| blob | 12845eefd6b144bd5177289ef038ecaa31799eef |
1 /* copy.c -- core functions for copying files and directories
2 Copyright (C) 1989-2024 Free Software Foundation, Inc.
4 This program is free software: you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation, either version 3 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <https://www.gnu.org/licenses/>. */
17 /* Extracted from cp.c and librarified by Jim Meyering. */
19 #include <config.h>
20 #include <stdio.h>
21 #include <sys/ioctl.h>
22 #include <sys/types.h>
23 #include <selinux/selinux.h>
25 #if HAVE_HURD_H
26 # include <hurd.h>
27 #endif
28 #if HAVE_PRIV_H
29 # include <priv.h>
30 #endif
66 #ifndef USE_XATTR
67 # define USE_XATTR false
68 #endif
70 #if USE_XATTR
71 # include <attr/error_context.h>
72 # include <attr/libattr.h>
73 # include <stdarg.h>
75 #endif
77 #if HAVE_LINUX_FALLOC_H
78 # include <linux/falloc.h>
79 #endif
81 /* See HAVE_FALLOCATE workaround when including this file. */
82 #ifdef HAVE_LINUX_FS_H
83 # include <linux/fs.h>
84 #endif
86 #if !defined FICLONE && defined __linux__
87 # define FICLONE _IOW (0x94, 9, int)
88 #endif
90 #if HAVE_FCLONEFILEAT && !USE_XATTR
91 # include <sys/clonefile.h>
92 #endif
94 #ifndef USE_ACL
95 # define USE_ACL 0
96 #endif
98 #define SAME_OWNER(A, B) ((A).st_uid == (B).st_uid)
99 #define SAME_GROUP(A, B) ((A).st_gid == (B).st_gid)
100 #define SAME_OWNER_AND_GROUP(A, B) (SAME_OWNER (A, B) && SAME_GROUP (A, B))
102 /* LINK_FOLLOWS_SYMLINKS is tri-state; if it is -1, we don't know
103 how link() behaves, so assume we can't hardlink symlinks in that case. */
104 #if (defined HAVE_LINKAT && ! LINKAT_SYMLINK_NOTSUP) || ! LINK_FOLLOWS_SYMLINKS
105 # define CAN_HARDLINK_SYMLINKS 1
106 #else
107 # define CAN_HARDLINK_SYMLINKS 0
108 #endif
110 struct dir_list
111 {
113 ino_t ino;
114 dev_t dev;
115 };
117 /* Initial size of the cp.dest_info hash table. */
118 #define DEST_INFO_INITIAL_CAPACITY 61
131 /* Pointers to the file names: they're used in the diagnostic that is issued
132 when we detect the user is trying to copy a directory into itself. */
136 enum copy_debug_val
137 {
138 COPY_DEBUG_UNKNOWN,
139 COPY_DEBUG_NO,
140 COPY_DEBUG_YES,
141 COPY_DEBUG_EXTERNAL,
142 COPY_DEBUG_EXTERNAL_INTERNAL,
143 COPY_DEBUG_AVOIDED,
144 COPY_DEBUG_UNSUPPORTED,
145 };
147 /* debug info about the last file copy. */
148 static struct copy_debug
149 {
157 {
159 {
165 }
166 }
170 {
172 {
178 }
179 }
181 /* Print --debug output on standard output. */
182 static void
184 {
190 }
192 #ifndef DEV_FD_MIGHT_BE_CHR
193 # define DEV_FD_MIGHT_BE_CHR false
194 #endif
196 /* Act like fstat (DIRFD, FILENAME, ST, FLAGS), except when following
197 symbolic links on Solaris-like systems, treat any character-special
198 device like /dev/fd/0 as if it were the file it is open on. */
199 static int
201 {
206 {
210 {
214 {
217 }
218 else
220 }
223 }
226 }
228 /* Attempt to punch a hole to avoid any permanent
229 speculative preallocation on file systems such as XFS.
230 Return values as per fallocate(2) except ENOSYS etc. are ignored. */
232 static int
234 {
236 /* +0 is to work around older <linux/fs.h> defining HAVE_FALLOCATE to empty. */
237 #if HAVE_FALLOCATE + 0
238 # if defined FALLOC_FL_PUNCH_HOLE && defined FALLOC_FL_KEEP_SIZE
243 # endif
244 #endif
246 }
248 /* Create a hole at the end of a file,
249 avoiding preallocation if requested. */
251 static bool
253 {
257 {
260 }
262 /* Some file systems (like XFS) preallocate when write extending a file.
263 I.e., a previous write() may have preallocated extra space
264 that the seek above will not discard. A subsequent write() could
265 then make this allocation permanent. */
267 {
270 }
273 }
276 /* Whether an errno value ERR, set by FICLONE or copy_file_range,
277 indicates that the copying operation has terminally failed, even
278 though it was invoked correctly (so that, e.g, EBADF cannot occur)
279 and even though !is_CLONENOTSUP (ERR). */
281 static bool
283 {
285 }
287 /* Similarly, whether ERR indicates that the copying operation is not
288 supported or allowed for this file or process, even though the
289 operation was invoked correctly. */
291 static bool
293 {
298 }
301 /* Copy the regular file open on SRC_FD/SRC_NAME to DST_FD/DST_NAME,
302 honoring the MAKE_HOLES setting and using the BUF_SIZE-byte buffer
303 *ABUF for temporary storage, allocating it lazily if *ABUF is null.
304 Copy no more than MAX_N_READ bytes.
305 Return true upon successful completion;
306 print a diagnostic and return false upon error.
307 Note that for best results, BUF should be "well"-aligned.
308 Set *LAST_WRITE_MADE_HOLE to true if the final operation on
309 DEST_FD introduced a hole. Set *TOTAL_N_READ to the number of
310 bytes read. */
311 static bool
317 {
326 /* If not looking for holes, use copy_file_range if functional,
327 but don't use if reflink disallowed as that may be implicit. */
330 {
331 /* Copy at most COPY_MAX bytes at a time; this is min
332 (SSIZE_MAX, SIZE_MAX) truncated to a value that is
333 surely aligned well. */
338 {
339 /* copy_file_range incorrectly returns 0 when reading from
340 the proc file system on the Linux kernel through at
341 least 5.6.19 (2020), so fall back on 'read' if the
342 input file seems empty. */
347 }
349 {
352 /* Consider operation unsupported only if no data copied.
353 For example, EPERM could occur if copy_file_range not enabled
354 in seccomp filters, so retry with a standard copy. EPERM can
355 also occur for immutable files, but that would only be in the
356 edge case where the file is made immutable after creating,
357 in which case the (more accurate) error is still shown. */
361 /* ENOENT was seen sometimes across CIFS shares, resulting in
362 no data being copied, but subsequent standard copies succeed. */
368 else
369 {
373 }
374 }
378 }
379 else
387 {
393 {
398 }
404 /* Loop over the input buffer in chunks of hole_size. */
410 {
421 {
426 {
428 {
432 }
433 }
434 else
435 {
438 }
444 {
450 else
452 }
453 }
455 {
457 {
460 }
461 }
465 }
469 /* It's tempting to break early here upon a short read from
470 a regular file. That would save the final read syscall
471 for each file. Unfortunately that doesn't work for
472 certain files in /proc or /sys with linux kernels. */
473 }
475 /* Ensure a trailing hole is created, so that subsequent
476 calls of sparse_copy() start at the correct offset. */
479 else
481 }
483 /* Perform the O(1) btrfs clone operation, if possible.
484 Upon success, return 0. Otherwise, return -1 and set errno. */
487 {
488 #ifdef FICLONE
490 #else
495 #endif
496 }
498 /* Write N_BYTES zero bytes to file descriptor FD. Return true if successful.
499 Upon write failure, set errno and return false. */
500 static bool
502 {
506 /* Attempt to use a relatively large calloc'd source buffer for
507 efficiency, but if that allocation fails, resort to a smaller
508 statically allocated one. */
510 {
514 {
517 }
518 }
521 {
526 }
529 }
531 #ifdef SEEK_HOLE
532 /* Perform an efficient extent copy, if possible. This avoids
533 the overhead of detecting holes in hole-introducing/preserving
534 copy, and thus makes copying sparse files much more efficient.
535 Copy from SRC_FD to DEST_FD, using *ABUF (of size BUF_SIZE) for a buffer.
536 Allocate *ABUF lazily if *ABUF is null.
537 Look for holes of size HOLE_SIZE in the input.
538 The input file is of size SRC_TOTAL_SIZE.
539 Use SPARSE_MODE to determine whether to create holes in the output.
540 SRC_NAME and DST_NAME are the input and output file names.
541 Return true if successful, false (with a diagnostic) otherwise. */
543 static bool
549 {
558 {
561 {
566 {
567 /* The input file grew; get its current size. */
572 /* If the input file shrank after growing, stop copying. */
577 }
578 }
579 /* If the input file must have grown, increase its measured size. */
590 {
592 {
595 ext_hole_size))
598 }
599 else
600 {
601 /* When not inducing holes and when there is a hole between
602 the end of the previous extent and the beginning of the
603 current one, write zeros to the destination file. */
605 {
609 }
610 }
611 }
617 /* Copy this extent, looking for further opportunities to not
618 bother to write zeros if --sparse=always, since SEEK_HOLE
619 is conservative and may miss some holes. */
620 off_t n_read;
632 {
633 /* The input file shrank. */
636 }
641 }
643 /* When the source file ends with a hole, we have to do a little more work,
644 since the above copied only up to and including the final extent.
645 In order to complete the copy, we may have to insert a hole or write
646 zeros in the destination corresponding to the source file's hole-at-EOF.
648 In addition, if the final extent was a block of zeros at EOF and we've
649 just converted them to a hole in the destination, we must call ftruncate
650 here in order to record the proper length in the destination. */
655 {
658 }
662 {
665 }
669 cannot_lseek:
672 }
673 #endif
675 /* FIXME: describe */
676 /* FIXME: rewrite this to use a hash table so we avoid the quadratic
677 performance hit that's probably noticeable only on trees deeper
678 than a few hundred levels. See use of active_dir_map in remove.c */
680 ATTRIBUTE_PURE
681 static bool
683 {
685 {
689 }
691 }
693 static bool
695 {
697 }
699 #if USE_XATTR
701 static void
704 {
706 {
710 /* use verror module to print error message */
714 }
715 }
718 static void
721 {
725 /* use verror module to print error message */
729 }
733 {
735 }
737 static void
740 {
741 }
743 /* Exclude SELinux extended attributes that are otherwise handled,
744 and are problematic to copy again. Also honor attributes
745 configured for exclusion in /etc/xattr.conf.
746 FIXME: Should we handle POSIX ACLs similarly?
747 Return zero to skip. */
748 static int
750 {
753 }
755 /* If positive SRC_FD and DST_FD descriptors are passed,
756 then copy by fd, otherwise copy by name. */
758 static bool
761 {
768 # if 4 < __GNUC__ + (8 <= __GNUC_MINOR__)
769 /* Pacify gcc -Wsuggest-attribute=format through at least GCC 13.2.1. */
770 # pragma GCC diagnostic push
772 # endif
779 })
781 # if 4 < __GNUC__ + (8 <= __GNUC_MINOR__)
782 # pragma GCC diagnostic pop
783 # endif
788 }
791 static bool
797 {
799 }
802 /* Read the contents of the directory SRC_NAME_IN, and recursively
803 copy the contents to DST_NAME_IN aka DST_DIRFD+DST_RELNAME_IN.
804 NEW_DST is true if DST_NAME_IN is a directory
805 that was created previously in the recursion.
806 SRC_SB and ANCESTORS describe SRC_NAME_IN.
807 Set *COPY_INTO_SELF if SRC_NAME_IN is a parent of
808 (or the same as) DST_NAME_IN; otherwise, clear it.
809 Propagate *FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG from
810 caller to each invocation of copy_internal. Be careful to
811 pass the address of a temporary, and to update
812 *FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG only upon completion.
813 Return true if successful. */
815 static bool
822 {
830 {
831 /* This diagnostic is a bit vague because savedir can fail in
832 several different ways. */
835 }
837 /* For cp's -H option, dereference command line arguments, but do not
838 dereference symlinks that are found via recursive traversal. */
845 {
863 /* If we're copying into self, there's no point in continuing,
864 and in fact, that would even infloop, now that we record only
865 the first created directory per command line argument. */
871 }
876 }
878 /* Change the file mode bits of the file identified by DESC or
879 DIRFD+NAME to MODE. Use DESC if DESC is valid and fchmod is
880 available, DIRFD+NAME otherwise. */
882 static int
884 {
885 #if HAVE_FCHMOD
888 #endif
890 }
892 /* Change the ownership of the file identified by DESC or
893 DIRFD+NAME to UID+GID. Use DESC if DESC is valid and fchown is
894 available, DIRFD+NAME otherwise. */
896 static int
898 {
899 #if HAVE_FCHOWN
902 #endif
904 }
906 /* Set the owner and owning group of DEST_DESC to the st_uid and
907 st_gid fields of SRC_SB. If DEST_DESC is undefined (-1), set
908 the owner and owning group of DST_NAME aka DST_DIRFD+DST_RELNAME
909 instead; for safety prefer lchownat since no
910 symbolic links should be involved. DEST_DESC must
911 refer to the same file as DST_NAME if defined.
912 Upon failure to set both UID and GID, try to set only the GID.
913 NEW_DST is true if the file was newly created; otherwise,
914 DST_SB is the status of the destination.
915 Return 1 if the initial syscall succeeds, 0 if it fails but it's OK
916 not to preserve ownership, -1 otherwise. */
918 static int
923 {
927 /* Naively changing the ownership of an already-existing file before
928 changing its permissions would create a window of vulnerability if
929 the file's old permissions are too generous for the new owner and
930 group. Avoid the window by first changing to a restrictive
931 temporary mode if necessary. */
934 {
936 mode_t new_mode =
944 {
949 }
950 }
955 /* The ownership change failed. If the failure merely means we lack
956 privileges to change owner+group, try to change just the group
957 and ignore any failure of this. Otherwise, report an error. */
961 else
962 {
967 }
970 }
972 /* Set the st_author field of DEST_DESC to the st_author field of
973 SRC_SB. If DEST_DESC is undefined (-1), set the st_author field
974 of DST_NAME instead. DEST_DESC must refer to the same file as
975 DST_NAME if defined. */
977 static void
979 {
980 #if HAVE_STRUCT_STAT_ST_AUTHOR
981 /* FIXME: Modify the following code so that it does not
982 follow symbolic links. */
984 /* Preserve the st_author field. */
990 else
991 {
997 }
998 #else
1002 #endif
1003 }
1005 /* Set the default security context for the process. New files will
1006 have this security context set. Also existing files can have their
1007 context adjusted based on this process context, by
1008 set_file_security_ctx() called with PROCESS_LOCAL=true.
1009 This should be called before files are created so there is no race
1010 where a file may be present without an appropriate security context.
1011 Based on CP_OPTIONS, diagnose warnings and fail when appropriate.
1012 Return FALSE on failure, TRUE on success. */
1014 bool
1017 {
1019 {
1020 /* Set the default context for the process to match the source. */
1026 {
1028 {
1034 {
1037 }
1038 }
1040 }
1041 else
1042 {
1044 {
1048 }
1051 }
1052 }
1054 {
1055 /* With -Z, adjust the default context for the process
1056 to have the type component adjusted as per the destination path. */
1059 {
1063 }
1064 }
1067 }
1069 /* Reset the security context of DST_NAME, to that already set
1070 as the process default if !X->set_security_context. Otherwise
1071 adjust the type component of DST_NAME's security context as
1072 per the system default for that path. Issue warnings upon
1073 failure, when allowed by various settings in X.
1074 Return false on failure, true on success. */
1076 bool
1079 {
1085 {
1090 }
1093 }
1095 #ifndef HAVE_STRUCT_STAT_ST_BLOCKS
1096 # define HAVE_STRUCT_STAT_ST_BLOCKS 0
1097 #endif
1099 /* Type of scan being done on the input when looking for sparseness. */
1100 enum scantype
1101 {
1102 /* An error was found when determining scantype. */
1103 ERROR_SCANTYPE,
1105 /* No fancy scanning; just read and write. */
1106 PLAIN_SCANTYPE,
1108 /* Read and examine data looking for zero blocks; useful when
1109 attempting to create sparse output. */
1110 ZERO_SCANTYPE,
1112 /* lseek information is available. */
1113 LSEEK_SCANTYPE,
1114 };
1116 /* Result of infer_scantype. */
1117 union scan_inference
1118 {
1119 /* Used if infer_scantype returns LSEEK_SCANTYPE. This is the
1120 offset of the first data block, or -1 if the file has no data. */
1121 off_t ext_start;
1122 };
1124 /* Return how to scan a file with descriptor FD and stat buffer SB.
1125 *SCAN_INFERENCE is set to a valid value if returning LSEEK_SCANTYPE. */
1126 static enum scantype
1129 {
1132 /* Only attempt SEEK_HOLE if this heuristic
1133 suggests the file is sparse. */
1139 #ifdef SEEK_HOLE
1142 {
1145 }
1148 #endif
1151 }
1153 #if HAVE_FCLONEFILEAT && !USE_XATTR
1154 # include <sys/acl.h>
1155 /* Return true if FD has a nontrivial ACL. */
1156 static bool
1158 {
1159 /* Every platform with fclonefileat (macOS 10.12 or later) also has
1160 acl_get_fd_np. */
1164 {
1165 acl_entry_t ace;
1168 }
1170 }
1171 #endif
1173 /* Handle failure from FICLONE or fclonefileat.
1174 Return FALSE if it's a terminal failure for this file. */
1176 static bool
1180 {
1181 /* When the clone operation fails, report failure only with errno values
1182 known to mean trouble when the clone is supported and called properly.
1183 Do not report failure merely because !is_CLONENOTSUP (errno),
1184 as systems may yield oddball errno values here with FICLONE,
1185 and is_CLONENOTSUP is not appropriate for fclonefileat. */
1192 /* Remove the destination if cp --reflink=always created it
1193 but cloned no data. */
1207 }
1210 /* Copy a regular file from SRC_NAME to DST_NAME aka DST_DIRFD+DST_RELNAME.
1211 If the source file contains holes, copies holes and blocks of zeros
1212 in the source file as holes in the destination file.
1213 (Holes are read as zeroes by the 'read' system call.)
1214 When creating the destination, use DST_MODE & ~OMITTED_PERMISSIONS
1215 as the third argument in the call to open, adding
1216 OMITTED_PERMISSIONS after copying as needed.
1217 X provides many option settings.
1218 Return true if successful.
1219 *NEW_DST is initially as in copy_internal.
1220 If successful, set *NEW_DST to true if the destination file was created and
1221 to false otherwise; if unsuccessful, perhaps set *NEW_DST to some value.
1222 SRC_SB is the result of calling follow_fstatat on SRC_NAME;
1223 it might be updated by calling fstat again on the same file,
1224 to give it slightly more up-to-date contents. */
1226 static bool
1232 {
1237 mode_t extra_permissions;
1253 {
1256 }
1259 {
1263 }
1265 /* Compare the source dev/ino from the open file to the incoming,
1266 saved ones obtained via a previous call to stat. */
1268 {
1274 }
1276 /* Might as well tell the caller about the latest version of the
1277 source file status, since we have it already. */
1281 /* The semantics of the following open calls are mandated
1282 by the specs for both cp and mv. */
1284 {
1290 /* When using cp --preserve=context to copy to an existing destination,
1291 reset the context as per the default context, which has already been
1292 set according to the src.
1293 When using the mutually exclusive -Z option, then adjust the type of
1294 the existing context according to the system default for the dest.
1295 Note we set the context here, _after_ the file is opened, lest the
1296 new context disallow that. */
1299 {
1301 {
1303 {
1306 }
1307 }
1308 }
1312 {
1314 {
1317 }
1319 {
1323 }
1326 }
1329 {
1330 /* Ensure there is no race where a file may be left without
1331 an appropriate security context. */
1333 {
1336 {
1339 }
1340 }
1342 /* Tell caller that the destination file is created. */
1344 }
1345 }
1348 {
1349 #if HAVE_FCLONEFILEAT && !USE_XATTR
1350 # ifndef CLONE_ACL
1352 # endif
1353 # ifndef CLONE_NOOWNERCOPY
1355 # endif
1356 /* Try fclonefileat if copying data in reflink mode.
1357 Use CLONE_NOFOLLOW to avoid security issues that could occur
1358 if writing through dangling symlinks. Although the circa
1359 2023 macOS documentation doesn't say so, CLONE_NOFOLLOW
1360 affects the destination file too. */
1363 {
1364 /* Try fclonefileat so long as it won't create the
1365 destination with unwanted permissions, which could lead
1366 to a security race. */
1369 mode_t desired_mode
1375 {
1376 int fc_flags
1377 = (CLONE_NOFOLLOW
1381 fc_flags);
1383 {
1386 fc_flags);
1387 }
1389 {
1392 /* Update the clone's timestamps and permissions
1393 as needed. */
1396 {
1400 AT_SYMLINK_NOFOLLOW)
1402 {
1407 }
1408 }
1414 {
1416 }
1418 /* Either some desired permissions were not cloned,
1419 or ACLs were not cloned despite that being requested. */
1423 }
1425 dst_name,
1428 {
1431 }
1432 }
1433 else
1435 }
1437 {
1440 }
1441 #endif
1443 /* To allow copying xattrs on read-only files, create with u+w.
1444 This satisfies an inode permission check done by
1445 xattr_permission in fs/xattr.c of the GNU/Linux kernel. */
1446 mode_t open_mode =
1453 open_mode);
1456 /* When trying to copy through a dangling destination symlink,
1457 the above open fails with EEXIST. If that happens, and
1458 readlinkat shows that it is a symlink, then we
1459 have a problem: trying to resolve this dangling symlink to
1460 a directory/destination-entry pair is fundamentally racy,
1461 so punt. If x->open_dangling_dest_symlink is set (cp sets
1462 that when POSIXLY_CORRECT is set in the environment), simply
1463 call open again, but without O_EXCL (potentially dangerous).
1464 If not, fail with a diagnostic. These shenanigans are necessary
1465 only when copying, i.e., not in move_mode. */
1467 {
1470 {
1472 {
1476 }
1477 else
1478 {
1483 }
1484 }
1485 }
1487 /* Improve quality of diagnostic when a nonexistent dst_name
1488 ends in a slash and open fails with errno == EISDIR. */
1492 }
1493 else
1494 {
1496 }
1499 {
1504 }
1506 /* --attributes-only overrides --reflink. */
1508 {
1510 {
1513 }
1514 else
1515 {
1518 {
1521 }
1522 }
1523 }
1528 {
1532 }
1534 /* If extra permissions needed for copy_xattr didn't happen (e.g.,
1535 due to umask) chmod to add them temporarily; if that fails give
1536 up with extra permissions, letting copy_attr fail later. */
1544 {
1545 /* Choose a suitable buffer size; it may be adjusted later. */
1549 /* Deal with sparse files. */
1553 {
1557 }
1558 bool make_holes
1566 /* If not making a sparse file, try to use a more-efficient
1567 buffer size. */
1569 {
1570 /* Compute the least common multiple of the input and output
1571 buffer sizes, adjusting for outlandish values.
1572 Note we read in multiples of the reported block size
1573 to support (unusual) devices that have this constraint. */
1576 blcm_max);
1578 /* Do not bother with a buffer larger than the input file, plus one
1579 byte to make sure the file has not grown while reading it. */
1583 /* However, stick with a block size that is a positive multiple of
1584 blcm, overriding the above adjustments. Watch out for
1585 overflow. */
1590 }
1592 off_t n_read;
1595 #ifdef SEEK_HOLE
1596 scantype == LSEEK_SCANTYPE
1602 :
1603 #endif
1610 {
1613 }
1615 {
1619 }
1620 }
1623 {
1629 {
1632 {
1635 }
1636 }
1637 }
1639 /* Set ownership before xattrs as changing owners will
1640 clear capabilities. */
1642 {
1645 {
1653 }
1654 }
1657 {
1661 }
1665 #if HAVE_FCLONEFILEAT && !USE_XATTR
1666 set_dest_mode:
1667 #endif
1669 {
1673 }
1675 {
1678 }
1680 {
1683 }
1685 {
1691 {
1696 }
1697 }
1702 close_src_and_dst_desc:
1704 {
1707 }
1708 close_src_desc:
1710 {
1713 }
1715 /* Output debug info for data copying operations. */
1721 }
1723 /* Return whether it's OK that two files are the "same" by some measure.
1724 The first file is SRC_NAME and has status SRC_SB.
1725 The second is DST_DIRFD+DST_RELNAME and has status DST_SB.
1726 The copying options are X. The goal is to avoid
1727 making the 'copy' operation remove both copies of the file
1728 in that case, while still allowing the user to e.g., move or
1729 copy a regular file onto a symlink that points to it.
1730 Try to minimize the cost of this function in the common case.
1731 Set *RETURN_NOW if we've determined that the caller has no more
1732 work to do and should return successfully, right away. */
1734 static bool
1738 {
1749 /* FIXME: this should (at the very least) be moved into the following
1750 if-block. More likely, it should be removed, because it inhibits
1751 making backups. But removing it will result in a change in behavior
1752 that will probably have to be documented -- and tests will have to
1753 be updated. */
1755 {
1758 }
1761 {
1764 /* If both the source and destination files are symlinks (and we'll
1765 know this here IFF preserving symlinks), then it's usually ok
1766 when they are distinct. */
1768 {
1771 {
1772 /* It's fine when we're making any type of backup. */
1776 /* Here we have two symlinks that are hard-linked together,
1777 and we're not making backups. In this unusual case, simply
1778 returning true would lead to mv calling "rename(A,B)",
1779 which would do nothing and return 0. */
1781 {
1784 }
1785 }
1788 }
1792 }
1793 else
1794 {
1808 /* If both are symlinks, then it's ok, but only if the destination
1809 will be unlinked before being opened. This is like the test
1810 above, but with the addition of the unlink_dest_before_opening
1811 conjunct because otherwise, with two symlinks to the same target,
1812 we'd end up truncating the source file. */
1816 }
1818 /* The backup code ensures there's a copy, so it's usually ok to
1819 remove any destination file. One exception is when both
1820 source and destination are the same directory entry. In that
1821 case, moving the destination file aside (in making the backup)
1822 would also rename the source file and result in an error. */
1824 {
1826 {
1827 /* In copy mode when dereferencing symlinks, if the source is a
1828 symlink and the dest is not, then backing up the destination
1829 (moving it aside) would make it a dangling symlink, and the
1830 subsequent attempt to open it in copy_reg would fail with
1831 a misleading diagnostic. Avoid that by returning zero in
1832 that case so the caller can make cp (or mv when it has to
1833 resort to reading the source file) fail now. */
1835 /* FIXME-note: even with the following kludge, we can still provoke
1836 the offending diagnostic. It's just a little harder to do :-)
1837 $ rm -f a b c; touch c; ln -s c b; ln -s b a; cp -b a b
1838 cp: cannot open 'a' for reading: No such file or directory
1839 That's misleading, since a subsequent 'ls' shows that 'a'
1840 is still there.
1841 One solution would be to open the source file *before* moving
1842 aside the destination, but that'd involve a big rewrite. */
1850 }
1852 /* FIXME: What about case insensitive file systems ? */
1854 }
1856 #if 0
1857 /* FIXME: use or remove */
1859 /* If we're making a backup, we'll detect the problem case in
1860 copy_reg because SRC_NAME will no longer exist. Allowing
1861 the test to be deferred lets cp do some useful things.
1862 But when creating hardlinks and SRC_NAME is a symlink
1863 but DST_RELNAME is not we must test anyway. */
1871 #endif
1874 {
1875 /* They may refer to the same file if we're in move mode and the
1876 target is a symlink. That is ok, since we remove any existing
1877 destination file before opening it -- via 'rename' if they're on
1878 the same file system, via unlinkat otherwise. */
1882 /* It's not ok if they're distinct hard links to the same file as
1883 this causes a race condition and we may lose data in this case. */
1888 }
1890 /* If neither is a symlink, then it's ok as long as they aren't
1891 hard links to the same file. */
1893 {
1897 /* If they are the same file, it's ok if we're making hard links. */
1899 {
1902 }
1903 }
1905 /* At this point, it is normally an error (data loss) to move a symlink
1906 onto its referent, but in at least one narrow case, it is not:
1907 In move mode, when
1908 1) src is a symlink,
1909 2) dest has a link count of 2 or more and
1910 3) dest and the referent of src are not the same directory entry,
1911 then it's ok, since while we'll lose one of those hard links,
1912 src will still point to a remaining link.
1913 Note that technically, condition #3 obviates condition #2, but we
1914 retain the 1 < st_nlink condition because that means fewer invocations
1915 of the more expensive #3.
1917 Given this,
1918 $ touch f && ln f l && ln -s f s
1919 $ ls -og f l s
1920 -rw-------. 2 0 Jan 4 22:46 f
1921 -rw-------. 2 0 Jan 4 22:46 l
1922 lrwxrwxrwx. 1 1 Jan 4 22:46 s -> f
1923 this must fail: mv s f
1924 this must succeed: mv s l */
1928 {
1931 {
1936 }
1937 }
1939 /* It's ok to recreate a destination symlink. */
1944 {
1959 {
1960 /* It's ok to attempt to hardlink the same file,
1961 and return early if not replacing a symlink.
1962 Note we need to return early to avoid a later
1963 unlink() of DST (when SRC is a symlink). */
1966 }
1967 }
1970 }
1972 /* Return whether DST_DIRFD+DST_RELNAME, with mode MODE,
1973 is writable in the sense of 'mv'.
1974 Always consider a symbolic link to be writable. */
1975 static bool
1977 {
1981 }
1983 static bool
1987 {
1989 {
2001 }
2002 else
2003 {
2006 }
2009 }
2011 /* Initialize the hash table implementing a set of F_triple entries
2012 corresponding to destination files. */
2015 {
2016 x->dest_info
2019 triple_hash,
2020 triple_compare,
2021 triple_free);
2024 }
2026 /* Initialize the hash table implementing a set of F_triple entries
2027 corresponding to source files listed on the command line. */
2030 {
2032 /* Note that we use triple_hash_no_name here.
2033 Contrast with the use of triple_hash above.
2034 That is necessary because a source file may be specified
2035 in many different ways. We want to warn about this
2036 cp a a d/
2037 as well as this:
2038 cp a ./a d/
2039 */
2040 x->src_info
2043 triple_hash_no_name,
2044 triple_compare,
2045 triple_free);
2048 }
2050 /* When effecting a move (e.g., for mv(1)), and given the name DST_NAME
2051 aka DST_DIRFD+DST_RELNAME
2052 of the destination and a corresponding stat buffer, DST_SB, return
2053 true if the logical 'move' operation should _not_ proceed.
2054 Otherwise, return false.
2055 Depending on options specified in X, this code may issue an
2056 interactive prompt asking whether it's ok to overwrite DST_NAME. */
2057 static bool
2062 {
2072 }
2074 /* Print --verbose output on standard output, e.g. 'new' -> 'old'.
2075 If BACKUP_DST_NAME is non-null, then also indicate that it is
2076 the name of a backup file. */
2077 static void
2079 {
2084 }
2086 /* A wrapper around "setfscreatecon (nullptr)" that exits upon failure. */
2087 static void
2089 {
2093 }
2095 /* Return a newly-allocated string that is like STR
2096 except replace its suffix SUFFIX with NEWSUFFIX. */
2099 {
2105 }
2107 /* Create a hard link to SRC_NAME aka SRC_DIRFD+SRC_RELNAME;
2108 the new link is at DST_NAME aka DST_DIRFD+DST_RELNAME.
2109 A null SRC_NAME stands for the file whose name is like DST_NAME
2110 except with DST_RELNAME replaced with SRC_RELNAME.
2111 Honor the REPLACE, VERBOSE and DEREFERENCE settings.
2112 Return true upon success. Otherwise, diagnose the
2113 failure and return false. If SRC_NAME is a symbolic link, then it will not
2114 be followed unless DEREFERENCE is true.
2115 If the system doesn't support hard links to symbolic links, then DST_NAME
2116 will be created as a symbolic link to SRC_NAME. */
2117 static bool
2121 {
2126 {
2131 src_relname);
2136 }
2140 }
2142 /* Return true if the current file should be (tried to be) dereferenced:
2143 either for DEREF_ALWAYS or for DEREF_COMMAND_LINE_ARGUMENTS in the case
2144 where the current file is a COMMAND_LINE_ARG; otherwise return false. */
2145 ATTRIBUTE_PURE
2148 {
2152 }
2154 /* Return true if the source file with basename SRCBASE and status SRC_ST
2155 is likely to be the simple backup file for DST_DIRFD+DST_RELNAME. */
2156 static bool
2159 {
2170 simple_backup_suffix);
2175 }
2177 /* Copy the file SRC_NAME to the file DST_NAME aka DST_DIRFD+DST_RELNAME.
2178 If NONEXISTENT_DST is positive, DST_NAME does not exist even as a
2179 dangling symlink; if negative, it does not exist except possibly
2180 as a dangling symlink; if zero, its existence status is unknown.
2181 A non-null PARENT describes the parent directory.
2182 ANCESTORS points to a linked, null terminated list of
2183 devices and inodes of parent directories of SRC_NAME.
2184 X summarizes the command-line options.
2185 COMMAND_LINE_ARG means SRC_NAME was specified on the command line.
2186 FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG is both input and output.
2187 Set *COPY_INTO_SELF if SRC_NAME is a parent of (or the
2188 same as) DST_NAME; otherwise, clear it.
2189 If X->move_mode, set *RENAME_SUCCEEDED according to whether
2190 the source was simply renamed to the destination.
2191 Return true if successful. */
2192 static bool
2203 {
2208 mode_t dst_mode_bits;
2209 mode_t omitted_permissions;
2223 {
2226 RENAME_NOREPLACE)
2229 }
2235 {
2239 int fstatat_flags
2242 {
2245 }
2250 {
2256 }
2257 }
2258 else
2259 {
2260 #if defined lint && (defined __clang__ || defined __COVERITY__)
2263 #endif
2264 }
2266 /* Detect the case in which the same source file appears more than
2267 once on the command line and no backup option has been selected.
2268 If so, simply warn and don't copy it the second time.
2269 This check is enabled only if x->src_info is non-null. */
2271 {
2275 {
2279 }
2282 }
2286 /* Whether the destination is (or was) known to be new, updated as
2287 more info comes in. This may become true if the destination is a
2288 dangling symlink, in contexts where dangling symlinks should be
2289 treated the same as nonexistent files. */
2293 {
2294 /* Normally, fill in DST_SB or set NEW_DST so that later code
2295 can use DST_SB if NEW_DST is false. However, don't bother
2296 doing this when rename_errno == EEXIST and X->interactive is
2297 I_ALWAYS_NO or I_ALWAYS_SKIP, something that can happen only
2298 with mv in which case x->update must be false which means
2299 that even if !NEW_DST the move will be abandoned without
2300 looking at DST_SB. */
2304 {
2305 /* Regular files can be created by writing through symbolic
2306 links, but other files cannot. So use stat on the
2307 destination when copying a regular file, and lstat otherwise.
2308 However, if we intend to unlink or remove the destination
2309 first, use lstat, since a copy won't actually be made to the
2310 destination in that case. */
2311 bool use_lstat
2322 {
2325 }
2330 {
2331 /* cp -f's destination might be a symlink loop.
2332 Leave new_dst=false so that we try to unlink later. */
2333 }
2334 else
2335 {
2338 }
2339 }
2342 {
2350 {
2354 }
2357 {
2358 /* When preserving timestamps (but not moving within a file
2359 system), don't worry if the destination timestamp is
2360 less than the source merely because of timestamp
2361 truncation. */
2365 ? UTIMECMP_TRUNCATE_SOURCE
2370 {
2371 /* We're using --update and the destination is not older
2372 than the source, so do not copy or move. Pretend the
2373 rename succeeded, so the caller (if it's mv) doesn't
2374 end up removing the source file. */
2378 /* However, we still must record that we've processed
2379 this src/dest pair, in case this source file is
2380 hard-linked to another one. In that case, we'll use
2381 the mapping information to link the corresponding
2382 destination names. */
2386 {
2387 /* Note we currently replace DST_NAME unconditionally,
2388 even if it was a newer separate file. */
2393 {
2395 }
2396 }
2400 }
2401 }
2403 /* When there is an existing destination file, we may end up
2404 returning early, and hence not copying/moving the file.
2405 This may be due to an interactive 'negative' reply to the
2406 prompt about the existing file. It may also be due to the
2407 use of the --no-clobber option.
2409 cp and mv treat -i and -f differently. */
2411 {
2413 {
2414 /* Pretend the rename succeeded, so the caller (mv)
2415 doesn't end up removing the source file. */
2421 }
2422 }
2423 else
2424 {
2431 {
2434 }
2435 }
2437 skip:
2439 {
2446 }
2452 {
2454 {
2456 {
2457 /* Moving a directory onto an existing
2458 non-directory is ok only with --backup. */
2459 }
2460 else
2461 {
2466 }
2467 }
2469 /* Don't let the user destroy their data, even if they try hard:
2470 This mv command must fail (likewise for cp):
2471 rm -rf a b c; mkdir a b c; touch a/f b/f; mv a/f b/f c
2472 Otherwise, the contents of b/f would be lost.
2473 In the case of 'cp', b/f would be lost if the user simulated
2474 a move using cp and rm.
2475 Note that it works fine if you use --backup=numbered. */
2479 {
2484 }
2485 }
2488 {
2490 {
2492 {
2493 /* Moving a non-directory onto an existing
2494 directory is ok only with --backup. */
2495 }
2496 else
2497 {
2502 }
2503 }
2504 }
2507 {
2508 /* Don't allow user to move a directory onto a non-directory. */
2511 {
2516 }
2517 }
2521 /* Don't try to back up a destination if the last
2522 component of src_name is "." or "..". */
2524 /* Create a backup of each destination directory in move mode,
2525 but not in copy mode. FIXME: it might make sense to add an
2526 option to suppress backup creation also for move mode.
2527 That would let one use mv to merge new content into an
2528 existing hierarchy. */
2530 {
2531 /* Fail if creating the backup file would likely destroy
2532 the source file. Otherwise, the commands:
2533 cd /tmp; rm -f a a~; : > a; echo A > a~; cp --b=simple a~ a
2534 would leave two zero-length files: a and a~. */
2538 {
2547 }
2552 /* FIXME: use fts:
2553 Using alloca for a file name that may be arbitrarily
2554 long is not recommended. In fact, even forming such a name
2555 should be discouraged. Eventually, this code will be rewritten
2556 to use fts, so using alloca here will be less of a problem. */
2558 {
2565 }
2567 {
2570 }
2572 }
2574 /* Never unlink dst_name when in move mode. */
2581 ))
2582 {
2584 {
2587 }
2591 }
2592 }
2593 }
2595 /* Ensure we don't try to copy through a symlink that was
2596 created by a prior call to this function. */
2601 {
2602 /* If we did not follow symlinks above, good: use that data.
2603 Otherwise, use AT_SYMLINK_NOFOLLOW, in case dst_name is a symlink. */
2610 /* Never copy through a symlink we've just created. */
2614 {
2619 }
2620 }
2622 /* If the source is a directory, we don't always create the destination
2623 directory. So --verbose should not announce anything until we're
2624 sure we'll create a directory. Also don't announce yet when moving
2625 so we can distinguish renames versus copies. */
2629 /* Associate the destination file name with the source device and inode
2630 so that if we encounter a matching dev/ino pair in the source tree
2631 we can arrange to create a hard link between the corresponding names
2632 in the destination tree.
2634 When using the --link (-l) option, there is no need to take special
2635 measures, because (barring race conditions) files that are hard-linked
2636 in the source tree will also be hard-linked in the destination tree.
2638 Sometimes, when preserving links, we have to record dev/ino even
2639 though st_nlink == 1:
2640 - when in move_mode, since we may be moving a group of N hard-linked
2641 files (via two or more command line arguments) to a different
2642 partition; the links may be distributed among the command line
2643 arguments (possibly hierarchies) so that the link count of
2644 the final, once-linked source file is reduced to 1 when it is
2645 considered below. But in this case (for mv) we don't need to
2646 incur the expense of recording the dev/ino => name mapping; all we
2647 really need is a lookup, to see if the dev/ino pair has already
2648 been copied.
2649 - when using -H and processing a command line argument;
2650 that command line argument could be a symlink pointing to another
2651 command line argument. With 'cp -H --preserve=link', we hard-link
2652 those two destination files.
2653 - likewise for -L except that it applies to all files, not just
2654 command line arguments.
2656 Also, with --recursive, record dev/ino of each command-line directory.
2657 We'll use that info to detect this problem: cp -R dir dir. */
2662 {
2666 else
2668 }
2670 {
2672 }
2676 || (command_line_arg
2679 {
2682 }
2684 /* Did we copy this inode somewhere else (in this command line argument)
2685 and therefore this is a second hard link to the inode? */
2688 {
2689 /* Avoid damaging the destination file system by refusing to preserve
2690 hard-linked directories (which are found at least in Netapp snapshot
2691 directories). */
2693 {
2694 /* If src_name and earlier_file refer to the same directory entry,
2695 then warn about copying a directory into itself. */
2697 {
2703 }
2706 {
2710 /* In move mode, if a previous rename succeeded, then
2711 we won't be in this path as the source is missing. If the
2712 rename previously failed, then that has been handled, so
2713 pretend this attempt succeeded so the source isn't removed. */
2716 /* We only do backups in move mode, and for non directories.
2717 So just ignore this repeated entry. */
2719 }
2721 || (command_line_arg
2723 {
2724 /* This happens when e.g., encountering a directory for the
2725 second or subsequent time via symlinks when cp is invoked
2726 with -R and -L. E.g.,
2727 rm -rf a b c d; mkdir a b c d; ln -s ../c a; ln -s ../c b;
2728 cp -RL a b d
2729 */
2730 }
2731 else
2732 {
2734 earlier_file);
2739 }
2740 }
2741 else
2742 {
2749 }
2750 }
2753 {
2759 {
2761 {
2764 }
2767 {
2768 /* -Z failures are only warnings currently. */
2770 }
2776 {
2777 /* Record destination dev/ino/name, so that if we are asked
2778 to overwrite that file again, we can detect it and fail. */
2779 /* It's fine to use the _source_ stat buffer (src_sb) to get the
2780 _destination_ dev/ino, since the rename above can't have
2781 changed those, and 'mv' always uses lstat.
2782 We could limit it further by operating
2783 only on non-directories. */
2785 }
2788 }
2790 /* FIXME: someday, consider what to do when moving a directory into
2791 itself but when source and destination are on different devices. */
2793 /* This happens when attempting to rename a directory to a
2794 subdirectory of itself. */
2796 {
2797 /* FIXME: this is a little fragile in that it relies on rename(2)
2798 failing with a specific errno value. Expect problems on
2799 non-POSIX systems. */
2804 /* Note that there is no need to call forget_created here,
2805 (compare with the other calls in this file) since the
2806 destination directory didn't exist before. */
2809 /* FIXME-cleanup: Don't return true here; adjust mv.c accordingly.
2810 The only caller that uses this code (mv.c) ends up setting its
2811 exit status to nonzero when copy_into_self is nonzero. */
2813 }
2815 /* WARNING: there probably exist systems for which an inter-device
2816 rename fails with a value of errno not handled here.
2817 If/as those are reported, add them to the condition below.
2818 If this happens to you, please do the following and send the output
2819 to the bug-reporting address (e.g., in the output of cp --help):
2820 touch k; perl -e 'rename "k","/tmp/k" or print "$!(",$!+0,")\n"'
2821 where your current directory is on one partition and /tmp is the other.
2822 Also, please try to find the E* errno macro name corresponding to
2823 the diagnostic and parenthesized integer, and include that in your
2824 e-mail. One way to do that is to run a command like this
2825 find /usr/include/. -type f \
2826 | xargs grep 'define.*\<E[A-Z]*\>.*\<18\>' /dev/null
2827 where you'd replace '18' with the integer in parentheses that
2828 was output from the perl one-liner above.
2829 If necessary, of course, change '/tmp' to some other directory. */
2831 {
2832 /* There are many ways this can happen due to a race condition.
2833 When something happens between the initial follow_fstatat and the
2834 subsequent rename, we can get many different types of errors.
2835 For example, if the destination is initially a non-directory
2836 or non-existent, but it is created as a directory, the rename
2837 fails. If two 'mv' commands try to rename the same file at
2838 about the same time, one will succeed and the other will fail.
2839 If the permissions on the directory containing the source or
2840 destination file are made too restrictive, the rename will
2841 fail. Etc. */
2844 {
2847 #if ENOTEMPTY != EEXIST
2849 #endif
2850 /* The destination must be the problem. Don't mention
2851 the source as that is more likely to confuse the user
2852 than be helpful. */
2854 quoted_dst_name);
2861 }
2864 }
2866 /* The rename attempt has failed. Remove any existing destination
2867 file so that a cross-device 'mv' acts as if it were really using
2868 the rename syscall. Note both src and dst must both be directories
2869 or not, and this is enforced above. Therefore we check the src_mode
2870 and operate on dst_name here as a tighter constraint and also because
2871 src_mode is readily available here. */
2876 {
2882 }
2885 {
2888 }
2890 }
2892 /* If the ownership might change, or if it is a directory (whose
2893 special mode bits may change after the directory is created),
2894 omit some permissions at first, so unauthorized users cannot nip
2895 in before the file is ready. */
2897 omitted_permissions =
2898 (dst_mode_bits
2905 /* If required, set the default security context for new files.
2906 Also for existing files this is used as a reference
2907 when copying the context with --preserve=context.
2908 FIXME: Do we need to consider dst_mode_bits here? */
2913 {
2916 /* If this directory has been copied before during the
2917 recursion, there is a symbolic link to an ancestor
2918 directory of the symbolic link. It is impossible to
2919 continue to copy this, unless we've got an infinite file system. */
2922 {
2926 }
2928 /* Insert the current directory in the list of parents. */
2936 {
2937 /* POSIX says mkdir's behavior is implementation-defined when
2938 (src_mode & ~S_IRWXUGO) != 0. However, common practice is
2939 to ask mkdir to copy all the CHMOD_MODE_BITS, letting mkdir
2940 decide what to do with S_ISUID | S_ISGID | S_ISVTX. */
2943 {
2947 }
2949 /* We need search and write permissions to the new directory
2950 for writing the directory's contents. Check if these
2951 permissions are there. */
2954 {
2957 }
2959 {
2960 /* Make the new directory searchable and writable. */
2966 {
2970 }
2971 }
2973 /* Record the created directory's inode and device numbers into
2974 the search structure, so that we can avoid copying it again.
2975 Do this only for the first directory that is created for each
2976 source command line argument. */
2978 {
2981 }
2984 {
2987 else
2989 }
2990 }
2991 else
2992 {
2995 /* For directories, the process global context could be reset for
2996 descendants, so use it to set the context for existing dirs here.
2997 This will also give earlier indication of failure to set ctx. */
3000 {
3003 }
3004 }
3006 /* Decide whether to copy the contents of the directory. */
3008 {
3009 /* Here, we are crossing a file system boundary and cp's -x option
3010 is in effect: so don't copy the contents of this directory. */
3011 }
3012 else
3013 {
3014 /* Copy the contents of the directory. Don't just return if
3015 this fails -- otherwise, the failure to read a single file
3016 in a source directory would cause the containing destination
3017 directory not to have owner/perms set properly. */
3020 first_dir_created_per_command_line_arg,
3021 copy_into_self);
3022 }
3023 }
3025 {
3028 {
3029 /* Check that DST_NAME denotes a file in the current directory. */
3038 /* If either stat call fails, it's ok not to report
3039 the failure and say dst_name is in the current
3040 directory. Other things will fail later. */
3048 {
3053 }
3054 }
3059 {
3063 }
3064 }
3066 /* POSIX 2008 states that it is implementation-defined whether
3067 link() on a symlink creates a hard-link to the symlink, or only
3068 to the referent (effectively dereferencing the symlink) (POSIX
3069 2001 required the latter behavior, although many systems provided
3070 the former). Yet cp, invoked with '--link --no-dereference',
3071 should not follow the link. We can approximate the desired
3072 behavior by skipping this hard-link creating block and instead
3073 copying the symlink, via the 'S_ISLNK'- copying code below.
3075 Note gnulib's linkat module, guarantees that the symlink is not
3076 dereferenced. However its emulation currently doesn't maintain
3077 timestamps or ownership so we only call it when we know the
3078 emulation will not be needed. */
3082 {
3089 }
3092 {
3094 /* POSIX says the permission bits of the source file must be
3095 used as the 3rd argument in the open call. Historical
3096 practice passed all the source mode bits to 'open', but the extra
3097 bits were ignored, so it should be the same either way.
3099 This call uses DST_MODE_BITS, not SRC_MODE. These are
3100 normally the same, and the exception (where x->set_mode) is
3101 used only by 'install', which POSIX does not specify and
3102 where DST_MODE_BITS is what's wanted. */
3107 }
3109 {
3110 /* Use mknodat, rather than mkfifoat, because the former preserves
3111 the special mode bits of a fifo on Solaris 10, while mkfifoat
3112 does not. But fall back on mkfifoat, because on some BSD systems,
3113 mknodat always fails when asked to create a FIFO. */
3117 {
3120 }
3121 }
3123 {
3126 {
3130 }
3131 }
3133 {
3137 {
3141 }
3147 {
3148 /* See if the destination is already the desired symlink.
3149 FIXME: This behavior isn't documented, and seems wrong
3150 in some cases, e.g., if the destination symlink has the
3151 wrong ownership, permissions, or timestamps. */
3155 {
3159 }
3160 }
3163 {
3167 }
3173 {
3174 /* Preserve the owner and group of the just-'copied'
3175 symbolic link, if possible. */
3181 {
3183 dst_name);
3186 }
3187 else
3188 {
3189 /* Can't preserve ownership of symlinks.
3190 FIXME: maybe give a warning or even error for symlinks
3191 in directories with the sticky bit set -- there, not
3192 preserving owner/group is a potential security problem. */
3193 }
3194 }
3195 }
3196 else
3197 {
3200 }
3202 /* With -Z or --preserve=context, set the context for existing files.
3203 Note this is done already for copy_reg() for reasons described therein. */
3206 {
3208 {
3211 }
3212 }
3215 {
3216 /* Now that the destination file is very likely to exist,
3217 add its info to the set. */
3221 }
3223 /* If we've just created a hard-link due to cp's --link option,
3224 we're done. */
3233 /* POSIX says that 'cp -p' must restore the following:
3234 - permission bits
3235 - setuid, setgid bits
3236 - owner and group
3237 If it fails to restore any of those, we may give a warning but
3238 the destination must not be removed.
3239 FIXME: implement the above. */
3241 /* Adjust the times (and if possible, ownership) for the copy.
3242 chown turns off set[ug]id bits for non-root,
3243 so do the chmod last. */
3246 {
3253 {
3257 }
3258 }
3260 /* Avoid calling chown if we know it's not necessary. */
3263 {
3266 {
3273 }
3274 }
3276 /* Set xattrs after ownership as changing owners will clear capabilities. */
3281 /* The operations beyond this point may dereference a symlink. */
3288 {
3292 }
3294 {
3297 }
3299 {
3304 }
3305 else
3306 {
3308 {
3312 {
3313 /* Permissions were deliberately omitted when the file
3314 was created due to security concerns. See whether
3315 they need to be re-added now. It'd be faster to omit
3316 the lstat, but deducing the current destination mode
3317 is tricky in the presence of implementation-defined
3318 rules for special mode bits. */
3320 AT_SYMLINK_NOFOLLOW)
3322 {
3325 }
3329 }
3330 }
3333 {
3336 {
3341 }
3342 }
3343 }
3347 un_backup:
3352 /* We have failed to create the destination file.
3353 If we've just added a dev/ino entry via the remember_copied
3354 call above (i.e., unless we've just failed to create a hard link),
3355 remove the entry associating the source dev/ino with the
3356 destination file name, so we don't try to 'preserve' a link
3357 to a file we didn't create. */
3362 {
3366 else
3367 {
3371 }
3372 }
3374 }
3376 static void
3378 {
3386 }
3388 /* Copy the file SRC_NAME to the file DST_NAME aka DST_DIRFD+DST_RELNAME.
3389 If NONEXISTENT_DST is positive, DST_NAME does not exist even as a
3390 dangling symlink; if negative, it does not exist except possibly
3391 as a dangling symlink; if zero, its existence status is unknown.
3392 OPTIONS summarizes the command-line options.
3393 Set *COPY_INTO_SELF if SRC_NAME is a parent of (or the
3394 same as) DST_NAME; otherwise, set clear it.
3395 If X->move_mode, set *RENAME_SUCCEEDED according to whether
3396 the source was simply renamed to the destination.
3397 Return true if successful. */
3404 {
3407 /* Record the file names: they're used in case of error, when copying
3408 a directory into itself. I don't like to make these tools do *any*
3409 extra work in the common case when that work is solely to handle
3410 exceptional cases, but in this case, I don't see a way to derive the
3411 top level source and destination directory names where they're used.
3412 An alternative is to use COPY_INTO_SELF and print the diagnostic
3413 from every caller -- but I don't want to do that. */
3423 }
3425 /* Set *X to the default options for a value of type struct cp_options. */
3429 {
3431 #ifdef PRIV_FILE_CHOWN
3432 {
3437 {
3440 }
3442 }
3443 #else
3445 #endif
3447 }
3449 /* Return true if it's OK for chown to fail, where errno is
3450 the error number that chown failed with and X is the copying
3451 option set. */
3455 {
3456 /* If non-root uses -p, it's ok if we can't preserve ownership.
3457 But root probably wants to know, e.g. if NFS disallows it,
3458 or if the target system doesn't support file ownership.
3460 Treat EACCES like EPERM and EINVAL to work around a bug in Linux
3461 CIFS <https://bugs.gnu.org/65599>. Although this means coreutils
3462 will ignore EACCES errors that it should report, problems should
3463 occur only when some other process is racing with coreutils and
3464 coreutils is not immune to races anyway. */
3468 }
3470 /* Similarly, return true if it's OK for chmod and similar operations
3471 to fail, where errno is the error number that chmod failed with and
3472 X is the copying option set. */
3474 static bool
3476 {
3479 }
3481 /* Return the user's umask, caching the result.
3483 FIXME: If the destination's parent directory has has a default ACL,
3484 some operating systems (e.g., GNU/Linux's "POSIX" ACLs) use that
3485 ACL's mask rather than the process umask. Currently, the callers
3486 of cached_umask incorrectly assume that this situation cannot occur. */
3487 extern mode_t
3489 {
3492 {
3495 }
3497 }