| blob | 4a7d9b5d9cbc7e4b96f3682d45bb13f2856ead75 |
1 /* copy.c -- core functions for copying files and directories
2 Copyright (C) 1989-2022 Free Software Foundation, Inc.
4 This program is free software: you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation, either version 3 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <https://www.gnu.org/licenses/>. */
17 /* Extracted from cp.c and librarified by Jim Meyering. */
19 #include <config.h>
20 #include <stdio.h>
21 #include <assert.h>
22 #include <sys/ioctl.h>
23 #include <sys/types.h>
24 #include <selinux/selinux.h>
26 #if HAVE_HURD_H
27 # include <hurd.h>
28 #endif
29 #if HAVE_PRIV_H
30 # include <priv.h>
31 #endif
68 #ifndef USE_XATTR
69 # define USE_XATTR false
70 #endif
72 #if USE_XATTR
73 # include <attr/error_context.h>
74 # include <attr/libattr.h>
75 # include <stdarg.h>
77 #endif
79 #if HAVE_LINUX_FALLOC_H
80 # include <linux/falloc.h>
81 #endif
83 /* See HAVE_FALLOCATE workaround when including this file. */
84 #ifdef HAVE_LINUX_FS_H
85 # include <linux/fs.h>
86 #endif
88 #if !defined FICLONE && defined __linux__
89 # define FICLONE _IOW (0x94, 9, int)
90 #endif
92 #if HAVE_FCLONEFILEAT && !USE_XATTR
93 # include <sys/clonefile.h>
94 #endif
96 #ifndef HAVE_FCHOWN
97 # define HAVE_FCHOWN false
98 # define fchown(fd, uid, gid) (-1)
99 #endif
101 #ifndef USE_ACL
102 # define USE_ACL 0
103 #endif
105 #define SAME_OWNER(A, B) ((A).st_uid == (B).st_uid)
106 #define SAME_GROUP(A, B) ((A).st_gid == (B).st_gid)
107 #define SAME_OWNER_AND_GROUP(A, B) (SAME_OWNER (A, B) && SAME_GROUP (A, B))
109 /* LINK_FOLLOWS_SYMLINKS is tri-state; if it is -1, we don't know
110 how link() behaves, so assume we can't hardlink symlinks in that case. */
111 #if (defined HAVE_LINKAT && ! LINKAT_SYMLINK_NOTSUP) || ! LINK_FOLLOWS_SYMLINKS
112 # define CAN_HARDLINK_SYMLINKS 1
113 #else
114 # define CAN_HARDLINK_SYMLINKS 0
115 #endif
117 struct dir_list
118 {
120 ino_t ino;
121 dev_t dev;
122 };
124 /* Initial size of the cp.dest_info hash table. */
125 #define DEST_INFO_INITIAL_CAPACITY 61
138 /* Pointers to the file names: they're used in the diagnostic that is issued
139 when we detect the user is trying to copy a directory into itself. */
143 #ifndef DEV_FD_MIGHT_BE_CHR
144 # define DEV_FD_MIGHT_BE_CHR false
145 #endif
147 /* Act like fstat (DIRFD, FILENAME, ST, FLAGS), except when following
148 symbolic links on Solaris-like systems, treat any character-special
149 device like /dev/fd/0 as if it were the file it is open on. */
150 static int
152 {
157 {
161 {
165 {
168 }
169 else
171 }
174 }
177 }
179 /* Attempt to punch a hole to avoid any permanent
180 speculative preallocation on file systems such as XFS.
181 Return values as per fallocate(2) except ENOSYS etc. are ignored. */
183 static int
185 {
187 /* +0 is to work around older <linux/fs.h> defining HAVE_FALLOCATE to empty. */
188 #if HAVE_FALLOCATE + 0
189 # if defined FALLOC_FL_PUNCH_HOLE && defined FALLOC_FL_KEEP_SIZE
194 # endif
195 #endif
197 }
199 /* Create a hole at the end of a file,
200 avoiding preallocation if requested. */
202 static bool
204 {
208 {
211 }
213 /* Some file systems (like XFS) preallocate when write extending a file.
214 I.e., a previous write() may have preallocated extra space
215 that the seek above will not discard. A subsequent write() could
216 then make this allocation permanent. */
218 {
221 }
224 }
227 /* Copy the regular file open on SRC_FD/SRC_NAME to DST_FD/DST_NAME,
228 honoring the MAKE_HOLES setting and using the BUF_SIZE-byte buffer
229 BUF for temporary storage. Copy no more than MAX_N_READ bytes.
230 Return true upon successful completion;
231 print a diagnostic and return false upon error.
232 Note that for best results, BUF should be "well"-aligned.
233 Set *LAST_WRITE_MADE_HOLE to true if the final operation on
234 DEST_FD introduced a hole. Set *TOTAL_N_READ to the number of
235 bytes read. */
236 static bool
242 {
246 /* If not looking for holes, use copy_file_range if functional,
247 but don't use if reflink disallowed as that may be implicit. */
250 {
251 /* Copy at most COPY_MAX bytes at a time; this is min
252 (SSIZE_MAX, SIZE_MAX) truncated to a value that is
253 surely aligned well. */
258 {
259 /* copy_file_range incorrectly returns 0 when reading from
260 the proc file system on the Linux kernel through at
261 least 5.6.19 (2020), so fall back on 'read' if the
262 input file seems empty. */
266 }
268 {
274 /* copy_file_range might not be enabled in seccomp filters,
275 so retry with a standard copy. EPERM can also occur
276 for immutable files, but that would only be in the edge case
277 where the file is made immutable after creating/truncating,
278 in which case the (more accurate) error is still shown. */
284 else
285 {
289 }
290 }
293 }
299 {
302 {
307 }
313 /* Loop over the input buffer in chunks of hole_size. */
319 {
330 {
335 {
337 {
341 }
342 }
343 else
344 {
347 }
353 {
359 else
361 }
362 }
364 {
366 {
369 }
370 }
374 }
378 /* It's tempting to break early here upon a short read from
379 a regular file. That would save the final read syscall
380 for each file. Unfortunately that doesn't work for
381 certain files in /proc or /sys with linux kernels. */
382 }
384 /* Ensure a trailing hole is created, so that subsequent
385 calls of sparse_copy() start at the correct offset. */
388 else
390 }
392 /* Perform the O(1) btrfs clone operation, if possible.
393 Upon success, return 0. Otherwise, return -1 and set errno. */
396 {
397 #ifdef FICLONE
399 #else
404 #endif
405 }
407 /* Write N_BYTES zero bytes to file descriptor FD. Return true if successful.
408 Upon write failure, set errno and return false. */
409 static bool
411 {
415 /* Attempt to use a relatively large calloc'd source buffer for
416 efficiency, but if that allocation fails, resort to a smaller
417 statically allocated one. */
419 {
423 {
426 }
427 }
430 {
435 }
438 }
440 #ifdef SEEK_HOLE
441 /* Perform an efficient extent copy, if possible. This avoids
442 the overhead of detecting holes in hole-introducing/preserving
443 copy, and thus makes copying sparse files much more efficient.
444 Copy from SRC_FD to DEST_FD, using BUF (of size BUF_SIZE) for a buffer.
445 Look for holes of size HOLE_SIZE in the input.
446 The input file is of size SRC_TOTAL_SIZE.
447 Use SPARSE_MODE to determine whether to create holes in the output.
448 SRC_NAME and DST_NAME are the input and output file names.
449 Return true if successful, false (with a diagnostic) otherwise. */
451 static bool
457 {
464 {
467 {
472 {
473 /* The input file grew; get its current size. */
478 /* If the input file shrank after growing, stop copying. */
483 }
484 }
485 /* If the input file must have grown, increase its measured size. */
496 {
498 {
501 ext_hole_size))
504 }
505 else
506 {
507 /* When not inducing holes and when there is a hole between
508 the end of the previous extent and the beginning of the
509 current one, write zeros to the destination file. */
511 {
515 }
516 }
517 }
523 /* Copy this extent, looking for further opportunities to not
524 bother to write zeros unless --sparse=never, since SEEK_HOLE
525 is conservative and may miss some holes. */
526 off_t n_read;
538 {
539 /* The input file shrank. */
542 }
547 }
549 /* When the source file ends with a hole, we have to do a little more work,
550 since the above copied only up to and including the final extent.
551 In order to complete the copy, we may have to insert a hole or write
552 zeros in the destination corresponding to the source file's hole-at-EOF.
554 In addition, if the final extent was a block of zeros at EOF and we've
555 just converted them to a hole in the destination, we must call ftruncate
556 here in order to record the proper length in the destination. */
561 {
564 }
568 {
571 }
575 cannot_lseek:
578 }
579 #endif
581 /* FIXME: describe */
582 /* FIXME: rewrite this to use a hash table so we avoid the quadratic
583 performance hit that's probably noticeable only on trees deeper
584 than a few hundred levels. See use of active_dir_map in remove.c */
586 ATTRIBUTE_PURE
587 static bool
589 {
591 {
595 }
597 }
599 static bool
601 {
603 }
605 #if USE_XATTR
607 static void
610 {
612 {
616 /* use verror module to print error message */
620 }
621 }
624 static void
627 {
631 /* use verror module to print error message */
635 }
639 {
641 }
643 static void
646 {
647 }
649 /* Exclude SELinux extended attributes that are otherwise handled,
650 and are problematic to copy again. Also honor attributes
651 configured for exclusion in /etc/xattr.conf.
652 FIXME: Should we handle POSIX ACLs similarly?
653 Return zero to skip. */
654 static int
656 {
659 }
661 /* If positive SRC_FD and DST_FD descriptors are passed,
662 then copy by fd, otherwise copy by name. */
664 static bool
667 {
674 # if 4 < __GNUC__ + (8 <= __GNUC_MINOR__)
675 /* Pacify gcc -Wsuggest-attribute=format through at least GCC 11.2.1. */
676 # pragma GCC diagnostic push
678 # endif
685 })
687 # if 4 < __GNUC__ + (8 <= __GNUC_MINOR__)
688 # pragma GCC diagnostic pop
689 # endif
694 }
697 static bool
703 {
705 }
708 /* Read the contents of the directory SRC_NAME_IN, and recursively
709 copy the contents to DST_NAME_IN aka DST_DIRFD+DST_RELNAME_IN.
710 NEW_DST is true if DST_NAME_IN is a directory
711 that was created previously in the recursion.
712 SRC_SB and ANCESTORS describe SRC_NAME_IN.
713 Set *COPY_INTO_SELF if SRC_NAME_IN is a parent of
714 (or the same as) DST_NAME_IN; otherwise, clear it.
715 Propagate *FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG from
716 caller to each invocation of copy_internal. Be careful to
717 pass the address of a temporary, and to update
718 *FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG only upon completion.
719 Return true if successful. */
721 static bool
728 {
736 {
737 /* This diagnostic is a bit vague because savedir can fail in
738 several different ways. */
741 }
743 /* For cp's -H option, dereference command line arguments, but do not
744 dereference symlinks that are found via recursive traversal. */
751 {
769 /* If we're copying into self, there's no point in continuing,
770 and in fact, that would even infloop, now that we record only
771 the first created directory per command line argument. */
777 }
782 }
784 /* Set the owner and owning group of DEST_DESC to the st_uid and
785 st_gid fields of SRC_SB. If DEST_DESC is undefined (-1), set
786 the owner and owning group of DST_NAME aka DST_DIRFD+DST_RELNAME
787 instead; for safety prefer lchownat since no
788 symbolic links should be involved. DEST_DESC must
789 refer to the same file as DST_NAME if defined.
790 Upon failure to set both UID and GID, try to set only the GID.
791 NEW_DST is true if the file was newly created; otherwise,
792 DST_SB is the status of the destination.
793 Return 1 if the initial syscall succeeds, 0 if it fails but it's OK
794 not to preserve ownership, -1 otherwise. */
796 static int
801 {
805 /* Naively changing the ownership of an already-existing file before
806 changing its permissions would create a window of vulnerability if
807 the file's old permissions are too generous for the new owner and
808 group. Avoid the window by first changing to a restrictive
809 temporary mode if necessary. */
812 {
814 mode_t new_mode =
822 {
827 }
828 }
831 {
835 {
836 /* We've failed to set *both*. Now, try to set just the group
837 ID, but ignore any failure here, and don't change errno. */
841 }
842 }
843 else
844 {
848 {
849 /* We've failed to set *both*. Now, try to set just the group
850 ID, but ignore any failure here, and don't change errno. */
854 }
855 }
858 {
863 }
866 }
868 /* Set the st_author field of DEST_DESC to the st_author field of
869 SRC_SB. If DEST_DESC is undefined (-1), set the st_author field
870 of DST_NAME instead. DEST_DESC must refer to the same file as
871 DST_NAME if defined. */
873 static void
875 {
876 #if HAVE_STRUCT_STAT_ST_AUTHOR
877 /* FIXME: Modify the following code so that it does not
878 follow symbolic links. */
880 /* Preserve the st_author field. */
886 else
887 {
893 }
894 #else
898 #endif
899 }
901 /* Set the default security context for the process. New files will
902 have this security context set. Also existing files can have their
903 context adjusted based on this process context, by
904 set_file_security_ctx() called with PROCESS_LOCAL=true.
905 This should be called before files are created so there is no race
906 where a file may be present without an appropriate security context.
907 Based on CP_OPTIONS, diagnose warnings and fail when appropriate.
908 Return FALSE on failure, TRUE on success. */
910 bool
913 {
915 {
916 /* Set the default context for the process to match the source. */
922 {
924 {
930 {
933 }
934 }
936 }
937 else
938 {
940 {
944 }
947 }
948 }
950 {
951 /* With -Z, adjust the default context for the process
952 to have the type component adjusted as per the destination path. */
955 {
959 }
960 }
963 }
965 /* Reset the security context of DST_NAME, to that already set
966 as the process default if !X->set_security_context. Otherwise
967 adjust the type component of DST_NAME's security context as
968 per the system default for that path. Issue warnings upon
969 failure, when allowed by various settings in X.
970 Return false on failure, true on success. */
972 bool
975 {
981 {
986 }
989 }
991 /* Change the file mode bits of the file identified by DESC or
992 DIRFD+NAME to MODE. Use DESC if DESC is valid and fchmod is
993 available, DIRFD+NAME otherwise. */
995 static int
997 {
998 #if HAVE_FCHMOD
1001 #endif
1003 }
1005 #ifndef HAVE_STRUCT_STAT_ST_BLOCKS
1006 # define HAVE_STRUCT_STAT_ST_BLOCKS 0
1007 #endif
1009 /* Type of scan being done on the input when looking for sparseness. */
1010 enum scantype
1011 {
1012 /* An error was found when determining scantype. */
1013 ERROR_SCANTYPE,
1015 /* No fancy scanning; just read and write. */
1016 PLAIN_SCANTYPE,
1018 /* Read and examine data looking for zero blocks; useful when
1019 attempting to create sparse output. */
1020 ZERO_SCANTYPE,
1022 /* lseek information is available. */
1023 LSEEK_SCANTYPE,
1024 };
1026 /* Result of infer_scantype. */
1027 union scan_inference
1028 {
1029 /* Used if infer_scantype returns LSEEK_SCANTYPE. This is the
1030 offset of the first data block, or -1 if the file has no data. */
1031 off_t ext_start;
1032 };
1034 /* Return how to scan a file with descriptor FD and stat buffer SB.
1035 Store any information gathered into *SCAN_INFERENCE. */
1036 static enum scantype
1039 {
1045 #ifdef SEEK_HOLE
1051 #endif
1054 }
1057 /* Copy a regular file from SRC_NAME to DST_NAME aka DST_DIRFD+DST_RELNAME.
1058 If the source file contains holes, copies holes and blocks of zeros
1059 in the source file as holes in the destination file.
1060 (Holes are read as zeroes by the 'read' system call.)
1061 When creating the destination, use DST_MODE & ~OMITTED_PERMISSIONS
1062 as the third argument in the call to open, adding
1063 OMITTED_PERMISSIONS after copying as needed.
1064 X provides many option settings.
1065 Return true if successful.
1066 *NEW_DST is initially as in copy_internal.
1067 If successful, set *NEW_DST to true if the destination file was created and
1068 to false otherwise; if unsuccessful, perhaps set *NEW_DST to some value.
1069 SRC_SB is the result of calling follow_fstatat on SRC_NAME. */
1071 static bool
1077 {
1083 mode_t extra_permissions;
1095 {
1098 }
1101 {
1105 }
1107 /* Compare the source dev/ino from the open file to the incoming,
1108 saved ones obtained via a previous call to stat. */
1110 {
1116 }
1118 /* The semantics of the following open calls are mandated
1119 by the specs for both cp and mv. */
1121 {
1127 /* When using cp --preserve=context to copy to an existing destination,
1128 reset the context as per the default context, which has already been
1129 set according to the src.
1130 When using the mutually exclusive -Z option, then adjust the type of
1131 the existing context according to the system default for the dest.
1132 Note we set the context here, _after_ the file is opened, lest the
1133 new context disallow that. */
1136 {
1138 {
1140 {
1143 }
1144 }
1145 }
1149 {
1151 {
1154 }
1156 {
1160 }
1163 }
1166 {
1167 /* Ensure there is no race where a file may be left without
1168 an appropriate security context. */
1170 {
1173 {
1176 }
1177 }
1179 /* Tell caller that the destination file is created. */
1181 }
1182 }
1185 {
1186 #if HAVE_FCLONEFILEAT && !USE_XATTR
1193 #endif
1195 /* To allow copying xattrs on read-only files, create with u+w.
1196 This satisfies an inode permission check done by
1197 xattr_permission in fs/xattr.c of the GNU/Linux kernel. */
1198 mode_t open_mode =
1205 open_mode);
1208 /* When trying to copy through a dangling destination symlink,
1209 the above open fails with EEXIST. If that happens, and
1210 readlinkat shows that it is a symlink, then we
1211 have a problem: trying to resolve this dangling symlink to
1212 a directory/destination-entry pair is fundamentally racy,
1213 so punt. If x->open_dangling_dest_symlink is set (cp sets
1214 that when POSIXLY_CORRECT is set in the environment), simply
1215 call open again, but without O_EXCL (potentially dangerous).
1216 If not, fail with a diagnostic. These shenanigans are necessary
1217 only when copying, i.e., not in move_mode. */
1219 {
1222 {
1224 {
1228 }
1229 else
1230 {
1235 }
1236 }
1237 }
1239 /* Improve quality of diagnostic when a nonexistent dst_name
1240 ends in a slash and open fails with errno == EISDIR. */
1244 }
1245 else
1246 {
1248 }
1251 {
1256 }
1258 /* --attributes-only overrides --reflink. */
1260 {
1264 {
1269 }
1270 }
1275 {
1279 }
1281 /* If extra permissions needed for copy_xattr didn't happen (e.g.,
1282 due to umask) chmod to add them temporarily; if that fails give
1283 up with extra permissions, letting copy_attr fail later. */
1291 {
1292 /* Choose a suitable buffer size; it may be adjusted later. */
1296 /* Deal with sparse files. */
1300 {
1304 }
1305 bool make_holes
1313 /* If not making a sparse file, try to use a more-efficient
1314 buffer size. */
1316 {
1317 /* Compute the least common multiple of the input and output
1318 buffer sizes, adjusting for outlandish values. */
1321 blcm_max);
1323 /* Do not bother with a buffer larger than the input file, plus one
1324 byte to make sure the file has not grown while reading it. */
1328 /* However, stick with a block size that is a positive multiple of
1329 blcm, overriding the above adjustments. Watch out for
1330 overflow. */
1335 }
1339 off_t n_read;
1342 #ifdef SEEK_HOLE
1343 scantype == LSEEK_SCANTYPE
1349 :
1350 #endif
1357 {
1360 }
1362 {
1366 }
1367 }
1370 {
1376 {
1379 {
1382 }
1383 }
1384 }
1386 /* Set ownership before xattrs as changing owners will
1387 clear capabilities. */
1389 {
1392 {
1400 }
1401 }
1404 {
1408 }
1413 {
1417 }
1419 {
1422 }
1424 {
1427 }
1429 {
1435 {
1440 }
1441 }
1443 close_src_and_dst_desc:
1445 {
1448 }
1449 close_src_desc:
1451 {
1454 }
1458 }
1460 /* Return whether it's OK that two files are the "same" by some measure.
1461 The first file is SRC_NAME and has status SRC_SB.
1462 The second is DST_DIRFD+DST_RELNAME and has status DST_SB.
1463 The copying options are X. The goal is to avoid
1464 making the 'copy' operation remove both copies of the file
1465 in that case, while still allowing the user to e.g., move or
1466 copy a regular file onto a symlink that points to it.
1467 Try to minimize the cost of this function in the common case.
1468 Set *RETURN_NOW if we've determined that the caller has no more
1469 work to do and should return successfully, right away. */
1471 static bool
1475 {
1486 /* FIXME: this should (at the very least) be moved into the following
1487 if-block. More likely, it should be removed, because it inhibits
1488 making backups. But removing it will result in a change in behavior
1489 that will probably have to be documented -- and tests will have to
1490 be updated. */
1492 {
1495 }
1498 {
1501 /* If both the source and destination files are symlinks (and we'll
1502 know this here IFF preserving symlinks), then it's usually ok
1503 when they are distinct. */
1505 {
1508 {
1509 /* It's fine when we're making any type of backup. */
1513 /* Here we have two symlinks that are hard-linked together,
1514 and we're not making backups. In this unusual case, simply
1515 returning true would lead to mv calling "rename(A,B)",
1516 which would do nothing and return 0. */
1518 {
1521 }
1522 }
1525 }
1529 }
1530 else
1531 {
1544 /* If both are symlinks, then it's ok, but only if the destination
1545 will be unlinked before being opened. This is like the test
1546 above, but with the addition of the unlink_dest_before_opening
1547 conjunct because otherwise, with two symlinks to the same target,
1548 we'd end up truncating the source file. */
1552 }
1554 /* The backup code ensures there's a copy, so it's usually ok to
1555 remove any destination file. One exception is when both
1556 source and destination are the same directory entry. In that
1557 case, moving the destination file aside (in making the backup)
1558 would also rename the source file and result in an error. */
1560 {
1562 {
1563 /* In copy mode when dereferencing symlinks, if the source is a
1564 symlink and the dest is not, then backing up the destination
1565 (moving it aside) would make it a dangling symlink, and the
1566 subsequent attempt to open it in copy_reg would fail with
1567 a misleading diagnostic. Avoid that by returning zero in
1568 that case so the caller can make cp (or mv when it has to
1569 resort to reading the source file) fail now. */
1571 /* FIXME-note: even with the following kludge, we can still provoke
1572 the offending diagnostic. It's just a little harder to do :-)
1573 $ rm -f a b c; touch c; ln -s c b; ln -s b a; cp -b a b
1574 cp: cannot open 'a' for reading: No such file or directory
1575 That's misleading, since a subsequent 'ls' shows that 'a'
1576 is still there.
1577 One solution would be to open the source file *before* moving
1578 aside the destination, but that'd involve a big rewrite. */
1586 }
1588 /* FIXME: What about case insensitive file systems ? */
1590 }
1592 #if 0
1593 /* FIXME: use or remove */
1595 /* If we're making a backup, we'll detect the problem case in
1596 copy_reg because SRC_NAME will no longer exist. Allowing
1597 the test to be deferred lets cp do some useful things.
1598 But when creating hardlinks and SRC_NAME is a symlink
1599 but DST_RELNAME is not we must test anyway. */
1607 #endif
1610 {
1611 /* They may refer to the same file if we're in move mode and the
1612 target is a symlink. That is ok, since we remove any existing
1613 destination file before opening it -- via 'rename' if they're on
1614 the same file system, via unlinkat otherwise. */
1618 /* It's not ok if they're distinct hard links to the same file as
1619 this causes a race condition and we may lose data in this case. */
1624 }
1626 /* If neither is a symlink, then it's ok as long as they aren't
1627 hard links to the same file. */
1629 {
1633 /* If they are the same file, it's ok if we're making hard links. */
1635 {
1638 }
1639 }
1641 /* At this point, it is normally an error (data loss) to move a symlink
1642 onto its referent, but in at least one narrow case, it is not:
1643 In move mode, when
1644 1) src is a symlink,
1645 2) dest has a link count of 2 or more and
1646 3) dest and the referent of src are not the same directory entry,
1647 then it's ok, since while we'll lose one of those hard links,
1648 src will still point to a remaining link.
1649 Note that technically, condition #3 obviates condition #2, but we
1650 retain the 1 < st_nlink condition because that means fewer invocations
1651 of the more expensive #3.
1653 Given this,
1654 $ touch f && ln f l && ln -s f s
1655 $ ls -og f l s
1656 -rw-------. 2 0 Jan 4 22:46 f
1657 -rw-------. 2 0 Jan 4 22:46 l
1658 lrwxrwxrwx. 1 1 Jan 4 22:46 s -> f
1659 this must fail: mv s f
1660 this must succeed: mv s l */
1664 {
1667 {
1672 }
1673 }
1675 /* It's ok to recreate a destination symlink. */
1680 {
1695 {
1696 /* It's ok to attempt to hardlink the same file,
1697 and return early if not replacing a symlink.
1698 Note we need to return early to avoid a later
1699 unlink() of DST (when SRC is a symlink). */
1702 }
1703 }
1706 }
1708 /* Return whether DST_DIRFD+DST_RELNAME, with mode MODE,
1709 is writable in the sense of 'mv'.
1710 Always consider a symbolic link to be writable. */
1711 static bool
1713 {
1717 }
1719 static bool
1723 {
1725 {
1737 }
1738 else
1739 {
1742 }
1745 }
1747 /* Initialize the hash table implementing a set of F_triple entries
1748 corresponding to destination files. */
1751 {
1752 x->dest_info
1754 NULL,
1755 triple_hash,
1756 triple_compare,
1757 triple_free);
1760 }
1762 #ifdef lint
1765 {
1769 }
1770 #endif
1772 /* Initialize the hash table implementing a set of F_triple entries
1773 corresponding to source files listed on the command line. */
1776 {
1778 /* Note that we use triple_hash_no_name here.
1779 Contrast with the use of triple_hash above.
1780 That is necessary because a source file may be specified
1781 in many different ways. We want to warn about this
1782 cp a a d/
1783 as well as this:
1784 cp a ./a d/
1785 */
1786 x->src_info
1788 NULL,
1789 triple_hash_no_name,
1790 triple_compare,
1791 triple_free);
1794 }
1796 #ifdef lint
1799 {
1803 }
1804 #endif
1806 /* When effecting a move (e.g., for mv(1)), and given the name DST_NAME
1807 aka DST_DIRFD+DST_RELNAME
1808 of the destination and a corresponding stat buffer, DST_SB, return
1809 true if the logical 'move' operation should _not_ proceed.
1810 Otherwise, return false.
1811 Depending on options specified in X, this code may issue an
1812 interactive prompt asking whether it's ok to overwrite DST_NAME. */
1813 static bool
1818 {
1827 }
1829 /* Print --verbose output on standard output, e.g. 'new' -> 'old'.
1830 If BACKUP_DST_NAME is non-NULL, then also indicate that it is
1831 the name of a backup file. */
1832 static void
1834 {
1839 }
1841 /* A wrapper around "setfscreatecon (NULL)" that exits upon failure. */
1842 static void
1844 {
1848 }
1850 /* Return a newly-allocated string that is like STR
1851 except replace its suffix SUFFIX with NEWSUFFIX. */
1854 {
1860 }
1862 /* Create a hard link to SRC_NAME aka SRC_DIRFD+SRC_RELNAME;
1863 the new link is at DST_NAME aka DST_DIRFD+DST_RELNAME.
1864 A null SRC_NAME stands for the file whose name is like DST_NAME
1865 except with DST_RELNAME replaced with SRC_RELNAME.
1866 Honor the REPLACE, VERBOSE and DEREFERENCE settings.
1867 Return true upon success. Otherwise, diagnose the
1868 failure and return false. If SRC_NAME is a symbolic link, then it will not
1869 be followed unless DEREFERENCE is true.
1870 If the system doesn't support hard links to symbolic links, then DST_NAME
1871 will be created as a symbolic link to SRC_NAME. */
1872 static bool
1876 {
1881 {
1886 src_relname);
1891 }
1895 }
1897 /* Return true if the current file should be (tried to be) dereferenced:
1898 either for DEREF_ALWAYS or for DEREF_COMMAND_LINE_ARGUMENTS in the case
1899 where the current file is a COMMAND_LINE_ARG; otherwise return false. */
1900 ATTRIBUTE_PURE
1903 {
1907 }
1909 /* Return true if the source file with basename SRCBASE and status SRC_ST
1910 is likely to be the simple backup file for DST_DIRFD+DST_RELNAME. */
1911 static bool
1914 {
1925 simple_backup_suffix);
1930 }
1932 /* Copy the file SRC_NAME to the file DST_NAME aka DST_DIRFD+DST_RELNAME.
1933 If NONEXISTENT_DST is positive, DST_NAME does not exist even as a
1934 dangling symlink; if negative, it does not exist except possibly
1935 as a dangling symlink; if zero, its existence status is unknown.
1936 A non-null PARENT describes the parent directory.
1937 ANCESTORS points to a linked, null terminated list of
1938 devices and inodes of parent directories of SRC_NAME.
1939 X summarizes the command-line options.
1940 COMMAND_LINE_ARG means SRC_NAME was specified on the command line.
1941 FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG is both input and output.
1942 Set *COPY_INTO_SELF if SRC_NAME is a parent of (or the
1943 same as) DST_NAME; otherwise, clear it.
1944 If X->move_mode, set *RENAME_SUCCEEDED according to whether
1945 the source was simply renamed to the destination.
1946 Return true if successful. */
1947 static bool
1958 {
1963 mode_t dst_mode_bits;
1964 mode_t omitted_permissions;
1973 /* Whether the destination is (or was) known to be new, updated as
1974 more info comes in. This may become true if the destination is a
1975 dangling symlink, in contexts where dangling symlinks should be
1976 treated the same as nonexistent files. */
1983 {
1986 RENAME_NOREPLACE)
1989 }
1994 {
1998 int fstatat_flags
2001 {
2004 }
2009 {
2015 }
2016 }
2017 #ifdef lint
2018 else
2019 {
2022 }
2023 #endif
2025 /* Detect the case in which the same source file appears more than
2026 once on the command line and no backup option has been selected.
2027 If so, simply warn and don't copy it the second time.
2028 This check is enabled only if x->src_info is non-NULL. */
2030 {
2034 {
2038 }
2041 }
2046 {
2048 {
2049 /* Regular files can be created by writing through symbolic
2050 links, but other files cannot. So use stat on the
2051 destination when copying a regular file, and lstat otherwise.
2052 However, if we intend to unlink or remove the destination
2053 first, use lstat, since a copy won't actually be made to the
2054 destination in that case. */
2055 bool use_lstat
2066 fstatat_flags)
2068 {
2071 }
2072 else
2073 {
2077 {
2080 }
2081 else
2083 }
2084 }
2087 {
2093 {
2097 }
2100 {
2101 /* When preserving timestamps (but not moving within a file
2102 system), don't worry if the destination timestamp is
2103 less than the source merely because of timestamp
2104 truncation. */
2108 ? UTIMECMP_TRUNCATE_SOURCE
2113 {
2114 /* We're using --update and the destination is not older
2115 than the source, so do not copy or move. Pretend the
2116 rename succeeded, so the caller (if it's mv) doesn't
2117 end up removing the source file. */
2121 /* However, we still must record that we've processed
2122 this src/dest pair, in case this source file is
2123 hard-linked to another one. In that case, we'll use
2124 the mapping information to link the corresponding
2125 destination names. */
2129 {
2130 /* Note we currently replace DST_NAME unconditionally,
2131 even if it was a newer separate file. */
2136 {
2138 }
2139 }
2142 }
2143 }
2145 /* When there is an existing destination file, we may end up
2146 returning early, and hence not copying/moving the file.
2147 This may be due to an interactive 'negative' reply to the
2148 prompt about the existing file. It may also be due to the
2149 use of the --no-clobber option.
2151 cp and mv treat -i and -f differently. */
2153 {
2155 {
2156 /* Pretend the rename succeeded, so the caller (mv)
2157 doesn't end up removing the source file. */
2161 }
2162 }
2163 else
2164 {
2171 }
2177 {
2179 {
2181 {
2182 /* Moving a directory onto an existing
2183 non-directory is ok only with --backup. */
2184 }
2185 else
2186 {
2191 }
2192 }
2194 /* Don't let the user destroy their data, even if they try hard:
2195 This mv command must fail (likewise for cp):
2196 rm -rf a b c; mkdir a b c; touch a/f b/f; mv a/f b/f c
2197 Otherwise, the contents of b/f would be lost.
2198 In the case of 'cp', b/f would be lost if the user simulated
2199 a move using cp and rm.
2200 Note that it works fine if you use --backup=numbered. */
2204 {
2209 }
2210 }
2213 {
2215 {
2217 {
2218 /* Moving a non-directory onto an existing
2219 directory is ok only with --backup. */
2220 }
2221 else
2222 {
2227 }
2228 }
2229 }
2232 {
2233 /* Don't allow user to move a directory onto a non-directory. */
2236 {
2241 }
2242 }
2246 /* Don't try to back up a destination if the last
2247 component of src_name is "." or "..". */
2249 /* Create a backup of each destination directory in move mode,
2250 but not in copy mode. FIXME: it might make sense to add an
2251 option to suppress backup creation also for move mode.
2252 That would let one use mv to merge new content into an
2253 existing hierarchy. */
2255 {
2256 /* Fail if creating the backup file would likely destroy
2257 the source file. Otherwise, the commands:
2258 cd /tmp; rm -f a a~; : > a; echo A > a~; cp --b=simple a~ a
2259 would leave two zero-length files: a and a~. */
2263 {
2272 }
2277 /* FIXME: use fts:
2278 Using alloca for a file name that may be arbitrarily
2279 long is not recommended. In fact, even forming such a name
2280 should be discouraged. Eventually, this code will be rewritten
2281 to use fts, so using alloca here will be less of a problem. */
2283 {
2290 }
2292 {
2295 }
2297 }
2299 /* Never unlink dst_name when in move mode. */
2306 ))
2307 {
2309 {
2312 }
2316 }
2317 }
2318 }
2320 /* Ensure we don't try to copy through a symlink that was
2321 created by a prior call to this function. */
2326 {
2331 /* If we did not follow symlinks above, good: use that data.
2332 Otherwise, call lstatat here, in case dst_name is a symlink. */
2335 else
2336 {
2339 else
2341 }
2343 /* Never copy through a symlink we've just created. */
2347 {
2352 }
2353 }
2355 /* If the source is a directory, we don't always create the destination
2356 directory. So --verbose should not announce anything until we're
2357 sure we'll create a directory. Also don't announce yet when moving
2358 so we can distinguish renames versus copies. */
2362 /* Associate the destination file name with the source device and inode
2363 so that if we encounter a matching dev/ino pair in the source tree
2364 we can arrange to create a hard link between the corresponding names
2365 in the destination tree.
2367 When using the --link (-l) option, there is no need to take special
2368 measures, because (barring race conditions) files that are hard-linked
2369 in the source tree will also be hard-linked in the destination tree.
2371 Sometimes, when preserving links, we have to record dev/ino even
2372 though st_nlink == 1:
2373 - when in move_mode, since we may be moving a group of N hard-linked
2374 files (via two or more command line arguments) to a different
2375 partition; the links may be distributed among the command line
2376 arguments (possibly hierarchies) so that the link count of
2377 the final, once-linked source file is reduced to 1 when it is
2378 considered below. But in this case (for mv) we don't need to
2379 incur the expense of recording the dev/ino => name mapping; all we
2380 really need is a lookup, to see if the dev/ino pair has already
2381 been copied.
2382 - when using -H and processing a command line argument;
2383 that command line argument could be a symlink pointing to another
2384 command line argument. With 'cp -H --preserve=link', we hard-link
2385 those two destination files.
2386 - likewise for -L except that it applies to all files, not just
2387 command line arguments.
2389 Also, with --recursive, record dev/ino of each command-line directory.
2390 We'll use that info to detect this problem: cp -R dir dir. */
2395 {
2399 else
2401 }
2403 {
2405 }
2409 || (command_line_arg
2412 {
2415 }
2417 /* Did we copy this inode somewhere else (in this command line argument)
2418 and therefore this is a second hard link to the inode? */
2421 {
2422 /* Avoid damaging the destination file system by refusing to preserve
2423 hard-linked directories (which are found at least in Netapp snapshot
2424 directories). */
2426 {
2427 /* If src_name and earlier_file refer to the same directory entry,
2428 then warn about copying a directory into itself. */
2430 {
2436 }
2439 {
2443 /* In move mode, if a previous rename succeeded, then
2444 we won't be in this path as the source is missing. If the
2445 rename previously failed, then that has been handled, so
2446 pretend this attempt succeeded so the source isn't removed. */
2449 /* We only do backups in move mode, and for non directories.
2450 So just ignore this repeated entry. */
2452 }
2454 || (command_line_arg
2456 {
2457 /* This happens when e.g., encountering a directory for the
2458 second or subsequent time via symlinks when cp is invoked
2459 with -R and -L. E.g.,
2460 rm -rf a b c d; mkdir a b c d; ln -s ../c a; ln -s ../c b;
2461 cp -RL a b d
2462 */
2463 }
2464 else
2465 {
2467 earlier_file);
2472 }
2473 }
2474 else
2475 {
2482 }
2483 }
2486 {
2493 {
2495 {
2498 }
2501 {
2502 /* -Z failures are only warnings currently. */
2504 }
2510 {
2511 /* Record destination dev/ino/name, so that if we are asked
2512 to overwrite that file again, we can detect it and fail. */
2513 /* It's fine to use the _source_ stat buffer (src_sb) to get the
2514 _destination_ dev/ino, since the rename above can't have
2515 changed those, and 'mv' always uses lstat.
2516 We could limit it further by operating
2517 only on non-directories. */
2519 }
2522 }
2524 /* FIXME: someday, consider what to do when moving a directory into
2525 itself but when source and destination are on different devices. */
2527 /* This happens when attempting to rename a directory to a
2528 subdirectory of itself. */
2530 {
2531 /* FIXME: this is a little fragile in that it relies on rename(2)
2532 failing with a specific errno value. Expect problems on
2533 non-POSIX systems. */
2538 /* Note that there is no need to call forget_created here,
2539 (compare with the other calls in this file) since the
2540 destination directory didn't exist before. */
2543 /* FIXME-cleanup: Don't return true here; adjust mv.c accordingly.
2544 The only caller that uses this code (mv.c) ends up setting its
2545 exit status to nonzero when copy_into_self is nonzero. */
2547 }
2549 /* WARNING: there probably exist systems for which an inter-device
2550 rename fails with a value of errno not handled here.
2551 If/as those are reported, add them to the condition below.
2552 If this happens to you, please do the following and send the output
2553 to the bug-reporting address (e.g., in the output of cp --help):
2554 touch k; perl -e 'rename "k","/tmp/k" or print "$!(",$!+0,")\n"'
2555 where your current directory is on one partition and /tmp is the other.
2556 Also, please try to find the E* errno macro name corresponding to
2557 the diagnostic and parenthesized integer, and include that in your
2558 e-mail. One way to do that is to run a command like this
2559 find /usr/include/. -type f \
2560 | xargs grep 'define.*\<E[A-Z]*\>.*\<18\>' /dev/null
2561 where you'd replace '18' with the integer in parentheses that
2562 was output from the perl one-liner above.
2563 If necessary, of course, change '/tmp' to some other directory. */
2565 {
2566 /* There are many ways this can happen due to a race condition.
2567 When something happens between the initial follow_fstatat and the
2568 subsequent rename, we can get many different types of errors.
2569 For example, if the destination is initially a non-directory
2570 or non-existent, but it is created as a directory, the rename
2571 fails. If two 'mv' commands try to rename the same file at
2572 about the same time, one will succeed and the other will fail.
2573 If the permissions on the directory containing the source or
2574 destination file are made too restrictive, the rename will
2575 fail. Etc. */
2581 }
2583 /* The rename attempt has failed. Remove any existing destination
2584 file so that a cross-device 'mv' acts as if it were really using
2585 the rename syscall. Note both src and dst must both be directories
2586 or not, and this is enforced above. Therefore we check the src_mode
2587 and operate on dst_name here as a tighter constraint and also because
2588 src_mode is readily available here. */
2593 {
2599 }
2602 {
2605 }
2607 }
2609 /* If the ownership might change, or if it is a directory (whose
2610 special mode bits may change after the directory is created),
2611 omit some permissions at first, so unauthorized users cannot nip
2612 in before the file is ready. */
2614 omitted_permissions =
2615 (dst_mode_bits
2622 /* If required, set the default security context for new files.
2623 Also for existing files this is used as a reference
2624 when copying the context with --preserve=context.
2625 FIXME: Do we need to consider dst_mode_bits here? */
2630 {
2633 /* If this directory has been copied before during the
2634 recursion, there is a symbolic link to an ancestor
2635 directory of the symbolic link. It is impossible to
2636 continue to copy this, unless we've got an infinite file system. */
2639 {
2643 }
2645 /* Insert the current directory in the list of parents. */
2653 {
2654 /* POSIX says mkdir's behavior is implementation-defined when
2655 (src_mode & ~S_IRWXUGO) != 0. However, common practice is
2656 to ask mkdir to copy all the CHMOD_MODE_BITS, letting mkdir
2657 decide what to do with S_ISUID | S_ISGID | S_ISVTX. */
2660 {
2664 }
2666 /* We need search and write permissions to the new directory
2667 for writing the directory's contents. Check if these
2668 permissions are there. */
2671 {
2674 }
2676 {
2677 /* Make the new directory searchable and writable. */
2683 {
2687 }
2688 }
2690 /* Record the created directory's inode and device numbers into
2691 the search structure, so that we can avoid copying it again.
2692 Do this only for the first directory that is created for each
2693 source command line argument. */
2695 {
2698 }
2701 {
2704 else
2706 }
2707 }
2708 else
2709 {
2712 /* For directories, the process global context could be reset for
2713 descendents, so use it to set the context for existing dirs here.
2714 This will also give earlier indication of failure to set ctx. */
2717 {
2720 }
2721 }
2723 /* Decide whether to copy the contents of the directory. */
2725 {
2726 /* Here, we are crossing a file system boundary and cp's -x option
2727 is in effect: so don't copy the contents of this directory. */
2728 }
2729 else
2730 {
2731 /* Copy the contents of the directory. Don't just return if
2732 this fails -- otherwise, the failure to read a single file
2733 in a source directory would cause the containing destination
2734 directory not to have owner/perms set properly. */
2737 first_dir_created_per_command_line_arg,
2738 copy_into_self);
2739 }
2740 }
2742 {
2745 {
2746 /* Check that DST_NAME denotes a file in the current directory. */
2755 /* If either stat call fails, it's ok not to report
2756 the failure and say dst_name is in the current
2757 directory. Other things will fail later. */
2765 {
2770 }
2771 }
2776 {
2780 }
2781 }
2783 /* POSIX 2008 states that it is implementation-defined whether
2784 link() on a symlink creates a hard-link to the symlink, or only
2785 to the referent (effectively dereferencing the symlink) (POSIX
2786 2001 required the latter behavior, although many systems provided
2787 the former). Yet cp, invoked with '--link --no-dereference',
2788 should not follow the link. We can approximate the desired
2789 behavior by skipping this hard-link creating block and instead
2790 copying the symlink, via the 'S_ISLNK'- copying code below.
2792 Note gnulib's linkat module, guarantees that the symlink is not
2793 dereferenced. However its emulation currently doesn't maintain
2794 timestamps or ownership so we only call it when we know the
2795 emulation will not be needed. */
2799 {
2806 }
2809 {
2811 /* POSIX says the permission bits of the source file must be
2812 used as the 3rd argument in the open call. Historical
2813 practice passed all the source mode bits to 'open', but the extra
2814 bits were ignored, so it should be the same either way.
2816 This call uses DST_MODE_BITS, not SRC_MODE. These are
2817 normally the same, and the exception (where x->set_mode) is
2818 used only by 'install', which POSIX does not specify and
2819 where DST_MODE_BITS is what's wanted. */
2824 }
2826 {
2827 /* Use mknodat, rather than mkfifoat, because the former preserves
2828 the special mode bits of a fifo on Solaris 10, while mkfifoat
2829 does not. But fall back on mkfifoat, because on some BSD systems,
2830 mknodat always fails when asked to create a FIFO. */
2834 {
2837 }
2838 }
2840 {
2843 {
2847 }
2848 }
2850 {
2854 {
2858 }
2864 {
2865 /* See if the destination is already the desired symlink.
2866 FIXME: This behavior isn't documented, and seems wrong
2867 in some cases, e.g., if the destination symlink has the
2868 wrong ownership, permissions, or timestamps. */
2872 {
2876 }
2877 }
2880 {
2884 }
2890 {
2891 /* Preserve the owner and group of the just-'copied'
2892 symbolic link, if possible. */
2898 {
2900 dst_name);
2903 }
2904 else
2905 {
2906 /* Can't preserve ownership of symlinks.
2907 FIXME: maybe give a warning or even error for symlinks
2908 in directories with the sticky bit set -- there, not
2909 preserving owner/group is a potential security problem. */
2910 }
2911 }
2912 }
2913 else
2914 {
2917 }
2919 /* With -Z or --preserve=context, set the context for existing files.
2920 Note this is done already for copy_reg() for reasons described therein. */
2923 {
2925 {
2928 }
2929 }
2932 {
2933 /* Now that the destination file is very likely to exist,
2934 add its info to the set. */
2938 }
2940 /* If we've just created a hard-link due to cp's --link option,
2941 we're done. */
2950 /* POSIX says that 'cp -p' must restore the following:
2951 - permission bits
2952 - setuid, setgid bits
2953 - owner and group
2954 If it fails to restore any of those, we may give a warning but
2955 the destination must not be removed.
2956 FIXME: implement the above. */
2958 /* Adjust the times (and if possible, ownership) for the copy.
2959 chown turns off set[ug]id bits for non-root,
2960 so do the chmod last. */
2963 {
2970 {
2974 }
2975 }
2977 /* Avoid calling chown if we know it's not necessary. */
2980 {
2983 {
2990 }
2991 }
2993 /* Set xattrs after ownership as changing owners will clear capabilities. */
2998 /* The operations beyond this point may dereference a symlink. */
3005 {
3009 }
3011 {
3014 }
3016 {
3021 }
3022 else
3023 {
3025 {
3029 {
3030 /* Permissions were deliberately omitted when the file
3031 was created due to security concerns. See whether
3032 they need to be re-added now. It'd be faster to omit
3033 the lstat, but deducing the current destination mode
3034 is tricky in the presence of implementation-defined
3035 rules for special mode bits. */
3037 {
3040 }
3044 }
3045 }
3048 {
3051 {
3056 }
3057 }
3058 }
3062 un_backup:
3067 /* We have failed to create the destination file.
3068 If we've just added a dev/ino entry via the remember_copied
3069 call above (i.e., unless we've just failed to create a hard link),
3070 remove the entry associating the source dev/ino with the
3071 destination file name, so we don't try to 'preserve' a link
3072 to a file we didn't create. */
3077 {
3081 else
3082 {
3086 }
3087 }
3089 }
3091 ATTRIBUTE_PURE
3092 static bool
3094 {
3103 }
3105 /* Copy the file SRC_NAME to the file DST_NAME aka DST_DIRFD+DST_RELNAME.
3106 If NONEXISTENT_DST is positive, DST_NAME does not exist even as a
3107 dangling symlink; if negative, it does not exist except possibly
3108 as a dangling symlink; if zero, its existence status is unknown.
3109 OPTIONS summarizes the command-line options.
3110 Set *COPY_INTO_SELF if SRC_NAME is a parent of (or the
3111 same as) DST_NAME; otherwise, set clear it.
3112 If X->move_mode, set *RENAME_SUCCEEDED according to whether
3113 the source was simply renamed to the destination.
3114 Return true if successful. */
3121 {
3124 /* Record the file names: they're used in case of error, when copying
3125 a directory into itself. I don't like to make these tools do *any*
3126 extra work in the common case when that work is solely to handle
3127 exceptional cases, but in this case, I don't see a way to derive the
3128 top level source and destination directory names where they're used.
3129 An alternative is to use COPY_INTO_SELF and print the diagnostic
3130 from every caller -- but I don't want to do that. */
3140 }
3142 /* Set *X to the default options for a value of type struct cp_options. */
3146 {
3148 #ifdef PRIV_FILE_CHOWN
3149 {
3154 {
3157 }
3159 }
3160 #else
3162 #endif
3164 }
3166 /* Return true if it's OK for chown to fail, where errno is
3167 the error number that chown failed with and X is the copying
3168 option set. */
3172 {
3173 /* If non-root uses -p, it's ok if we can't preserve ownership.
3174 But root probably wants to know, e.g. if NFS disallows it,
3175 or if the target system doesn't support file ownership. */
3178 }
3180 /* Similarly, return true if it's OK for chmod and similar operations
3181 to fail, where errno is the error number that chmod failed with and
3182 X is the copying option set. */
3184 static bool
3186 {
3188 }
3190 /* Return the user's umask, caching the result.
3192 FIXME: If the destination's parent directory has has a default ACL,
3193 some operating systems (e.g., GNU/Linux's "POSIX" ACLs) use that
3194 ACL's mask rather than the process umask. Currently, the callers
3195 of cached_umask incorrectly assume that this situation cannot occur. */
3196 extern mode_t
3198 {
3201 {
3204 }
3206 }