| blob | e1cd5fa21cf41acd6fe38a915cb3a4cbb454c23b |
1 /* copy.c -- core functions for copying files and directories
2 Copyright (C) 89, 90, 91, 1995-2007 Free Software Foundation.
4 This program is free software: you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation, either version 3 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <http://www.gnu.org/licenses/>. */
17 /* Extracted from cp.c and librarified by Jim Meyering. */
19 #include <config.h>
20 #include <stdio.h>
21 #include <assert.h>
22 #include <sys/types.h>
23 #include <selinux/selinux.h>
25 #if HAVE_HURD_H
26 # include <hurd.h>
27 #endif
28 #if HAVE_PRIV_H
29 # include <priv.h>
30 #endif
60 #ifndef HAVE_FCHOWN
61 # define HAVE_FCHOWN false
62 # define fchown(fd, uid, gid) (-1)
63 #endif
65 #ifndef HAVE_LCHOWN
66 # define HAVE_LCHOWN false
67 # define lchown(name, uid, gid) chown (name, uid, gid)
68 #endif
70 #define SAME_OWNER(A, B) ((A).st_uid == (B).st_uid)
71 #define SAME_GROUP(A, B) ((A).st_gid == (B).st_gid)
72 #define SAME_OWNER_AND_GROUP(A, B) (SAME_OWNER (A, B) && SAME_GROUP (A, B))
74 struct dir_list
75 {
77 ino_t ino;
78 dev_t dev;
79 };
81 /* Initial size of the cp.dest_info hash table. */
82 #define DEST_INFO_INITIAL_CAPACITY 61
92 /* Pointers to the file names: they're used in the diagnostic that is issued
93 when we detect the user is trying to copy a directory into itself. */
97 /* The invocation name of this program. */
100 /* FIXME: describe */
101 /* FIXME: rewrite this to use a hash table so we avoid the quadratic
102 performance hit that's probably noticeable only on trees deeper
103 than a few hundred levels. See use of active_dir_map in remove.c */
105 static bool
107 {
109 {
113 }
115 }
117 /* Read the contents of the directory SRC_NAME_IN, and recursively
118 copy the contents to DST_NAME_IN. NEW_DST is true if
119 DST_NAME_IN is a directory that was created previously in the
120 recursion. SRC_SB and ANCESTORS describe SRC_NAME_IN.
121 Set *COPY_INTO_SELF if SRC_NAME_IN is a parent of
122 (or the same as) DST_NAME_IN; otherwise, clear it.
123 Return true if successful. */
125 static bool
129 {
137 {
138 /* This diagnostic is a bit vague because savedir can fail in
139 several different ways. */
142 }
144 /* For cp's -H option, dereference command line arguments, but do not
145 dereference symlinks that are found via recursive traversal. */
151 {
165 }
168 }
170 /* Set the owner and owning group of DEST_DESC to the st_uid and
171 st_gid fields of SRC_SB. If DEST_DESC is undefined (-1), set
172 the owner and owning group of DST_NAME instead; for
173 safety prefer lchown if the system supports it since no
174 symbolic links should be involved. DEST_DESC must
175 refer to the same file as DEST_NAME if defined.
176 Return 1 if the syscall succeeds, 0 if it fails but it's OK
177 not to preserve ownership, -1 otherwise. */
179 static int
182 {
184 {
187 }
188 else
189 {
192 }
195 {
200 }
203 }
205 /* Set the st_author field of DEST_DESC to the st_author field of
206 SRC_SB. If DEST_DESC is undefined (-1), set the st_author field
207 of DST_NAME instead. DEST_DESC must refer to the same file as
208 DEST_NAME if defined. */
210 static void
212 {
213 #if HAVE_STRUCT_STAT_ST_AUTHOR
214 /* FIXME: Modify the following code so that it does not
215 follow symbolic links. */
217 /* Preserve the st_author field. */
223 else
224 {
230 }
231 #endif
232 }
234 /* Change the file mode bits of the file identified by DESC or NAME to MODE.
235 Use DESC if DESC is valid and fchmod is available, NAME otherwise. */
237 static int
239 {
240 #if HAVE_FCHMOD
243 #endif
245 }
247 /* Copy a regular file from SRC_NAME to DST_NAME.
248 If the source file contains holes, copies holes and blocks of zeros
249 in the source file as holes in the destination file.
250 (Holes are read as zeroes by the `read' system call.)
251 When creating the destination, use DST_MODE & ~OMITTED_PERMISSIONS
252 as the third argument in the call to open, adding
253 OMITTED_PERMISSIONS after copying as needed.
254 X provides many option settings.
255 Return true if successful.
256 *NEW_DST is as in copy_internal.
257 SRC_SB is the result of calling XSTAT (aka stat) on SRC_NAME. */
259 static bool
264 {
281 {
284 }
287 {
291 }
293 /* Compare the source dev/ino from the open file to the incoming,
294 saved ones obtained via a previous call to stat. */
296 {
302 }
304 /* The semantics of the following open calls are mandated
305 by the specs for both cp and mv. */
307 {
311 /* When using cp --preserve=context to copy to an existing destination,
312 use the default context rather than that of the source. Why?
313 1) the src context may prohibit writing, and
314 2) because it's more consistent to use the same context
315 that is used when the destination file doesn't already exist. */
317 {
320 {
323 {
326 }
327 }
330 {
332 {
337 {
341 }
342 }
344 }
345 }
348 {
350 {
354 }
358 /* Tell caller that the destination file was unlinked. */
360 }
361 }
364 {
370 /* When trying to copy through a dangling destination symlink,
371 the above open fails with EEXIST. If that happens, and
372 lstat'ing the DST_NAME shows that it is a symlink, repeat
373 the open call, but this time with the name of the final,
374 missing directory entry. */
376 {
380 {
381 /* FIXME: This is way overkill, since all that's needed
382 is to follow the symlink that is the last file name
383 component. */
384 name_alloc =
387 {
392 }
393 }
394 }
395 }
396 else
400 {
405 }
408 {
412 }
414 {
418 /* Choose a suitable buffer size; it may be adjusted later. */
423 /* Deal with sparse files. */
428 {
429 /* Even with --sparse=always, try to create holes only
430 if the destination is a regular file. */
434 #if HAVE_STRUCT_STAT_ST_BLOCKS
435 /* Use a heuristic to determine whether SRC_NAME contains any sparse
436 blocks. If the file has fewer blocks than would normally be
437 needed for a file of its size, then at least one of the blocks in
438 the file is a hole. */
442 #endif
443 }
445 /* If not making a sparse file, try to use a more-efficient
446 buffer size. */
448 {
449 /* These days there's no point ever messing with buffers smaller
450 than 8 KiB. It would be nice to configure SMALL_BUF_SIZE
451 dynamically for this host and pair of files, but there doesn't
452 seem to be a good way to get readahead info portably. */
455 /* Compute the least common multiple of the input and output
456 buffer sizes, adjusting for outlandish values. */
459 blcm_max);
461 /* Do not use a block size that is too small. */
464 /* Do not bother with a buffer larger than the input file, plus one
465 byte to make sure the file has not grown while reading it. */
469 /* However, stick with a block size that is a positive multiple of
470 blcm, overriding the above adjustments. Watch out for
471 overflow. */
476 }
478 /* Make a buffer with space for a sentinel at the end. */
483 {
488 {
489 #ifdef EINTR
492 #endif
496 }
503 {
506 /* Sentinel to stop loop. */
508 #ifdef lint
509 /* Usually, buf[n_read] is not the byte just before a "word"
510 (aka uintptr_t) boundary. In that case, the word-oriented
511 test below (*wp++ == 0) would read some uninitialized bytes
512 after the sentinel. To avoid false-positive reports about
513 this condition (e.g., from a tool like valgrind), set the
514 remaining bytes -- to any value. */
516 #endif
518 /* Find first nonzero *word*, or the word with the sentinel. */
524 /* Find the first nonzero *byte*, or the sentinel. */
531 /* Clear to indicate that a normal write is needed. */
533 else
534 {
535 /* We found the sentinel, so the whole input block was zero.
536 Make a hole. */
538 {
542 }
544 }
545 }
548 {
551 {
555 }
558 /* A short read on a regular file means EOF. */
561 }
562 }
564 /* If the file ends with a `hole', we need to do something to record
565 the length of the file. On modern systems, calling ftruncate does
566 the job. On systems without native ftruncate support, we have to
567 write a byte at the ending position. Otherwise the kernel would
568 truncate the file at the end of the last write operation. */
571 {
574 so there is no need for a write. */
579 {
583 }
584 }
585 }
588 {
594 {
597 {
600 }
601 }
602 }
605 {
608 {
616 }
617 }
622 {
626 }
628 {
631 }
633 {
637 {
642 }
643 }
645 close_src_and_dst_desc:
647 {
650 }
651 close_src_desc:
653 {
656 }
661 }
663 /* Return true if it's ok that the source and destination
664 files are the `same' by some measure. The goal is to avoid
665 making the `copy' operation remove both copies of the file
666 in that case, while still allowing the user to e.g., move or
667 copy a regular file onto a symlink that points to it.
668 Try to minimize the cost of this function in the common case.
669 Set *RETURN_NOW if we've determined that the caller has no more
670 work to do and should return successfully, right away.
672 Set *UNLINK_SRC if we've determined that the caller wants to do
673 `rename (a, b)' where `a' and `b' are distinct hard links to the same
674 file. In that case, the caller should try to unlink `a' and then return
675 successfully. Ideally, we wouldn't have to do that, and we'd be
676 able to rely on rename to remove the source file. However, POSIX
677 mistakenly requires that such a rename call do *nothing* and return
678 successfully. */
680 static bool
684 {
696 /* FIXME: this should (at the very least) be moved into the following
697 if-block. More likely, it should be removed, because it inhibits
698 making backups. But removing it will result in a change in behavior
699 that will probably have to be documented -- and tests will have to
700 be updated. */
702 {
705 }
708 {
711 /* If both the source and destination files are symlinks (and we'll
712 know this here IFF preserving symlinks), then it's ok -- as long
713 as they are distinct. */
719 }
720 else
721 {
734 /* If both are symlinks, then it's ok, but only if the destination
735 will be unlinked before being opened. This is like the test
736 above, but with the addition of the unlink_dest_before_opening
737 conjunct because otherwise, with two symlinks to the same target,
738 we'd end up truncating the source file. */
742 }
744 /* The backup code ensures there's a copy, so it's usually ok to
745 remove any destination file. One exception is when both
746 source and destination are the same directory entry. In that
747 case, moving the destination file aside (in making the backup)
748 would also rename the source file and result in an error. */
750 {
752 {
753 /* In copy mode when dereferencing symlinks, if the source is a
754 symlink and the dest is not, then backing up the destination
755 (moving it aside) would make it a dangling symlink, and the
756 subsequent attempt to open it in copy_reg would fail with
757 a misleading diagnostic. Avoid that by returning zero in
758 that case so the caller can make cp (or mv when it has to
759 resort to reading the source file) fail now. */
761 /* FIXME-note: even with the following kludge, we can still provoke
762 the offending diagnostic. It's just a little harder to do :-)
763 $ rm -f a b c; touch c; ln -s c b; ln -s b a; cp -b a b
764 cp: cannot open `a' for reading: No such file or directory
765 That's misleading, since a subsequent `ls' shows that `a'
766 is still there.
767 One solution would be to open the source file *before* moving
768 aside the destination, but that'd involve a big rewrite. */
776 }
779 }
781 #if 0
782 /* FIXME: use or remove */
784 /* If we're making a backup, we'll detect the problem case in
785 copy_reg because SRC_NAME will no longer exist. Allowing
786 the test to be deferred lets cp do some useful things.
787 But when creating hardlinks and SRC_NAME is a symlink
788 but DST_NAME is not we must test anyway. */
796 #endif
798 /* They may refer to the same file if we're in move mode and the
799 target is a symlink. That is ok, since we remove any existing
800 destination file before opening it -- via `rename' if they're on
801 the same file system, via `unlink (DST_NAME)' otherwise.
802 It's also ok if they're distinct hard links to the same file. */
804 {
811 {
813 {
816 }
818 }
819 }
821 /* If neither is a symlink, then it's ok as long as they aren't
822 hard links to the same file. */
824 {
828 /* If they are the same file, it's ok if we're making hard links. */
830 {
833 }
834 }
836 /* It's ok to remove a destination symlink. But that works only when we
837 unlink before opening the destination and when the source and destination
838 files are on the same partition. */
844 {
858 /* FIXME: shouldn't this be testing whether we're making symlinks? */
860 {
863 }
864 }
867 }
869 /* Return true if FILE, with mode MODE, is writable in the sense of 'mv'.
870 Always consider a symbolic link to be writable. */
871 static bool
873 {
877 }
879 static void
881 {
883 {
892 }
893 else
894 {
897 }
898 }
900 /* Initialize the hash table implementing a set of F_triple entries
901 corresponding to destination files. */
904 {
905 x->dest_info
907 NULL,
908 triple_hash,
909 triple_compare,
910 triple_free);
911 }
913 /* Initialize the hash table implementing a set of F_triple entries
914 corresponding to source files listed on the command line. */
917 {
919 /* Note that we use triple_hash_no_name here.
920 Contrast with the use of triple_hash above.
921 That is necessary because a source file may be specified
922 in many different ways. We want to warn about this
923 cp a a d/
924 as well as this:
925 cp a ./a d/
926 */
927 x->src_info
929 NULL,
930 triple_hash_no_name,
931 triple_compare,
932 triple_free);
933 }
935 /* When effecting a move (e.g., for mv(1)), and given the name DST_NAME
936 of the destination and a corresponding stat buffer, DST_SB, return
937 true if the logical `move' operation should _not_ proceed.
938 Otherwise, return false.
939 Depending on options specified in X, this code may issue an
940 interactive prompt asking whether it's ok to overwrite DST_NAME. */
941 static bool
945 {
954 }
956 /* Print --verbose output on standard output, e.g. `new' -> `old'.
957 If BACKUP_DST_NAME is non-NULL, then also indicate that it is
958 the name of a backup file. */
959 static void
961 {
966 }
968 /* A wrapper around "setfscreatecon (NULL)" that exits upon failure. */
969 static void
971 {
975 }
977 /* Copy the file SRC_NAME to the file DST_NAME. The files may be of
978 any type. NEW_DST should be true if the file DST_NAME cannot
979 exist because its parent directory was just created; NEW_DST should
980 be false if DST_NAME might already exist. DEVICE is the device
981 number of the parent directory, or 0 if the parent of this file is
982 not known. ANCESTORS points to a linked, null terminated list of
983 devices and inodes of parent directories of SRC_NAME. COMMAND_LINE_ARG
984 is true iff SRC_NAME was specified on the command line.
985 Set *COPY_INTO_SELF if SRC_NAME is a parent of (or the
986 same as) DST_NAME; otherwise, clear it.
987 Return true if successful. */
988 static bool
991 dev_t device,
997 {
1000 mode_t src_mode;
1002 mode_t dst_mode_bits;
1003 mode_t omitted_permissions;
1019 {
1022 }
1027 {
1030 }
1032 /* Detect the case in which the same source file appears more than
1033 once on the command line and no backup option has been selected.
1034 If so, simply warn and don't copy it the second time.
1035 This check is enabled only if x->src_info is non-NULL. */
1037 {
1041 {
1045 }
1048 }
1051 {
1052 /* Regular files can be created by writing through symbolic
1053 links, but other files cannot. So use stat on the
1054 destination when copying a regular file, and lstat otherwise.
1055 However, if we intend to unlink or remove the destination
1056 first, use lstat, since a copy won't actually be made to the
1057 destination in that case. */
1069 {
1071 {
1074 }
1075 else
1076 {
1078 }
1079 }
1080 else
1082 that it is stat'able or lstat'able. */
1089 {
1093 }
1096 {
1097 /* When preserving time stamps (but not moving within a file
1098 system), don't worry if the destination time stamp is
1099 less than the source merely because of time stamp
1100 truncation. */
1104 ? UTIMECMP_TRUNCATE_SOURCE
1108 {
1109 /* We're using --update and the destination is not older
1110 than the source, so do not copy or move. Pretend the
1111 rename succeeded, so the caller (if it's mv) doesn't
1112 end up removing the source file. */
1116 }
1117 }
1119 /* When there is an existing destination file, we may end up
1120 returning early, and hence not copying/moving the file.
1121 This may be due to an interactive `negative' reply to the
1122 prompt about the existing file. It may also be due to the
1123 use of the --reply=no option.
1125 cp and mv treat -i and -f differently. */
1127 {
1130 {
1131 /* Pretend the rename succeeded, so the caller (mv)
1132 doesn't end up removing the source file. */
1138 }
1140 {
1143 }
1144 }
1145 else
1146 {
1153 }
1159 {
1161 {
1163 {
1164 /* Moving a directory onto an existing
1165 non-directory is ok only with --backup. */
1166 }
1167 else
1168 {
1173 }
1174 }
1176 /* Don't let the user destroy their data, even if they try hard:
1177 This mv command must fail (likewise for cp):
1178 rm -rf a b c; mkdir a b c; touch a/f b/f; mv a/f b/f c
1179 Otherwise, the contents of b/f would be lost.
1180 In the case of `cp', b/f would be lost if the user simulated
1181 a move using cp and rm.
1182 Note that it works fine if you use --backup=numbered. */
1186 {
1191 }
1192 }
1195 {
1197 {
1199 {
1200 /* Moving a non-directory onto an existing
1201 directory is ok only with --backup. */
1202 }
1203 else
1204 {
1209 }
1210 }
1211 }
1214 {
1215 /* Don't allow user to move a directory onto a non-directory. */
1218 {
1223 }
1224 }
1227 /* Don't try to back up a destination if the last
1228 component of src_name is "." or "..". */
1230 /* Create a backup of each destination directory in move mode,
1231 but not in copy mode. FIXME: it might make sense to add an
1232 option to suppress backup creation also for move mode.
1233 That would let one use mv to merge new content into an
1234 existing hierarchy. */
1236 {
1240 /* Detect (and fail) when creating the backup file would
1241 destroy the source file. Before, running the commands
1242 cd /tmp; rm -f a a~; : > a; echo A > a~; cp --b=simple a~ a
1243 would leave two zero-length files: a and a~. */
1244 /* FIXME: but simply change e.g., the final a~ to `./a~'
1245 and the source will still be destroyed. */
1247 {
1257 }
1259 /* FIXME: use fts:
1260 Using alloca for a file name that may be arbitrarily
1261 long is not recommended. In fact, even forming such a name
1262 should be discouraged. Eventually, this code will be rewritten
1263 to use fts, so using alloca here will be less of a problem. */
1267 {
1269 {
1272 }
1273 else
1274 {
1276 }
1277 }
1278 else
1279 {
1281 }
1283 }
1290 ))
1291 {
1293 {
1296 }
1300 }
1301 }
1302 }
1304 /* Ensure we don't try to copy through a symlink that was
1305 created by a prior call to this function. */
1310 {
1315 /* If we called lstat above, good: use that data.
1316 Otherwise, call lstat here, in case dst_name is a symlink. */
1319 else
1320 {
1323 else
1325 }
1327 /* Never copy through a symlink we've just created. */
1331 {
1336 }
1337 }
1339 /* If the source is a directory, we don't always create the destination
1340 directory. So --verbose should not announce anything until we're
1341 sure we'll create a directory. */
1345 /* Associate the destination file name with the source device and inode
1346 so that if we encounter a matching dev/ino pair in the source tree
1347 we can arrange to create a hard link between the corresponding names
1348 in the destination tree.
1350 Sometimes, when preserving links, we have to record dev/ino even
1351 though st_nlink == 1:
1352 - when in move_mode, since we may be moving a group of N hard-linked
1353 files (via two or more command line arguments) to a different
1354 partition; the links may be distributed among the command line
1355 arguments (possibly hierarchies) so that the link count of
1356 the final, once-linked source file is reduced to 1 when it is
1357 considered below. But in this case (for mv) we don't need to
1358 incur the expense of recording the dev/ino => name mapping; all we
1359 really need is a lookup, to see if the dev/ino pair has already
1360 been copied.
1361 - when using -H and processing a command line argument;
1362 that command line argument could be a symlink pointing to another
1363 command line argument. With `cp -H --preserve=link', we hard-link
1364 those two destination files.
1365 - likewise for -L except that it applies to all files, not just
1366 command line arguments.
1368 Also record directory dev/ino when using --recursive. We'll use that
1369 info to detect this problem: cp -R dir dir. FIXME-maybe: ideally,
1370 directory info would be recorded in a separate hash table, since
1371 such entries are useful only while a single command line hierarchy
1372 is being copied -- so that separate table could be cleared between
1373 command line args. Using the same hash table to preserve hard
1374 links means that it may not be cleared. */
1377 {
1379 }
1382 || (command_line_arg
1386 {
1388 }
1390 /* Did we copy this inode somewhere else (in this command line argument)
1391 and therefore this is a second hard link to the inode? */
1394 {
1395 /* Avoid damaging the destination file system by refusing to preserve
1396 hard-linked directories (which are found at least in Netapp snapshot
1397 directories). */
1399 {
1400 /* If src_name and earlier_file refer to the same directory entry,
1401 then warn about copying a directory into itself. */
1403 {
1409 }
1411 {
1412 /* This happens when e.g., encountering a directory for the
1413 second or subsequent time via symlinks when cp is invoked
1414 with -R and -L. E.g.,
1415 rm -rf a b c d; mkdir a b c d; ln -s ../c a; ln -s ../c b;
1416 cp -RL a b d
1417 */
1418 }
1419 else
1420 {
1424 }
1425 }
1426 else
1427 {
1430 /* If the link failed because of an existing destination,
1431 remove that file and then call link again. */
1433 {
1435 {
1438 }
1442 }
1445 {
1449 }
1452 }
1453 }
1456 {
1458 {
1467 {
1468 /* Record destination dev/ino/name, so that if we are asked
1469 to overwrite that file again, we can detect it and fail. */
1470 /* It's fine to use the _source_ stat buffer (src_sb) to get the
1471 _destination_ dev/ino, since the rename above can't have
1472 changed those, and `mv' always uses lstat.
1473 We could limit it further by operating
1474 only on non-directories. */
1476 }
1479 }
1481 /* FIXME: someday, consider what to do when moving a directory into
1482 itself but when source and destination are on different devices. */
1484 /* This happens when attempting to rename a directory to a
1485 subdirectory of itself. */
1487 {
1488 /* FIXME: this is a little fragile in that it relies on rename(2)
1489 failing with a specific errno value. Expect problems on
1490 non-POSIX systems. */
1495 /* Note that there is no need to call forget_created here,
1496 (compare with the other calls in this file) since the
1497 destination directory didn't exist before. */
1500 /* FIXME-cleanup: Don't return true here; adjust mv.c accordingly.
1501 The only caller that uses this code (mv.c) ends up setting its
1502 exit status to nonzero when copy_into_self is nonzero. */
1504 }
1506 /* WARNING: there probably exist systems for which an inter-device
1507 rename fails with a value of errno not handled here.
1508 If/as those are reported, add them to the condition below.
1509 If this happens to you, please do the following and send the output
1510 to the bug-reporting address (e.g., in the output of cp --help):
1511 touch k; perl -e 'rename "k","/tmp/k" or print "$!(",$!+0,")\n"'
1512 where your current directory is on one partion and /tmp is the other.
1513 Also, please try to find the E* errno macro name corresponding to
1514 the diagnostic and parenthesized integer, and include that in your
1515 e-mail. One way to do that is to run a command like this
1516 find /usr/include/. -type f \
1517 | xargs grep 'define.*\<E[A-Z]*\>.*\<18\>' /dev/null
1518 where you'd replace `18' with the integer in parentheses that
1519 was output from the perl one-liner above.
1520 If necessary, of course, change `/tmp' to some other directory. */
1522 {
1523 /* There are many ways this can happen due to a race condition.
1524 When something happens between the initial XSTAT and the
1525 subsequent rename, we can get many different types of errors.
1526 For example, if the destination is initially a non-directory
1527 or non-existent, but it is created as a directory, the rename
1528 fails. If two `mv' commands try to rename the same file at
1529 about the same time, one will succeed and the other will fail.
1530 If the permissions on the directory containing the source or
1531 destination file are made too restrictive, the rename will
1532 fail. Etc. */
1538 }
1540 /* The rename attempt has failed. Remove any existing destination
1541 file so that a cross-device `mv' acts as if it were really using
1542 the rename syscall. */
1544 {
1550 }
1553 }
1555 /* If the ownership might change, or if it is a directory (whose
1556 special mode bits may change after the directory is created),
1557 omit some permissions at first, so unauthorized users cannot nip
1558 in before the file is ready. */
1560 omitted_permissions =
1561 (dst_mode_bits
1569 {
1570 security_context_t con;
1573 {
1575 {
1580 {
1583 }
1584 }
1586 }
1587 else
1588 {
1590 {
1596 }
1597 }
1598 }
1600 /* In certain modes (cp's --symbolic-link), and for certain file types
1601 (symlinks and hard links) it doesn't make sense to preserve metadata,
1602 or it's possible to preserve only some of it.
1603 In such cases, set this variable to zero. */
1607 {
1610 /* If this directory has been copied before during the
1611 recursion, there is a symbolic link to an ancestor
1612 directory of the symbolic link. It is impossible to
1613 continue to copy this, unless we've got an infinite disk. */
1616 {
1620 }
1622 /* Insert the current directory in the list of parents. */
1630 {
1631 /* POSIX says mkdir's behavior is implementation-defined when
1632 (src_mode & ~S_IRWXUGO) != 0. However, common practice is
1633 to ask mkdir to copy all the CHMOD_MODE_BITS, letting mkdir
1634 decide what to do with S_ISUID | S_ISGID | S_ISVTX. */
1636 {
1640 }
1642 /* We need search and write permissions to the new directory
1643 for writing the directory's contents. Check if these
1644 permissions are there. */
1647 {
1650 }
1652 {
1653 /* Make the new directory searchable and writable. */
1659 {
1663 }
1664 }
1666 /* Insert the created directory's inode and device
1667 numbers into the search structure, so that we can
1668 avoid copying it again. */
1674 }
1676 /* Decide whether to copy the contents of the directory. */
1678 {
1679 /* Here, we are crossing a file system boundary and cp's -x option
1680 is in effect: so don't copy the contents of this directory. */
1681 }
1682 else
1683 {
1684 /* Copy the contents of the directory. Don't just return if
1685 this fails -- otherwise, the failure to read a single file
1686 in a source directory would cause the containing destination
1687 directory not to have owner/perms set properly. */
1689 copy_into_self);
1690 }
1691 }
1693 {
1697 {
1698 /* Check that DST_NAME denotes a file in the current directory. */
1707 /* If either stat call fails, it's ok not to report
1708 the failure and say dst_name is in the current
1709 directory. Other things will fail later. */
1716 {
1721 }
1722 }
1724 {
1728 }
1729 }
1732 #ifdef LINK_FOLLOWS_SYMLINKS
1733 /* A POSIX-conforming link syscall dereferences a symlink, yet cp,
1734 invoked with `--link --no-dereference', should not. Thus, with
1735 a POSIX-conforming link system call, we can't use link() here,
1736 since that would create a hard link to the referent (effectively
1737 dereferencing the symlink), rather than to the symlink itself.
1738 We can approximate the desired behavior by skipping this hard-link
1739 creating block and instead copying the symlink, via the `S_ISLNK'-
1740 copying code below.
1741 When link operates on the symlinks themselves, we use this block
1742 and just call link(). */
1744 #endif
1745 )
1746 {
1749 {
1752 }
1753 }
1756 {
1758 /* POSIX says the permission bits of the source file must be
1759 used as the 3rd argument in the open call. Historical
1760 practice passed all the source mode bits to 'open', but the extra
1761 bits were ignored, so it should be the same either way. */
1765 }
1767 {
1768 /* Use mknod, rather than mkfifo, because the former preserves
1769 the special mode bits of a fifo on Solaris 10, while mkfifo
1770 does not. But fall back on mkfifo, because on some BSD systems,
1771 mknod always fails when asked to create a FIFO. */
1773 #if HAVE_MKFIFO
1775 #endif
1776 {
1779 }
1780 }
1782 {
1785 {
1789 }
1790 }
1792 {
1795 {
1798 }
1802 else
1803 {
1808 {
1809 /* See if the destination is already the desired symlink.
1810 FIXME: This behavior isn't documented, and seems wrong
1811 in some cases, e.g., if the destination symlink has the
1812 wrong ownership, permissions, or time stamps. */
1818 }
1822 {
1826 }
1827 }
1832 /* There's no need to preserve timestamps or permissions. */
1836 {
1837 /* Preserve the owner and group of the just-`copied'
1838 symbolic link, if possible. */
1842 {
1844 dst_name);
1846 }
1847 else
1848 {
1849 /* Can't preserve ownership of symlinks.
1850 FIXME: maybe give a warning or even error for symlinks
1851 in directories with the sticky bit set -- there, not
1852 preserving owner/group is a potential security problem. */
1853 }
1854 }
1855 }
1856 else
1857 {
1860 }
1863 {
1864 /* Now that the destination file is very likely to exist,
1865 add its info to the set. */
1869 }
1877 /* POSIX says that `cp -p' must restore the following:
1878 - permission bits
1879 - setuid, setgid bits
1880 - owner and group
1881 If it fails to restore any of those, we may give a warning but
1882 the destination must not be removed.
1883 FIXME: implement the above. */
1885 /* Adjust the times (and if possible, ownership) for the copy.
1886 chown turns off set[ug]id bits for non-root,
1887 so do the chmod last. */
1890 {
1896 {
1900 }
1901 }
1903 /* Avoid calling chown if we know it's not necessary. */
1906 {
1908 {
1915 }
1916 }
1921 {
1925 }
1927 {
1930 }
1931 else
1932 {
1934 {
1938 {
1939 /* Permissions were deliberately omitted when the file
1940 was created due to security concerns. See whether
1941 they need to be re-added now. It'd be faster to omit
1942 the lstat, but deducing the current destination mode
1943 is tricky in the presence of implementation-defined
1944 rules for special mode bits. */
1946 {
1949 }
1953 }
1954 }
1957 {
1959 {
1964 }
1965 }
1966 }
1970 un_backup:
1975 /* We have failed to create the destination file.
1976 If we've just added a dev/ino entry via the remember_copied
1977 call above (i.e., unless we've just failed to create a hard link),
1978 remove the entry associating the source dev/ino with the
1979 destination file name, so we don't try to `preserve' a link
1980 to a file we didn't create. */
1985 {
1988 else
1989 {
1993 }
1994 }
1996 }
1998 static bool
2000 {
2006 }
2008 /* Copy the file SRC_NAME to the file DST_NAME. The files may be of
2009 any type. NONEXISTENT_DST should be true if the file DST_NAME
2010 is known not to exist (e.g., because its parent directory was just
2011 created); NONEXISTENT_DST should be false if DST_NAME might already
2012 exist. OPTIONS is ... FIXME-describe
2013 Set *COPY_INTO_SELF if SRC_NAME is a parent of (or the
2014 same as) DST_NAME; otherwise, set clear it.
2015 Return true if successful. */
2021 {
2024 /* Record the file names: they're used in case of error, when copying
2025 a directory into itself. I don't like to make these tools do *any*
2026 extra work in the common case when that work is solely to handle
2027 exceptional cases, but in this case, I don't see a way to derive the
2028 top level source and destination directory names where they're used.
2029 An alternative is to use COPY_INTO_SELF and print the diagnostic
2030 from every caller -- but I don't want to do that. */
2036 }
2038 /* Return true if this process has appropriate privileges to chown a
2039 file whose owner is not the effective user ID. */
2043 {
2044 #ifdef PRIV_FILE_CHOWN
2053 #else
2055 #endif
2056 }
2058 /* Return true if it's OK for chown to fail, where errno is
2059 the error number that chown failed with and X is the copying
2060 option set. */
2064 {
2065 /* If non-root uses -p, it's ok if we can't preserve ownership.
2066 But root probably wants to know, e.g. if NFS disallows it,
2067 or if the target system doesn't support file ownership. */
2070 }
2072 /* Return the user's umask, caching the result. */
2074 extern mode_t
2076 {
2079 {
2082 }
2084 }