| blob | 9768652a206b97a018b24ff5c00eda75ae20f27d |
1 /* chown-core.c -- core functions for changing ownership.
2 Copyright (C) 2000, 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation.
4 This program is free software: you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation, either version 3 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <http://www.gnu.org/licenses/>. */
17 /* Extracted from chown.c/chgrp.c and librarified by Jim Meyering. */
19 #include <config.h>
20 #include <stdio.h>
21 #include <sys/types.h>
22 #include <pwd.h>
23 #include <grp.h>
34 #define FTSENT_IS_DIRECTORY(E) \
35 ((E)->fts_info == FTS_D \
36 || (E)->fts_info == FTS_DC \
37 || (E)->fts_info == FTS_DP \
38 || (E)->fts_info == FTS_DNR)
40 enum RCH_status
41 {
42 /* we called fchown and close, and both succeeded */
45 /* required_uid and/or required_gid are specified, but don't match */
46 RC_excluded,
48 /* SAME_INODE check failed */
49 RC_inode_changed,
51 /* open/fchown isn't needed, isn't safe, or doesn't work due to
52 permissions problems; fall back on chown */
53 RC_do_ordinary_chown,
55 /* open, fstat, fchown, or close failed */
56 RC_error
57 };
61 {
69 }
73 {
74 /* Deliberately do not free chopt->user_name or ->group_name.
75 They're not always allocated. */
76 }
78 /* Convert the numeric group-id, GID, to a string stored in xmalloc'd memory,
79 and return it. If there's no corresponding group name, use the decimal
80 representation of the ID. */
84 {
90 }
92 /* Convert the numeric user-id, UID, to a string stored in xmalloc'd memory,
93 and return it. If there's no corresponding user name, use the decimal
94 representation of the ID. */
98 {
104 }
106 /* Tell the user how/if the user and group of FILE have been changed.
107 If USER is NULL, give the group-oriented messages.
108 CHANGED describes what (if anything) has happened. */
110 static void
113 {
119 {
123 }
126 {
128 {
132 }
133 else
134 {
136 }
137 }
138 else
139 {
141 }
144 {
162 }
167 }
169 /* Change the owner and/or group of the FILE to UID and/or GID (safely)
170 only if REQUIRED_UID and REQUIRED_GID match the owner and group IDs
171 of FILE. ORIG_ST must be the result of `stat'ing FILE.
173 The `safely' part above means that we can't simply use chown(2),
174 since FILE might be replaced with some other file between the time
175 of the preceding stat/lstat and this chown call. So here we open
176 FILE and do everything else via the resulting file descriptor.
177 We first call fstat and verify that the dev/inode match those from
178 the preceding stat call, and only then, if appropriate (given the
179 required_uid and required_gid constraints) do we call fchown.
181 Return RC_do_ordinary_chown if we can't open FILE, or if FILE is a
182 special file that might have undesirable side effects when opening.
183 In this case the caller can use the less-safe ordinary chown.
185 Return one of the RCH_status values. */
187 static enum RCH_status
192 {
202 {
205 else
207 }
221 {
223 {
227 }
228 else
229 {
231 }
232 }
239 }
240 }
242 /* Change the owner and/or group of the file specified by FTS and ENT
243 to UID and/or GID as appropriate.
244 If REQUIRED_UID is not -1, then skip files with any other user ID.
245 If REQUIRED_GID is not -1, then skip files with any other group ID.
246 CHOPT specifies additional options.
247 Return true if successful. */
248 static bool
253 {
263 {
266 {
268 {
269 /* This happens e.g., with "chown -R --preserve-root 0 /"
270 and with "chown -RH --preserve-root 0 symlink-to-root". */
272 /* Tell fts not to traverse into this hierarchy. */
274 /* Ensure that we do not process "/" on the second visit. */
277 }
279 }
288 /* For a top-level file or directory, this FTS_NS (stat failed)
289 indicator is determined at the time of the initial fts_open call.
290 With programs like chmod, chown, and chgrp, that modify
291 permissions, it is possible that the file in question is
292 accessible when control reaches this point. So, if this is
293 the first time we've seen the FTS_NS for this file, tell
294 fts_read to stat it "again". */
296 {
300 }
318 }
321 {
324 }
329 {
332 }
333 else
334 {
337 /* If this is a symlink and we're dereferencing them,
338 stat it to get info on the referent. */
340 {
342 {
346 }
349 }
351 do_chown = (ok
356 }
358 /* This happens when chown -LR --preserve-root encounters a symlink-to-/. */
362 {
365 }
368 {
370 {
373 /* Ignore any error due to lack of support; POSIX requires
374 this behavior for top-level symbolic links with -h, and
375 implies that it's required for all symbolic links. */
377 {
380 }
381 }
382 else
383 {
384 /* If possible, avoid a race condition with --from=O:G and without the
385 (-h) --no-dereference option. If fts's stat call determined
386 that the uid/gid of FILE matched the --from=O:G-selected
387 owner and group IDs, blindly using chown(2) here could lead
388 chown(1) or chgrp(1) mistakenly to dereference a *symlink*
389 to an arbitrary file that an attacker had moved into the
390 place of FILE during the window between the stat and
391 chown(2) calls. If FILE is a regular file or a directory
392 that can be opened, this race condition can be avoided safely. */
394 enum RCH_status err
398 {
411 /* FIXME: give a diagnostic in this case? */
419 }
420 }
422 /* On some systems (e.g., Linux-2.4.x),
423 the chown function resets the `special' permission bits.
424 Do *not* restore those bits; doing so would open a window in
425 which a malicious user, M, could subvert a chown command run
426 by some other user and operating on files in a directory
427 where M has write access. */
434 }
437 {
444 {
452 }
453 }
459 }
461 /* Change the owner and/or group of the specified FILES.
462 BIT_FLAGS specifies how to treat each symlink-to-directory
463 that is encountered during a recursive traversal.
464 CHOPT specifies additional options.
465 If UID is not -1, then change the owner id of each file to UID.
466 If GID is not -1, then change the group id of each file to GID.
467 If REQUIRED_UID and/or REQUIRED_GID is not -1, then change only
468 files with user ID and group ID that match the non-(-1) value(s).
469 Return true if successful. */
475 {
478 /* Use lstat and stat only if they're needed. */
488 {
493 {
495 {
496 /* FIXME: try to give a better message */
499 }
501 }
505 }
507 /* Ignore failure, since the only way it can do so is in failing to
508 return to the original directory, and since we're about to exit,
509 that doesn't matter. */
513 }