| blob | 104652d0637af2339d111efc3d9c210fdecae5b2 |
1 /* copy.c -- core functions for copying files and directories
2 Copyright (C) 1989-1991, 1995-2011 Free Software Foundation, Inc.
4 This program is free software: you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation, either version 3 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <http://www.gnu.org/licenses/>. */
17 /* Extracted from cp.c and librarified by Jim Meyering. */
19 #include <config.h>
20 #include <stdio.h>
21 #include <assert.h>
22 #include <sys/ioctl.h>
23 #include <sys/types.h>
24 #include <selinux/selinux.h>
26 #if HAVE_HURD_H
27 # include <hurd.h>
28 #endif
29 #if HAVE_PRIV_H
30 # include <priv.h>
31 #endif
59 #if USE_XATTR
60 # include <attr/error_context.h>
61 # include <attr/libattr.h>
62 # include <stdarg.h>
64 #endif
66 #ifndef HAVE_FCHOWN
67 # define HAVE_FCHOWN false
68 # define fchown(fd, uid, gid) (-1)
69 #endif
71 #ifndef HAVE_LCHOWN
72 # define HAVE_LCHOWN false
73 # define lchown(name, uid, gid) chown (name, uid, gid)
74 #endif
76 #ifndef HAVE_MKFIFO
77 static int
79 {
82 }
83 # define mkfifo rpl_mkfifo
84 #endif
86 #ifndef USE_ACL
87 # define USE_ACL 0
88 #endif
90 #define SAME_OWNER(A, B) ((A).st_uid == (B).st_uid)
91 #define SAME_GROUP(A, B) ((A).st_gid == (B).st_gid)
92 #define SAME_OWNER_AND_GROUP(A, B) (SAME_OWNER (A, B) && SAME_GROUP (A, B))
94 struct dir_list
95 {
97 ino_t ino;
98 dev_t dev;
99 };
101 /* Initial size of the cp.dest_info hash table. */
102 #define DEST_INFO_INITIAL_CAPACITY 61
114 /* Pointers to the file names: they're used in the diagnostic that is issued
115 when we detect the user is trying to copy a directory into itself. */
119 /* Set the timestamp of symlink, FILE, to TIMESPEC.
120 If this system lacks support for that, simply return 0. */
123 {
125 /* When configuring on a system with new headers and libraries, and
126 running on one with a kernel that is old enough to lack the syscall,
127 utimensat fails with ENOSYS. Ignore that. */
131 }
133 /* Copy the regular file open on SRC_FD/SRC_NAME to DST_FD/DST_NAME,
134 honoring the MAKE_HOLES setting and using the BUF_SIZE-byte buffer
135 BUF for temporary storage. Copy no more than MAX_N_READ bytes.
136 Return true upon successful completion;
137 print a diagnostic and return false upon error.
138 Note that for best results, BUF should be "well"-aligned.
139 BUF must have sizeof(uintptr_t)-1 bytes of additional space
140 beyond BUF[BUF_SIZE-1].
141 Set *LAST_WRITE_MADE_HOLE to true if the final operation on
142 DEST_FD introduced a hole. Set *TOTAL_N_READ to the number of
143 bytes read. */
144 static bool
150 {
156 {
161 {
166 }
173 {
176 /* Sentinel to stop loop. */
178 #ifdef lint
179 /* Usually, buf[n_read] is not the byte just before a "word"
180 (aka uintptr_t) boundary. In that case, the word-oriented
181 test below (*wp++ == 0) would read some uninitialized bytes
182 after the sentinel. To avoid false-positive reports about
183 this condition (e.g., from a tool like valgrind), set the
184 remaining bytes -- to any value. */
186 #endif
188 /* Find first nonzero *word*, or the word with the sentinel. */
194 /* Find the first nonzero *byte*, or the sentinel. */
201 /* Clear to indicate that a normal write is needed. */
203 else
204 {
205 /* We found the sentinel, so the whole input block was zero.
206 Make a hole. */
208 {
211 }
213 }
214 }
217 {
220 {
223 }
226 /* It is tempting to return early here upon a short read from a
227 regular file. That would save the final read syscall for each
228 file. Unfortunately that doesn't work for certain files in
229 /proc with linux kernels from at least 2.6.9 .. 2.6.29. */
230 }
231 }
234 }
236 /* Perform the O(1) btrfs clone operation, if possible.
237 Upon success, return 0. Otherwise, return -1 and set errno. */
240 {
241 #ifdef __linux__
242 # undef BTRFS_IOCTL_MAGIC
243 # define BTRFS_IOCTL_MAGIC 0x94
244 # undef BTRFS_IOC_CLONE
245 # define BTRFS_IOC_CLONE _IOW (BTRFS_IOCTL_MAGIC, 9, int)
247 #else
252 #endif
253 }
255 /* Write N_BYTES zero bytes to file descriptor FD. Return true if successful.
256 Upon write failure, set errno and return false. */
257 static bool
259 {
263 /* Attempt to use a relatively large calloc'd source buffer for
264 efficiency, but if that allocation fails, resort to a smaller
265 statically allocated one. */
267 {
271 {
274 }
275 }
278 {
283 }
286 }
288 /* Perform an efficient extent copy, if possible. This avoids
289 the overhead of detecting holes in hole-introducing/preserving
290 copy, and thus makes copying sparse files much more efficient.
291 Upon a successful copy, return true. If the initial extent scan
292 fails, set *NORMAL_COPY_REQUIRED to true and return false.
293 Upon any other failure, set *NORMAL_COPY_REQUIRED to false and
294 return false. */
295 static bool
300 {
305 /* Keep track of the output position.
306 We may need this at the end, for a final ftruncate. */
313 do
314 {
317 {
322 {
325 }
330 }
334 {
340 {
342 {
344 fail:
347 }
350 {
352 {
355 }
356 }
357 else
358 {
359 /* When not inducing holes and when there is a hole between
360 the end of the previous extent and the beginning of the
361 current one, write zeros to the destination file. */
363 {
366 }
367 }
368 }
373 off_t n_read;
381 }
383 /* Release the space allocated to scan->ext_info. */
386 }
389 /* When the source file ends with a hole, we have to do a little more work,
390 since the above copied only up to and including the final extent.
391 In order to complete the copy, we may have to insert a hole or write
392 zeros in the destination corresponding to the source file's hole-at-EOF.
394 In addition, if the final extent was a block of zeros at EOF and we've
395 just converted them to a hole in the destination, we must call ftruncate
396 here in order to record the proper length in the destination. */
401 {
404 }
407 }
409 /* FIXME: describe */
410 /* FIXME: rewrite this to use a hash table so we avoid the quadratic
411 performance hit that's probably noticeable only on trees deeper
412 than a few hundred levels. See use of active_dir_map in remove.c */
414 static bool
416 {
418 {
422 }
424 }
426 static bool
428 {
430 }
432 #if USE_XATTR
433 static void
436 {
438 {
442 /* use verror module to print error message */
446 }
447 }
449 static void
452 {
456 /* use verror module to print error message */
460 }
464 {
466 }
468 static void
471 {
472 }
474 /* If positive SRC_FD and DST_FD descriptors are passed,
475 then copy by fd, otherwise copy by name. */
477 static bool
480 {
485 {
489 };
493 else
498 }
501 static bool
507 {
509 }
512 /* Read the contents of the directory SRC_NAME_IN, and recursively
513 copy the contents to DST_NAME_IN. NEW_DST is true if
514 DST_NAME_IN is a directory that was created previously in the
515 recursion. SRC_SB and ANCESTORS describe SRC_NAME_IN.
516 Set *COPY_INTO_SELF if SRC_NAME_IN is a parent of
517 FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG FIXME
518 (or the same as) DST_NAME_IN; otherwise, clear it.
519 Return true if successful. */
521 static bool
527 {
535 {
536 /* This diagnostic is a bit vague because savedir can fail in
537 several different ways. */
540 }
542 /* For cp's -H option, dereference command line arguments, but do not
543 dereference symlinks that are found via recursive traversal. */
549 {
556 first_dir_created_per_command_line_arg,
563 /* If we're copying into self, there's no point in continuing,
564 and in fact, that would even infloop, now that we record only
565 the first created directory per command line argument. */
570 }
573 }
575 /* Set the owner and owning group of DEST_DESC to the st_uid and
576 st_gid fields of SRC_SB. If DEST_DESC is undefined (-1), set
577 the owner and owning group of DST_NAME instead; for
578 safety prefer lchown if the system supports it since no
579 symbolic links should be involved. DEST_DESC must
580 refer to the same file as DEST_NAME if defined.
581 Upon failure to set both UID and GID, try to set only the GID.
582 NEW_DST is true if the file was newly created; otherwise,
583 DST_SB is the status of the destination.
584 Return 1 if the initial syscall succeeds, 0 if it fails but it's OK
585 not to preserve ownership, -1 otherwise. */
587 static int
591 {
595 /* Naively changing the ownership of an already-existing file before
596 changing its permissions would create a window of vulnerability if
597 the file's old permissions are too generous for the new owner and
598 group. Avoid the window by first changing to a restrictive
599 temporary mode if necessary. */
602 {
604 mode_t new_mode =
612 {
617 }
618 }
621 {
625 {
626 /* We've failed to set *both*. Now, try to set just the group
627 ID, but ignore any failure here, and don't change errno. */
631 }
632 }
633 else
634 {
638 {
639 /* We've failed to set *both*. Now, try to set just the group
640 ID, but ignore any failure here, and don't change errno. */
644 }
645 }
648 {
653 }
656 }
658 /* Set the st_author field of DEST_DESC to the st_author field of
659 SRC_SB. If DEST_DESC is undefined (-1), set the st_author field
660 of DST_NAME instead. DEST_DESC must refer to the same file as
661 DEST_NAME if defined. */
663 static void
665 {
666 #if HAVE_STRUCT_STAT_ST_AUTHOR
667 /* FIXME: Modify the following code so that it does not
668 follow symbolic links. */
670 /* Preserve the st_author field. */
676 else
677 {
683 }
684 #else
688 #endif
689 }
691 /* Change the file mode bits of the file identified by DESC or NAME to MODE.
692 Use DESC if DESC is valid and fchmod is available, NAME otherwise. */
694 static int
696 {
697 #if HAVE_FCHMOD
700 #endif
702 }
704 /* Copy a regular file from SRC_NAME to DST_NAME.
705 If the source file contains holes, copies holes and blocks of zeros
706 in the source file as holes in the destination file.
707 (Holes are read as zeroes by the `read' system call.)
708 When creating the destination, use DST_MODE & ~OMITTED_PERMISSIONS
709 as the third argument in the call to open, adding
710 OMITTED_PERMISSIONS after copying as needed.
711 X provides many option settings.
712 Return true if successful.
713 *NEW_DST is as in copy_internal.
714 SRC_SB is the result of calling XSTAT (aka stat) on SRC_NAME. */
716 static bool
721 {
738 {
741 }
744 {
748 }
750 /* Compare the source dev/ino from the open file to the incoming,
751 saved ones obtained via a previous call to stat. */
753 {
759 }
761 /* The semantics of the following open calls are mandated
762 by the specs for both cp and mv. */
764 {
768 /* When using cp --preserve=context to copy to an existing destination,
769 use the default context rather than that of the source. Why?
770 1) the src context may prohibit writing, and
771 2) because it's more consistent to use the same context
772 that is used when the destination file doesn't already exist. */
774 {
781 {
785 {
788 }
789 }
792 {
794 {
800 {
804 }
805 }
807 }
808 }
811 {
813 {
817 }
821 /* Tell caller that the destination file was unlinked. */
823 }
824 }
827 {
833 /* When trying to copy through a dangling destination symlink,
834 the above open fails with EEXIST. If that happens, and
835 lstat'ing the DST_NAME shows that it is a symlink, then we
836 have a problem: trying to resolve this dangling symlink to
837 a directory/destination-entry pair is fundamentally racy,
838 so punt. If x->open_dangling_dest_symlink is set (cp sets
839 that when POSIXLY_CORRECT is set in the environment), simply
840 call open again, but without O_EXCL (potentially dangerous).
841 If not, fail with a diagnostic. These shenanigans are necessary
842 only when copying, i.e., not in move_mode. */
844 {
848 {
850 {
854 }
855 else
856 {
861 }
862 }
863 }
865 /* Improve quality of diagnostic when a nonexistent dst_name
866 ends in a slash and open fails with errno == EISDIR. */
870 }
871 else
875 {
880 }
883 {
887 }
889 /* --attributes-only overrides --reflink. */
891 {
894 {
896 {
900 }
902 }
903 }
906 {
909 /* Choose a suitable buffer size; it may be adjusted later. */
914 /* Deal with sparse files. */
918 {
919 /* Even with --sparse=always, try to create holes only
920 if the destination is a regular file. */
924 #if HAVE_STRUCT_STAT_ST_BLOCKS
925 /* Use a heuristic to determine whether SRC_NAME contains any sparse
926 blocks. If the file has fewer blocks than would normally be
927 needed for a file of its size, then at least one of the blocks in
928 the file is a hole. */
932 #endif
933 }
935 /* If not making a sparse file, try to use a more-efficient
936 buffer size. */
938 {
939 /* Compute the least common multiple of the input and output
940 buffer sizes, adjusting for outlandish values. */
943 blcm_max);
945 /* Do not bother with a buffer larger than the input file, plus one
946 byte to make sure the file has not grown while reading it. */
950 /* However, stick with a block size that is a positive multiple of
951 blcm, overriding the above adjustments. Watch out for
952 overflow. */
957 }
959 /* Make a buffer with space for a sentinel at the end. */
964 /* Perform an efficient extent-based copy, falling back to the
965 standard copy only if the initial extent scan fails. If the
966 '--sparse=never' option is specified, write all data but use
967 any extents to read more efficiently. */
975 {
978 }
980 off_t n_read;
988 {
992 }
993 }
995 preserve_metadata:
997 {
1003 {
1006 {
1009 }
1010 }
1011 }
1013 /* Set ownership before xattrs as changing owners will
1014 clear capabilities. */
1016 {
1018 {
1026 }
1027 }
1029 /* To allow copying xattrs on read-only files, temporarily chmod u+rw.
1030 This workaround is required as an inode permission check is done
1031 by xattr_permission() in fs/xattr.c of the GNU/Linux kernel tree. */
1033 {
1045 }
1050 {
1054 }
1056 {
1059 }
1061 {
1065 {
1070 }
1071 }
1073 close_src_and_dst_desc:
1075 {
1078 }
1079 close_src_desc:
1081 {
1084 }
1089 }
1091 /* Return true if it's ok that the source and destination
1092 files are the `same' by some measure. The goal is to avoid
1093 making the `copy' operation remove both copies of the file
1094 in that case, while still allowing the user to e.g., move or
1095 copy a regular file onto a symlink that points to it.
1096 Try to minimize the cost of this function in the common case.
1097 Set *RETURN_NOW if we've determined that the caller has no more
1098 work to do and should return successfully, right away.
1100 Set *UNLINK_SRC if we've determined that the caller wants to do
1101 `rename (a, b)' where `a' and `b' are distinct hard links to the same
1102 file. In that case, the caller should try to unlink `a' and then return
1103 successfully. Ideally, we wouldn't have to do that, and we'd be
1104 able to rely on rename to remove the source file. However, POSIX
1105 mistakenly requires that such a rename call do *nothing* and return
1106 successfully. */
1108 static bool
1112 {
1124 /* FIXME: this should (at the very least) be moved into the following
1125 if-block. More likely, it should be removed, because it inhibits
1126 making backups. But removing it will result in a change in behavior
1127 that will probably have to be documented -- and tests will have to
1128 be updated. */
1130 {
1133 }
1136 {
1139 /* If both the source and destination files are symlinks (and we'll
1140 know this here IFF preserving symlinks), then it's ok -- as long
1141 as they are distinct. */
1147 }
1148 else
1149 {
1162 /* If both are symlinks, then it's ok, but only if the destination
1163 will be unlinked before being opened. This is like the test
1164 above, but with the addition of the unlink_dest_before_opening
1165 conjunct because otherwise, with two symlinks to the same target,
1166 we'd end up truncating the source file. */
1170 }
1172 /* The backup code ensures there's a copy, so it's usually ok to
1173 remove any destination file. One exception is when both
1174 source and destination are the same directory entry. In that
1175 case, moving the destination file aside (in making the backup)
1176 would also rename the source file and result in an error. */
1178 {
1180 {
1181 /* In copy mode when dereferencing symlinks, if the source is a
1182 symlink and the dest is not, then backing up the destination
1183 (moving it aside) would make it a dangling symlink, and the
1184 subsequent attempt to open it in copy_reg would fail with
1185 a misleading diagnostic. Avoid that by returning zero in
1186 that case so the caller can make cp (or mv when it has to
1187 resort to reading the source file) fail now. */
1189 /* FIXME-note: even with the following kludge, we can still provoke
1190 the offending diagnostic. It's just a little harder to do :-)
1191 $ rm -f a b c; touch c; ln -s c b; ln -s b a; cp -b a b
1192 cp: cannot open `a' for reading: No such file or directory
1193 That's misleading, since a subsequent `ls' shows that `a'
1194 is still there.
1195 One solution would be to open the source file *before* moving
1196 aside the destination, but that'd involve a big rewrite. */
1204 }
1207 }
1209 #if 0
1210 /* FIXME: use or remove */
1212 /* If we're making a backup, we'll detect the problem case in
1213 copy_reg because SRC_NAME will no longer exist. Allowing
1214 the test to be deferred lets cp do some useful things.
1215 But when creating hardlinks and SRC_NAME is a symlink
1216 but DST_NAME is not we must test anyway. */
1224 #endif
1226 /* They may refer to the same file if we're in move mode and the
1227 target is a symlink. That is ok, since we remove any existing
1228 destination file before opening it -- via `rename' if they're on
1229 the same file system, via `unlink (DST_NAME)' otherwise.
1230 It's also ok if they're distinct hard links to the same file. */
1232 {
1239 {
1241 {
1244 }
1246 }
1247 }
1249 /* If neither is a symlink, then it's ok as long as they aren't
1250 hard links to the same file. */
1252 {
1256 /* If they are the same file, it's ok if we're making hard links. */
1258 {
1261 }
1262 }
1264 /* It's ok to remove a destination symlink. But that works only when we
1265 unlink before opening the destination and when the source and destination
1266 files are on the same partition. */
1272 {
1286 /* FIXME: shouldn't this be testing whether we're making symlinks? */
1288 {
1291 }
1292 }
1295 }
1297 /* Return true if FILE, with mode MODE, is writable in the sense of 'mv'.
1298 Always consider a symbolic link to be writable. */
1299 static bool
1301 {
1305 }
1307 static void
1309 {
1311 {
1320 }
1321 else
1322 {
1325 }
1326 }
1328 /* Initialize the hash table implementing a set of F_triple entries
1329 corresponding to destination files. */
1332 {
1333 x->dest_info
1335 NULL,
1336 triple_hash,
1337 triple_compare,
1338 triple_free);
1339 }
1341 /* Initialize the hash table implementing a set of F_triple entries
1342 corresponding to source files listed on the command line. */
1345 {
1347 /* Note that we use triple_hash_no_name here.
1348 Contrast with the use of triple_hash above.
1349 That is necessary because a source file may be specified
1350 in many different ways. We want to warn about this
1351 cp a a d/
1352 as well as this:
1353 cp a ./a d/
1354 */
1355 x->src_info
1357 NULL,
1358 triple_hash_no_name,
1359 triple_compare,
1360 triple_free);
1361 }
1363 /* When effecting a move (e.g., for mv(1)), and given the name DST_NAME
1364 of the destination and a corresponding stat buffer, DST_SB, return
1365 true if the logical `move' operation should _not_ proceed.
1366 Otherwise, return false.
1367 Depending on options specified in X, this code may issue an
1368 interactive prompt asking whether it's ok to overwrite DST_NAME. */
1369 static bool
1373 {
1382 }
1384 /* Print --verbose output on standard output, e.g. `new' -> `old'.
1385 If BACKUP_DST_NAME is non-NULL, then also indicate that it is
1386 the name of a backup file. */
1387 static void
1389 {
1394 }
1396 /* A wrapper around "setfscreatecon (NULL)" that exits upon failure. */
1397 static void
1399 {
1403 }
1405 /* Copy the file SRC_NAME to the file DST_NAME. The files may be of
1406 any type. NEW_DST should be true if the file DST_NAME cannot
1407 exist because its parent directory was just created; NEW_DST should
1408 be false if DST_NAME might already exist. DEVICE is the device
1409 number of the parent directory, or 0 if the parent of this file is
1410 not known. ANCESTORS points to a linked, null terminated list of
1411 devices and inodes of parent directories of SRC_NAME. COMMAND_LINE_ARG
1412 is true iff SRC_NAME was specified on the command line.
1413 FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG is both input and output.
1414 Set *COPY_INTO_SELF if SRC_NAME is a parent of (or the
1415 same as) DST_NAME; otherwise, clear it.
1416 Return true if successful. */
1417 static bool
1420 dev_t device,
1427 {
1430 mode_t src_mode;
1432 mode_t dst_mode_bits;
1433 mode_t omitted_permissions;
1449 {
1452 }
1457 {
1460 }
1462 /* Detect the case in which the same source file appears more than
1463 once on the command line and no backup option has been selected.
1464 If so, simply warn and don't copy it the second time.
1465 This check is enabled only if x->src_info is non-NULL. */
1467 {
1471 {
1475 }
1478 }
1481 {
1482 /* Regular files can be created by writing through symbolic
1483 links, but other files cannot. So use stat on the
1484 destination when copying a regular file, and lstat otherwise.
1485 However, if we intend to unlink or remove the destination
1486 first, use lstat, since a copy won't actually be made to the
1487 destination in that case. */
1499 {
1501 {
1504 }
1505 else
1506 {
1508 }
1509 }
1510 else
1512 that it is stat'able or lstat'able. */
1519 {
1523 }
1526 {
1527 /* When preserving time stamps (but not moving within a file
1528 system), don't worry if the destination time stamp is
1529 less than the source merely because of time stamp
1530 truncation. */
1534 ? UTIMECMP_TRUNCATE_SOURCE
1538 {
1539 /* We're using --update and the destination is not older
1540 than the source, so do not copy or move. Pretend the
1541 rename succeeded, so the caller (if it's mv) doesn't
1542 end up removing the source file. */
1546 }
1547 }
1549 /* When there is an existing destination file, we may end up
1550 returning early, and hence not copying/moving the file.
1551 This may be due to an interactive `negative' reply to the
1552 prompt about the existing file. It may also be due to the
1553 use of the --reply=no option.
1555 cp and mv treat -i and -f differently. */
1557 {
1560 {
1561 /* Pretend the rename succeeded, so the caller (mv)
1562 doesn't end up removing the source file. */
1568 }
1570 {
1573 }
1574 }
1575 else
1576 {
1583 }
1589 {
1591 {
1593 {
1594 /* Moving a directory onto an existing
1595 non-directory is ok only with --backup. */
1596 }
1597 else
1598 {
1603 }
1604 }
1606 /* Don't let the user destroy their data, even if they try hard:
1607 This mv command must fail (likewise for cp):
1608 rm -rf a b c; mkdir a b c; touch a/f b/f; mv a/f b/f c
1609 Otherwise, the contents of b/f would be lost.
1610 In the case of `cp', b/f would be lost if the user simulated
1611 a move using cp and rm.
1612 Note that it works fine if you use --backup=numbered. */
1616 {
1621 }
1622 }
1625 {
1627 {
1629 {
1630 /* Moving a non-directory onto an existing
1631 directory is ok only with --backup. */
1632 }
1633 else
1634 {
1639 }
1640 }
1641 }
1644 {
1645 /* Don't allow user to move a directory onto a non-directory. */
1648 {
1653 }
1654 }
1657 /* Don't try to back up a destination if the last
1658 component of src_name is "." or "..". */
1660 /* Create a backup of each destination directory in move mode,
1661 but not in copy mode. FIXME: it might make sense to add an
1662 option to suppress backup creation also for move mode.
1663 That would let one use mv to merge new content into an
1664 existing hierarchy. */
1666 {
1670 /* Detect (and fail) when creating the backup file would
1671 destroy the source file. Before, running the commands
1672 cd /tmp; rm -f a a~; : > a; echo A > a~; cp --b=simple a~ a
1673 would leave two zero-length files: a and a~. */
1674 /* FIXME: but simply change e.g., the final a~ to `./a~'
1675 and the source will still be destroyed. */
1677 {
1687 }
1689 /* FIXME: use fts:
1690 Using alloca for a file name that may be arbitrarily
1691 long is not recommended. In fact, even forming such a name
1692 should be discouraged. Eventually, this code will be rewritten
1693 to use fts, so using alloca here will be less of a problem. */
1697 {
1699 {
1702 }
1703 else
1704 {
1706 }
1707 }
1708 else
1709 {
1711 }
1713 }
1715 /* Never unlink dst_name when in move mode. */
1721 ))
1722 {
1724 {
1727 }
1731 }
1732 }
1733 }
1735 /* Ensure we don't try to copy through a symlink that was
1736 created by a prior call to this function. */
1741 {
1746 /* If we called lstat above, good: use that data.
1747 Otherwise, call lstat here, in case dst_name is a symlink. */
1750 else
1751 {
1754 else
1756 }
1758 /* Never copy through a symlink we've just created. */
1762 {
1767 }
1768 }
1770 /* If the source is a directory, we don't always create the destination
1771 directory. So --verbose should not announce anything until we're
1772 sure we'll create a directory. */
1776 /* Associate the destination file name with the source device and inode
1777 so that if we encounter a matching dev/ino pair in the source tree
1778 we can arrange to create a hard link between the corresponding names
1779 in the destination tree.
1781 When using the --link (-l) option, there is no need to take special
1782 measures, because (barring race conditions) files that are hard-linked
1783 in the source tree will also be hard-linked in the destination tree.
1785 Sometimes, when preserving links, we have to record dev/ino even
1786 though st_nlink == 1:
1787 - when in move_mode, since we may be moving a group of N hard-linked
1788 files (via two or more command line arguments) to a different
1789 partition; the links may be distributed among the command line
1790 arguments (possibly hierarchies) so that the link count of
1791 the final, once-linked source file is reduced to 1 when it is
1792 considered below. But in this case (for mv) we don't need to
1793 incur the expense of recording the dev/ino => name mapping; all we
1794 really need is a lookup, to see if the dev/ino pair has already
1795 been copied.
1796 - when using -H and processing a command line argument;
1797 that command line argument could be a symlink pointing to another
1798 command line argument. With `cp -H --preserve=link', we hard-link
1799 those two destination files.
1800 - likewise for -L except that it applies to all files, not just
1801 command line arguments.
1803 Also, with --recursive, record dev/ino of each command-line directory.
1804 We'll use that info to detect this problem: cp -R dir dir. */
1807 {
1809 }
1813 || (command_line_arg
1816 {
1818 }
1820 {
1823 else
1825 }
1827 /* Did we copy this inode somewhere else (in this command line argument)
1828 and therefore this is a second hard link to the inode? */
1831 {
1832 /* Avoid damaging the destination file system by refusing to preserve
1833 hard-linked directories (which are found at least in Netapp snapshot
1834 directories). */
1836 {
1837 /* If src_name and earlier_file refer to the same directory entry,
1838 then warn about copying a directory into itself. */
1840 {
1846 }
1848 {
1849 /* This happens when e.g., encountering a directory for the
1850 second or subsequent time via symlinks when cp is invoked
1851 with -R and -L. E.g.,
1852 rm -rf a b c d; mkdir a b c d; ln -s ../c a; ln -s ../c b;
1853 cp -RL a b d
1854 */
1855 }
1856 else
1857 {
1861 }
1862 }
1863 else
1864 {
1865 /* We want to guarantee that symlinks are not followed. */
1869 /* If the link failed because of an existing destination,
1870 remove that file and then call link again. */
1872 {
1874 {
1877 }
1882 }
1885 {
1889 }
1892 }
1893 }
1896 {
1898 {
1907 {
1908 /* Record destination dev/ino/name, so that if we are asked
1909 to overwrite that file again, we can detect it and fail. */
1910 /* It's fine to use the _source_ stat buffer (src_sb) to get the
1911 _destination_ dev/ino, since the rename above can't have
1912 changed those, and `mv' always uses lstat.
1913 We could limit it further by operating
1914 only on non-directories. */
1916 }
1919 }
1921 /* FIXME: someday, consider what to do when moving a directory into
1922 itself but when source and destination are on different devices. */
1924 /* This happens when attempting to rename a directory to a
1925 subdirectory of itself. */
1927 {
1928 /* FIXME: this is a little fragile in that it relies on rename(2)
1929 failing with a specific errno value. Expect problems on
1930 non-POSIX systems. */
1935 /* Note that there is no need to call forget_created here,
1936 (compare with the other calls in this file) since the
1937 destination directory didn't exist before. */
1940 /* FIXME-cleanup: Don't return true here; adjust mv.c accordingly.
1941 The only caller that uses this code (mv.c) ends up setting its
1942 exit status to nonzero when copy_into_self is nonzero. */
1944 }
1946 /* WARNING: there probably exist systems for which an inter-device
1947 rename fails with a value of errno not handled here.
1948 If/as those are reported, add them to the condition below.
1949 If this happens to you, please do the following and send the output
1950 to the bug-reporting address (e.g., in the output of cp --help):
1951 touch k; perl -e 'rename "k","/tmp/k" or print "$!(",$!+0,")\n"'
1952 where your current directory is on one partion and /tmp is the other.
1953 Also, please try to find the E* errno macro name corresponding to
1954 the diagnostic and parenthesized integer, and include that in your
1955 e-mail. One way to do that is to run a command like this
1956 find /usr/include/. -type f \
1957 | xargs grep 'define.*\<E[A-Z]*\>.*\<18\>' /dev/null
1958 where you'd replace `18' with the integer in parentheses that
1959 was output from the perl one-liner above.
1960 If necessary, of course, change `/tmp' to some other directory. */
1962 {
1963 /* There are many ways this can happen due to a race condition.
1964 When something happens between the initial XSTAT and the
1965 subsequent rename, we can get many different types of errors.
1966 For example, if the destination is initially a non-directory
1967 or non-existent, but it is created as a directory, the rename
1968 fails. If two `mv' commands try to rename the same file at
1969 about the same time, one will succeed and the other will fail.
1970 If the permissions on the directory containing the source or
1971 destination file are made too restrictive, the rename will
1972 fail. Etc. */
1978 }
1980 /* The rename attempt has failed. Remove any existing destination
1981 file so that a cross-device `mv' acts as if it were really using
1982 the rename syscall. */
1984 {
1990 }
1993 }
1995 /* If the ownership might change, or if it is a directory (whose
1996 special mode bits may change after the directory is created),
1997 omit some permissions at first, so unauthorized users cannot nip
1998 in before the file is ready. */
2000 omitted_permissions =
2001 (dst_mode_bits
2009 {
2012 security_context_t con;
2015 {
2017 {
2023 {
2026 }
2027 }
2029 }
2030 else
2031 {
2033 {
2037 }
2040 }
2041 }
2044 {
2047 /* If this directory has been copied before during the
2048 recursion, there is a symbolic link to an ancestor
2049 directory of the symbolic link. It is impossible to
2050 continue to copy this, unless we've got an infinite disk. */
2053 {
2057 }
2059 /* Insert the current directory in the list of parents. */
2067 {
2068 /* POSIX says mkdir's behavior is implementation-defined when
2069 (src_mode & ~S_IRWXUGO) != 0. However, common practice is
2070 to ask mkdir to copy all the CHMOD_MODE_BITS, letting mkdir
2071 decide what to do with S_ISUID | S_ISGID | S_ISVTX. */
2073 {
2077 }
2079 /* We need search and write permissions to the new directory
2080 for writing the directory's contents. Check if these
2081 permissions are there. */
2084 {
2087 }
2089 {
2090 /* Make the new directory searchable and writable. */
2096 {
2100 }
2101 }
2103 /* Record the created directory's inode and device numbers into
2104 the search structure, so that we can avoid copying it again.
2105 Do this only for the first directory that is created for each
2106 source command line argument. */
2108 {
2111 }
2115 }
2117 /* Decide whether to copy the contents of the directory. */
2119 {
2120 /* Here, we are crossing a file system boundary and cp's -x option
2121 is in effect: so don't copy the contents of this directory. */
2122 }
2123 else
2124 {
2125 /* Copy the contents of the directory. Don't just return if
2126 this fails -- otherwise, the failure to read a single file
2127 in a source directory would cause the containing destination
2128 directory not to have owner/perms set properly. */
2130 first_dir_created_per_command_line_arg,
2131 copy_into_self);
2132 }
2133 }
2135 {
2138 {
2139 /* Check that DST_NAME denotes a file in the current directory. */
2148 /* If either stat call fails, it's ok not to report
2149 the failure and say dst_name is in the current
2150 directory. Other things will fail later. */
2157 {
2162 }
2163 }
2165 {
2169 }
2170 }
2172 /* cp, invoked with `--link --no-dereference', should not follow the
2173 link; we guarantee this with gnulib's linkat module (on systems
2174 where link(2) follows the link, gnulib creates a symlink with
2175 identical contents, which is good enough for our purposes). */
2179 {
2181 {
2184 }
2185 }
2188 {
2190 /* POSIX says the permission bits of the source file must be
2191 used as the 3rd argument in the open call. Historical
2192 practice passed all the source mode bits to 'open', but the extra
2193 bits were ignored, so it should be the same either way. */
2197 }
2199 {
2200 /* Use mknod, rather than mkfifo, because the former preserves
2201 the special mode bits of a fifo on Solaris 10, while mkfifo
2202 does not. But fall back on mkfifo, because on some BSD systems,
2203 mknod always fails when asked to create a FIFO. */
2206 {
2209 }
2210 }
2212 {
2215 {
2219 }
2220 }
2222 {
2226 {
2229 }
2233 else
2234 {
2239 {
2240 /* See if the destination is already the desired symlink.
2241 FIXME: This behavior isn't documented, and seems wrong
2242 in some cases, e.g., if the destination symlink has the
2243 wrong ownership, permissions, or time stamps. */
2249 }
2253 {
2257 }
2258 }
2264 {
2265 /* Preserve the owner and group of the just-`copied'
2266 symbolic link, if possible. */
2270 {
2272 dst_name);
2274 }
2275 else
2276 {
2277 /* Can't preserve ownership of symlinks.
2278 FIXME: maybe give a warning or even error for symlinks
2279 in directories with the sticky bit set -- there, not
2280 preserving owner/group is a potential security problem. */
2281 }
2282 }
2283 }
2284 else
2285 {
2288 }
2291 {
2292 /* Now that the destination file is very likely to exist,
2293 add its info to the set. */
2297 }
2299 /* If we've just created a hard-link due to cp's --link option,
2300 we're done. */
2307 /* POSIX says that `cp -p' must restore the following:
2308 - permission bits
2309 - setuid, setgid bits
2310 - owner and group
2311 If it fails to restore any of those, we may give a warning but
2312 the destination must not be removed.
2313 FIXME: implement the above. */
2315 /* Adjust the times (and if possible, ownership) for the copy.
2316 chown turns off set[ug]id bits for non-root,
2317 so do the chmod last. */
2320 {
2329 {
2333 }
2334 }
2336 /* The operations beyond this point may dereference a symlink. */
2340 /* Avoid calling chown if we know it's not necessary. */
2343 {
2345 {
2352 }
2353 }
2362 {
2366 }
2368 {
2371 }
2372 else
2373 {
2375 {
2379 {
2380 /* Permissions were deliberately omitted when the file
2381 was created due to security concerns. See whether
2382 they need to be re-added now. It'd be faster to omit
2383 the lstat, but deducing the current destination mode
2384 is tricky in the presence of implementation-defined
2385 rules for special mode bits. */
2387 {
2390 }
2394 }
2395 }
2398 {
2400 {
2405 }
2406 }
2407 }
2411 un_backup:
2416 /* We have failed to create the destination file.
2417 If we've just added a dev/ino entry via the remember_copied
2418 call above (i.e., unless we've just failed to create a hard link),
2419 remove the entry associating the source dev/ino with the
2420 destination file name, so we don't try to `preserve' a link
2421 to a file we didn't create. */
2426 {
2429 else
2430 {
2434 }
2435 }
2437 }
2439 static bool
2441 {
2451 }
2453 /* Copy the file SRC_NAME to the file DST_NAME. The files may be of
2454 any type. NONEXISTENT_DST should be true if the file DST_NAME
2455 is known not to exist (e.g., because its parent directory was just
2456 created); NONEXISTENT_DST should be false if DST_NAME might already
2457 exist. OPTIONS is ... FIXME-describe
2458 Set *COPY_INTO_SELF if SRC_NAME is a parent of (or the
2459 same as) DST_NAME; otherwise, set clear it.
2460 Return true if successful. */
2466 {
2469 /* Record the file names: they're used in case of error, when copying
2470 a directory into itself. I don't like to make these tools do *any*
2471 extra work in the common case when that work is solely to handle
2472 exceptional cases, but in this case, I don't see a way to derive the
2473 top level source and destination directory names where they're used.
2474 An alternative is to use COPY_INTO_SELF and print the diagnostic
2475 from every caller -- but I don't want to do that. */
2484 }
2486 /* Set *X to the default options for a value of type struct cp_options. */
2490 {
2492 #ifdef PRIV_FILE_CHOWN
2493 {
2498 {
2501 }
2503 }
2504 #else
2506 #endif
2507 }
2509 /* Return true if it's OK for chown to fail, where errno is
2510 the error number that chown failed with and X is the copying
2511 option set. */
2515 {
2516 /* If non-root uses -p, it's ok if we can't preserve ownership.
2517 But root probably wants to know, e.g. if NFS disallows it,
2518 or if the target system doesn't support file ownership. */
2521 }
2523 /* Similarly, return true if it's OK for chmod and similar operations
2524 to fail, where errno is the error number that chmod failed with and
2525 X is the copying option set. */
2527 static bool
2529 {
2531 }
2533 /* Return the user's umask, caching the result. */
2535 extern mode_t
2537 {
2540 {
2543 }
2545 }