros if --sparse=always, since SEEK_HOLE
625 is conservative and may miss some holes. */
626 off_t n_read;
638 {
639 /* The input file shrank. */
642 }
647 }
649 /* When the source file ends with a hole, we have to do a little more work,
650 since the above copied only up to and including the final extent.
651 In order to complete the copy, we may have to insert a hole or write
652 zeros in the destination corresponding to the source file's hole-at-EOF.
654 In addition, if the final extent was a block of zeros at EOF and we've
655 just converted them to a hole in the destination, we must call ftruncate
656 here in order to record the proper length in the destination. */
661 {
664 }
668 {
671 }
675 cannot_lseek:
678 }
679 #endif
681 /* FIXME: describe */
682 /* FIXME: rewrite this to use a hash table so we avoid the quadratic
683 performance hit that's probably noticeable only on trees deeper
684 than a few hundred levels. See use of active_dir_map in remove.c */
686 ATTRIBUTE_PURE
687 static bool
689 {
691 {
695 }
697 }
699 static bool
701 {
703 }
705 #if USE_XATTR
707 static void
710 {
712 {
716 /* use verror module to print error message */
720 }
721 }
724 static void
727 {
731 /* use verror module to print error message */
735 }
739 {
741 }
743 static void
746 {
747 }
749 /* Exclude SELinux extended attributes that are otherwise handled,
750 and are problematic to copy again. Also honor attributes
751 configured for exclusion in /etc/xattr.conf.
752 FIXME: Should we handle POSIX ACLs similarly?
753 Return zero to skip. */
754 static int
756 {
759 }
761 /* If positive SRC_FD and DST_FD descriptors are passed,
762 then copy by fd, otherwise copy by name. */
764 static bool
767 {
774 # if 4 < __GNUC__ + (8 <= __GNUC_MINOR__)
775 /* Pacify gcc -Wsuggest-attribute=format through at least GCC 11.2.1. */
776 # pragma GCC diagnostic push
778 # endif
785 })
787 # if 4 < __GNUC__ + (8 <= __GNUC_MINOR__)
788 # pragma GCC diagnostic pop
789 # endif
794 }
797 static bool
803 {
805 }
808 /* Read the contents of the directory SRC_NAME_IN, and recursively
809 copy the contents to DST_NAME_IN aka DST_DIRFD+DST_RELNAME_IN.
810 NEW_DST is true if DST_NAME_IN is a directory
811 that was created previously in the recursion.
812 SRC_SB and ANCESTORS describe SRC_NAME_IN.
813 Set *COPY_INTO_SELF if SRC_NAME_IN is a parent of
814 (or the same as) DST_NAME_IN; otherwise, clear it.
815 Propagate *FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG from
816 caller to each invocation of copy_internal. Be careful to
817 pass the address of a temporary, and to update
818 *FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG only upon completion.
819 Return true if successful. */
821 static bool
828 {
836 {
837 /* This diagnostic is a bit vague because savedir can fail in
838 several different ways. */
841 }
843 /* For cp's -H option, dereference command line arguments, but do not
844 dereference symlinks that are found via recursive traversal. */
851 {
869 /* If we're copying into self, there's no point in continuing,
870 and in fact, that would even infloop, now that we record only
871 the first created directory per command line argument. */
877 }
882 }
884 /* Set the owner and owning group of DEST_DESC to the st_uid and
885 st_gid fields of SRC_SB. If DEST_DESC is undefined (-1), set
886 the owner and owning group of DST_NAME aka DST_DIRFD+DST_RELNAME
887 instead; for safety prefer lchownat since no
888 symbolic links should be involved. DEST_DESC must
889 refer to the same file as DST_NAME if defined.
890 Upon failure to set both UID and GID, try to set only the GID.
891 NEW_DST is true if the file was newly created; otherwise,
892 DST_SB is the status of the destination.
893 Return 1 if the initial syscall succeeds, 0 if it fails but it's OK
894 not to preserve ownership, -1 otherwise. */
896 static int
901 {
905 /* Naively changing the ownership of an already-existing file before
906 changing its permissions would create a window of vulnerability if
907 the file's old permissions are too generous for the new owner and
908 group. Avoid the window by first changing to a restrictive
909 temporary mode if necessary. */
912 {
914 mode_t new_mode =
922 {
927 }
928 }
931 {
935 {
936 /* We've failed to set *both*. Now, try to set just the group
937 ID, but ignore any failure here, and don't change errno. */
941 }
942 }
943 else
944 {
948 {
949 /* We've failed to set *both*. Now, try to set just the group
950 ID, but ignore any failure here, and don't change errno. */
954 }
955 }
958 {
963 }
966 }
968 /* Set the st_author field of DEST_DESC to the st_author field of
969 SRC_SB. If DEST_DESC is undefined (-1), set the st_author field
970 of DST_NAME instead. DEST_DESC must refer to the same file as
971 DST_NAME if defined. */
973 static void
975 {
976 #if HAVE_STRUCT_STAT_ST_AUTHOR
977 /* FIXME: Modify the following code so that it does not
978 follow symbolic links. */
980 /* Preserve the st_author field. */
986 else
987 {
993 }
994 #else
998 #endif
999 }
1001 /* Set the default security context for the process. New files will
1002 have this security context set. Also existing files can have their
1003 context adjusted based on this process context, by
1004 set_file_security_ctx() called with PROCESS_LOCAL=true.
1005 This should be called before files are created so there is no race
1006 where a file may be present without an appropriate security context.
1007 Based on CP_OPTIONS, diagnose warnings and fail when appropriate.
1008 Return FALSE on failure, TRUE on success. */
1010 bool
1013 {
1015 {
1016 /* Set the default context for the process to match the source. */
1022 {
1024 {
1030 {
1033 }
1034 }
1036 }
1037 else
1038 {
1040 {
1044 }
1047 }
1048 }
1050 {
1051 /* With -Z, adjust the default context for the process
1052 to have the type component adjusted as per the destination path. */
1055 {
1059 }
1060 }
1063 }
1065 /* Reset the security context of DST_NAME, to that already set
1066 as the process default if !X->set_security_context. Otherwise
1067 adjust the type component of DST_NAME's security context as
1068 per the system default for that path. Issue warnings upon
1069 failure, when allowed by various settings in X.
1070 Return false on failure, true on success. */
1072 bool
1075 {
1081 {
1086 }
1089 }
1091 /* Change the file mode bits of the file identified by DESC or
1092 DIRFD+NAME to MODE. Use DESC if DESC is valid and fchmod is
1093 available, DIRFD+NAME otherwise. */
1095 static int
1097 {
1098 #if HAVE_FCHMOD
1101 #endif
1103 }
1105 #ifndef HAVE_STRUCT_STAT_ST_BLOCKS
1106 # define HAVE_STRUCT_STAT_ST_BLOCKS 0
1107 #endif
1109 /* Type of scan being done on the input when looking for sparseness. */
1110 enum scantype
1111 {
1112 /* An error was found when determining scantype. */
1113 ERROR_SCANTYPE,
1115 /* No fancy scanning; just read and write. */
1116 PLAIN_SCANTYPE,
1118 /* Read and examine data looking for zero blocks; useful when
1119 attempting to create sparse output. */
1120 ZERO_SCANTYPE,
1122 /* lseek information is available. */
1123 LSEEK_SCANTYPE,
1124 };
1126 /* Result of infer_scantype. */
1127 union scan_inference
1128 {
1129 /* Used if infer_scantype returns LSEEK_SCANTYPE. This is the
1130 offset of the first data block, or -1 if the file has no data. */
1131 off_t ext_start;
1132 };
1134 /* Return how to scan a file with descriptor FD and stat buffer SB.
1135 *SCAN_INFERENCE is set to a valid value if returning LSEEK_SCANTYPE. */
1136 static enum scantype
1139 {
1147 #ifdef SEEK_HOLE
1150 {
1153 }
1156 #endif
1159 }
1161 #if HAVE_FCLONEFILEAT && !USE_XATTR
1162 # include <sys/acl.h>
1163 /* Return true if FD has a nontrivial ACL. */
1164 static bool
1166 {
1167 /* Every platform with fclonefileat (macOS 10.12 or later) also has
1168 acl_get_fd_np. */
1172 {
1173 acl_entry_t ace;
1176 }
1178 }
1179 #endif
1181 /* Handle failure from FICLONE or fclonefileat.
1182 Return FALSE if it's a terminal failure for this file. */
1184 static bool
1188 {
1189 /* When the clone operation fails, report failure only with errno values
1190 known to mean trouble when the clone is supported and called properly.
1191 Do not report failure merely because !is_CLONENOTSUP (errno),
1192 as systems may yield oddball errno values here with FICLONE,
1193 and is_CLONENOTSUP is not appropriate for fclonefileat. */
1200 /* Remove the destination if cp --reflink=always created it
1201 but cloned no data. */
1215 }
1218 /* Copy a regular file from SRC_NAME to DST_NAME aka DST_DIRFD+DST_RELNAME.
1219 If the source file contains holes, copies holes and blocks of zeros
1220 in the source file as holes in the destination file.
1221 (Holes are read as zeroes by the 'read' system call.)
1222 When creating the destination, use DST_MODE & ~OMITTED_PERMISSIONS
1223 as the third argument in the call to open, adding
1224 OMITTED_PERMISSIONS after copying as needed.
1225 X provides many option settings.
1226 Return true if successful.
1227 *NEW_DST is initially as in copy_internal.
1228 If successful, set *NEW_DST to true if the destination file was created and
1229 to false otherwise; if unsuccessful, perhaps set *NEW_DST to some value.
1230 SRC_SB is the result of calling follow_fstatat on SRC_NAME. */
1232 static bool
1238 {
1244 mode_t extra_permissions;
1260 {
1263 }
1266 {
1270 }
1272 /* Compare the source dev/ino from the open file to the incoming,
1273 saved ones obtained via a previous call to stat. */
1275 {
1281 }
1283 /* The semantics of the following open calls are mandated
1284 by the specs for both cp and mv. */
1286 {
1292 /* When using cp --preserve=context to copy to an existing destination,
1293 reset the context as per the default context, which has already been
1294 set according to the src.
1295 When using the mutually exclusive -Z option, then adjust the type of
1296 the existing context according to the system default for the dest.
1297 Note we set the context here, _after_ the file is opened, lest the
1298 new context disallow that. */
1301 {
1303 {
1305 {
1308 }
1309 }
1310 }
1314 {
1316 {
1319 }
1321 {
1325 }
1328 }
1331 {
1332 /* Ensure there is no race where a file may be left without
1333 an appropriate security context. */
1335 {
1338 {
1341 }
1342 }
1344 /* Tell caller that the destination file is created. */
1346 }
1347 }
1350 {
1351 #if HAVE_FCLONEFILEAT && !USE_XATTR
1352 # ifndef CLONE_ACL
1354 # endif
1355 # ifndef CLONE_NOOWNERCOPY
1357 # endif
1358 /* Try fclonefileat if copying data in reflink mode.
1359 Use CLONE_NOFOLLOW to avoid security issues that could occur
1360 if writing through dangling symlinks. Although the circa
1361 2023 macOS documentation doesn't say so, CLONE_NOFOLLOW
1362 affects the destination file too. */
1365 {
1366 /* Try fclonefileat so long as it won't create the
1367 destination with unwanted permissions, which could lead
1368 to a security race. */
1371 mode_t desired_mode
1377 {
1378 int fc_flags
1379 = (CLONE_NOFOLLOW
1383 fc_flags);
1385 {
1388 fc_flags);
1389 }
1391 {
1394 /* Update the clone's timestamps and permissions
1395 as needed. */
1398 {
1402 AT_SYMLINK_NOFOLLOW)
1404 {
1409 }
1410 }
1416 {
1418 }
1420 /* Either some desired permissions were not cloned,
1421 or ACLs were not cloned despite that being requested. */
1425 }
1427 dst_name,
1430 {
1433 }
1434 }
1435 else
1437 }
1439 {
1442 }
1443 #endif
1445 /* To allow copying xattrs on read-only files, create with u+w.
1446 This satisfies an inode permission check done by
1447 xattr_permission in fs/xattr.c of the GNU/Linux kernel. */
1448 mode_t open_mode =
1455 open_mode);
1458 /* When trying to copy through a dangling destination symlink,
1459 the above open fails with EEXIST. If that happens, and
1460 readlinkat shows that it is a symlink, then we
1461 have a problem: trying to resolve this dangling symlink to
1462 a directory/destination-entry pair is fundamentally racy,
1463 so punt. If x->open_dangling_dest_symlink is set (cp sets
1464 that when POSIXLY_CORRECT is set in the environment), simply
1465 call open again, but without O_EXCL (potentially dangerous).
1466 If not, fail with a diagnostic. These shenanigans are necessary
1467 only when copying, i.e., not in move_mode. */
1469 {
1472 {
1474 {
1478 }
1479 else
1480 {
1485 }
1486 }
1487 }
1489 /* Improve quality of diagnostic when a nonexistent dst_name
1490 ends in a slash and open fails with errno == EISDIR. */
1494 }
1495 else
1496 {
1498 }
1501 {
1506 }
1508 /* --attributes-only overrides --reflink. */
1510 {
1512 {
1515 }
1516 else
1517 {
1520 {
1523 }
1524 }
1525 }
1530 {
1534 }
1536 /* If extra permissions needed for copy_xattr didn't happen (e.g.,
1537 due to umask) chmod to add them temporarily; if that fails give
1538 up with extra permissions, letting copy_attr fail later. */
1546 {
1547 /* Choose a suitable buffer size; it may be adjusted later. */
1551 /* Deal with sparse files. */
1555 {
1559 }
1560 bool make_holes
1568 /* If not making a sparse file, try to use a more-efficient
1569 buffer size. */
1571 {
1572 /* Compute the least common multiple of the input and output
1573 buffer sizes, adjusting for outlandish values.
1574 Note we read in multiples of the reported block size
1575 to support (unusual) devices that have this constraint. */
1578 blcm_max);
1580 /* Do not bother with a buffer larger than the input file, plus one
1581 byte to make sure the file has not grown while reading it. */
1585 /* However, stick with a block size that is a positive multiple of
1586 blcm, overriding the above adjustments. Watch out for
1587 overflow. */
1592 }
1594 off_t n_read;
1597 #ifdef SEEK_HOLE
1598 scantype == LSEEK_SCANTYPE
1604 :
1605 #endif
1612 {
1615 }
1617 {
1621 }
1622 }
1625 {
1631 {
1634 {
1637 }
1638 }
1639 }
1641 /* Set ownership before xattrs as changing owners will
1642 clear capabilities. */
1644 {
1647 {
1655 }
1656 }
1659 {
1663 }
1667 #if HAVE_FCLONEFILEAT && !USE_XATTR
1668 set_dest_mode:
1669 #endif
1671 {
1675 }
1677 {
1680 }
1682 {
1685 }
1687 {
1693 {
1698 }
1699 }
1704 close_src_and_dst_desc:
1706 {
1709 }
1710 close_src_desc:
1712 {
1715 }
1717 /* Output debug info for data copying operations. */
1723 }
1725 /* Return whether it's OK that two files are the "same" by some measure.
1726 The first file is SRC_NAME and has status SRC_SB.
1727 The second is DST_DIRFD+DST_RELNAME and has status DST_SB.
1728 The copying options are X. The goal is to avoid
1729 making the 'copy' operation remove both copies of the file
1730 in that case, while still allowing the user to e.g., move or
1731 copy a regular file onto a symlink that points to it.
1732 Try to minimize the cost of this function in the common case.
1733 Set *RETURN_NOW if we've determined that the caller has no more
1734 work to do and should return successfully, right away. */
1736 static bool
1740 {
1751 /* FIXME: this should (at the very least) be moved into the following
1752 if-block. More likely, it should be removed, because it inhibits
1753 making backups. But removing it will result in a change in behavior
1754 that will probably have to be documented -- and tests will have to
1755 be updated. */
1757 {
1760 }
1763 {
1766 /* If both the source and destination files are symlinks (and we'll
1767 know this here IFF preserving symlinks), then it's usually ok
1768 when they are distinct. */
1770 {
1773 {
1774 /* It's fine when we're making any type of backup. */
1778 /* Here we have two symlinks that are hard-linked together,
1779 and we're not making backups. In this unusual case, simply
1780 returning true would lead to mv calling "rename(A,B)",
1781 which would do nothing and return 0. */
1783 {
1786 }
1787 }
1790 }
1794 }
1795 else
1796 {
1810 /* If both are symlinks, then it's ok, but only if the destination
1811 will be unlinked before being opened. This is like the test
1812 above, but with the addition of the unlink_dest_before_opening
1813 conjunct because otherwise, with two symlinks to the same target,
1814 we'd end up truncating the source file. */
1818 }
1820 /* The backup code ensures there's a copy, so it's usually ok to
1821 remove any destination file. One exception is when both
1822 source and destination are the same directory entry. In that
1823 case, moving the destination file aside (in making the backup)
1824 would also rename the source file and result in an error. */
1826 {
1828 {
1829 /* In copy mode when dereferencing symlinks, if the source is a
1830 symlink and the dest is not, then backing up the destination
1831 (moving it aside) would make it a dangling symlink, and the
1832 subsequent attempt to open it in copy_reg would fail with
1833 a misleading diagnostic. Avoid that by returning zero in
1834 that case so the caller can make cp (or mv when it has to
1835 resort to reading the source file) fail now. */
1837 /* FIXME-note: even with the following kludge, we can still provoke
1838 the offending diagnostic. It's just a little harder to do :-)
1839 $ rm -f a b c; touch c; ln -s c b; ln -s b a; cp -b a b
1840 cp: cannot open 'a' for reading: No such file or directory
1841 That's misleading, since a subsequent 'ls' shows that 'a'
1842 is still there.
1843 One solution would be to open the source file *before* moving
1844 aside the destination, but that'd involve a big rewrite. */
1852 }
1854 /* FIXME: What about case insensitive file systems ? */
1856 }
1858 #if 0
1859 /* FIXME: use or remove */
1861 /* If we're making a backup, we'll detect the problem case in
1862 copy_reg because SRC_NAME will no longer exist. Allowing
1863 the test to be deferred lets cp do some useful things.
1864 But when creating hardlinks and SRC_NAME is a symlink
1865 but DST_RELNAME is not we must test anyway. */
1873 #endif
1876 {
1877 /* They may refer to the same file if we're in move mode and the
1878 target is a symlink. That is ok, since we remove any existing
1879 destination file before opening it -- via 'rename' if they're on
1880 the same file system, via unlinkat otherwise. */
1884 /* It's not ok if they're distinct hard links to the same file as
1885 this causes a race condition and we may lose data in this case. */
1890 }
1892 /* If neither is a symlink, then it's ok as long as they aren't
1893 hard links to the same file. */
1895 {
1899 /* If they are the same file, it's ok if we're making hard links. */
1901 {
1904 }
1905 }
1907 /* At this point, it is normally an error (data loss) to move a symlink
1908 onto its referent, but in at least one narrow case, it is not:
1909 In move mode, when
1910 1) src is a symlink,
1911 2) dest has a link count of 2 or more and
1912 3) dest and the referent of src are not the same directory entry,
1913 then it's ok, since while we'll lose one of those hard links,
1914 src will still point to a remaining link.
1915 Note that technically, condition #3 obviates condition #2, but we
1916 retain the 1 < st_nlink condition because that means fewer invocations
1917 of the more expensive #3.
1919 Given this,
1920 $ touch f && ln f l && ln -s f s
1921 $ ls -og f l s
1922 -rw-------. 2 0 Jan 4 22:46 f
1923 -rw-------. 2 0 Jan 4 22:46 l
1924 lrwxrwxrwx. 1 1 Jan 4 22:46 s -> f
1925 this must fail: mv s f
1926 this must succeed: mv s l */
1930 {
1933 {
1938 }
1939 }
1941 /* It's ok to recreate a destination symlink. */
1946 {
1961 {
1962 /* It's ok to attempt to hardlink the same file,
1963 and return early if not replacing a symlink.
1964 Note we need to return early to avoid a later
1965 unlink() of DST (when SRC is a symlink). */
1968 }
1969 }
1972 }
1974 /* Return whether DST_DIRFD+DST_RELNAME, with mode MODE,
1975 is writable in the sense of 'mv'.
1976 Always consider a symbolic link to be writable. */
1977 static bool
1979 {
1983 }
1985 static bool
1989 {
1991 {
2003 }
2004 else
2005 {
2008 }
2011 }
2013 /* Initialize the hash table implementing a set of F_triple entries
2014 corresponding to destination files. */
2017 {
2018 x->dest_info
2021 triple_hash,
2022 triple_compare,
2023 triple_free);
2026 }
2028 /* Initialize the hash table implementing a set of F_triple entries
2029 corresponding to source files listed on the command line. */
2032 {
2034 /* Note that we use triple_hash_no_name here.
2035 Contrast with the use of triple_hash above.
2036 That is necessary because a source file may be specified
2037 in many different ways. We want to warn about this
2038 cp a a d/
2039 as well as this:
2040 cp a ./a d/
2041 */
2042 x->src_info
2045 triple_hash_no_name,
2046 triple_compare,
2047 triple_free);
2050 }
2052 /* When effecting a move (e.g., for mv(1)), and given the name DST_NAME
2053 aka DST_DIRFD+DST_RELNAME
2054 of the destination and a corresponding stat buffer, DST_SB, return
2055 true if the logical 'move' operation should _not_ proceed.
2056 Otherwise, return false.
2057 Depending on options specified in X, this code may issue an
2058 interactive prompt asking whether it's ok to overwrite DST_NAME. */
2059 static bool
2064 {
2074 }
2076 /* Print --verbose output on standard output, e.g. 'new' -> 'old'.
2077 If BACKUP_DST_NAME is non-null, then also indicate that it is
2078 the name of a backup file. */
2079 static void
2081 {
2086 }
2088 /* A wrapper around "setfscreatecon (nullptr)" that exits upon failure. */
2089 static void
2091 {
2095 }
2097 /* Return a newly-allocated string that is like STR
2098 except replace its suffix SUFFIX with NEWSUFFIX. */
2101 {
2107 }
2109 /* Create a hard link to SRC_NAME aka SRC_DIRFD+SRC_RELNAME;
2110 the new link is at DST_NAME aka DST_DIRFD+DST_RELNAME.
2111 A null SRC_NAME stands for the file whose name is like DST_NAME
2112 except with DST_RELNAME replaced with SRC_RELNAME.
2113 Honor the REPLACE, VERBOSE and DEREFERENCE settings.
2114 Return true upon success. Otherwise, diagnose the
2115 failure and return false. If SRC_NAME is a symbolic link, then it will not
2116 be followed unless DEREFERENCE is true.
2117 If the system doesn't support hard links to symbolic links, then DST_NAME
2118 will be created as a symbolic link to SRC_NAME. */
2119 static bool
2123 {
2128 {
2133 src_relname);
2138 }
2142 }
2144 /* Return true if the current file should be (tried to be) dereferenced:
2145 either for DEREF_ALWAYS or for DEREF_COMMAND_LINE_ARGUMENTS in the case
2146 where the current file is a COMMAND_LINE_ARG; otherwise return false. */
2147 ATTRIBUTE_PURE
2150 {
2154 }
2156 /* Return true if the source file with basename SRCBASE and status SRC_ST
2157 is likely to be the simple backup file for DST_DIRFD+DST_RELNAME. */
2158 static bool
2161 {
2172 simple_backup_suffix);
2177 }
2179 /* Copy the file SRC_NAME to the file DST_NAME aka DST_DIRFD+DST_RELNAME.
2180 If NONEXISTENT_DST is positive, DST_NAME does not exist even as a
2181 dangling symlink; if negative, it does not exist except possibly
2182 as a dangling symlink; if zero, its existence status is unknown.
2183 A non-null PARENT describes the parent directory.
2184 ANCESTORS points to a linked, null terminated list of
2185 devices and inodes of parent directories of SRC_NAME.
2186 X summarizes the command-line options.
2187 COMMAND_LINE_ARG means SRC_NAME was specified on the command line.
2188 FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG is both input and output.
2189 Set *COPY_INTO_SELF if SRC_NAME is a parent of (or the
2190 same as) DST_NAME; otherwise, clear it.
2191 If X->move_mode, set *RENAME_SUCCEEDED according to whether
2192 the source was simply renamed to the destination.
2193 Return true if successful. */
2194 static bool
2205 {
2210 mode_t dst_mode_bits;
2211 mode_t omitted_permissions;
2221 /* Whether the destination is (or was) known to be new, updated as
2222 more info comes in. This may become true if the destination is a
2223 dangling symlink, in contexts where dangling symlinks should be
2224 treated the same as nonexistent files. */
2231 {
2234 RENAME_NOREPLACE)
2237 }
2243 {
2247 int fstatat_flags
2250 {
2253 }
2258 {
2264 }
2265 }
2266 else
2267 {
2268 #if defined lint && (defined __clang__ || defined __COVERITY__)
2271 #endif
2272 }
2274 /* Detect the case in which the same source file appears more than
2275 once on the command line and no backup option has been selected.
2276 If so, simply warn and don't copy it the second time.
2277 This check is enabled only if x->src_info is non-null. */
2279 {
2283 {
2287 }
2290 }
2295 {
2299 {
2300 /* Regular files can be created by writing through symbolic
2301 links, but other files cannot. So use stat on the
2302 destination when copying a regular file, and lstat otherwise.
2303 However, if we intend to unlink or remove the destination
2304 first, use lstat, since a copy won't actually be made to the
2305 destination in that case. */
2306 bool use_lstat
2318 {
2321 }
2322 else
2323 {
2327 {
2330 }
2331 else
2333 }
2334 }
2337 {
2345 {
2349 }
2352 {
2353 /* When preserving timestamps (but not moving within a file
2354 system), don't worry if the destination timestamp is
2355 less than the source merely because of timestamp
2356 truncation. */
2360 ? UTIMECMP_TRUNCATE_SOURCE
2365 {
2366 /* We're using --update and the destination is not older
2367 than the source, so do not copy or move. Pretend the
2368 rename succeeded, so the caller (if it's mv) doesn't
2369 end up removing the source file. */
2373 /* However, we still must record that we've processed
2374 this src/dest pair, in case this source file is
2375 hard-linked to another one. In that case, we'll use
2376 the mapping information to link the corresponding
2377 destination names. */
2381 {
2382 /* Note we currently replace DST_NAME unconditionally,
2383 even if it was a newer separate file. */
2388 {
2390 }
2391 }
2395 }
2396 }
2398 /* When there is an existing destination file, we may end up
2399 returning early, and hence not copying/moving the file.
2400 This may be due to an interactive 'negative' reply to the
2401 prompt about the existing file. It may also be due to the
2402 use of the --no-clobber option.
2404 cp and mv treat -i and -f differently. */
2406 {
2408 {
2409 /* Pretend the rename succeeded, so the caller (mv)
2410 doesn't end up removing the source file. */
2416 }
2417 }
2418 else
2419 {
2426 {
2429 }
2430 }
2432 skip:
2434 {
2441 }
2447 {
2449 {
2451 {
2452 /* Moving a directory onto an existing
2453 non-directory is ok only with --backup. */
2454 }
2455 else
2456 {
2461 }
2462 }
2464 /* Don't let the user destroy their data, even if they try hard:
2465 This mv command must fail (likewise for cp):
2466 rm -rf a b c; mkdir a b c; touch a/f b/f; mv a/f b/f c
2467 Otherwise, the contents of b/f would be lost.
2468 In the case of 'cp', b/f would be lost if the user simulated
2469 a move using cp and rm.
2470 Note that it works fine if you use --backup=numbered. */
2474 {
2479 }
2480 }
2483 {
2485 {
2487 {
2488 /* Moving a non-directory onto an existing
2489 directory is ok only with --backup. */
2490 }
2491 else
2492 {
2497 }
2498 }
2499 }
2502 {
2503 /* Don't allow user to move a directory onto a non-directory. */
2506 {
2511 }
2512 }
2516 /* Don't try to back up a destination if the last
2517 component of src_name is "." or "..". */
2519 /* Create a backup of each destination directory in move mode,
2520 but not in copy mode. FIXME: it might make sense to add an
2521 option to suppress backup creation also for move mode.
2522 That would let one use mv to merge new content into an
2523 existing hierarchy. */
2525 {
2526 /* Fail if creating the backup file would likely destroy
2527 the source file. Otherwise, the commands:
2528 cd /tmp; rm -f a a~; : > a; echo A > a~; cp --b=simple a~ a
2529 would leave two zero-length files: a and a~. */
2533 {
2542 }
2547 /* FIXME: use fts:
2548 Using alloca for a file name that may be arbitrarily
2549 long is not recommended. In fact, even forming such a name
2550 should be discouraged. Eventually, this code will be rewritten
2551 to use fts, so using alloca here will be less of a problem. */
2553 {
2560 }
2562 {
2565 }
2567 }
2569 /* Never unlink dst_name when in move mode. */
2576 ))
2577 {
2579 {
2582 }
2586 }
2587 }
2588 }
2590 /* Ensure we don't try to copy through a symlink that was
2591 created by a prior call to this function. */
2596 {
2601 /* If we did not follow symlinks above, good: use that data.
2602 Otherwise, use AT_SYMLINK_NOFOLLOW, in case dst_name is a symlink. */
2608 else
2611 /* Never copy through a symlink we've just created. */
2615 {
2620 }
2621 }
2623 /* If the source is a directory, we don't always create the destination
2624 directory. So --verbose should not announce anything until we're
2625 sure we'll create a directory. Also don't announce yet when moving
2626 so we can distinguish renames versus copies. */
2630 /* Associate the destination file name with the source device and inode
2631 so that if we encounter a matching dev/ino pair in the source tree
2632 we can arrange to create a hard link between the corresponding names
2633 in the destination tree.
2635 When using the --link (-l) option, there is no need to take special
2636 measures, because (barring race conditions) files that are hard-linked
2637 in the source tree will also be hard-linked in the destination tree.
2639 Sometimes, when preserving links, we have to record dev/ino even
2640 though st_nlink == 1:
2641 - when in move_mode, since we may be moving a group of N hard-linked
2642 files (via two or more command line arguments) to a different
2643 partition; the links may be distributed among the command line
2644 arguments (possibly hierarchies) so that the link count of
2645 the final, once-linked source file is reduced to 1 when it is
2646 considered below. But in this case (for mv) we don't need to
2647 incur the expense of recording the dev/ino => name mapping; all we
2648 really need is a lookup, to see if the dev/ino pair has already
2649 been copied.
2650 - when using -H and processing a command line argument;
2651 that command line argument could be a symlink pointing to another
2652 command line argument. With 'cp -H --preserve=link', we hard-link
2653 those two destination files.
2654 - likewise for -L except that it applies to all files, not just
2655 command line arguments.
2657 Also, with --recursive, record dev/ino of each command-line directory.
2658 We'll use that info to detect this problem: cp -R dir dir. */
2663 {
2667 else
2669 }
2671 {
2673 }
2677 || (command_line_arg
2680 {
2683 }
2685 /* Did we copy this inode somewhere else (in this command line argument)
2686 and therefore this is a second hard link to the inode? */
2689 {
2690 /* Avoid damaging the destination file system by refusing to preserve
2691 hard-linked directories (which are found at least in Netapp snapshot
2692 directories). */
2694 {
2695 /* If src_name and earlier_file refer to the same directory entry,
2696 then warn about copying a directory into itself. */
2698 {
2704 }
2707 {
2711 /* In move mode, if a previous rename succeeded, then
2712 we won't be in this path as the source is missing. If the
2713 rename previously failed, then that has been handled, so
2714 pretend this attempt succeeded so the source isn't removed. */
2717 /* We only do backups in move mode, and for non directories.
2718 So just ignore this repeated entry. */
2720 }
2722 || (command_line_arg
2724 {
2725 /* This happens when e.g., encountering a directory for the
2726 second or subsequent time via symlinks when cp is invoked
2727 with -R and -L. E.g.,
2728 rm -rf a b c d; mkdir a b c d; ln -s ../c a; ln -s ../c b;
2729 cp -RL a b d
2730 */
2731 }
2732 else
2733 {
2735 earlier_file);
2740 }
2741 }
2742 else
2743 {
2750 }
2751 }
2754 {
2760 {
2762 {
2765 }
2768 {
2769 /* -Z failures are only warnings currently. */
2771 }
2777 {
2778 /* Record destination dev/ino/name, so that if we are asked
2779 to overwrite that file again, we can detect it and fail. */
2780 /* It's fine to use the _source_ stat buffer (src_sb) to get the
2781 _destination_ dev/ino, since the rename above can't have
2782 changed those, and 'mv' always uses lstat.
2783 We could limit it further by operating
2784 only on non-directories. */
2786 }
2789 }
2791 /* FIXME: someday, consider what to do when moving a directory into
2792 itself but when source and destination are on different devices. */
2794 /* This happens when attempting to rename a directory to a
2795 subdirectory of itself. */
2797 {
2798 /* FIXME: this is a little fragile in that it relies on rename(2)
2799 failing with a specific errno value. Expect problems on
2800 non-POSIX systems. */
2805 /* Note that there is no need to call forget_created here,
2806 (compare with the other calls in this file) since the
2807 destination directory didn't exist before. */
2810 /* FIXME-cleanup: Don't return true here; adjust mv.c accordingly.
2811 The only caller that uses this code (mv.c) ends up setting its
2812 exit status to nonzero when copy_into_self is nonzero. */
2814 }
2816 /* WARNING: there probably exist systems for which an inter-device
2817 rename fails with a value of errno not handled here.
2818 If/as those are reported, add them to the condition below.
2819 If this happens to you, please do the following and send the output
2820 to the bug-reporting address (e.g., in the output of cp --help):
2821 touch k; perl -e 'rename "k","/tmp/k" or print "$!(",$!+0,")\n"'
2822 where your current directory is on one partition and /tmp is the other.
2823 Also, please try to find the E* errno macro name corresponding to
2824 the diagnostic and parenthesized integer, and include that in your
2825 e-mail. One way to do that is to run a command like this
2826 find /usr/include/. -type f \
2827 | xargs grep 'define.*\<E[A-Z]*\>.*\<18\>' /dev/null
2828 where you'd replace '18' with the integer in parentheses that
2829 was output from the perl one-liner above.
2830 If necessary, of course, change '/tmp' to some other directory. */
2832 {
2833 /* There are many ways this can happen due to a race condition.
2834 When something happens between the initial follow_fstatat and the
2835 subsequent rename, we can get many different types of errors.
2836 For example, if the destination is initially a non-directory
2837 or non-existent, but it is created as a directory, the rename
2838 fails. If two 'mv' commands try to rename the same file at
2839 about the same time, one will succeed and the other will fail.
2840 If the permissions on the directory containing the source or
2841 destination file are made too restrictive, the rename will
2842 fail. Etc. */
2848 }
2850 /* The rename attempt has failed. Remove any existing destination
2851 file so that a cross-device 'mv' acts as if it were really using
2852 the rename syscall. Note both src and dst must both be directories
2853 or not, and this is enforced above. Therefore we check the src_mode
2854 and operate on dst_name here as a tighter constraint and also because
2855 src_mode is readily available here. */
2860 {
2866 }
2869 {
2872 }
2874 }
2876 /* If the ownership might change, or if it is a directory (whose
2877 special mode bits may change after the directory is created),
2878 omit some permissions at first, so unauthorized users cannot nip
2879 in before the file is ready. */
2881 omitted_permissions =
2882 (dst_mode_bits
2889 /* If required, set the default security context for new files.
2890 Also for existing files this is used as a reference
2891 when copying the context with --preserve=context.
2892 FIXME: Do we need to consider dst_mode_bits here? */
2897 {
2900 /* If this directory has been copied before during the
2901 recursion, there is a symbolic link to an ancestor
2902 directory of the symbolic link. It is impossible to
2903 continue to copy this, unless we've got an infinite file system. */
2906 {
2910 }
2912 /* Insert the current directory in the list of parents. */
2920 {
2921 /* POSIX says mkdir's behavior is implementation-defined when
2922 (src_mode & ~S_IRWXUGO) != 0. However, common practice is
2923 to ask mkdir to copy all the CHMOD_MODE_BITS, letting mkdir
2924 decide what to do with S_ISUID | S_ISGID | S_ISVTX. */
2927 {
2931 }
2933 /* We need search and write permissions to the new directory
2934 for writing the directory's contents. Check if these
2935 permissions are there. */
2938 {
2941 }
2943 {
2944 /* Make the new directory searchable and writable. */
2950 {
2954 }
2955 }
2957 /* Record the created directory's inode and device numbers into
2958 the search structure, so that we can avoid copying it again.
2959 Do this only for the first directory that is created for each
2960 source command line argument. */
2962 {
2965 }
2968 {
2971 else
2973 }
2974 }
2975 else
2976 {
2979 /* For directories, the process global context could be reset for
2980 descendents, so use it to set the context for existing dirs here.
2981 This will also give earlier indication of failure to set ctx. */
2984 {
2987 }
2988 }
2990 /* Decide whether to copy the contents of the directory. */
2992 {
2993 /* Here, we are crossing a file system boundary and cp's -x option
2994 is in effect: so don't copy the contents of this directory. */
2995 }
2996 else
2997 {
2998 /* Copy the contents of the directory. Don't just return if
2999 this fails -- otherwise, the failure to read a single file
3000 in a source directory would cause the containing destination
3001 directory not to have owner/perms set properly. */
3004 first_dir_created_per_command_line_arg,
3005 copy_into_self);
3006 }
3007 }
3009 {
3012 {
3013 /* Check that DST_NAME denotes a file in the current directory. */
3022 /* If either stat call fails, it's ok not to report
3023 the failure and say dst_name is in the current
3024 directory. Other things will fail later. */
3032 {
3037 }
3038 }
3043 {
3047 }
3048 }
3050 /* POSIX 2008 states that it is implementation-defined whether
3051 link() on a symlink creates a hard-link to the symlink, or only
3052 to the referent (effectively dereferencing the symlink) (POSIX
3053 2001 required the latter behavior, although many systems provided
3054 the former). Yet cp, invoked with '--link --no-dereference',
3055 should not follow the link. We can approximate the desired
3056 behavior by skipping this hard-link creating block and instead
3057 copying the symlink, via the 'S_ISLNK'- copying code below.
3059 Note gnulib's linkat module, guarantees that the symlink is not
3060 dereferenced. However its emulation currently doesn't maintain
3061 timestamps or ownership so we only call it when we know the
3062 emulation will not be needed. */
3066 {
3073 }
3076 {
3078 /* POSIX says the permission bits of the source file must be
3079 used as the 3rd argument in the open call. Historical
3080 practice passed all the source mode bits to 'open', but the extra
3081 bits were ignored, so it should be the same either way.
3083 This call uses DST_MODE_BITS, not SRC_MODE. These are
3084 normally the same, and the exception (where x->set_mode) is
3085 used only by 'install', which POSIX does not specify and
3086 where DST_MODE_BITS is what's wanted. */
3091 }
3093 {
3094 /* Use mknodat, rather than mkfifoat, because the former preserves
3095 the special mode bits of a fifo on Solaris 10, while mkfifoat
3096 does not. But fall back on mkfifoat, because on some BSD systems,
3097 mknodat always fails when asked to create a FIFO. */
3101 {
3104 }
3105 }
3107 {
3110 {
3114 }
3115 }
3117 {
3121 {
3125 }
3131 {
3132 /* See if the destination is already the desired symlink.
3133 FIXME: This behavior isn't documented, and seems wrong
3134 in some cases, e.g., if the destination symlink has the
3135 wrong ownership, permissions, or timestamps. */
3139 {
3143 }
3144 }
3147 {
3151 }
3157 {
3158 /* Preserve the owner and group of the just-'copied'
3159 symbolic link, if possible. */
3165 {
3167 dst_name);
3170 }
3171 else
3172 {
3173 /* Can't preserve ownership of symlinks.
3174 FIXME: maybe give a warning or even error for symlinks
3175 in directories with the sticky bit set -- there, not
3176 preserving owner/group is a potential security problem. */
3177 }
3178 }
3179 }
3180 else
3181 {
3184 }
3186 /* With -Z or --preserve=context, set the context for existing files.
3187 Note this is done already for copy_reg() for reasons described therein. */
3190 {
3192 {
3195 }
3196 }
3199 {
3200 /* Now that the destination file is very likely to exist,
3201 add its info to the set. */
3205 }
3207 /* If we've just created a hard-link due to cp's --link option,
3208 we're done. */
3217 /* POSIX says that 'cp -p' must restore the following:
3218 - permission bits
3219 - setuid, setgid bits
3220 - owner and group
3221 If it fails to restore any of those, we may give a warning but
3222 the destination must not be removed.
3223 FIXME: implement the above. */
3225 /* Adjust the times (and if possible, ownership) for the copy.
3226 chown turns off set[ug]id bits for non-root,
3227 so do the chmod last. */
3230 {
3237 {
3241 }
3242 }
3244 /* Avoid calling chown if we know it's not necessary. */
3247 {
3250 {
3257 }
3258 }
3260 /* Set xattrs after ownership as changing owners will clear capabilities. */
3265 /* The operations beyond this point may dereference a symlink. */
3272 {
3276 }
3278 {
3281 }
3283 {
3288 }
3289 else
3290 {
3292 {
3296 {
3297 /* Permissions were deliberately omitted when the file
3298 was created due to security concerns. See whether
3299 they need to be re-added now. It'd be faster to omit
3300 the lstat, but deducing the current destination mode
3301 is tricky in the presence of implementation-defined
3302 rules for special mode bits. */
3304 AT_SYMLINK_NOFOLLOW)
3306 {
3309 }
3313 }
3314 }
3317 {
3320 {
3325 }
3326 }
3327 }
3331 un_backup:
3336 /* We have failed to create the destination file.
3337 If we've just added a dev/ino entry via the remember_copied
3338 call above (i.e., unless we've just failed to create a hard link),
3339 remove the entry associating the source dev/ino with the
3340 destination file name, so we don't try to 'preserve' a link
3341 to a file we didn't create. */
3346 {
3350 else
3351 {
3355 }
3356 }
3358 }
3360 static void
3362 {
3370 }
3372 /* Copy the file SRC_NAME to the file DST_NAME aka DST_DIRFD+DST_RELNAME.
3373 If NONEXISTENT_DST is positive, DST_NAME does not exist even as a
3374 dangling symlink; if negative, it does not exist except possibly
3375 as a dangling symlink; if zero, its existence status is unknown.
3376 OPTIONS summarizes the command-line options.
3377 Set *COPY_INTO_SELF if SRC_NAME is a parent of (or the
3378 same as) DST_NAME; otherwise, set clear it.
3379 If X->move_mode, set *RENAME_SUCCEEDED according to whether
3380 the source was simply renamed to the destination.
3381 Return true if successful. */
3388 {
3391 /* Record the file names: they're used in case of error, when copying
3392 a directory into itself. I don't like to make these tools do *any*
3393 extra work in the common case when that work is solely to handle
3394 exceptional cases, but in this case, I don't see a way to derive the
3395 top level source and destination directory names where they're used.
3396 An alternative is to use COPY_INTO_SELF and print the diagnostic
3397 from every caller -- but I don't want to do that. */
3407 }
3409 /* Set *X to the default options for a value of type struct cp_options. */
3413 {
3415 #ifdef PRIV_FILE_CHOWN
3416 {
3421 {
3424 }
3426 }
3427 #else
3429 #endif
3431 }
3433 /* Return true if it's OK for chown to fail, where errno is
3434 the error number that chown failed with and X is the copying
3435 option set. */
3439 {
3440 /* If non-root uses -p, it's ok if we can't preserve ownership.
3441 But root probably wants to know, e.g. if NFS disallows it,
3442 or if the target system doesn't support file ownership. */
3445 }
3447 /* Similarly, return true if it's OK for chmod and similar operations
3448 to fail, where errno is the error number that chmod failed with and
3449 X is the copying option set. */
3451 static bool
3453 {
3455 }
3457 /* Return the user's umask, caching the result.
3459 FIXME: If the destination's parent directory has has a default ACL,
3460 some operating systems (e.g., GNU/Linux's "POSIX" ACLs) use that
3461 ACL's mask rather than the process umask. Currently, the callers
3462 of cached_umask incorrectly assume that this situation cannot occur. */
3463 extern mode_t
3465 {
3468 {
3471 }
3473 }