| blob | bcae12368d0c662df3ae49b889959c56f9aa7e7a |
1 /* copy.c -- core functions for copying files and directories
2 Copyright (C) 1989-2013 Free Software Foundation, Inc.
4 This program is free software: you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation, either version 3 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <http://www.gnu.org/licenses/>. */
17 /* Extracted from cp.c and librarified by Jim Meyering. */
19 #include <config.h>
20 #include <stdio.h>
21 #include <assert.h>
22 #include <sys/ioctl.h>
23 #include <sys/types.h>
24 #include <selinux/selinux.h>
26 #if HAVE_HURD_H
27 # include <hurd.h>
28 #endif
29 #if HAVE_PRIV_H
30 # include <priv.h>
31 #endif
65 #if USE_XATTR
66 # include <attr/error_context.h>
67 # include <attr/libattr.h>
68 # include <stdarg.h>
70 #endif
72 #ifndef HAVE_FCHOWN
73 # define HAVE_FCHOWN false
74 # define fchown(fd, uid, gid) (-1)
75 #endif
77 #ifndef HAVE_LCHOWN
78 # define HAVE_LCHOWN false
79 # define lchown(name, uid, gid) chown (name, uid, gid)
80 #endif
82 #ifndef HAVE_MKFIFO
83 static int
85 {
88 }
89 # define mkfifo rpl_mkfifo
90 #endif
92 #ifndef USE_ACL
93 # define USE_ACL 0
94 #endif
96 #define SAME_OWNER(A, B) ((A).st_uid == (B).st_uid)
97 #define SAME_GROUP(A, B) ((A).st_gid == (B).st_gid)
98 #define SAME_OWNER_AND_GROUP(A, B) (SAME_OWNER (A, B) && SAME_GROUP (A, B))
100 struct dir_list
101 {
103 ino_t ino;
104 dev_t dev;
105 };
107 /* Initial size of the cp.dest_info hash table. */
108 #define DEST_INFO_INITIAL_CAPACITY 61
120 /* Pointers to the file names: they're used in the diagnostic that is issued
121 when we detect the user is trying to copy a directory into itself. */
125 /* Set the timestamp of symlink, FILE, to TIMESPEC.
126 If this system lacks support for that, simply return 0. */
129 {
131 /* When configuring on a system with new headers and libraries, and
132 running on one with a kernel that is old enough to lack the syscall,
133 utimensat fails with ENOSYS. Ignore that. */
137 }
139 /* Copy the regular file open on SRC_FD/SRC_NAME to DST_FD/DST_NAME,
140 honoring the MAKE_HOLES setting and using the BUF_SIZE-byte buffer
141 BUF for temporary storage. Copy no more than MAX_N_READ bytes.
142 Return true upon successful completion;
143 print a diagnostic and return false upon error.
144 Note that for best results, BUF should be "well"-aligned.
145 BUF must have sizeof(uintptr_t)-1 bytes of additional space
146 beyond BUF[BUF_SIZE-1].
147 Set *LAST_WRITE_MADE_HOLE to true if the final operation on
148 DEST_FD introduced a hole. Set *TOTAL_N_READ to the number of
149 bytes read. */
150 static bool
156 {
161 {
166 {
171 }
178 {
179 /* Sentinel required by is_nul(). */
181 #ifdef lint
183 /* Usually, buf[n_read] is not the byte just before a "word"
184 (aka uintptr_t) boundary. In that case, the word-oriented
185 test below (*wp++ == 0) would read some uninitialized bytes
186 after the sentinel. To avoid false-positive reports about
187 this condition (e.g., from a tool like valgrind), set the
188 remaining bytes -- to any value. */
190 #endif
193 {
195 {
198 }
199 }
200 }
203 {
206 {
209 }
211 /* It is tempting to return early here upon a short read from a
212 regular file. That would save the final read syscall for each
213 file. Unfortunately that doesn't work for certain files in
214 /proc with linux kernels from at least 2.6.9 .. 2.6.29. */
215 }
218 }
221 }
223 /* Perform the O(1) btrfs clone operation, if possible.
224 Upon success, return 0. Otherwise, return -1 and set errno. */
227 {
228 #ifdef __linux__
229 # undef BTRFS_IOCTL_MAGIC
230 # define BTRFS_IOCTL_MAGIC 0x94
231 # undef BTRFS_IOC_CLONE
232 # define BTRFS_IOC_CLONE _IOW (BTRFS_IOCTL_MAGIC, 9, int)
234 #else
239 #endif
240 }
242 /* Write N_BYTES zero bytes to file descriptor FD. Return true if successful.
243 Upon write failure, set errno and return false. */
244 static bool
246 {
250 /* Attempt to use a relatively large calloc'd source buffer for
251 efficiency, but if that allocation fails, resort to a smaller
252 statically allocated one. */
254 {
258 {
261 }
262 }
265 {
270 }
273 }
275 /* Perform an efficient extent copy, if possible. This avoids
276 the overhead of detecting holes in hole-introducing/preserving
277 copy, and thus makes copying sparse files much more efficient.
278 Upon a successful copy, return true. If the initial extent scan
279 fails, set *NORMAL_COPY_REQUIRED to true and return false.
280 Upon any other failure, set *NORMAL_COPY_REQUIRED to false and
281 return false. */
282 static bool
287 {
292 /* Keep track of the output position.
293 We may need this at the end, for a final ftruncate. */
300 do
301 {
304 {
309 {
312 }
317 }
322 {
323 off_t ext_start;
328 {
331 }
333 {
334 i--;
337 }
344 {
346 {
348 fail:
351 }
355 {
357 {
360 }
362 }
363 else
364 {
365 /* When not inducing holes and when there is a hole between
366 the end of the previous extent and the beginning of the
367 current one, write zeros to the destination file. */
373 {
376 }
379 }
380 }
384 /* Treat an unwritten but allocated extent much like a hole.
385 I.E. don't read, but don't convert to a hole in the destination,
386 unless SPARSE_ALWAYS. */
387 /* For now, do not treat FIEMAP_EXTENT_UNWRITTEN specially,
388 because that (in combination with no sync) would lead to data
389 loss at least on XFS and ext4 when using 2.6.39-rc3 kernels. */
391 {
396 }
397 else
398 {
399 off_t n_read;
410 }
412 /* If the file ends with unwritten extents not accounted for in the
413 size, then skip processing them, and the associated redundant
414 read() calls which will always return 0. We will need to
415 remove this when we add fallocate() so that we can maintain
416 extents beyond the apparent size. */
418 {
421 }
422 }
424 /* Release the space allocated to scan->ext_info. */
427 }
430 /* When the source file ends with a hole, we have to do a little more work,
431 since the above copied only up to and including the final extent.
432 In order to complete the copy, we may have to insert a hole or write
433 zeros in the destination corresponding to the source file's hole-at-EOF.
435 In addition, if the final extent was a block of zeros at EOF and we've
436 just converted them to a hole in the destination, we must call ftruncate
437 here in order to record the proper length in the destination. */
442 {
445 }
448 }
450 /* FIXME: describe */
451 /* FIXME: rewrite this to use a hash table so we avoid the quadratic
452 performance hit that's probably noticeable only on trees deeper
453 than a few hundred levels. See use of active_dir_map in remove.c */
455 static bool _GL_ATTRIBUTE_PURE
457 {
459 {
463 }
465 }
467 static bool
469 {
471 }
473 #if USE_XATTR
474 static void
477 {
479 {
483 /* use verror module to print error message */
487 }
488 }
490 static void
493 {
497 /* use verror module to print error message */
501 }
505 {
507 }
509 static void
512 {
513 }
515 /* If positive SRC_FD and DST_FD descriptors are passed,
516 then copy by fd, otherwise copy by name. */
518 static bool
521 {
526 {
530 };
534 else
539 }
542 static bool
548 {
550 }
553 /* Read the contents of the directory SRC_NAME_IN, and recursively
554 copy the contents to DST_NAME_IN. NEW_DST is true if
555 DST_NAME_IN is a directory that was created previously in the
556 recursion. SRC_SB and ANCESTORS describe SRC_NAME_IN.
557 Set *COPY_INTO_SELF if SRC_NAME_IN is a parent of
558 (or the same as) DST_NAME_IN; otherwise, clear it.
559 Propagate *FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG from
560 caller to each invocation of copy_internal. Be careful to
561 pass the address of a temporary, and to update
562 *FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG only upon completion.
563 Return true if successful. */
565 static bool
571 {
579 {
580 /* This diagnostic is a bit vague because savedir can fail in
581 several different ways. */
584 }
586 /* For cp's -H option, dereference command line arguments, but do not
587 dereference symlinks that are found via recursive traversal. */
594 {
609 /* If we're copying into self, there's no point in continuing,
610 and in fact, that would even infloop, now that we record only
611 the first created directory per command line argument. */
617 }
622 }
624 /* Set the owner and owning group of DEST_DESC to the st_uid and
625 st_gid fields of SRC_SB. If DEST_DESC is undefined (-1), set
626 the owner and owning group of DST_NAME instead; for
627 safety prefer lchown if the system supports it since no
628 symbolic links should be involved. DEST_DESC must
629 refer to the same file as DEST_NAME if defined.
630 Upon failure to set both UID and GID, try to set only the GID.
631 NEW_DST is true if the file was newly created; otherwise,
632 DST_SB is the status of the destination.
633 Return 1 if the initial syscall succeeds, 0 if it fails but it's OK
634 not to preserve ownership, -1 otherwise. */
636 static int
640 {
644 /* Naively changing the ownership of an already-existing file before
645 changing its permissions would create a window of vulnerability if
646 the file's old permissions are too generous for the new owner and
647 group. Avoid the window by first changing to a restrictive
648 temporary mode if necessary. */
651 {
653 mode_t new_mode =
661 {
666 }
667 }
670 {
674 {
675 /* We've failed to set *both*. Now, try to set just the group
676 ID, but ignore any failure here, and don't change errno. */
680 }
681 }
682 else
683 {
687 {
688 /* We've failed to set *both*. Now, try to set just the group
689 ID, but ignore any failure here, and don't change errno. */
693 }
694 }
697 {
702 }
705 }
707 /* Set the st_author field of DEST_DESC to the st_author field of
708 SRC_SB. If DEST_DESC is undefined (-1), set the st_author field
709 of DST_NAME instead. DEST_DESC must refer to the same file as
710 DEST_NAME if defined. */
712 static void
714 {
715 #if HAVE_STRUCT_STAT_ST_AUTHOR
716 /* FIXME: Modify the following code so that it does not
717 follow symbolic links. */
719 /* Preserve the st_author field. */
725 else
726 {
732 }
733 #else
737 #endif
738 }
740 /* Change the file mode bits of the file identified by DESC or NAME to MODE.
741 Use DESC if DESC is valid and fchmod is available, NAME otherwise. */
743 static int
745 {
746 #if HAVE_FCHMOD
749 #endif
751 }
753 #ifndef HAVE_STRUCT_STAT_ST_BLOCKS
754 # define HAVE_STRUCT_STAT_ST_BLOCKS 0
755 #endif
757 /* Use a heuristic to determine whether stat buffer SB comes from a file
758 with sparse blocks. If the file has fewer blocks than would normally
759 be needed for a file of its size, then at least one of the blocks in
760 the file is a hole. In that case, return true. */
761 static bool
763 {
767 }
770 /* Copy a regular file from SRC_NAME to DST_NAME.
771 If the source file contains holes, copies holes and blocks of zeros
772 in the source file as holes in the destination file.
773 (Holes are read as zeroes by the 'read' system call.)
774 When creating the destination, use DST_MODE & ~OMITTED_PERMISSIONS
775 as the third argument in the call to open, adding
776 OMITTED_PERMISSIONS after copying as needed.
777 X provides many option settings.
778 Return true if successful.
779 *NEW_DST is as in copy_internal.
780 SRC_SB is the result of calling XSTAT (aka stat) on SRC_NAME. */
782 static bool
787 {
804 {
807 }
810 {
814 }
816 /* Compare the source dev/ino from the open file to the incoming,
817 saved ones obtained via a previous call to stat. */
819 {
825 }
827 /* The semantics of the following open calls are mandated
828 by the specs for both cp and mv. */
830 {
836 /* When using cp --preserve=context to copy to an existing destination,
837 use the default context rather than that of the source. Why?
838 1) the src context may prohibit writing, and
839 2) because it's more consistent to use the same context
840 that is used when the destination file doesn't already exist. */
842 {
849 {
853 {
856 }
857 }
860 {
862 {
868 {
872 }
873 }
875 }
876 }
879 {
881 {
885 }
889 /* Tell caller that the destination file was unlinked. */
891 }
892 }
895 {
896 open_with_O_CREAT:;
903 /* When trying to copy through a dangling destination symlink,
904 the above open fails with EEXIST. If that happens, and
905 lstat'ing the DST_NAME shows that it is a symlink, then we
906 have a problem: trying to resolve this dangling symlink to
907 a directory/destination-entry pair is fundamentally racy,
908 so punt. If x->open_dangling_dest_symlink is set (cp sets
909 that when POSIXLY_CORRECT is set in the environment), simply
910 call open again, but without O_EXCL (potentially dangerous).
911 If not, fail with a diagnostic. These shenanigans are necessary
912 only when copying, i.e., not in move_mode. */
914 {
918 {
920 {
924 }
925 else
926 {
931 }
932 }
933 }
935 /* Improve quality of diagnostic when a nonexistent dst_name
936 ends in a slash and open fails with errno == EISDIR. */
940 }
941 else
942 {
944 }
947 {
948 /* If we've just failed due to ENOENT for an ostensibly preexisting
949 destination (*new_dst was 0), that's a bit of a contradiction/race:
950 the prior stat/lstat said the file existed (*new_dst was 0), yet
951 the subsequent open-existing-file failed with ENOENT. With NFS,
952 the race window is wider still, since its meta-data caching tends
953 to make the stat succeed for a just-removed remote file, while the
954 more-definitive initial open call will fail with ENOENT. When this
955 situation arises, we attempt to open again, but this time with
956 O_CREAT. Do this only when not in move-mode, since when handling
957 a cross-device move, we must never open an existing destination. */
959 {
962 }
964 /* Otherwise, it's an error. */
969 }
972 {
976 }
978 /* --attributes-only overrides --reflink. */
980 {
983 {
985 {
990 }
992 }
993 }
996 {
999 /* Choose a suitable buffer size; it may be adjusted later. */
1006 /* Deal with sparse files. */
1011 {
1012 /* Even with --sparse=always, try to create holes only
1013 if the destination is a regular file. */
1017 /* Use a heuristic to determine whether SRC_NAME contains any sparse
1018 blocks. If the file has fewer blocks than would normally be
1019 needed for a file of its size, then at least one of the blocks in
1020 the file is a hole. */
1024 }
1026 /* If not making a sparse file, try to use a more-efficient
1027 buffer size. */
1029 {
1030 /* Compute the least common multiple of the input and output
1031 buffer sizes, adjusting for outlandish values. */
1034 blcm_max);
1036 /* Do not bother with a buffer larger than the input file, plus one
1037 byte to make sure the file has not grown while reading it. */
1041 /* However, stick with a block size that is a positive multiple of
1042 blcm, overriding the above adjustments. Watch out for
1043 overflow. */
1048 }
1050 /* Make a buffer with space for a sentinel at the end. */
1055 {
1058 /* Perform an efficient extent-based copy, falling back to the
1059 standard copy only if the initial extent scan fails. If the
1060 '--sparse=never' option is specified, write all data but use
1061 any extents to read more efficiently. */
1069 {
1072 }
1073 }
1075 off_t n_read;
1081 || (wrote_hole_at_eof
1083 {
1087 }
1088 }
1090 preserve_metadata:
1092 {
1098 {
1101 {
1104 }
1105 }
1106 }
1108 /* Set ownership before xattrs as changing owners will
1109 clear capabilities. */
1111 {
1113 {
1121 }
1122 }
1124 /* To allow copying xattrs on read-only files, temporarily chmod u+rw.
1125 This workaround is required as an inode permission check is done
1126 by xattr_permission() in fs/xattr.c of the GNU/Linux kernel tree. */
1128 {
1140 }
1145 {
1149 }
1151 {
1154 }
1156 {
1159 }
1161 {
1165 {
1170 }
1171 }
1173 close_src_and_dst_desc:
1175 {
1178 }
1179 close_src_desc:
1181 {
1184 }
1189 }
1191 /* Return true if it's ok that the source and destination
1192 files are the 'same' by some measure. The goal is to avoid
1193 making the 'copy' operation remove both copies of the file
1194 in that case, while still allowing the user to e.g., move or
1195 copy a regular file onto a symlink that points to it.
1196 Try to minimize the cost of this function in the common case.
1197 Set *RETURN_NOW if we've determined that the caller has no more
1198 work to do and should return successfully, right away.
1200 Set *UNLINK_SRC if we've determined that the caller wants to do
1201 'rename (a, b)' where 'a' and 'b' are distinct hard links to the same
1202 file. In that case, the caller should try to unlink 'a' and then return
1203 successfully. Ideally, we wouldn't have to do that, and we'd be
1204 able to rely on rename to remove the source file. However, POSIX
1205 mistakenly requires that such a rename call do *nothing* and return
1206 successfully. */
1208 static bool
1212 {
1224 /* FIXME: this should (at the very least) be moved into the following
1225 if-block. More likely, it should be removed, because it inhibits
1226 making backups. But removing it will result in a change in behavior
1227 that will probably have to be documented -- and tests will have to
1228 be updated. */
1230 {
1233 }
1236 {
1239 /* If both the source and destination files are symlinks (and we'll
1240 know this here IFF preserving symlinks), then it's usually ok
1241 when they are distinct. */
1243 {
1246 {
1247 /* It's fine when we're making any type of backup. */
1251 /* Here we have two symlinks that are hard-linked together,
1252 and we're not making backups. In this unusual case, simply
1253 returning true would lead to mv calling "rename(A,B)",
1254 which would do nothing and return 0. I.e., A would
1255 not be removed. Hence, the solution is to tell the
1256 caller that all it must do is unlink A and return. */
1258 {
1262 }
1263 }
1266 }
1270 }
1271 else
1272 {
1285 /* If both are symlinks, then it's ok, but only if the destination
1286 will be unlinked before being opened. This is like the test
1287 above, but with the addition of the unlink_dest_before_opening
1288 conjunct because otherwise, with two symlinks to the same target,
1289 we'd end up truncating the source file. */
1293 }
1295 /* The backup code ensures there's a copy, so it's usually ok to
1296 remove any destination file. One exception is when both
1297 source and destination are the same directory entry. In that
1298 case, moving the destination file aside (in making the backup)
1299 would also rename the source file and result in an error. */
1301 {
1303 {
1304 /* In copy mode when dereferencing symlinks, if the source is a
1305 symlink and the dest is not, then backing up the destination
1306 (moving it aside) would make it a dangling symlink, and the
1307 subsequent attempt to open it in copy_reg would fail with
1308 a misleading diagnostic. Avoid that by returning zero in
1309 that case so the caller can make cp (or mv when it has to
1310 resort to reading the source file) fail now. */
1312 /* FIXME-note: even with the following kludge, we can still provoke
1313 the offending diagnostic. It's just a little harder to do :-)
1314 $ rm -f a b c; touch c; ln -s c b; ln -s b a; cp -b a b
1315 cp: cannot open 'a' for reading: No such file or directory
1316 That's misleading, since a subsequent 'ls' shows that 'a'
1317 is still there.
1318 One solution would be to open the source file *before* moving
1319 aside the destination, but that'd involve a big rewrite. */
1327 }
1330 }
1332 #if 0
1333 /* FIXME: use or remove */
1335 /* If we're making a backup, we'll detect the problem case in
1336 copy_reg because SRC_NAME will no longer exist. Allowing
1337 the test to be deferred lets cp do some useful things.
1338 But when creating hardlinks and SRC_NAME is a symlink
1339 but DST_NAME is not we must test anyway. */
1347 #endif
1349 /* They may refer to the same file if we're in move mode and the
1350 target is a symlink. That is ok, since we remove any existing
1351 destination file before opening it -- via 'rename' if they're on
1352 the same file system, via 'unlink (DST_NAME)' otherwise.
1353 It's also ok if they're distinct hard links to the same file. */
1355 {
1362 {
1364 {
1367 }
1369 }
1370 }
1372 /* If neither is a symlink, then it's ok as long as they aren't
1373 hard links to the same file. */
1375 {
1379 /* If they are the same file, it's ok if we're making hard links. */
1381 {
1384 }
1385 }
1387 /* At this point, it is normally an error (data loss) to move a symlink
1388 onto its referent, but in at least one narrow case, it is not:
1389 In move mode, when
1390 1) src is a symlink,
1391 2) dest has a link count of 2 or more and
1392 3) dest and the referent of src are not the same directory entry,
1393 then it's ok, since while we'll lose one of those hard links,
1394 src will still point to a remaining link.
1395 Note that technically, condition #3 obviates condition #2, but we
1396 retain the 1 < st_nlink condition because that means fewer invocations
1397 of the more expensive #3.
1399 Given this,
1400 $ touch f && ln f l && ln -s f s
1401 $ ls -og f l s
1402 -rw-------. 2 0 Jan 4 22:46 f
1403 -rw-------. 2 0 Jan 4 22:46 l
1404 lrwxrwxrwx. 1 1 Jan 4 22:46 s -> f
1405 this must fail: mv s f
1406 this must succeed: mv s l */
1410 {
1413 {
1417 }
1418 }
1420 /* It's ok to remove a destination symlink. But that works only when we
1421 unlink before opening the destination and when the source and destination
1422 files are on the same partition. */
1428 {
1442 /* FIXME: shouldn't this be testing whether we're making symlinks? */
1444 {
1447 }
1448 }
1451 }
1453 /* Return true if FILE, with mode MODE, is writable in the sense of 'mv'.
1454 Always consider a symbolic link to be writable. */
1455 static bool
1457 {
1461 }
1463 static void
1465 {
1467 {
1476 }
1477 else
1478 {
1481 }
1482 }
1484 /* Initialize the hash table implementing a set of F_triple entries
1485 corresponding to destination files. */
1488 {
1489 x->dest_info
1491 NULL,
1492 triple_hash,
1493 triple_compare,
1494 triple_free);
1495 }
1497 /* Initialize the hash table implementing a set of F_triple entries
1498 corresponding to source files listed on the command line. */
1501 {
1503 /* Note that we use triple_hash_no_name here.
1504 Contrast with the use of triple_hash above.
1505 That is necessary because a source file may be specified
1506 in many different ways. We want to warn about this
1507 cp a a d/
1508 as well as this:
1509 cp a ./a d/
1510 */
1511 x->src_info
1513 NULL,
1514 triple_hash_no_name,
1515 triple_compare,
1516 triple_free);
1517 }
1519 /* When effecting a move (e.g., for mv(1)), and given the name DST_NAME
1520 of the destination and a corresponding stat buffer, DST_SB, return
1521 true if the logical 'move' operation should _not_ proceed.
1522 Otherwise, return false.
1523 Depending on options specified in X, this code may issue an
1524 interactive prompt asking whether it's ok to overwrite DST_NAME. */
1525 static bool
1529 {
1538 }
1540 /* Print --verbose output on standard output, e.g. 'new' -> 'old'.
1541 If BACKUP_DST_NAME is non-NULL, then also indicate that it is
1542 the name of a backup file. */
1543 static void
1545 {
1550 }
1552 /* A wrapper around "setfscreatecon (NULL)" that exits upon failure. */
1553 static void
1555 {
1559 }
1561 /* Create a hard link DST_NAME to SRC_NAME, honoring the REPLACE, VERBOSE and
1562 DEREFERENCE settings. Return true upon success. Otherwise, diagnose the
1563 failure and return false. If SRC_NAME is a symbolic link, then it will not
1564 be followed unless DEREFERENCE is true.
1565 If the system doesn't support hard links to symbolic links, then DST_NAME
1566 will be created as a symbolic link to SRC_NAME. */
1567 static bool
1570 {
1571 /* We want to guarantee that symlinks are not followed, unless requested. */
1579 /* If the link failed because of an existing destination,
1580 remove that file and then call link again. */
1582 {
1584 {
1587 }
1592 }
1595 {
1599 }
1602 }
1604 /* Return true if the current file should be (tried to be) dereferenced:
1605 either for DEREF_ALWAYS or for DEREF_COMMAND_LINE_ARGUMENTS in the case
1606 where the current file is a COMMAND_LINE_ARG; otherwise return false. */
1609 {
1613 }
1615 /* Copy the file SRC_NAME to the file DST_NAME. The files may be of
1616 any type. NEW_DST should be true if the file DST_NAME cannot
1617 exist because its parent directory was just created; NEW_DST should
1618 be false if DST_NAME might already exist. DEVICE is the device
1619 number of the parent directory, or 0 if the parent of this file is
1620 not known. ANCESTORS points to a linked, null terminated list of
1621 devices and inodes of parent directories of SRC_NAME. COMMAND_LINE_ARG
1622 is true iff SRC_NAME was specified on the command line.
1623 FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG is both input and output.
1624 Set *COPY_INTO_SELF if SRC_NAME is a parent of (or the
1625 same as) DST_NAME; otherwise, clear it.
1626 Return true if successful. */
1627 static bool
1630 dev_t device,
1637 {
1640 mode_t src_mode;
1642 mode_t dst_mode_bits;
1643 mode_t omitted_permissions;
1659 {
1662 }
1667 {
1670 }
1672 /* Detect the case in which the same source file appears more than
1673 once on the command line and no backup option has been selected.
1674 If so, simply warn and don't copy it the second time.
1675 This check is enabled only if x->src_info is non-NULL. */
1677 {
1681 {
1685 }
1688 }
1693 {
1694 /* Regular files can be created by writing through symbolic
1695 links, but other files cannot. So use stat on the
1696 destination when copying a regular file, and lstat otherwise.
1697 However, if we intend to unlink or remove the destination
1698 first, use lstat, since a copy won't actually be made to the
1699 destination in that case. */
1711 {
1713 {
1716 }
1717 else
1718 {
1720 }
1721 }
1722 else
1724 that it is stat'able or lstat'able. */
1731 {
1735 }
1738 {
1739 /* When preserving time stamps (but not moving within a file
1740 system), don't worry if the destination time stamp is
1741 less than the source merely because of time stamp
1742 truncation. */
1746 ? UTIMECMP_TRUNCATE_SOURCE
1750 {
1751 /* We're using --update and the destination is not older
1752 than the source, so do not copy or move. Pretend the
1753 rename succeeded, so the caller (if it's mv) doesn't
1754 end up removing the source file. */
1758 /* However, we still must record that we've processed
1759 this src/dest pair, in case this source file is
1760 hard-linked to another one. In that case, we'll use
1761 the mapping information to link the corresponding
1762 destination names. */
1766 {
1767 /* Note we currently replace DST_NAME unconditionally,
1768 even if it was a newer separate file. */
1771 {
1773 }
1774 }
1777 }
1778 }
1780 /* When there is an existing destination file, we may end up
1781 returning early, and hence not copying/moving the file.
1782 This may be due to an interactive 'negative' reply to the
1783 prompt about the existing file. It may also be due to the
1784 use of the --no-clobber option.
1786 cp and mv treat -i and -f differently. */
1788 {
1791 {
1792 /* Pretend the rename succeeded, so the caller (mv)
1793 doesn't end up removing the source file. */
1799 }
1801 {
1804 }
1805 }
1806 else
1807 {
1814 }
1820 {
1822 {
1824 {
1825 /* Moving a directory onto an existing
1826 non-directory is ok only with --backup. */
1827 }
1828 else
1829 {
1834 }
1835 }
1837 /* Don't let the user destroy their data, even if they try hard:
1838 This mv command must fail (likewise for cp):
1839 rm -rf a b c; mkdir a b c; touch a/f b/f; mv a/f b/f c
1840 Otherwise, the contents of b/f would be lost.
1841 In the case of 'cp', b/f would be lost if the user simulated
1842 a move using cp and rm.
1843 Note that it works fine if you use --backup=numbered. */
1847 {
1852 }
1853 }
1856 {
1858 {
1860 {
1861 /* Moving a non-directory onto an existing
1862 directory is ok only with --backup. */
1863 }
1864 else
1865 {
1870 }
1871 }
1872 }
1875 {
1876 /* Don't allow user to move a directory onto a non-directory. */
1879 {
1884 }
1885 }
1888 /* Don't try to back up a destination if the last
1889 component of src_name is "." or "..". */
1891 /* Create a backup of each destination directory in move mode,
1892 but not in copy mode. FIXME: it might make sense to add an
1893 option to suppress backup creation also for move mode.
1894 That would let one use mv to merge new content into an
1895 existing hierarchy. */
1897 {
1901 /* Detect (and fail) when creating the backup file would
1902 destroy the source file. Before, running the commands
1903 cd /tmp; rm -f a a~; : > a; echo A > a~; cp --b=simple a~ a
1904 would leave two zero-length files: a and a~. */
1905 /* FIXME: but simply change e.g., the final a~ to './a~'
1906 and the source will still be destroyed. */
1908 {
1918 }
1920 /* FIXME: use fts:
1921 Using alloca for a file name that may be arbitrarily
1922 long is not recommended. In fact, even forming such a name
1923 should be discouraged. Eventually, this code will be rewritten
1924 to use fts, so using alloca here will be less of a problem. */
1927 /* In move mode, when src_name and dst_name are on the
1928 same partition (FIXME, and when they are non-directories),
1929 make the operation atomic: link dest
1930 to backup, then rename src to dest. */
1932 {
1934 {
1937 }
1938 else
1939 {
1941 }
1942 }
1943 else
1944 {
1946 }
1948 }
1950 /* Never unlink dst_name when in move mode. */
1956 ))
1957 {
1959 {
1962 }
1966 }
1967 }
1968 }
1970 /* Ensure we don't try to copy through a symlink that was
1971 created by a prior call to this function. */
1976 {
1981 /* If we called lstat above, good: use that data.
1982 Otherwise, call lstat here, in case dst_name is a symlink. */
1985 else
1986 {
1989 else
1991 }
1993 /* Never copy through a symlink we've just created. */
1997 {
2002 }
2003 }
2005 /* If the source is a directory, we don't always create the destination
2006 directory. So --verbose should not announce anything until we're
2007 sure we'll create a directory. */
2011 /* Associate the destination file name with the source device and inode
2012 so that if we encounter a matching dev/ino pair in the source tree
2013 we can arrange to create a hard link between the corresponding names
2014 in the destination tree.
2016 When using the --link (-l) option, there is no need to take special
2017 measures, because (barring race conditions) files that are hard-linked
2018 in the source tree will also be hard-linked in the destination tree.
2020 Sometimes, when preserving links, we have to record dev/ino even
2021 though st_nlink == 1:
2022 - when in move_mode, since we may be moving a group of N hard-linked
2023 files (via two or more command line arguments) to a different
2024 partition; the links may be distributed among the command line
2025 arguments (possibly hierarchies) so that the link count of
2026 the final, once-linked source file is reduced to 1 when it is
2027 considered below. But in this case (for mv) we don't need to
2028 incur the expense of recording the dev/ino => name mapping; all we
2029 really need is a lookup, to see if the dev/ino pair has already
2030 been copied.
2031 - when using -H and processing a command line argument;
2032 that command line argument could be a symlink pointing to another
2033 command line argument. With 'cp -H --preserve=link', we hard-link
2034 those two destination files.
2035 - likewise for -L except that it applies to all files, not just
2036 command line arguments.
2038 Also, with --recursive, record dev/ino of each command-line directory.
2039 We'll use that info to detect this problem: cp -R dir dir. */
2042 {
2044 }
2048 || (command_line_arg
2051 {
2053 }
2055 {
2058 else
2060 }
2062 /* Did we copy this inode somewhere else (in this command line argument)
2063 and therefore this is a second hard link to the inode? */
2066 {
2067 /* Avoid damaging the destination file system by refusing to preserve
2068 hard-linked directories (which are found at least in Netapp snapshot
2069 directories). */
2071 {
2072 /* If src_name and earlier_file refer to the same directory entry,
2073 then warn about copying a directory into itself. */
2075 {
2081 }
2083 {
2084 /* This happens when e.g., encountering a directory for the
2085 second or subsequent time via symlinks when cp is invoked
2086 with -R and -L. E.g.,
2087 rm -rf a b c d; mkdir a b c d; ln -s ../c a; ln -s ../c b;
2088 cp -RL a b d
2089 */
2090 }
2091 else
2092 {
2096 }
2097 }
2098 else
2099 {
2101 dereference))
2105 }
2106 }
2109 {
2111 {
2120 {
2121 /* Record destination dev/ino/name, so that if we are asked
2122 to overwrite that file again, we can detect it and fail. */
2123 /* It's fine to use the _source_ stat buffer (src_sb) to get the
2124 _destination_ dev/ino, since the rename above can't have
2125 changed those, and 'mv' always uses lstat.
2126 We could limit it further by operating
2127 only on non-directories. */
2129 }
2132 }
2134 /* FIXME: someday, consider what to do when moving a directory into
2135 itself but when source and destination are on different devices. */
2137 /* This happens when attempting to rename a directory to a
2138 subdirectory of itself. */
2140 {
2141 /* FIXME: this is a little fragile in that it relies on rename(2)
2142 failing with a specific errno value. Expect problems on
2143 non-POSIX systems. */
2148 /* Note that there is no need to call forget_created here,
2149 (compare with the other calls in this file) since the
2150 destination directory didn't exist before. */
2153 /* FIXME-cleanup: Don't return true here; adjust mv.c accordingly.
2154 The only caller that uses this code (mv.c) ends up setting its
2155 exit status to nonzero when copy_into_self is nonzero. */
2157 }
2159 /* WARNING: there probably exist systems for which an inter-device
2160 rename fails with a value of errno not handled here.
2161 If/as those are reported, add them to the condition below.
2162 If this happens to you, please do the following and send the output
2163 to the bug-reporting address (e.g., in the output of cp --help):
2164 touch k; perl -e 'rename "k","/tmp/k" or print "$!(",$!+0,")\n"'
2165 where your current directory is on one partion and /tmp is the other.
2166 Also, please try to find the E* errno macro name corresponding to
2167 the diagnostic and parenthesized integer, and include that in your
2168 e-mail. One way to do that is to run a command like this
2169 find /usr/include/. -type f \
2170 | xargs grep 'define.*\<E[A-Z]*\>.*\<18\>' /dev/null
2171 where you'd replace '18' with the integer in parentheses that
2172 was output from the perl one-liner above.
2173 If necessary, of course, change '/tmp' to some other directory. */
2175 {
2176 /* There are many ways this can happen due to a race condition.
2177 When something happens between the initial XSTAT and the
2178 subsequent rename, we can get many different types of errors.
2179 For example, if the destination is initially a non-directory
2180 or non-existent, but it is created as a directory, the rename
2181 fails. If two 'mv' commands try to rename the same file at
2182 about the same time, one will succeed and the other will fail.
2183 If the permissions on the directory containing the source or
2184 destination file are made too restrictive, the rename will
2185 fail. Etc. */
2191 }
2193 /* The rename attempt has failed. Remove any existing destination
2194 file so that a cross-device 'mv' acts as if it were really using
2195 the rename syscall. Note both src and dst must both be directories
2196 or not, and this is enforced above. Therefore we check the src_mode
2197 and operate on dst_name here as a tighter constraint and also because
2198 src_mode is readily available here. */
2201 {
2207 }
2210 }
2212 /* If the ownership might change, or if it is a directory (whose
2213 special mode bits may change after the directory is created),
2214 omit some permissions at first, so unauthorized users cannot nip
2215 in before the file is ready. */
2217 omitted_permissions =
2218 (dst_mode_bits
2226 {
2229 security_context_t con;
2232 {
2234 {
2240 {
2243 }
2244 }
2246 }
2247 else
2248 {
2250 {
2254 }
2257 }
2258 }
2261 {
2264 /* If this directory has been copied before during the
2265 recursion, there is a symbolic link to an ancestor
2266 directory of the symbolic link. It is impossible to
2267 continue to copy this, unless we've got an infinite disk. */
2270 {
2274 }
2276 /* Insert the current directory in the list of parents. */
2284 {
2285 /* POSIX says mkdir's behavior is implementation-defined when
2286 (src_mode & ~S_IRWXUGO) != 0. However, common practice is
2287 to ask mkdir to copy all the CHMOD_MODE_BITS, letting mkdir
2288 decide what to do with S_ISUID | S_ISGID | S_ISVTX. */
2290 {
2294 }
2296 /* We need search and write permissions to the new directory
2297 for writing the directory's contents. Check if these
2298 permissions are there. */
2301 {
2304 }
2306 {
2307 /* Make the new directory searchable and writable. */
2313 {
2317 }
2318 }
2320 /* Record the created directory's inode and device numbers into
2321 the search structure, so that we can avoid copying it again.
2322 Do this only for the first directory that is created for each
2323 source command line argument. */
2325 {
2328 }
2332 }
2333 else
2334 {
2336 }
2338 /* Decide whether to copy the contents of the directory. */
2340 {
2341 /* Here, we are crossing a file system boundary and cp's -x option
2342 is in effect: so don't copy the contents of this directory. */
2343 }
2344 else
2345 {
2346 /* Copy the contents of the directory. Don't just return if
2347 this fails -- otherwise, the failure to read a single file
2348 in a source directory would cause the containing destination
2349 directory not to have owner/perms set properly. */
2351 first_dir_created_per_command_line_arg,
2352 copy_into_self);
2353 }
2354 }
2356 {
2359 {
2360 /* Check that DST_NAME denotes a file in the current directory. */
2369 /* If either stat call fails, it's ok not to report
2370 the failure and say dst_name is in the current
2371 directory. Other things will fail later. */
2378 {
2383 }
2384 }
2386 {
2390 }
2391 }
2393 /* POSIX 2008 states that it is implementation-defined whether
2394 link() on a symlink creates a hard-link to the symlink, or only
2395 to the referent (effectively dereferencing the symlink) (POSIX
2396 2001 required the latter behavior, although many systems provided
2397 the former). Yet cp, invoked with '--link --no-dereference',
2398 should not follow the link. We can approximate the desired
2399 behavior by skipping this hard-link creating block and instead
2400 copying the symlink, via the 'S_ISLNK'- copying code below.
2401 LINK_FOLLOWS_SYMLINKS is tri-state; if it is -1, we don't know
2402 how link() behaves, so we use the fallback case for safety.
2404 Note gnulib's linkat module, guarantees that the symlink is not
2405 dereferenced. However its emulation currently doesn't maintain
2406 timestamps or ownership so we only call it when we know the
2407 emulation will not be needed. */
2411 {
2414 }
2417 {
2419 /* POSIX says the permission bits of the source file must be
2420 used as the 3rd argument in the open call. Historical
2421 practice passed all the source mode bits to 'open', but the extra
2422 bits were ignored, so it should be the same either way.
2424 This call uses DST_MODE_BITS, not SRC_MODE. These are
2425 normally the same, and the exception (where x->set_mode) is
2426 used only by 'install', which POSIX does not specify and
2427 where DST_MODE_BITS is what's wanted. */
2431 }
2433 {
2434 /* Use mknod, rather than mkfifo, because the former preserves
2435 the special mode bits of a fifo on Solaris 10, while mkfifo
2436 does not. But fall back on mkfifo, because on some BSD systems,
2437 mknod always fails when asked to create a FIFO. */
2440 {
2443 }
2444 }
2446 {
2449 {
2453 }
2454 }
2456 {
2460 {
2463 }
2467 else
2468 {
2473 {
2474 /* See if the destination is already the desired symlink.
2475 FIXME: This behavior isn't documented, and seems wrong
2476 in some cases, e.g., if the destination symlink has the
2477 wrong ownership, permissions, or time stamps. */
2483 }
2487 {
2491 }
2492 }
2498 {
2499 /* Preserve the owner and group of the just-'copied'
2500 symbolic link, if possible. */
2504 {
2506 dst_name);
2508 }
2509 else
2510 {
2511 /* Can't preserve ownership of symlinks.
2512 FIXME: maybe give a warning or even error for symlinks
2513 in directories with the sticky bit set -- there, not
2514 preserving owner/group is a potential security problem. */
2515 }
2516 }
2517 }
2518 else
2519 {
2522 }
2525 {
2526 /* Now that the destination file is very likely to exist,
2527 add its info to the set. */
2531 }
2533 /* If we've just created a hard-link due to cp's --link option,
2534 we're done. */
2543 /* POSIX says that 'cp -p' must restore the following:
2544 - permission bits
2545 - setuid, setgid bits
2546 - owner and group
2547 If it fails to restore any of those, we may give a warning but
2548 the destination must not be removed.
2549 FIXME: implement the above. */
2551 /* Adjust the times (and if possible, ownership) for the copy.
2552 chown turns off set[ug]id bits for non-root,
2553 so do the chmod last. */
2556 {
2565 {
2569 }
2570 }
2572 /* The operations beyond this point may dereference a symlink. */
2576 /* Avoid calling chown if we know it's not necessary. */
2579 {
2581 {
2588 }
2589 }
2598 {
2602 }
2604 {
2607 }
2609 {
2612 }
2613 else
2614 {
2616 {
2620 {
2621 /* Permissions were deliberately omitted when the file
2622 was created due to security concerns. See whether
2623 they need to be re-added now. It'd be faster to omit
2624 the lstat, but deducing the current destination mode
2625 is tricky in the presence of implementation-defined
2626 rules for special mode bits. */
2628 {
2631 }
2635 }
2636 }
2639 {
2641 {
2646 }
2647 }
2648 }
2652 un_backup:
2657 /* We have failed to create the destination file.
2658 If we've just added a dev/ino entry via the remember_copied
2659 call above (i.e., unless we've just failed to create a hard link),
2660 remove the entry associating the source dev/ino with the
2661 destination file name, so we don't try to 'preserve' a link
2662 to a file we didn't create. */
2667 {
2670 else
2671 {
2675 }
2676 }
2678 }
2680 static bool _GL_ATTRIBUTE_PURE
2682 {
2692 }
2694 /* Copy the file SRC_NAME to the file DST_NAME. The files may be of
2695 any type. NONEXISTENT_DST should be true if the file DST_NAME
2696 is known not to exist (e.g., because its parent directory was just
2697 created); NONEXISTENT_DST should be false if DST_NAME might already
2698 exist. OPTIONS is ... FIXME-describe
2699 Set *COPY_INTO_SELF if SRC_NAME is a parent of (or the
2700 same as) DST_NAME; otherwise, set clear it.
2701 Return true if successful. */
2707 {
2710 /* Record the file names: they're used in case of error, when copying
2711 a directory into itself. I don't like to make these tools do *any*
2712 extra work in the common case when that work is solely to handle
2713 exceptional cases, but in this case, I don't see a way to derive the
2714 top level source and destination directory names where they're used.
2715 An alternative is to use COPY_INTO_SELF and print the diagnostic
2716 from every caller -- but I don't want to do that. */
2725 }
2727 /* Set *X to the default options for a value of type struct cp_options. */
2731 {
2733 #ifdef PRIV_FILE_CHOWN
2734 {
2739 {
2742 }
2744 }
2745 #else
2747 #endif
2748 }
2750 /* Return true if it's OK for chown to fail, where errno is
2751 the error number that chown failed with and X is the copying
2752 option set. */
2756 {
2757 /* If non-root uses -p, it's ok if we can't preserve ownership.
2758 But root probably wants to know, e.g. if NFS disallows it,
2759 or if the target system doesn't support file ownership. */
2762 }
2764 /* Similarly, return true if it's OK for chmod and similar operations
2765 to fail, where errno is the error number that chmod failed with and
2766 X is the copying option set. */
2768 static bool
2770 {
2772 }
2774 /* Return the user's umask, caching the result.
2776 FIXME: If the destination's parent directory has has a default ACL,
2777 some operating systems (e.g., GNU/Linux's "POSIX" ACLs) use that
2778 ACL's mask rather than the process umask. Currently, the callers
2779 of cached_umask incorrectly assume that this situation cannot occur. */
2780 extern mode_t
2782 {
2785 {
2788 }
2790 }