search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
split: port ‘split -n N /dev/null’ better to macOS
[coreutils.git] / src / chown-core.c
blobaefd4f6efef1ed304920384817f169cf35067bfb
1 /* chown-core.c -- core functions for changing ownership.
2 Copyright (C) 2000-2023 Free Software Foundation, Inc.
3
4 This program is free software: you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation, either version 3 of the License, or
7 (at your option) any later version.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <https://www.gnu.org/licenses/>. */
16
17 /* Extracted from chown.c/chgrp.c and librarified by Jim Meyering. */
18
19 #include <config.h>
20 #include <stdio.h>
21 #include <sys/types.h>
22 #include <pwd.h>
23 #include <grp.h>
24
25 #include "system.h"
26 #include "chown-core.h"
27 #include "error.h"
28 #include "ignore-value.h"
29 #include "root-dev-ino.h"
30 #include "xfts.h"
31
32 #define FTSENT_IS_DIRECTORY(E) \
33 ((E)->fts_info == FTS_D \
34 || (E)->fts_info == FTS_DC \
35 || (E)->fts_info == FTS_DP \
36 || (E)->fts_info == FTS_DNR)
37
38 enum RCH_status
39 {
40 /* we called fchown and close, and both succeeded */
41 RC_ok = 2,
42
43 /* required_uid and/or required_gid are specified, but don't match */
44 RC_excluded,
45
46 /* SAME_INODE check failed */
47 RC_inode_changed,
48
49 /* open/fchown isn't needed, isn't safe, or doesn't work due to
50 permissions problems; fall back on chown */
51 RC_do_ordinary_chown,
52
53 /* open, fstat, fchown, or close failed */
54 RC_error
55 };
56
57 extern void
58 chopt_init (struct Chown_option *chopt)
59 {
60 chopt->verbosity = V_off;
61 chopt->root_dev_ino = NULL;
62 chopt->affect_symlink_referent = true;
63 chopt->recurse = false;
64 chopt->force_silent = false;
65 chopt->user_name = NULL;
66 chopt->group_name = NULL;
67 }
68
69 extern void
70 chopt_free (struct Chown_option *chopt)
71 {
72 free (chopt->user_name);
73 free (chopt->group_name);
74 }
75
76 /* Convert the numeric user-id, UID, to a string stored in xmalloc'd memory,
77 and return it. Use the decimal representation of the ID. */
78
79 static char *
80 uid_to_str (uid_t uid)
81 {
82 char buf[INT_BUFSIZE_BOUND (intmax_t)];
83 return xstrdup (TYPE_SIGNED (uid_t) ? imaxtostr (uid, buf)
84 : umaxtostr (uid, buf));
85 }
86
87 /* Convert the numeric group-id, GID, to a string stored in xmalloc'd memory,
88 and return it. Use the decimal representation of the ID. */
89
90 static char *
91 gid_to_str (gid_t gid)
92 {
93 char buf[INT_BUFSIZE_BOUND (intmax_t)];
94 return xstrdup (TYPE_SIGNED (gid_t) ? imaxtostr (gid, buf)
95 : umaxtostr (gid, buf));
96 }
97
98 /* Convert the numeric group-id, GID, to a string stored in xmalloc'd memory,
99 and return it. If there's no corresponding group name, use the decimal
100 representation of the ID. */
101
102 extern char *
103 gid_to_name (gid_t gid)
104 {
105 struct group *grp = getgrgid (gid);
106 return grp ? xstrdup (grp->gr_name) : gid_to_str (gid);
107 }
108
109 /* Convert the numeric user-id, UID, to a string stored in xmalloc'd memory,
110 and return it. If there's no corresponding user name, use the decimal
111 representation of the ID. */
112
113 extern char *
114 uid_to_name (uid_t uid)
115 {
116 struct passwd *pwd = getpwuid (uid);
117 return pwd ? xstrdup (pwd->pw_name) : uid_to_str (uid);
118 }
119
120 /* Allocate a string representing USER and GROUP. */
121
122 static char *
123 user_group_str (char const *user, char const *group)
124 {
125 char *spec = NULL;
126
127 if (user)
128 {
129 if (group)
130 {
131 spec = xmalloc (strlen (user) + 1 + strlen (group) + 1);
132 stpcpy (stpcpy (stpcpy (spec, user), ":"), group);
133 }
134 else
135 {
136 spec = xstrdup (user);
137 }
138 }
139 else if (group)
140 {
141 spec = xstrdup (group);
142 }
143
144 return spec;
145 }
146
147 /* Tell the user how/if the user and group of FILE have been changed.
148 If USER is NULL, give the group-oriented messages.
149 CHANGED describes what (if anything) has happened. */
150
151 static void
152 describe_change (char const *file, enum Change_status changed,
153 char const *old_user, char const *old_group,
154 char const *user, char const *group)
155 {
156 char const *fmt;
157 char *old_spec;
158 char *spec;
159
160 if (changed == CH_NOT_APPLIED)
161 {
162 printf (_("neither symbolic link %s nor referent has been changed\n"),
163 quoteaf (file));
164 return;
165 }
166
167 spec = user_group_str (user, group);
168 old_spec = user_group_str (user ? old_user : NULL, group ? old_group : NULL);
169
170 switch (changed)
171 {
172 case CH_SUCCEEDED:
173 fmt = (user ? _("changed ownership of %s from %s to %s\n")
174 : group ? _("changed group of %s from %s to %s\n")
175 : _("no change to ownership of %s\n"));
176 break;
177 case CH_FAILED:
178 if (old_spec)
179 {
180 fmt = (user ? _("failed to change ownership of %s from %s to %s\n")
181 : group ? _("failed to change group of %s from %s to %s\n")
182 : _("failed to change ownership of %s\n"));
183 }
184 else
185 {
186 fmt = (user ? _("failed to change ownership of %s to %s\n")
187 : group ? _("failed to change group of %s to %s\n")
188 : _("failed to change ownership of %s\n"));
189 free (old_spec);
190 old_spec = spec;
191 spec = NULL;
192 }
193 break;
194 case CH_NO_CHANGE_REQUESTED:
195 fmt = (user ? _("ownership of %s retained as %s\n")
196 : group ? _("group of %s retained as %s\n")
197 : _("ownership of %s retained\n"));
198 break;
199 default:
200 abort ();
201 }
202
203 printf (fmt, quoteaf (file), old_spec, spec);
204
205 free (old_spec);
206 free (spec);
207 }
208
209 /* Change the owner and/or group of the FILE to UID and/or GID (safely)
210 only if REQUIRED_UID and REQUIRED_GID match the owner and group IDs
211 of FILE. ORIG_ST must be the result of 'stat'ing FILE.
212
213 The 'safely' part above means that we can't simply use chown(2),
214 since FILE might be replaced with some other file between the time
215 of the preceding stat/lstat and this chown call. So here we open
216 FILE and do everything else via the resulting file descriptor.
217 We first call fstat and verify that the dev/inode match those from
218 the preceding stat call, and only then, if appropriate (given the
219 required_uid and required_gid constraints) do we call fchown.
220
221 Return RC_do_ordinary_chown if we can't open FILE, or if FILE is a
222 special file that might have undesirable side effects when opening.
223 In this case the caller can use the less-safe ordinary chown.
224
225 Return one of the RCH_status values. */
226
227 static enum RCH_status
228 restricted_chown (int cwd_fd, char const *file,
229 struct stat const *orig_st,
230 uid_t uid, gid_t gid,
231 uid_t required_uid, gid_t required_gid)
232 {
233 enum RCH_status status = RC_ok;
234 struct stat st;
235 int open_flags = O_NONBLOCK | O_NOCTTY;
236 int fd;
237
238 if (required_uid == (uid_t) -1 && required_gid == (gid_t) -1)
239 return RC_do_ordinary_chown;
240
241 if (! S_ISREG (orig_st->st_mode))
242 {
243 if (S_ISDIR (orig_st->st_mode))
244 open_flags |= O_DIRECTORY;
245 else
246 return RC_do_ordinary_chown;
247 }
248
249 fd = openat (cwd_fd, file, O_RDONLY | open_flags);
250 if (! (0 <= fd
251 || (errno == EACCES && S_ISREG (orig_st->st_mode)
252 && 0 <= (fd = openat (cwd_fd, file, O_WRONLY | open_flags)))))
253 return (errno == EACCES ? RC_do_ordinary_chown : RC_error);
254
255 if (fstat (fd, &st) != 0)
256 status = RC_error;
257 else if (! SAME_INODE (*orig_st, st))
258 status = RC_inode_changed;
259 else if ((required_uid == (uid_t) -1 || required_uid == st.st_uid)
260 && (required_gid == (gid_t) -1 || required_gid == st.st_gid))
261 {
262 if (fchown (fd, uid, gid) == 0)
263 {
264 status = (close (fd) == 0
265 ? RC_ok : RC_error);
266 return status;
267 }
268 else
269 {
270 status = RC_error;
271 }
272 }
273
274 int saved_errno = errno;
275 close (fd);
276 errno = saved_errno;
277 return status;
278 }
279
280 /* Change the owner and/or group of the file specified by FTS and ENT
281 to UID and/or GID as appropriate.
282 If REQUIRED_UID is not -1, then skip files with any other user ID.
283 If REQUIRED_GID is not -1, then skip files with any other group ID.
284 CHOPT specifies additional options.
285 Return true if successful. */
286 static bool
287 change_file_owner (FTS *fts, FTSENT *ent,
288 uid_t uid, gid_t gid,
289 uid_t required_uid, gid_t required_gid,
290 struct Chown_option const *chopt)
291 {
292 char const *file_full_name = ent->fts_path;
293 char const *file = ent->fts_accpath;
294 struct stat const *file_stats;
295 struct stat stat_buf;
296 bool ok = true;
297 bool do_chown;
298 bool symlink_changed = true;
299
300 switch (ent->fts_info)
301 {
302 case FTS_D:
303 if (chopt->recurse)
304 {
305 if (ROOT_DEV_INO_CHECK (chopt->root_dev_ino, ent->fts_statp))
306 {
307 /* This happens e.g., with "chown -R --preserve-root 0 /"
308 and with "chown -RH --preserve-root 0 symlink-to-root". */
309 ROOT_DEV_INO_WARN (file_full_name);
310 /* Tell fts not to traverse into this hierarchy. */
311 fts_set (fts, ent, FTS_SKIP);
312 /* Ensure that we do not process "/" on the second visit. */
313 ignore_value (fts_read (fts));
314 return false;
315 }
316 return true;
317 }
318 break;
319
320 case FTS_DP:
321 if (! chopt->recurse)
322 return true;
323 break;
324
325 case FTS_NS:
326 /* For a top-level file or directory, this FTS_NS (stat failed)
327 indicator is determined at the time of the initial fts_open call.
328 With programs like chmod, chown, and chgrp, that modify
329 permissions, it is possible that the file in question is
330 accessible when control reaches this point. So, if this is
331 the first time we've seen the FTS_NS for this file, tell
332 fts_read to stat it "again". */
333 if (ent->fts_level == 0 && ent->fts_number == 0)
334 {
335 ent->fts_number = 1;
336 fts_set (fts, ent, FTS_AGAIN);
337 return true;
338 }
339 if (! chopt->force_silent)
340 error (0, ent->fts_errno, _("cannot access %s"),
341 quoteaf (file_full_name));
342 ok = false;
343 break;
344
345 case FTS_ERR:
346 if (! chopt->force_silent)
347 error (0, ent->fts_errno, "%s", quotef (file_full_name));
348 ok = false;
349 break;
350
351 case FTS_DNR:
352 if (! chopt->force_silent)
353 error (0, ent->fts_errno, _("cannot read directory %s"),
354 quoteaf (file_full_name));
355 ok = false;
356 break;
357
358 case FTS_DC: /* directory that causes cycles */
359 if (cycle_warning_required (fts, ent))
360 {
361 emit_cycle_warning (file_full_name);
362 return false;
363 }
364 break;
365
366 default:
367 break;
368 }
369
370 if (!ok)
371 {
372 do_chown = false;
373 file_stats = NULL;
374 }
375 else if (required_uid == (uid_t) -1 && required_gid == (gid_t) -1
376 && chopt->verbosity == V_off
377 && ! chopt->root_dev_ino
378 && ! chopt->affect_symlink_referent)
379 {
380 do_chown = true;
381 file_stats = ent->fts_statp;
382 }
383 else
384 {
385 file_stats = ent->fts_statp;
386
387 /* If this is a symlink and we're dereferencing them,
388 stat it to get info on the referent. */
389 if (chopt->affect_symlink_referent && S_ISLNK (file_stats->st_mode))
390 {
391 if (fstatat (fts->fts_cwd_fd, file, &stat_buf, 0) != 0)
392 {
393 if (! chopt->force_silent)
394 error (0, errno, _("cannot dereference %s"),
395 quoteaf (file_full_name));
396 ok = false;
397 }
398
399 file_stats = &stat_buf;
400 }
401
402 do_chown = (ok
403 && (required_uid == (uid_t) -1
404 || required_uid == file_stats->st_uid)
405 && (required_gid == (gid_t) -1
406 || required_gid == file_stats->st_gid));
407 }
408
409 /* This happens when chown -LR --preserve-root encounters a symlink-to-/. */
410 if (ok
411 && FTSENT_IS_DIRECTORY (ent)
412 && ROOT_DEV_INO_CHECK (chopt->root_dev_ino, file_stats))
413 {
414 ROOT_DEV_INO_WARN (file_full_name);
415 return false;
416 }
417
418 if (do_chown)
419 {
420 if ( ! chopt->affect_symlink_referent)
421 {
422 ok = (lchownat (fts->fts_cwd_fd, file, uid, gid) == 0);
423
424 /* Ignore any error due to lack of support; POSIX requires
425 this behavior for top-level symbolic links with -h, and
426 implies that it's required for all symbolic links. */
427 if (!ok && errno == EOPNOTSUPP)
428 {
429 ok = true;
430 symlink_changed = false;
431 }
432 }
433 else
434 {
435 /* If possible, avoid a race condition with --from=O:G and without the
436 (-h) --no-dereference option. If fts's stat call determined
437 that the uid/gid of FILE matched the --from=O:G-selected
438 owner and group IDs, blindly using chown(2) here could lead
439 chown(1) or chgrp(1) mistakenly to dereference a *symlink*
440 to an arbitrary file that an attacker had moved into the
441 place of FILE during the window between the stat and
442 chown(2) calls. If FILE is a regular file or a directory
443 that can be opened, this race condition can be avoided safely. */
444
445 enum RCH_status err
446 = restricted_chown (fts->fts_cwd_fd, file, file_stats, uid, gid,
447 required_uid, required_gid);
448 switch (err)
449 {
450 case RC_ok:
451 break;
452
453 case RC_do_ordinary_chown:
454 ok = (chownat (fts->fts_cwd_fd, file, uid, gid) == 0);
455 break;
456
457 case RC_error:
458 ok = false;
459 break;
460
461 case RC_inode_changed:
462 /* FIXME: give a diagnostic in this case? */
463 case RC_excluded:
464 do_chown = false;
465 ok = false;
466 break;
467
468 default:
469 abort ();
470 }
471 }
472
473 /* On some systems (e.g., GNU/Linux 2.4.x),
474 the chown function resets the 'special' permission bits.
475 Do *not* restore those bits; doing so would open a window in
476 which a malicious user, M, could subvert a chown command run
477 by some other user and operating on files in a directory
478 where M has write access. */
479
480 if (do_chown && !ok && ! chopt->force_silent)
481 error (0, errno, (uid != (uid_t) -1
482 ? _("changing ownership of %s")
483 : _("changing group of %s")),
484 quoteaf (file_full_name));
485 }
486
487 if (chopt->verbosity != V_off)
488 {
489 bool changed =
490 ((do_chown && ok && symlink_changed)
491 && ! ((uid == (uid_t) -1 || uid == file_stats->st_uid)
492 && (gid == (gid_t) -1 || gid == file_stats->st_gid)));
493
494 if (changed || chopt->verbosity == V_high)
495 {
496 enum Change_status ch_status =
497 (!ok ? CH_FAILED
498 : !symlink_changed ? CH_NOT_APPLIED
499 : !changed ? CH_NO_CHANGE_REQUESTED
500 : CH_SUCCEEDED);
501 char *old_usr = file_stats ? uid_to_name (file_stats->st_uid) : NULL;
502 char *old_grp = file_stats ? gid_to_name (file_stats->st_gid) : NULL;
503 char *new_usr = chopt->user_name
504 ? chopt->user_name : uid != -1
505 ? uid_to_str (uid) : NULL;
506 char *new_grp = chopt->group_name
507 ? chopt->group_name : gid != -1
508 ? gid_to_str (gid) : NULL;
509 describe_change (file_full_name, ch_status,
510 old_usr, old_grp,
511 new_usr, new_grp);
512 free (old_usr);
513 free (old_grp);
514 if (new_usr != chopt->user_name)
515 free (new_usr);
516 if (new_grp != chopt->group_name)
517 free (new_grp);
518 }
519 }
520
521 if ( ! chopt->recurse)
522 fts_set (fts, ent, FTS_SKIP);
523
524 return ok;
525 }
526
527 /* Change the owner and/or group of the specified FILES.
528 BIT_FLAGS specifies how to treat each symlink-to-directory
529 that is encountered during a recursive traversal.
530 CHOPT specifies additional options.
531 If UID is not -1, then change the owner id of each file to UID.
532 If GID is not -1, then change the group id of each file to GID.
533 If REQUIRED_UID and/or REQUIRED_GID is not -1, then change only
534 files with user ID and group ID that match the non-(-1) value(s).
535 Return true if successful. */
536 extern bool
537 chown_files (char **files, int bit_flags,
538 uid_t uid, gid_t gid,
539 uid_t required_uid, gid_t required_gid,
540 struct Chown_option const *chopt)
541 {
542 bool ok = true;
543
544 /* Use lstat and stat only if they're needed. */
545 int stat_flags = ((required_uid != (uid_t) -1 || required_gid != (gid_t) -1
546 || chopt->affect_symlink_referent
547 || chopt->verbosity != V_off)
548 ? 0
549 : FTS_NOSTAT);
550
551 FTS *fts = xfts_open (files, bit_flags | stat_flags, NULL);
552
553 while (true)
554 {
555 FTSENT *ent;
556
557 ent = fts_read (fts);
558 if (ent == NULL)
559 {
560 if (errno != 0)
561 {
562 /* FIXME: try to give a better message */
563 if (! chopt->force_silent)
564 error (0, errno, _("fts_read failed"));
565 ok = false;
566 }
567 break;
568 }
569
570 ok &= change_file_owner (fts, ent, uid, gid,
571 required_uid, required_gid, chopt);
572 }
573
574 if (fts_close (fts) != 0)
575 {
576 error (0, errno, _("fts_close failed"));
577 ok = false;
578 }
579
580 return ok;
581 }
GNU core utilities