| blob | 66ab006914f6bd36b653c81178a31c141e31e21c |
1 /* copy.c -- core functions for copying files and directories
2 Copyright (C) 1989-2023 Free Software Foundation, Inc.
4 This program is free software: you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation, either version 3 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <https://www.gnu.org/licenses/>. */
17 /* Extracted from cp.c and librarified by Jim Meyering. */
19 #include <config.h>
20 #include <stdckdint.h>
21 #include <stdio.h>
22 #include <sys/ioctl.h>
23 #include <sys/types.h>
24 #include <selinux/selinux.h>
26 #if HAVE_HURD_H
27 # include <hurd.h>
28 #endif
29 #if HAVE_PRIV_H
30 # include <priv.h>
31 #endif
67 #ifndef USE_XATTR
68 # define USE_XATTR false
69 #endif
71 #if USE_XATTR
72 # include <attr/error_context.h>
73 # include <attr/libattr.h>
74 # include <stdarg.h>
76 #endif
78 #if HAVE_LINUX_FALLOC_H
79 # include <linux/falloc.h>
80 #endif
82 /* See HAVE_FALLOCATE workaround when including this file. */
83 #ifdef HAVE_LINUX_FS_H
84 # include <linux/fs.h>
85 #endif
87 #if !defined FICLONE && defined __linux__
88 # define FICLONE _IOW (0x94, 9, int)
89 #endif
91 #if HAVE_FCLONEFILEAT && !USE_XATTR
92 # include <sys/clonefile.h>
93 #endif
95 #ifndef USE_ACL
96 # define USE_ACL 0
97 #endif
99 #define SAME_OWNER(A, B) ((A).st_uid == (B).st_uid)
100 #define SAME_GROUP(A, B) ((A).st_gid == (B).st_gid)
101 #define SAME_OWNER_AND_GROUP(A, B) (SAME_OWNER (A, B) && SAME_GROUP (A, B))
103 /* LINK_FOLLOWS_SYMLINKS is tri-state; if it is -1, we don't know
104 how link() behaves, so assume we can't hardlink symlinks in that case. */
105 #if (defined HAVE_LINKAT && ! LINKAT_SYMLINK_NOTSUP) || ! LINK_FOLLOWS_SYMLINKS
106 # define CAN_HARDLINK_SYMLINKS 1
107 #else
108 # define CAN_HARDLINK_SYMLINKS 0
109 #endif
111 struct dir_list
112 {
114 ino_t ino;
115 dev_t dev;
116 };
118 /* Initial size of the cp.dest_info hash table. */
119 #define DEST_INFO_INITIAL_CAPACITY 61
132 /* Pointers to the file names: they're used in the diagnostic that is issued
133 when we detect the user is trying to copy a directory into itself. */
137 enum copy_debug_val
138 {
139 COPY_DEBUG_UNKNOWN,
140 COPY_DEBUG_NO,
141 COPY_DEBUG_YES,
142 COPY_DEBUG_EXTERNAL,
143 COPY_DEBUG_EXTERNAL_INTERNAL,
144 COPY_DEBUG_AVOIDED,
145 COPY_DEBUG_UNSUPPORTED,
146 };
148 /* debug info about the last file copy. */
149 static struct copy_debug
150 {
158 {
160 {
166 }
167 }
171 {
173 {
179 }
180 }
182 /* Print --debug output on standard output. */
183 static void
185 {
191 }
193 #ifndef DEV_FD_MIGHT_BE_CHR
194 # define DEV_FD_MIGHT_BE_CHR false
195 #endif
197 /* Act like fstat (DIRFD, FILENAME, ST, FLAGS), except when following
198 symbolic links on Solaris-like systems, treat any character-special
199 device like /dev/fd/0 as if it were the file it is open on. */
200 static int
202 {
207 {
211 {
215 {
218 }
219 else
221 }
224 }
227 }
229 /* Attempt to punch a hole to avoid any permanent
230 speculative preallocation on file systems such as XFS.
231 Return values as per fallocate(2) except ENOSYS etc. are ignored. */
233 static int
235 {
237 /* +0 is to work around older <linux/fs.h> defining HAVE_FALLOCATE to empty. */
238 #if HAVE_FALLOCATE + 0
239 # if defined FALLOC_FL_PUNCH_HOLE && defined FALLOC_FL_KEEP_SIZE
244 # endif
245 #endif
247 }
249 /* Create a hole at the end of a file,
250 avoiding preallocation if requested. */
252 static bool
254 {
258 {
261 }
263 /* Some file systems (like XFS) preallocate when write extending a file.
264 I.e., a previous write() may have preallocated extra space
265 that the seek above will not discard. A subsequent write() could
266 then make this allocation permanent. */
268 {
271 }
274 }
277 /* Whether an errno value ERR, set by FICLONE or copy_file_range,
278 indicates that the copying operation has terminally failed, even
279 though it was invoked correctly (so that, e.g, EBADF cannot occur)
280 and even though !is_CLONENOTSUP (ERR). */
282 static bool
284 {
286 }
288 /* Similarly, whether ERR indicates that the copying operation is not
289 supported or allowed for this file or process, even though the
290 operation was invoked correctly. */
292 static bool
294 {
299 }
302 /* Copy the regular file open on SRC_FD/SRC_NAME to DST_FD/DST_NAME,
303 honoring the MAKE_HOLES setting and using the BUF_SIZE-byte buffer
304 *ABUF for temporary storage, allocating it lazily if *ABUF is null.
305 Copy no more than MAX_N_READ bytes.
306 Return true upon successful completion;
307 print a diagnostic and return false upon error.
308 Note that for best results, BUF should be "well"-aligned.
309 Set *LAST_WRITE_MADE_HOLE to true if the final operation on
310 DEST_FD introduced a hole. Set *TOTAL_N_READ to the number of
311 bytes read. */
312 static bool
318 {
327 /* If not looking for holes, use copy_file_range if functional,
328 but don't use if reflink disallowed as that may be implicit. */
331 {
332 /* Copy at most COPY_MAX bytes at a time; this is min
333 (SSIZE_MAX, SIZE_MAX) truncated to a value that is
334 surely aligned well. */
339 {
340 /* copy_file_range incorrectly returns 0 when reading from
341 the proc file system on the Linux kernel through at
342 least 5.6.19 (2020), so fall back on 'read' if the
343 input file seems empty. */
348 }
350 {
353 /* Consider operation unsupported only if no data copied.
354 For example, EPERM could occur if copy_file_range not enabled
355 in seccomp filters, so retry with a standard copy. EPERM can
356 also occur for immutable files, but that would only be in the
357 edge case where the file is made immutable after creating,
358 in which case the (more accurate) error is still shown. */
362 /* ENOENT was seen sometimes across CIFS shares, resulting in
363 no data being copied, but subsequent standard copies succeed. */
369 else
370 {
374 }
375 }
379 }
380 else
388 {
394 {
399 }
405 /* Loop over the input buffer in chunks of hole_size. */
411 {
422 {
427 {
429 {
433 }
434 }
435 else
436 {
439 }
445 {
451 else
453 }
454 }
456 {
458 {
461 }
462 }
466 }
470 /* It's tempting to break early here upon a short read from
471 a regular file. That would save the final read syscall
472 for each file. Unfortunately that doesn't work for
473 certain files in /proc or /sys with linux kernels. */
474 }
476 /* Ensure a trailing hole is created, so that subsequent
477 calls of sparse_copy() start at the correct offset. */
480 else
482 }
484 /* Perform the O(1) btrfs clone operation, if possible.
485 Upon success, return 0. Otherwise, return -1 and set errno. */
488 {
489 #ifdef FICLONE
491 #else
496 #endif
497 }
499 /* Write N_BYTES zero bytes to file descriptor FD. Return true if successful.
500 Upon write failure, set errno and return false. */
501 static bool
503 {
507 /* Attempt to use a relatively large calloc'd source buffer for
508 efficiency, but if that allocation fails, resort to a smaller
509 statically allocated one. */
511 {
515 {
518 }
519 }
522 {
527 }
530 }
532 #ifdef SEEK_HOLE
533 /* Perform an efficient extent copy, if possible. This avoids
534 the overhead of detecting holes in hole-introducing/preserving
535 copy, and thus makes copying sparse files much more efficient.
536 Copy from SRC_FD to DEST_FD, using *ABUF (of size BUF_SIZE) for a buffer.
537 Allocate *ABUF lazily if *ABUF is null.
538 Look for holes of size HOLE_SIZE in the input.
539 The input file is of size SRC_TOTAL_SIZE.
540 Use SPARSE_MODE to determine whether to create holes in the output.
541 SRC_NAME and DST_NAME are the input and output file names.
542 Return true if successful, false (with a diagnostic) otherwise. */
544 static bool
550 {
559 {
562 {
567 {
568 /* The input file grew; get its current size. */
573 /* If the input file shrank after growing, stop copying. */
578 }
579 }
580 /* If the input file must have grown, increase its measured size. */
591 {
593 {
596 ext_hole_size))
599 }
600 else
601 {
602 /* When not inducing holes and when there is a hole between
603 the end of the previous extent and the beginning of the
604 current one, write zeros to the destination file. */
606 {
610 }
611 }
612 }
618 /* Copy this extent, looking for further opportunities to not
619 bother to write zeros if --sparse=always, since SEEK_HOLE
620 is conservative and may miss some holes. */
621 off_t n_read;
633 {
634 /* The input file shrank. */
637 }
642 }
644 /* When the source file ends with a hole, we have to do a little more work,
645 since the above copied only up to and including the final extent.
646 In order to complete the copy, we may have to insert a hole or write
647 zeros in the destination corresponding to the source file's hole-at-EOF.
649 In addition, if the final extent was a block of zeros at EOF and we've
650 just converted them to a hole in the destination, we must call ftruncate
651 here in order to record the proper length in the destination. */
656 {
659 }
663 {
666 }
670 cannot_lseek:
673 }
674 #endif
676 /* FIXME: describe */
677 /* FIXME: rewrite this to use a hash table so we avoid the quadratic
678 performance hit that's probably noticeable only on trees deeper
679 than a few hundred levels. See use of active_dir_map in remove.c */
681 ATTRIBUTE_PURE
682 static bool
684 {
686 {
690 }
692 }
694 static bool
696 {
698 }
700 #if USE_XATTR
702 static void
705 {
707 {
711 /* use verror module to print error message */
715 }
716 }
719 static void
722 {
726 /* use verror module to print error message */
730 }
734 {
736 }
738 static void
741 {
742 }
744 /* Exclude SELinux extended attributes that are otherwise handled,
745 and are problematic to copy again. Also honor attributes
746 configured for exclusion in /etc/xattr.conf.
747 FIXME: Should we handle POSIX ACLs similarly?
748 Return zero to skip. */
749 static int
751 {
754 }
756 /* If positive SRC_FD and DST_FD descriptors are passed,
757 then copy by fd, otherwise copy by name. */
759 static bool
762 {
769 # if 4 < __GNUC__ + (8 <= __GNUC_MINOR__)
770 /* Pacify gcc -Wsuggest-attribute=format through at least GCC 11.2.1. */
771 # pragma GCC diagnostic push
773 # endif
780 })
782 # if 4 < __GNUC__ + (8 <= __GNUC_MINOR__)
783 # pragma GCC diagnostic pop
784 # endif
789 }
792 static bool
798 {
800 }
803 /* Read the contents of the directory SRC_NAME_IN, and recursively
804 copy the contents to DST_NAME_IN aka DST_DIRFD+DST_RELNAME_IN.
805 NEW_DST is true if DST_NAME_IN is a directory
806 that was created previously in the recursion.
807 SRC_SB and ANCESTORS describe SRC_NAME_IN.
808 Set *COPY_INTO_SELF if SRC_NAME_IN is a parent of
809 (or the same as) DST_NAME_IN; otherwise, clear it.
810 Propagate *FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG from
811 caller to each invocation of copy_internal. Be careful to
812 pass the address of a temporary, and to update
813 *FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG only upon completion.
814 Return true if successful. */
816 static bool
823 {
831 {
832 /* This diagnostic is a bit vague because savedir can fail in
833 several different ways. */
836 }
838 /* For cp's -H option, dereference command line arguments, but do not
839 dereference symlinks that are found via recursive traversal. */
846 {
864 /* If we're copying into self, there's no point in continuing,
865 and in fact, that would even infloop, now that we record only
866 the first created directory per command line argument. */
872 }
877 }
879 /* Change the file mode bits of the file identified by DESC or
880 DIRFD+NAME to MODE. Use DESC if DESC is valid and fchmod is
881 available, DIRFD+NAME otherwise. */
883 static int
885 {
886 #if HAVE_FCHMOD
889 #endif
891 }
893 /* Change the ownership of the file identified by DESC or
894 DIRFD+NAME to UID+GID. Use DESC if DESC is valid and fchown is
895 available, DIRFD+NAME otherwise. */
897 static int
899 {
900 #if HAVE_FCHOWN
903 #endif
905 }
907 /* Set the owner and owning group of DEST_DESC to the st_uid and
908 st_gid fields of SRC_SB. If DEST_DESC is undefined (-1), set
909 the owner and owning group of DST_NAME aka DST_DIRFD+DST_RELNAME
910 instead; for safety prefer lchownat since no
911 symbolic links should be involved. DEST_DESC must
912 refer to the same file as DST_NAME if defined.
913 Upon failure to set both UID and GID, try to set only the GID.
914 NEW_DST is true if the file was newly created; otherwise,
915 DST_SB is the status of the destination.
916 Return 1 if the initial syscall succeeds, 0 if it fails but it's OK
917 not to preserve ownership, -1 otherwise. */
919 static int
924 {
928 /* Naively changing the ownership of an already-existing file before
929 changing its permissions would create a window of vulnerability if
930 the file's old permissions are too generous for the new owner and
931 group. Avoid the window by first changing to a restrictive
932 temporary mode if necessary. */
935 {
937 mode_t new_mode =
945 {
950 }
951 }
956 /* The ownership change failed. If the failure merely means we lack
957 privileges to change owner+group, try to change just the group
958 and ignore any failure of this. Otherwise, report an error. */
962 else
963 {
968 }
971 }
973 /* Set the st_author field of DEST_DESC to the st_author field of
974 SRC_SB. If DEST_DESC is undefined (-1), set the st_author field
975 of DST_NAME instead. DEST_DESC must refer to the same file as
976 DST_NAME if defined. */
978 static void
980 {
981 #if HAVE_STRUCT_STAT_ST_AUTHOR
982 /* FIXME: Modify the following code so that it does not
983 follow symbolic links. */
985 /* Preserve the st_author field. */
991 else
992 {
998 }
999 #else
1003 #endif
1004 }
1006 /* Set the default security context for the process. New files will
1007 have this security context set. Also existing files can have their
1008 context adjusted based on this process context, by
1009 set_file_security_ctx() called with PROCESS_LOCAL=true.
1010 This should be called before files are created so there is no race
1011 where a file may be present without an appropriate security context.
1012 Based on CP_OPTIONS, diagnose warnings and fail when appropriate.
1013 Return FALSE on failure, TRUE on success. */
1015 bool
1018 {
1020 {
1021 /* Set the default context for the process to match the source. */
1027 {
1029 {
1035 {
1038 }
1039 }
1041 }
1042 else
1043 {
1045 {
1049 }
1052 }
1053 }
1055 {
1056 /* With -Z, adjust the default context for the process
1057 to have the type component adjusted as per the destination path. */
1060 {
1064 }
1065 }
1068 }
1070 /* Reset the security context of DST_NAME, to that already set
1071 as the process default if !X->set_security_context. Otherwise
1072 adjust the type component of DST_NAME's security context as
1073 per the system default for that path. Issue warnings upon
1074 failure, when allowed by various settings in X.
1075 Return false on failure, true on success. */
1077 bool
1080 {
1086 {
1091 }
1094 }
1096 #ifndef HAVE_STRUCT_STAT_ST_BLOCKS
1097 # define HAVE_STRUCT_STAT_ST_BLOCKS 0
1098 #endif
1100 /* Type of scan being done on the input when looking for sparseness. */
1101 enum scantype
1102 {
1103 /* An error was found when determining scantype. */
1104 ERROR_SCANTYPE,
1106 /* No fancy scanning; just read and write. */
1107 PLAIN_SCANTYPE,
1109 /* Read and examine data looking for zero blocks; useful when
1110 attempting to create sparse output. */
1111 ZERO_SCANTYPE,
1113 /* lseek information is available. */
1114 LSEEK_SCANTYPE,
1115 };
1117 /* Result of infer_scantype. */
1118 union scan_inference
1119 {
1120 /* Used if infer_scantype returns LSEEK_SCANTYPE. This is the
1121 offset of the first data block, or -1 if the file has no data. */
1122 off_t ext_start;
1123 };
1125 /* Return how to scan a file with descriptor FD and stat buffer SB.
1126 *SCAN_INFERENCE is set to a valid value if returning LSEEK_SCANTYPE. */
1127 static enum scantype
1130 {
1133 /* Only attempt SEEK_HOLE if this heuristic
1134 suggests the file is sparse. */
1140 #ifdef SEEK_HOLE
1143 {
1146 }
1149 #endif
1152 }
1154 #if HAVE_FCLONEFILEAT && !USE_XATTR
1155 # include <sys/acl.h>
1156 /* Return true if FD has a nontrivial ACL. */
1157 static bool
1159 {
1160 /* Every platform with fclonefileat (macOS 10.12 or later) also has
1161 acl_get_fd_np. */
1165 {
1166 acl_entry_t ace;
1169 }
1171 }
1172 #endif
1174 /* Handle failure from FICLONE or fclonefileat.
1175 Return FALSE if it's a terminal failure for this file. */
1177 static bool
1181 {
1182 /* When the clone operation fails, report failure only with errno values
1183 known to mean trouble when the clone is supported and called properly.
1184 Do not report failure merely because !is_CLONENOTSUP (errno),
1185 as systems may yield oddball errno values here with FICLONE,
1186 and is_CLONENOTSUP is not appropriate for fclonefileat. */
1193 /* Remove the destination if cp --reflink=always created it
1194 but cloned no data. */
1208 }
1211 /* Copy a regular file from SRC_NAME to DST_NAME aka DST_DIRFD+DST_RELNAME.
1212 If the source file contains holes, copies holes and blocks of zeros
1213 in the source file as holes in the destination file.
1214 (Holes are read as zeroes by the 'read' system call.)
1215 When creating the destination, use DST_MODE & ~OMITTED_PERMISSIONS
1216 as the third argument in the call to open, adding
1217 OMITTED_PERMISSIONS after copying as needed.
1218 X provides many option settings.
1219 Return true if successful.
1220 *NEW_DST is initially as in copy_internal.
1221 If successful, set *NEW_DST to true if the destination file was created and
1222 to false otherwise; if unsuccessful, perhaps set *NEW_DST to some value.
1223 SRC_SB is the result of calling follow_fstatat on SRC_NAME;
1224 it might be updated by calling fstat again on the same file,
1225 to give it slightly more up-to-date contents. */
1227 static bool
1233 {
1238 mode_t extra_permissions;
1254 {
1257 }
1260 {
1264 }
1266 /* Compare the source dev/ino from the open file to the incoming,
1267 saved ones obtained via a previous call to stat. */
1269 {
1275 }
1277 /* Might as well tell the caller about the latest version of the
1278 source file status, since we have it already. */
1282 /* The semantics of the following open calls are mandated
1283 by the specs for both cp and mv. */
1285 {
1291 /* When using cp --preserve=context to copy to an existing destination,
1292 reset the context as per the default context, which has already been
1293 set according to the src.
1294 When using the mutually exclusive -Z option, then adjust the type of
1295 the existing context according to the system default for the dest.
1296 Note we set the context here, _after_ the file is opened, lest the
1297 new context disallow that. */
1300 {
1302 {
1304 {
1307 }
1308 }
1309 }
1313 {
1315 {
1318 }
1320 {
1324 }
1327 }
1330 {
1331 /* Ensure there is no race where a file may be left without
1332 an appropriate security context. */
1334 {
1337 {
1340 }
1341 }
1343 /* Tell caller that the destination file is created. */
1345 }
1346 }
1349 {
1350 #if HAVE_FCLONEFILEAT && !USE_XATTR
1351 # ifndef CLONE_ACL
1353 # endif
1354 # ifndef CLONE_NOOWNERCOPY
1356 # endif
1357 /* Try fclonefileat if copying data in reflink mode.
1358 Use CLONE_NOFOLLOW to avoid security issues that could occur
1359 if writing through dangling symlinks. Although the circa
1360 2023 macOS documentation doesn't say so, CLONE_NOFOLLOW
1361 affects the destination file too. */
1364 {
1365 /* Try fclonefileat so long as it won't create the
1366 destination with unwanted permissions, which could lead
1367 to a security race. */
1370 mode_t desired_mode
1376 {
1377 int fc_flags
1378 = (CLONE_NOFOLLOW
1382 fc_flags);
1384 {
1387 fc_flags);
1388 }
1390 {
1393 /* Update the clone's timestamps and permissions
1394 as needed. */
1397 {
1401 AT_SYMLINK_NOFOLLOW)
1403 {
1408 }
1409 }
1415 {
1417 }
1419 /* Either some desired permissions were not cloned,
1420 or ACLs were not cloned despite that being requested. */
1424 }
1426 dst_name,
1429 {
1432 }
1433 }
1434 else
1436 }
1438 {
1441 }
1442 #endif
1444 /* To allow copying xattrs on read-only files, create with u+w.
1445 This satisfies an inode permission check done by
1446 xattr_permission in fs/xattr.c of the GNU/Linux kernel. */
1447 mode_t open_mode =
1454 open_mode);
1457 /* When trying to copy through a dangling destination symlink,
1458 the above open fails with EEXIST. If that happens, and
1459 readlinkat shows that it is a symlink, then we
1460 have a problem: trying to resolve this dangling symlink to
1461 a directory/destination-entry pair is fundamentally racy,
1462 so punt. If x->open_dangling_dest_symlink is set (cp sets
1463 that when POSIXLY_CORRECT is set in the environment), simply
1464 call open again, but without O_EXCL (potentially dangerous).
1465 If not, fail with a diagnostic. These shenanigans are necessary
1466 only when copying, i.e., not in move_mode. */
1468 {
1471 {
1473 {
1477 }
1478 else
1479 {
1484 }
1485 }
1486 }
1488 /* Improve quality of diagnostic when a nonexistent dst_name
1489 ends in a slash and open fails with errno == EISDIR. */
1493 }
1494 else
1495 {
1497 }
1500 {
1505 }
1507 /* --attributes-only overrides --reflink. */
1509 {
1511 {
1514 }
1515 else
1516 {
1519 {
1522 }
1523 }
1524 }
1529 {
1533 }
1535 /* If extra permissions needed for copy_xattr didn't happen (e.g.,
1536 due to umask) chmod to add them temporarily; if that fails give
1537 up with extra permissions, letting copy_attr fail later. */
1545 {
1546 /* Choose a suitable buffer size; it may be adjusted later. */
1550 /* Deal with sparse files. */
1554 {
1558 }
1559 bool make_holes
1567 /* If not making a sparse file, try to use a more-efficient
1568 buffer size. */
1570 {
1571 /* Compute the least common multiple of the input and output
1572 buffer sizes, adjusting for outlandish values.
1573 Note we read in multiples of the reported block size
1574 to support (unusual) devices that have this constraint. */
1577 blcm_max);
1579 /* Do not bother with a buffer larger than the input file, plus one
1580 byte to make sure the file has not grown while reading it. */
1584 /* However, stick with a block size that is a positive multiple of
1585 blcm, overriding the above adjustments. Watch out for
1586 overflow. */
1591 }
1593 off_t n_read;
1596 #ifdef SEEK_HOLE
1597 scantype == LSEEK_SCANTYPE
1603 :
1604 #endif
1611 {
1614 }
1616 {
1620 }
1621 }
1624 {
1630 {
1633 {
1636 }
1637 }
1638 }
1640 /* Set ownership before xattrs as changing owners will
1641 clear capabilities. */
1643 {
1646 {
1654 }
1655 }
1658 {
1662 }
1666 #if HAVE_FCLONEFILEAT && !USE_XATTR
1667 set_dest_mode:
1668 #endif
1670 {
1674 }
1676 {
1679 }
1681 {
1684 }
1686 {
1692 {
1697 }
1698 }
1703 close_src_and_dst_desc:
1705 {
1708 }
1709 close_src_desc:
1711 {
1714 }
1716 /* Output debug info for data copying operations. */
1722 }
1724 /* Return whether it's OK that two files are the "same" by some measure.
1725 The first file is SRC_NAME and has status SRC_SB.
1726 The second is DST_DIRFD+DST_RELNAME and has status DST_SB.
1727 The copying options are X. The goal is to avoid
1728 making the 'copy' operation remove both copies of the file
1729 in that case, while still allowing the user to e.g., move or
1730 copy a regular file onto a symlink that points to it.
1731 Try to minimize the cost of this function in the common case.
1732 Set *RETURN_NOW if we've determined that the caller has no more
1733 work to do and should return successfully, right away. */
1735 static bool
1739 {
1750 /* FIXME: this should (at the very least) be moved into the following
1751 if-block. More likely, it should be removed, because it inhibits
1752 making backups. But removing it will result in a change in behavior
1753 that will probably have to be documented -- and tests will have to
1754 be updated. */
1756 {
1759 }
1762 {
1765 /* If both the source and destination files are symlinks (and we'll
1766 know this here IFF preserving symlinks), then it's usually ok
1767 when they are distinct. */
1769 {
1772 {
1773 /* It's fine when we're making any type of backup. */
1777 /* Here we have two symlinks that are hard-linked together,
1778 and we're not making backups. In this unusual case, simply
1779 returning true would lead to mv calling "rename(A,B)",
1780 which would do nothing and return 0. */
1782 {
1785 }
1786 }
1789 }
1793 }
1794 else
1795 {
1809 /* If both are symlinks, then it's ok, but only if the destination
1810 will be unlinked before being opened. This is like the test
1811 above, but with the addition of the unlink_dest_before_opening
1812 conjunct because otherwise, with two symlinks to the same target,
1813 we'd end up truncating the source file. */
1817 }
1819 /* The backup code ensures there's a copy, so it's usually ok to
1820 remove any destination file. One exception is when both
1821 source and destination are the same directory entry. In that
1822 case, moving the destination file aside (in making the backup)
1823 would also rename the source file and result in an error. */
1825 {
1827 {
1828 /* In copy mode when dereferencing symlinks, if the source is a
1829 symlink and the dest is not, then backing up the destination
1830 (moving it aside) would make it a dangling symlink, and the
1831 subsequent attempt to open it in copy_reg would fail with
1832 a misleading diagnostic. Avoid that by returning zero in
1833 that case so the caller can make cp (or mv when it has to
1834 resort to reading the source file) fail now. */
1836 /* FIXME-note: even with the following kludge, we can still provoke
1837 the offending diagnostic. It's just a little harder to do :-)
1838 $ rm -f a b c; touch c; ln -s c b; ln -s b a; cp -b a b
1839 cp: cannot open 'a' for reading: No such file or directory
1840 That's misleading, since a subsequent 'ls' shows that 'a'
1841 is still there.
1842 One solution would be to open the source file *before* moving
1843 aside the destination, but that'd involve a big rewrite. */
1851 }
1853 /* FIXME: What about case insensitive file systems ? */
1855 }
1857 #if 0
1858 /* FIXME: use or remove */
1860 /* If we're making a backup, we'll detect the problem case in
1861 copy_reg because SRC_NAME will no longer exist. Allowing
1862 the test to be deferred lets cp do some useful things.
1863 But when creating hardlinks and SRC_NAME is a symlink
1864 but DST_RELNAME is not we must test anyway. */
1872 #endif
1875 {
1876 /* They may refer to the same file if we're in move mode and the
1877 target is a symlink. That is ok, since we remove any existing
1878 destination file before opening it -- via 'rename' if they're on
1879 the same file system, via unlinkat otherwise. */
1883 /* It's not ok if they're distinct hard links to the same file as
1884 this causes a race condition and we may lose data in this case. */
1889 }
1891 /* If neither is a symlink, then it's ok as long as they aren't
1892 hard links to the same file. */
1894 {
1898 /* If they are the same file, it's ok if we're making hard links. */
1900 {
1903 }
1904 }
1906 /* At this point, it is normally an error (data loss) to move a symlink
1907 onto its referent, but in at least one narrow case, it is not:
1908 In move mode, when
1909 1) src is a symlink,
1910 2) dest has a link count of 2 or more and
1911 3) dest and the referent of src are not the same directory entry,
1912 then it's ok, since while we'll lose one of those hard links,
1913 src will still point to a remaining link.
1914 Note that technically, condition #3 obviates condition #2, but we
1915 retain the 1 < st_nlink condition because that means fewer invocations
1916 of the more expensive #3.
1918 Given this,
1919 $ touch f && ln f l && ln -s f s
1920 $ ls -og f l s
1921 -rw-------. 2 0 Jan 4 22:46 f
1922 -rw-------. 2 0 Jan 4 22:46 l
1923 lrwxrwxrwx. 1 1 Jan 4 22:46 s -> f
1924 this must fail: mv s f
1925 this must succeed: mv s l */
1929 {
1932 {
1937 }
1938 }
1940 /* It's ok to recreate a destination symlink. */
1945 {
1960 {
1961 /* It's ok to attempt to hardlink the same file,
1962 and return early if not replacing a symlink.
1963 Note we need to return early to avoid a later
1964 unlink() of DST (when SRC is a symlink). */
1967 }
1968 }
1971 }
1973 /* Return whether DST_DIRFD+DST_RELNAME, with mode MODE,
1974 is writable in the sense of 'mv'.
1975 Always consider a symbolic link to be writable. */
1976 static bool
1978 {
1982 }
1984 static bool
1988 {
1990 {
2002 }
2003 else
2004 {
2007 }
2010 }
2012 /* Initialize the hash table implementing a set of F_triple entries
2013 corresponding to destination files. */
2016 {
2017 x->dest_info
2020 triple_hash,
2021 triple_compare,
2022 triple_free);
2025 }
2027 /* Initialize the hash table implementing a set of F_triple entries
2028 corresponding to source files listed on the command line. */
2031 {
2033 /* Note that we use triple_hash_no_name here.
2034 Contrast with the use of triple_hash above.
2035 That is necessary because a source file may be specified
2036 in many different ways. We want to warn about this
2037 cp a a d/
2038 as well as this:
2039 cp a ./a d/
2040 */
2041 x->src_info
2044 triple_hash_no_name,
2045 triple_compare,
2046 triple_free);
2049 }
2051 /* When effecting a move (e.g., for mv(1)), and given the name DST_NAME
2052 aka DST_DIRFD+DST_RELNAME
2053 of the destination and a corresponding stat buffer, DST_SB, return
2054 true if the logical 'move' operation should _not_ proceed.
2055 Otherwise, return false.
2056 Depending on options specified in X, this code may issue an
2057 interactive prompt asking whether it's ok to overwrite DST_NAME. */
2058 static bool
2063 {
2073 }
2075 /* Print --verbose output on standard output, e.g. 'new' -> 'old'.
2076 If BACKUP_DST_NAME is non-null, then also indicate that it is
2077 the name of a backup file. */
2078 static void
2080 {
2085 }
2087 /* A wrapper around "setfscreatecon (nullptr)" that exits upon failure. */
2088 static void
2090 {
2094 }
2096 /* Return a newly-allocated string that is like STR
2097 except replace its suffix SUFFIX with NEWSUFFIX. */
2100 {
2106 }
2108 /* Create a hard link to SRC_NAME aka SRC_DIRFD+SRC_RELNAME;
2109 the new link is at DST_NAME aka DST_DIRFD+DST_RELNAME.
2110 A null SRC_NAME stands for the file whose name is like DST_NAME
2111 except with DST_RELNAME replaced with SRC_RELNAME.
2112 Honor the REPLACE, VERBOSE and DEREFERENCE settings.
2113 Return true upon success. Otherwise, diagnose the
2114 failure and return false. If SRC_NAME is a symbolic link, then it will not
2115 be followed unless DEREFERENCE is true.
2116 If the system doesn't support hard links to symbolic links, then DST_NAME
2117 will be created as a symbolic link to SRC_NAME. */
2118 static bool
2122 {
2127 {
2132 src_relname);
2137 }
2141 }
2143 /* Return true if the current file should be (tried to be) dereferenced:
2144 either for DEREF_ALWAYS or for DEREF_COMMAND_LINE_ARGUMENTS in the case
2145 where the current file is a COMMAND_LINE_ARG; otherwise return false. */
2146 ATTRIBUTE_PURE
2149 {
2153 }
2155 /* Return true if the source file with basename SRCBASE and status SRC_ST
2156 is likely to be the simple backup file for DST_DIRFD+DST_RELNAME. */
2157 static bool
2160 {
2171 simple_backup_suffix);
2176 }
2178 /* Copy the file SRC_NAME to the file DST_NAME aka DST_DIRFD+DST_RELNAME.
2179 If NONEXISTENT_DST is positive, DST_NAME does not exist even as a
2180 dangling symlink; if negative, it does not exist except possibly
2181 as a dangling symlink; if zero, its existence status is unknown.
2182 A non-null PARENT describes the parent directory.
2183 ANCESTORS points to a linked, null terminated list of
2184 devices and inodes of parent directories of SRC_NAME.
2185 X summarizes the command-line options.
2186 COMMAND_LINE_ARG means SRC_NAME was specified on the command line.
2187 FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG is both input and output.
2188 Set *COPY_INTO_SELF if SRC_NAME is a parent of (or the
2189 same as) DST_NAME; otherwise, clear it.
2190 If X->move_mode, set *RENAME_SUCCEEDED according to whether
2191 the source was simply renamed to the destination.
2192 Return true if successful. */
2193 static bool
2204 {
2209 mode_t dst_mode_bits;
2210 mode_t omitted_permissions;
2220 /* Whether the destination is (or was) known to be new, updated as
2221 more info comes in. This may become true if the destination is a
2222 dangling symlink, in contexts where dangling symlinks should be
2223 treated the same as nonexistent files. */
2230 {
2233 RENAME_NOREPLACE)
2236 }
2242 {
2246 int fstatat_flags
2249 {
2252 }
2257 {
2263 }
2264 }
2265 else
2266 {
2267 #if defined lint && (defined __clang__ || defined __COVERITY__)
2270 #endif
2271 }
2273 /* Detect the case in which the same source file appears more than
2274 once on the command line and no backup option has been selected.
2275 If so, simply warn and don't copy it the second time.
2276 This check is enabled only if x->src_info is non-null. */
2278 {
2282 {
2286 }
2289 }
2294 {
2298 {
2299 /* Regular files can be created by writing through symbolic
2300 links, but other files cannot. So use stat on the
2301 destination when copying a regular file, and lstat otherwise.
2302 However, if we intend to unlink or remove the destination
2303 first, use lstat, since a copy won't actually be made to the
2304 destination in that case. */
2305 bool use_lstat
2317 {
2320 }
2321 else
2322 {
2326 {
2329 }
2330 else
2332 }
2333 }
2336 {
2344 {
2348 }
2351 {
2352 /* When preserving timestamps (but not moving within a file
2353 system), don't worry if the destination timestamp is
2354 less than the source merely because of timestamp
2355 truncation. */
2359 ? UTIMECMP_TRUNCATE_SOURCE
2364 {
2365 /* We're using --update and the destination is not older
2366 than the source, so do not copy or move. Pretend the
2367 rename succeeded, so the caller (if it's mv) doesn't
2368 end up removing the source file. */
2372 /* However, we still must record that we've processed
2373 this src/dest pair, in case this source file is
2374 hard-linked to another one. In that case, we'll use
2375 the mapping information to link the corresponding
2376 destination names. */
2380 {
2381 /* Note we currently replace DST_NAME unconditionally,
2382 even if it was a newer separate file. */
2387 {
2389 }
2390 }
2394 }
2395 }
2397 /* When there is an existing destination file, we may end up
2398 returning early, and hence not copying/moving the file.
2399 This may be due to an interactive 'negative' reply to the
2400 prompt about the existing file. It may also be due to the
2401 use of the --no-clobber option.
2403 cp and mv treat -i and -f differently. */
2405 {
2407 {
2408 /* Pretend the rename succeeded, so the caller (mv)
2409 doesn't end up removing the source file. */
2415 }
2416 }
2417 else
2418 {
2425 {
2428 }
2429 }
2431 skip:
2433 {
2440 }
2446 {
2448 {
2450 {
2451 /* Moving a directory onto an existing
2452 non-directory is ok only with --backup. */
2453 }
2454 else
2455 {
2460 }
2461 }
2463 /* Don't let the user destroy their data, even if they try hard:
2464 This mv command must fail (likewise for cp):
2465 rm -rf a b c; mkdir a b c; touch a/f b/f; mv a/f b/f c
2466 Otherwise, the contents of b/f would be lost.
2467 In the case of 'cp', b/f would be lost if the user simulated
2468 a move using cp and rm.
2469 Note that it works fine if you use --backup=numbered. */
2473 {
2478 }
2479 }
2482 {
2484 {
2486 {
2487 /* Moving a non-directory onto an existing
2488 directory is ok only with --backup. */
2489 }
2490 else
2491 {
2496 }
2497 }
2498 }
2501 {
2502 /* Don't allow user to move a directory onto a non-directory. */
2505 {
2510 }
2511 }
2515 /* Don't try to back up a destination if the last
2516 component of src_name is "." or "..". */
2518 /* Create a backup of each destination directory in move mode,
2519 but not in copy mode. FIXME: it might make sense to add an
2520 option to suppress backup creation also for move mode.
2521 That would let one use mv to merge new content into an
2522 existing hierarchy. */
2524 {
2525 /* Fail if creating the backup file would likely destroy
2526 the source file. Otherwise, the commands:
2527 cd /tmp; rm -f a a~; : > a; echo A > a~; cp --b=simple a~ a
2528 would leave two zero-length files: a and a~. */
2532 {
2541 }
2546 /* FIXME: use fts:
2547 Using alloca for a file name that may be arbitrarily
2548 long is not recommended. In fact, even forming such a name
2549 should be discouraged. Eventually, this code will be rewritten
2550 to use fts, so using alloca here will be less of a problem. */
2552 {
2559 }
2561 {
2564 }
2566 }
2568 /* Never unlink dst_name when in move mode. */
2575 ))
2576 {
2578 {
2581 }
2585 }
2586 }
2587 }
2589 /* Ensure we don't try to copy through a symlink that was
2590 created by a prior call to this function. */
2595 {
2600 /* If we did not follow symlinks above, good: use that data.
2601 Otherwise, use AT_SYMLINK_NOFOLLOW, in case dst_name is a symlink. */
2607 else
2610 /* Never copy through a symlink we've just created. */
2614 {
2619 }
2620 }
2622 /* If the source is a directory, we don't always create the destination
2623 directory. So --verbose should not announce anything until we're
2624 sure we'll create a directory. Also don't announce yet when moving
2625 so we can distinguish renames versus copies. */
2629 /* Associate the destination file name with the source device and inode
2630 so that if we encounter a matching dev/ino pair in the source tree
2631 we can arrange to create a hard link between the corresponding names
2632 in the destination tree.
2634 When using the --link (-l) option, there is no need to take special
2635 measures, because (barring race conditions) files that are hard-linked
2636 in the source tree will also be hard-linked in the destination tree.
2638 Sometimes, when preserving links, we have to record dev/ino even
2639 though st_nlink == 1:
2640 - when in move_mode, since we may be moving a group of N hard-linked
2641 files (via two or more command line arguments) to a different
2642 partition; the links may be distributed among the command line
2643 arguments (possibly hierarchies) so that the link count of
2644 the final, once-linked source file is reduced to 1 when it is
2645 considered below. But in this case (for mv) we don't need to
2646 incur the expense of recording the dev/ino => name mapping; all we
2647 really need is a lookup, to see if the dev/ino pair has already
2648 been copied.
2649 - when using -H and processing a command line argument;
2650 that command line argument could be a symlink pointing to another
2651 command line argument. With 'cp -H --preserve=link', we hard-link
2652 those two destination files.
2653 - likewise for -L except that it applies to all files, not just
2654 command line arguments.
2656 Also, with --recursive, record dev/ino of each command-line directory.
2657 We'll use that info to detect this problem: cp -R dir dir. */
2662 {
2666 else
2668 }
2670 {
2672 }
2676 || (command_line_arg
2679 {
2682 }
2684 /* Did we copy this inode somewhere else (in this command line argument)
2685 and therefore this is a second hard link to the inode? */
2688 {
2689 /* Avoid damaging the destination file system by refusing to preserve
2690 hard-linked directories (which are found at least in Netapp snapshot
2691 directories). */
2693 {
2694 /* If src_name and earlier_file refer to the same directory entry,
2695 then warn about copying a directory into itself. */
2697 {
2703 }
2706 {
2710 /* In move mode, if a previous rename succeeded, then
2711 we won't be in this path as the source is missing. If the
2712 rename previously failed, then that has been handled, so
2713 pretend this attempt succeeded so the source isn't removed. */
2716 /* We only do backups in move mode, and for non directories.
2717 So just ignore this repeated entry. */
2719 }
2721 || (command_line_arg
2723 {
2724 /* This happens when e.g., encountering a directory for the
2725 second or subsequent time via symlinks when cp is invoked
2726 with -R and -L. E.g.,
2727 rm -rf a b c d; mkdir a b c d; ln -s ../c a; ln -s ../c b;
2728 cp -RL a b d
2729 */
2730 }
2731 else
2732 {
2734 earlier_file);
2739 }
2740 }
2741 else
2742 {
2749 }
2750 }
2753 {
2759 {
2761 {
2764 }
2767 {
2768 /* -Z failures are only warnings currently. */
2770 }
2776 {
2777 /* Record destination dev/ino/name, so that if we are asked
2778 to overwrite that file again, we can detect it and fail. */
2779 /* It's fine to use the _source_ stat buffer (src_sb) to get the
2780 _destination_ dev/ino, since the rename above can't have
2781 changed those, and 'mv' always uses lstat.
2782 We could limit it further by operating
2783 only on non-directories. */
2785 }
2788 }
2790 /* FIXME: someday, consider what to do when moving a directory into
2791 itself but when source and destination are on different devices. */
2793 /* This happens when attempting to rename a directory to a
2794 subdirectory of itself. */
2796 {
2797 /* FIXME: this is a little fragile in that it relies on rename(2)
2798 failing with a specific errno value. Expect problems on
2799 non-POSIX systems. */
2804 /* Note that there is no need to call forget_created here,
2805 (compare with the other calls in this file) since the
2806 destination directory didn't exist before. */
2809 /* FIXME-cleanup: Don't return true here; adjust mv.c accordingly.
2810 The only caller that uses this code (mv.c) ends up setting its
2811 exit status to nonzero when copy_into_self is nonzero. */
2813 }
2815 /* WARNING: there probably exist systems for which an inter-device
2816 rename fails with a value of errno not handled here.
2817 If/as those are reported, add them to the condition below.
2818 If this happens to you, please do the following and send the output
2819 to the bug-reporting address (e.g., in the output of cp --help):
2820 touch k; perl -e 'rename "k","/tmp/k" or print "$!(",$!+0,")\n"'
2821 where your current directory is on one partition and /tmp is the other.
2822 Also, please try to find the E* errno macro name corresponding to
2823 the diagnostic and parenthesized integer, and include that in your
2824 e-mail. One way to do that is to run a command like this
2825 find /usr/include/. -type f \
2826 | xargs grep 'define.*\<E[A-Z]*\>.*\<18\>' /dev/null
2827 where you'd replace '18' with the integer in parentheses that
2828 was output from the perl one-liner above.
2829 If necessary, of course, change '/tmp' to some other directory. */
2831 {
2832 /* There are many ways this can happen due to a race condition.
2833 When something happens between the initial follow_fstatat and the
2834 subsequent rename, we can get many different types of errors.
2835 For example, if the destination is initially a non-directory
2836 or non-existent, but it is created as a directory, the rename
2837 fails. If two 'mv' commands try to rename the same file at
2838 about the same time, one will succeed and the other will fail.
2839 If the permissions on the directory containing the source or
2840 destination file are made too restrictive, the rename will
2841 fail. Etc. */
2844 {
2847 #if ENOTEMPTY != EEXIST
2849 #endif
2850 /* The destination must be the problem. Don't mention
2851 the source as that is more likely to confuse the user
2852 than be helpful. */
2854 quoted_dst_name);
2861 }
2864 }
2866 /* The rename attempt has failed. Remove any existing destination
2867 file so that a cross-device 'mv' acts as if it were really using
2868 the rename syscall. Note both src and dst must both be directories
2869 or not, and this is enforced above. Therefore we check the src_mode
2870 and operate on dst_name here as a tighter constraint and also because
2871 src_mode is readily available here. */
2876 {
2882 }
2885 {
2888 }
2890 }
2892 /* If the ownership might change, or if it is a directory (whose
2893 special mode bits may change after the directory is created),
2894 omit some permissions at first, so unauthorized users cannot nip
2895 in before the file is ready. */
2897 omitted_permissions =
2898 (dst_mode_bits
2905 /* If required, set the default security context for new files.
2906 Also for existing files this is used as a reference
2907 when copying the context with --preserve=context.
2908 FIXME: Do we need to consider dst_mode_bits here? */
2913 {
2916 /* If this directory has been copied before during the
2917 recursion, there is a symbolic link to an ancestor
2918 directory of the symbolic link. It is impossible to
2919 continue to copy this, unless we've got an infinite file system. */
2922 {
2926 }
2928 /* Insert the current directory in the list of parents. */
2936 {
2937 /* POSIX says mkdir's behavior is implementation-defined when
2938 (src_mode & ~S_IRWXUGO) != 0. However, common practice is
2939 to ask mkdir to copy all the CHMOD_MODE_BITS, letting mkdir
2940 decide what to do with S_ISUID | S_ISGID | S_ISVTX. */
2943 {
2947 }
2949 /* We need search and write permissions to the new directory
2950 for writing the directory's contents. Check if these
2951 permissions are there. */
2954 {
2957 }
2959 {
2960 /* Make the new directory searchable and writable. */
2966 {
2970 }
2971 }
2973 /* Record the created directory's inode and device numbers into
2974 the search structure, so that we can avoid copying it again.
2975 Do this only for the first directory that is created for each
2976 source command line argument. */
2978 {
2981 }
2984 {
2987 else
2989 }
2990 }
2991 else
2992 {
2995 /* For directories, the process global context could be reset for
2996 descendants, so use it to set the context for existing dirs here.
2997 This will also give earlier indication of failure to set ctx. */
3000 {
3003 }
3004 }
3006 /* Decide whether to copy the contents of the directory. */
3008 {
3009 /* Here, we are crossing a file system boundary and cp's -x option
3010 is in effect: so don't copy the contents of this directory. */
3011 }
3012 else
3013 {
3014 /* Copy the contents of the directory. Don't just return if
3015 this fails -- otherwise, the failure to read a single file
3016 in a source directory would cause the containing destination
3017 directory not to have owner/perms set properly. */
3020 first_dir_created_per_command_line_arg,
3021 copy_into_self);
3022 }
3023 }
3025 {
3028 {
3029 /* Check that DST_NAME denotes a file in the current directory. */
3038 /* If either stat call fails, it's ok not to report
3039 the failure and say dst_name is in the current
3040 directory. Other things will fail later. */
3048 {
3053 }
3054 }
3059 {
3063 }
3064 }
3066 /* POSIX 2008 states that it is implementation-defined whether
3067 link() on a symlink creates a hard-link to the symlink, or only
3068 to the referent (effectively dereferencing the symlink) (POSIX
3069 2001 required the latter behavior, although many systems provided
3070 the former). Yet cp, invoked with '--link --no-dereference',
3071 should not follow the link. We can approximate the desired
3072 behavior by skipping this hard-link creating block and instead
3073 copying the symlink, via the 'S_ISLNK'- copying code below.
3075 Note gnulib's linkat module, guarantees that the symlink is not
3076 dereferenced. However its emulation currently doesn't maintain
3077 timestamps or ownership so we only call it when we know the
3078 emulation will not be needed. */
3082 {
3089 }
3092 {
3094 /* POSIX says the permission bits of the source file must be
3095 used as the 3rd argument in the open call. Historical
3096 practice passed all the source mode bits to 'open', but the extra
3097 bits were ignored, so it should be the same either way.
3099 This call uses DST_MODE_BITS, not SRC_MODE. These are
3100 normally the same, and the exception (where x->set_mode) is
3101 used only by 'install', which POSIX does not specify and
3102 where DST_MODE_BITS is what's wanted. */
3107 }
3109 {
3110 /* Use mknodat, rather than mkfifoat, because the former preserves
3111 the special mode bits of a fifo on Solaris 10, while mkfifoat
3112 does not. But fall back on mkfifoat, because on some BSD systems,
3113 mknodat always fails when asked to create a FIFO. */
3117 {
3120 }
3121 }
3123 {
3126 {
3130 }
3131 }
3133 {
3137 {
3141 }
3147 {
3148 /* See if the destination is already the desired symlink.
3149 FIXME: This behavior isn't documented, and seems wrong
3150 in some cases, e.g., if the destination symlink has the
3151 wrong ownership, permissions, or timestamps. */
3155 {
3159 }
3160 }
3163 {
3167 }
3173 {
3174 /* Preserve the owner and group of the just-'copied'
3175 symbolic link, if possible. */
3181 {
3183 dst_name);
3186 }
3187 else
3188 {
3189 /* Can't preserve ownership of symlinks.
3190 FIXME: maybe give a warning or even error for symlinks
3191 in directories with the sticky bit set -- there, not
3192 preserving owner/group is a potential security problem. */
3193 }
3194 }
3195 }
3196 else
3197 {
3200 }
3202 /* With -Z or --preserve=context, set the context for existing files.
3203 Note this is done already for copy_reg() for reasons described therein. */
3206 {
3208 {
3211 }
3212 }
3215 {
3216 /* Now that the destination file is very likely to exist,
3217 add its info to the set. */
3221 }
3223 /* If we've just created a hard-link due to cp's --link option,
3224 we're done. */
3233 /* POSIX says that 'cp -p' must restore the following:
3234 - permission bits
3235 - setuid, setgid bits
3236 - owner and group
3237 If it fails to restore any of those, we may give a warning but
3238 the destination must not be removed.
3239 FIXME: implement the above. */
3241 /* Adjust the times (and if possible, ownership) for the copy.
3242 chown turns off set[ug]id bits for non-root,
3243 so do the chmod last. */
3246 {
3253 {
3257 }
3258 }
3260 /* Avoid calling chown if we know it's not necessary. */
3263 {
3266 {
3273 }
3274 }
3276 /* Set xattrs after ownership as changing owners will clear capabilities. */
3281 /* The operations beyond this point may dereference a symlink. */
3288 {
3292 }
3294 {
3297 }
3299 {
3304 }
3305 else
3306 {
3308 {
3312 {
3313 /* Permissions were deliberately omitted when the file
3314 was created due to security concerns. See whether
3315 they need to be re-added now. It'd be faster to omit
3316 the lstat, but deducing the current destination mode
3317 is tricky in the presence of implementation-defined
3318 rules for special mode bits. */
3320 AT_SYMLINK_NOFOLLOW)
3322 {
3325 }
3329 }
3330 }
3333 {
3336 {
3341 }
3342 }
3343 }
3347 un_backup:
3352 /* We have failed to create the destination file.
3353 If we've just added a dev/ino entry via the remember_copied
3354 call above (i.e., unless we've just failed to create a hard link),
3355 remove the entry associating the source dev/ino with the
3356 destination file name, so we don't try to 'preserve' a link
3357 to a file we didn't create. */
3362 {
3366 else
3367 {
3371 }
3372 }
3374 }
3376 static void
3378 {
3386 }
3388 /* Copy the file SRC_NAME to the file DST_NAME aka DST_DIRFD+DST_RELNAME.
3389 If NONEXISTENT_DST is positive, DST_NAME does not exist even as a
3390 dangling symlink; if negative, it does not exist except possibly
3391 as a dangling symlink; if zero, its existence status is unknown.
3392 OPTIONS summarizes the command-line options.
3393 Set *COPY_INTO_SELF if SRC_NAME is a parent of (or the
3394 same as) DST_NAME; otherwise, set clear it.
3395 If X->move_mode, set *RENAME_SUCCEEDED according to whether
3396 the source was simply renamed to the destination.
3397 Return true if successful. */
3404 {
3407 /* Record the file names: they're used in case of error, when copying
3408 a directory into itself. I don't like to make these tools do *any*
3409 extra work in the common case when that work is solely to handle
3410 exceptional cases, but in this case, I don't see a way to derive the
3411 top level source and destination directory names where they're used.
3412 An alternative is to use COPY_INTO_SELF and print the diagnostic
3413 from every caller -- but I don't want to do that. */
3423 }
3425 /* Set *X to the default options for a value of type struct cp_options. */
3429 {
3431 #ifdef PRIV_FILE_CHOWN
3432 {
3437 {
3440 }
3442 }
3443 #else
3445 #endif
3447 }
3449 /* Return true if it's OK for chown to fail, where errno is
3450 the error number that chown failed with and X is the copying
3451 option set. */
3455 {
3456 /* If non-root uses -p, it's ok if we can't preserve ownership.
3457 But root probably wants to know, e.g. if NFS disallows it,
3458 or if the target system doesn't support file ownership.
3460 Treat EACCES like EPERM and EINVAL to work around a bug in Linux
3461 CIFS <https://bugs.gnu.org/65599>. Although this means coreutils
3462 will ignore EACCES errors that it should report, problems should
3463 occur only when some other process is racing with coreutils and
3464 coreutils is not immune to races anyway. */
3468 }
3470 /* Similarly, return true if it's OK for chmod and similar operations
3471 to fail, where errno is the error number that chmod failed with and
3472 X is the copying option set. */
3474 static bool
3476 {
3479 }
3481 /* Return the user's umask, caching the result.
3483 FIXME: If the destination's parent directory has has a default ACL,
3484 some operating systems (e.g., GNU/Linux's "POSIX" ACLs) use that
3485 ACL's mask rather than the process umask. Currently, the callers
3486 of cached_umask incorrectly assume that this situation cannot occur. */
3487 extern mode_t
3489 {
3492 {
3495 }
3497 }