search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Remove tm.h and xm.h handling, as it wasn't used. Use nm.h only when needed.
[dragonfly.git] / contrib / sendmail-8.14 / libsmutil / safefile.c
blob8488534280e3ba039ed73d6497ed42786e52ffd7
1 /*
2 * Copyright (c) 1998-2004 Sendmail, Inc. and its suppliers.
3 * All rights reserved.
4 * Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved.
5 * Copyright (c) 1988, 1993
6 * The Regents of the University of California. All rights reserved.
7 *
8 * By using this file, you agree to the terms and conditions set
9 * forth in the LICENSE file which can be found at the top level of
10 * the sendmail distribution.
11 *
12 */
13
14 #include <sendmail.h>
15 #include <sm/io.h>
16 #include <sm/errstring.h>
17
18 SM_RCSID("@(#)$Id: safefile.c,v 8.128 2004/09/30 18:15:49 ca Exp $")
19
20
21 /*
22 ** SAFEFILE -- return 0 if a file exists and is safe for a user.
23 **
24 ** Parameters:
25 ** fn -- filename to check.
26 ** uid -- user id to compare against.
27 ** gid -- group id to compare against.
28 ** user -- user name to compare against (used for group
29 ** sets).
30 ** flags -- modifiers:
31 ** SFF_MUSTOWN -- "uid" must own this file.
32 ** SFF_NOSLINK -- file cannot be a symbolic link.
33 ** mode -- mode bits that must match.
34 ** st -- if set, points to a stat structure that will
35 ** get the stat info for the file.
36 **
37 ** Returns:
38 ** 0 if fn exists, is owned by uid, and matches mode.
39 ** An errno otherwise. The actual errno is cleared.
40 **
41 ** Side Effects:
42 ** none.
43 */
44
45 int
46 safefile(fn, uid, gid, user, flags, mode, st)
47 char *fn;
48 UID_T uid;
49 GID_T gid;
50 char *user;
51 long flags;
52 int mode;
53 struct stat *st;
54 {
55 register char *p;
56 register struct group *gr = NULL;
57 int file_errno = 0;
58 bool checkpath;
59 struct stat stbuf;
60 struct stat fstbuf;
61 char fbuf[MAXPATHLEN];
62
63 if (tTd(44, 4))
64 sm_dprintf("safefile(%s, uid=%d, gid=%d, flags=%lx, mode=%o):\n",
65 fn, (int) uid, (int) gid, flags, mode);
66 errno = 0;
67 if (sm_strlcpy(fbuf, fn, sizeof fbuf) >= sizeof fbuf)
68 {
69 if (tTd(44, 4))
70 sm_dprintf("\tpathname too long\n");
71 return ENAMETOOLONG;
72 }
73 fn = fbuf;
74 if (st == NULL)
75 st = &fstbuf;
76
77 /* ignore SFF_SAFEDIRPATH if we are debugging */
78 if (RealUid != 0 && RunAsUid == RealUid)
79 flags &= ~SFF_SAFEDIRPATH;
80
81 /* first check to see if the file exists at all */
82 # if HASLSTAT
83 if ((bitset(SFF_NOSLINK, flags) ? lstat(fn, st)
84 : stat(fn, st)) < 0)
85 # else /* HASLSTAT */
86 if (stat(fn, st) < 0)
87 # endif /* HASLSTAT */
88 {
89 file_errno = errno;
90 }
91 else if (bitset(SFF_SETUIDOK, flags) &&
92 !bitset(S_IXUSR|S_IXGRP|S_IXOTH, st->st_mode) &&
93 S_ISREG(st->st_mode))
94 {
95 /*
96 ** If final file is set-user-ID, run as the owner of that
97 ** file. Gotta be careful not to reveal anything too
98 ** soon here!
99 */
100
101 # ifdef SUID_ROOT_FILES_OK
102 if (bitset(S_ISUID, st->st_mode))
103 # else /* SUID_ROOT_FILES_OK */
104 if (bitset(S_ISUID, st->st_mode) && st->st_uid != 0 &&
105 st->st_uid != TrustedUid)
106 # endif /* SUID_ROOT_FILES_OK */
107 {
108 uid = st->st_uid;
109 user = NULL;
110 }
111 # ifdef SUID_ROOT_FILES_OK
112 if (bitset(S_ISGID, st->st_mode))
113 # else /* SUID_ROOT_FILES_OK */
114 if (bitset(S_ISGID, st->st_mode) && st->st_gid != 0)
115 # endif /* SUID_ROOT_FILES_OK */
116 gid = st->st_gid;
117 }
118
119 checkpath = !bitset(SFF_NOPATHCHECK, flags) ||
120 (uid == 0 && !bitset(SFF_ROOTOK|SFF_OPENASROOT, flags));
121 if (bitset(SFF_NOWLINK, flags) && !bitset(SFF_SAFEDIRPATH, flags))
122 {
123 int ret;
124
125 /* check the directory */
126 p = strrchr(fn, '/');
127 if (p == NULL)
128 {
129 ret = safedirpath(".", uid, gid, user,
130 flags|SFF_SAFEDIRPATH, 0, 0);
131 }
132 else
133 {
134 *p = '\0';
135 ret = safedirpath(fn, uid, gid, user,
136 flags|SFF_SAFEDIRPATH, 0, 0);
137 *p = '/';
138 }
139 if (ret == 0)
140 {
141 /* directory is safe */
142 checkpath = false;
143 }
144 else
145 {
146 # if HASLSTAT
147 /* Need lstat() information if called stat() before */
148 if (!bitset(SFF_NOSLINK, flags) && lstat(fn, st) < 0)
149 {
150 ret = errno;
151 if (tTd(44, 4))
152 sm_dprintf("\t%s\n", sm_errstring(ret));
153 return ret;
154 }
155 # endif /* HASLSTAT */
156 /* directory is writable: disallow links */
157 flags |= SFF_NOLINK;
158 }
159 }
160
161 if (checkpath)
162 {
163 int ret;
164
165 p = strrchr(fn, '/');
166 if (p == NULL)
167 {
168 ret = safedirpath(".", uid, gid, user, flags, 0, 0);
169 }
170 else
171 {
172 *p = '\0';
173 ret = safedirpath(fn, uid, gid, user, flags, 0, 0);
174 *p = '/';
175 }
176 if (ret != 0)
177 return ret;
178 }
179
180 /*
181 ** If the target file doesn't exist, check the directory to
182 ** ensure that it is writable by this user.
183 */
184
185 if (file_errno != 0)
186 {
187 int ret = file_errno;
188 char *dir = fn;
189
190 if (tTd(44, 4))
191 sm_dprintf("\t%s\n", sm_errstring(ret));
192
193 errno = 0;
194 if (!bitset(SFF_CREAT, flags) || file_errno != ENOENT)
195 return ret;
196
197 /* check to see if legal to create the file */
198 p = strrchr(dir, '/');
199 if (p == NULL)
200 dir = ".";
201 else if (p == dir)
202 dir = "/";
203 else
204 *p = '\0';
205 if (stat(dir, &stbuf) >= 0)
206 {
207 int md = S_IWRITE|S_IEXEC;
208
209 ret = 0;
210 if (stbuf.st_uid == uid)
211 /* EMPTY */
212 ;
213 else if (uid == 0 && stbuf.st_uid == TrustedUid)
214 /* EMPTY */
215 ;
216 else
217 {
218 md >>= 3;
219 if (stbuf.st_gid == gid)
220 /* EMPTY */
221 ;
222 # ifndef NO_GROUP_SET
223 else if (user != NULL && !DontInitGroups &&
224 ((gr != NULL &&
225 gr->gr_gid == stbuf.st_gid) ||
226 (gr = getgrgid(stbuf.st_gid)) != NULL))
227 {
228 register char **gp;
229
230 for (gp = gr->gr_mem; *gp != NULL; gp++)
231 if (strcmp(*gp, user) == 0)
232 break;
233 if (*gp == NULL)
234 md >>= 3;
235 }
236 # endif /* ! NO_GROUP_SET */
237 else
238 md >>= 3;
239 }
240 if ((stbuf.st_mode & md) != md)
241 ret = errno = EACCES;
242 }
243 else
244 ret = errno;
245 if (tTd(44, 4))
246 sm_dprintf("\t[final dir %s uid %d mode %lo] %s\n",
247 dir, (int) stbuf.st_uid,
248 (unsigned long) stbuf.st_mode,
249 sm_errstring(ret));
250 if (p != NULL)
251 *p = '/';
252 st->st_mode = ST_MODE_NOFILE;
253 return ret;
254 }
255
256 # ifdef S_ISLNK
257 if (bitset(SFF_NOSLINK, flags) && S_ISLNK(st->st_mode))
258 {
259 if (tTd(44, 4))
260 sm_dprintf("\t[slink mode %lo]\tE_SM_NOSLINK\n",
261 (unsigned long) st->st_mode);
262 return E_SM_NOSLINK;
263 }
264 # endif /* S_ISLNK */
265 if (bitset(SFF_REGONLY, flags) && !S_ISREG(st->st_mode))
266 {
267 if (tTd(44, 4))
268 sm_dprintf("\t[non-reg mode %lo]\tE_SM_REGONLY\n",
269 (unsigned long) st->st_mode);
270 return E_SM_REGONLY;
271 }
272 if (bitset(SFF_NOGWFILES, flags) &&
273 bitset(S_IWGRP, st->st_mode))
274 {
275 if (tTd(44, 4))
276 sm_dprintf("\t[write bits %lo]\tE_SM_GWFILE\n",
277 (unsigned long) st->st_mode);
278 return E_SM_GWFILE;
279 }
280 if (bitset(SFF_NOWWFILES, flags) &&
281 bitset(S_IWOTH, st->st_mode))
282 {
283 if (tTd(44, 4))
284 sm_dprintf("\t[write bits %lo]\tE_SM_WWFILE\n",
285 (unsigned long) st->st_mode);
286 return E_SM_WWFILE;
287 }
288 if (bitset(SFF_NOGRFILES, flags) && bitset(S_IRGRP, st->st_mode))
289 {
290 if (tTd(44, 4))
291 sm_dprintf("\t[read bits %lo]\tE_SM_GRFILE\n",
292 (unsigned long) st->st_mode);
293 return E_SM_GRFILE;
294 }
295 if (bitset(SFF_NOWRFILES, flags) && bitset(S_IROTH, st->st_mode))
296 {
297 if (tTd(44, 4))
298 sm_dprintf("\t[read bits %lo]\tE_SM_WRFILE\n",
299 (unsigned long) st->st_mode);
300 return E_SM_WRFILE;
301 }
302 if (!bitset(SFF_EXECOK, flags) &&
303 bitset(S_IWUSR|S_IWGRP|S_IWOTH, mode) &&
304 bitset(S_IXUSR|S_IXGRP|S_IXOTH, st->st_mode))
305 {
306 if (tTd(44, 4))
307 sm_dprintf("\t[exec bits %lo]\tE_SM_ISEXEC\n",
308 (unsigned long) st->st_mode);
309 return E_SM_ISEXEC;
310 }
311 if (bitset(SFF_NOHLINK, flags) && st->st_nlink != 1)
312 {
313 if (tTd(44, 4))
314 sm_dprintf("\t[link count %d]\tE_SM_NOHLINK\n",
315 (int) st->st_nlink);
316 return E_SM_NOHLINK;
317 }
318
319 if (uid == 0 && bitset(SFF_OPENASROOT, flags))
320 /* EMPTY */
321 ;
322 else if (uid == 0 && !bitset(SFF_ROOTOK, flags))
323 mode >>= 6;
324 else if (st->st_uid == uid)
325 /* EMPTY */
326 ;
327 else if (uid == 0 && st->st_uid == TrustedUid)
328 /* EMPTY */
329 ;
330 else
331 {
332 mode >>= 3;
333 if (st->st_gid == gid)
334 /* EMPTY */
335 ;
336 # ifndef NO_GROUP_SET
337 else if (user != NULL && !DontInitGroups &&
338 ((gr != NULL && gr->gr_gid == st->st_gid) ||
339 (gr = getgrgid(st->st_gid)) != NULL))
340 {
341 register char **gp;
342
343 for (gp = gr->gr_mem; *gp != NULL; gp++)
344 if (strcmp(*gp, user) == 0)
345 break;
346 if (*gp == NULL)
347 mode >>= 3;
348 }
349 # endif /* ! NO_GROUP_SET */
350 else
351 mode >>= 3;
352 }
353 if (tTd(44, 4))
354 sm_dprintf("\t[uid %d, nlink %d, stat %lo, mode %lo] ",
355 (int) st->st_uid, (int) st->st_nlink,
356 (unsigned long) st->st_mode, (unsigned long) mode);
357 if ((st->st_uid == uid || st->st_uid == 0 ||
358 st->st_uid == TrustedUid ||
359 !bitset(SFF_MUSTOWN, flags)) &&
360 (st->st_mode & mode) == mode)
361 {
362 if (tTd(44, 4))
363 sm_dprintf("\tOK\n");
364 return 0;
365 }
366 if (tTd(44, 4))
367 sm_dprintf("\tEACCES\n");
368 return EACCES;
369 }
370 /*
371 ** SAFEDIRPATH -- check to make sure a path to a directory is safe
372 **
373 ** Safe means not writable and owned by the right folks.
374 **
375 ** Parameters:
376 ** fn -- filename to check.
377 ** uid -- user id to compare against.
378 ** gid -- group id to compare against.
379 ** user -- user name to compare against (used for group
380 ** sets).
381 ** flags -- modifiers:
382 ** SFF_ROOTOK -- ok to use root permissions to open.
383 ** SFF_SAFEDIRPATH -- writable directories are considered
384 ** to be fatal errors.
385 ** level -- symlink recursive level.
386 ** offset -- offset into fn to start checking from.
387 **
388 ** Returns:
389 ** 0 -- if the directory path is "safe".
390 ** else -- an error number associated with the path.
391 */
392
393 int
394 safedirpath(fn, uid, gid, user, flags, level, offset)
395 char *fn;
396 UID_T uid;
397 GID_T gid;
398 char *user;
399 long flags;
400 int level;
401 int offset;
402 {
403 int ret = 0;
404 int mode = S_IWOTH;
405 char save = '\0';
406 char *saveptr = NULL;
407 char *p, *enddir;
408 register struct group *gr = NULL;
409 char s[MAXLINKPATHLEN];
410 struct stat stbuf;
411
412 /* make sure we aren't in a symlink loop */
413 if (level > MAXSYMLINKS)
414 return ELOOP;
415
416 if (level < 0 || offset < 0 || offset > strlen(fn))
417 return EINVAL;
418
419 /* special case root directory */
420 if (*fn == '\0')
421 fn = "/";
422
423 if (tTd(44, 4))
424 sm_dprintf("safedirpath(%s, uid=%ld, gid=%ld, flags=%lx, level=%d, offset=%d):\n",
425 fn, (long) uid, (long) gid, flags, level, offset);
426
427 if (!bitnset(DBS_GROUPWRITABLEDIRPATHSAFE, DontBlameSendmail))
428 mode |= S_IWGRP;
429
430 /* Make a modifiable copy of the filename */
431 if (sm_strlcpy(s, fn, sizeof s) >= sizeof s)
432 return EINVAL;
433
434 p = s + offset;
435 while (p != NULL)
436 {
437 /* put back character */
438 if (saveptr != NULL)
439 {
440 *saveptr = save;
441 saveptr = NULL;
442 p++;
443 }
444
445 if (*p == '\0')
446 break;
447
448 p = strchr(p, '/');
449
450 /* Special case for root directory */
451 if (p == s)
452 {
453 save = *(p + 1);
454 saveptr = p + 1;
455 *(p + 1) = '\0';
456 }
457 else if (p != NULL)
458 {
459 save = *p;
460 saveptr = p;
461 *p = '\0';
462 }
463
464 /* Heuristic: . and .. have already been checked */
465 enddir = strrchr(s, '/');
466 if (enddir != NULL &&
467 (strcmp(enddir, "/..") == 0 ||
468 strcmp(enddir, "/.") == 0))
469 continue;
470
471 if (tTd(44, 20))
472 sm_dprintf("\t[dir %s]\n", s);
473
474 # if HASLSTAT
475 ret = lstat(s, &stbuf);
476 # else /* HASLSTAT */
477 ret = stat(s, &stbuf);
478 # endif /* HASLSTAT */
479 if (ret < 0)
480 {
481 ret = errno;
482 break;
483 }
484
485 # ifdef S_ISLNK
486 /* Follow symlinks */
487 if (S_ISLNK(stbuf.st_mode))
488 {
489 int linklen;
490 char *target;
491 char buf[MAXPATHLEN];
492 char fullbuf[MAXLINKPATHLEN];
493
494 memset(buf, '\0', sizeof buf);
495 linklen = readlink(s, buf, sizeof buf);
496 if (linklen < 0)
497 {
498 ret = errno;
499 break;
500 }
501 if (linklen >= sizeof buf)
502 {
503 /* file name too long for buffer */
504 ret = errno = EINVAL;
505 break;
506 }
507
508 offset = 0;
509 if (*buf == '/')
510 {
511 target = buf;
512
513 /* If path is the same, avoid rechecks */
514 while (s[offset] == buf[offset] &&
515 s[offset] != '\0')
516 offset++;
517
518 if (s[offset] == '\0' && buf[offset] == '\0')
519 {
520 /* strings match, symlink loop */
521 return ELOOP;
522 }
523
524 /* back off from the mismatch */
525 if (offset > 0)
526 offset--;
527
528 /* Make sure we are at a directory break */
529 if (offset > 0 &&
530 s[offset] != '/' &&
531 s[offset] != '\0')
532 {
533 while (buf[offset] != '/' &&
534 offset > 0)
535 offset--;
536 }
537 if (offset > 0 &&
538 s[offset] == '/' &&
539 buf[offset] == '/')
540 {
541 /* Include the trailing slash */
542 offset++;
543 }
544 }
545 else
546 {
547 char *sptr;
548
549 sptr = strrchr(s, '/');
550 if (sptr != NULL)
551 {
552 *sptr = '\0';
553 offset = sptr + 1 - s;
554 if (sm_strlcpyn(fullbuf,
555 sizeof fullbuf, 2,
556 s, "/") >=
557 sizeof fullbuf ||
558 sm_strlcat(fullbuf, buf,
559 sizeof fullbuf) >=
560 sizeof fullbuf)
561 {
562 ret = EINVAL;
563 break;
564 }
565 *sptr = '/';
566 }
567 else
568 {
569 if (sm_strlcpy(fullbuf, buf,
570 sizeof fullbuf) >=
571 sizeof fullbuf)
572 {
573 ret = EINVAL;
574 break;
575 }
576 }
577 target = fullbuf;
578 }
579 ret = safedirpath(target, uid, gid, user, flags,
580 level + 1, offset);
581 if (ret != 0)
582 break;
583
584 /* Don't check permissions on the link file itself */
585 continue;
586 }
587 #endif /* S_ISLNK */
588
589 if ((uid == 0 || bitset(SFF_SAFEDIRPATH, flags)) &&
590 #ifdef S_ISVTX
591 !(bitnset(DBS_TRUSTSTICKYBIT, DontBlameSendmail) &&
592 bitset(S_ISVTX, stbuf.st_mode)) &&
593 #endif /* S_ISVTX */
594 bitset(mode, stbuf.st_mode))
595 {
596 if (tTd(44, 4))
597 sm_dprintf("\t[dir %s] mode %lo ",
598 s, (unsigned long) stbuf.st_mode);
599 if (bitset(SFF_SAFEDIRPATH, flags))
600 {
601 if (bitset(S_IWOTH, stbuf.st_mode))
602 ret = E_SM_WWDIR;
603 else
604 ret = E_SM_GWDIR;
605 if (tTd(44, 4))
606 sm_dprintf("FATAL\n");
607 break;
608 }
609 if (tTd(44, 4))
610 sm_dprintf("WARNING\n");
611 if (Verbose > 1)
612 message("051 WARNING: %s writable directory %s",
613 bitset(S_IWOTH, stbuf.st_mode)
614 ? "World"
615 : "Group",
616 s);
617 }
618 if (uid == 0 && !bitset(SFF_ROOTOK|SFF_OPENASROOT, flags))
619 {
620 if (bitset(S_IXOTH, stbuf.st_mode))
621 continue;
622 ret = EACCES;
623 break;
624 }
625
626 /*
627 ** Let OS determine access to file if we are not
628 ** running as a privileged user. This allows ACLs
629 ** to work. Also, if opening as root, assume we can
630 ** scan the directory.
631 */
632 if (geteuid() != 0 || bitset(SFF_OPENASROOT, flags))
633 continue;
634
635 if (stbuf.st_uid == uid &&
636 bitset(S_IXUSR, stbuf.st_mode))
637 continue;
638 if (stbuf.st_gid == gid &&
639 bitset(S_IXGRP, stbuf.st_mode))
640 continue;
641 # ifndef NO_GROUP_SET
642 if (user != NULL && !DontInitGroups &&
643 ((gr != NULL && gr->gr_gid == stbuf.st_gid) ||
644 (gr = getgrgid(stbuf.st_gid)) != NULL))
645 {
646 register char **gp;
647
648 for (gp = gr->gr_mem; gp != NULL && *gp != NULL; gp++)
649 if (strcmp(*gp, user) == 0)
650 break;
651 if (gp != NULL && *gp != NULL &&
652 bitset(S_IXGRP, stbuf.st_mode))
653 continue;
654 }
655 # endif /* ! NO_GROUP_SET */
656 if (!bitset(S_IXOTH, stbuf.st_mode))
657 {
658 ret = EACCES;
659 break;
660 }
661 }
662 if (tTd(44, 4))
663 sm_dprintf("\t[dir %s] %s\n", fn,
664 ret == 0 ? "OK" : sm_errstring(ret));
665 return ret;
666 }
667 /*
668 ** SAFEOPEN -- do a file open with extra checking
669 **
670 ** Parameters:
671 ** fn -- the file name to open.
672 ** omode -- the open-style mode flags.
673 ** cmode -- the create-style mode flags.
674 ** sff -- safefile flags.
675 **
676 ** Returns:
677 ** Same as open.
678 */
679
680 int
681 safeopen(fn, omode, cmode, sff)
682 char *fn;
683 int omode;
684 int cmode;
685 long sff;
686 {
687 #if !NOFTRUNCATE
688 bool truncate;
689 #endif /* !NOFTRUNCATE */
690 int rval;
691 int fd;
692 int smode;
693 struct stat stb;
694
695 if (tTd(44, 10))
696 sm_dprintf("safeopen: fn=%s, omode=%x, cmode=%x, sff=%lx\n",
697 fn, omode, cmode, sff);
698
699 if (bitset(O_CREAT, omode))
700 sff |= SFF_CREAT;
701 omode &= ~O_CREAT;
702 smode = 0;
703 switch (omode & O_ACCMODE)
704 {
705 case O_RDONLY:
706 smode = S_IREAD;
707 break;
708
709 case O_WRONLY:
710 smode = S_IWRITE;
711 break;
712
713 case O_RDWR:
714 smode = S_IREAD|S_IWRITE;
715 break;
716
717 default:
718 smode = 0;
719 break;
720 }
721 if (bitset(SFF_OPENASROOT, sff))
722 rval = safefile(fn, RunAsUid, RunAsGid, RunAsUserName,
723 sff, smode, &stb);
724 else
725 rval = safefile(fn, RealUid, RealGid, RealUserName,
726 sff, smode, &stb);
727 if (rval != 0)
728 {
729 errno = rval;
730 return -1;
731 }
732 if (stb.st_mode == ST_MODE_NOFILE && bitset(SFF_CREAT, sff))
733 omode |= O_CREAT | (bitset(SFF_NOTEXCL, sff) ? 0 : O_EXCL);
734 else if (bitset(SFF_CREAT, sff) && bitset(O_EXCL, omode))
735 {
736 /* The file exists so an exclusive create would fail */
737 errno = EEXIST;
738 return -1;
739 }
740
741 #if !NOFTRUNCATE
742 truncate = bitset(O_TRUNC, omode);
743 if (truncate)
744 omode &= ~O_TRUNC;
745 #endif /* !NOFTRUNCATE */
746
747 fd = dfopen(fn, omode, cmode, sff);
748 if (fd < 0)
749 return fd;
750 if (filechanged(fn, fd, &stb))
751 {
752 syserr("554 5.3.0 cannot open: file %s changed after open", fn);
753 (void) close(fd);
754 errno = E_SM_FILECHANGE;
755 return -1;
756 }
757
758 #if !NOFTRUNCATE
759 if (truncate &&
760 ftruncate(fd, (off_t) 0) < 0)
761 {
762 int save_errno;
763
764 save_errno = errno;
765 syserr("554 5.3.0 cannot open: file %s could not be truncated",
766 fn);
767 (void) close(fd);
768 errno = save_errno;
769 return -1;
770 }
771 #endif /* !NOFTRUNCATE */
772
773 return fd;
774 }
775 /*
776 ** SAFEFOPEN -- do a file open with extra checking
777 **
778 ** Parameters:
779 ** fn -- the file name to open.
780 ** omode -- the open-style mode flags.
781 ** cmode -- the create-style mode flags.
782 ** sff -- safefile flags.
783 **
784 ** Returns:
785 ** Same as fopen.
786 */
787
788 SM_FILE_T *
789 safefopen(fn, omode, cmode, sff)
790 char *fn;
791 int omode;
792 int cmode;
793 long sff;
794 {
795 int fd;
796 int save_errno;
797 SM_FILE_T *fp;
798 int fmode;
799
800 switch (omode & O_ACCMODE)
801 {
802 case O_RDONLY:
803 fmode = SM_IO_RDONLY;
804 break;
805
806 case O_WRONLY:
807 if (bitset(O_APPEND, omode))
808 fmode = SM_IO_APPEND;
809 else
810 fmode = SM_IO_WRONLY;
811 break;
812
813 case O_RDWR:
814 if (bitset(O_TRUNC, omode))
815 fmode = SM_IO_RDWRTR;
816 else if (bitset(O_APPEND, omode))
817 fmode = SM_IO_APPENDRW;
818 else
819 fmode = SM_IO_RDWR;
820 break;
821
822 default:
823 syserr("554 5.3.5 safefopen: unknown omode %o", omode);
824 fmode = 0;
825 }
826 fd = safeopen(fn, omode, cmode, sff);
827 if (fd < 0)
828 {
829 save_errno = errno;
830 if (tTd(44, 10))
831 sm_dprintf("safefopen: safeopen failed: %s\n",
832 sm_errstring(errno));
833 errno = save_errno;
834 return NULL;
835 }
836 fp = sm_io_open(SmFtStdiofd, SM_TIME_DEFAULT,
837 (void *) &fd, fmode, NULL);
838 if (fp != NULL)
839 return fp;
840
841 save_errno = errno;
842 if (tTd(44, 10))
843 {
844 sm_dprintf("safefopen: fdopen(%s, %d) failed: omode=%x, sff=%lx, err=%s\n",
845 fn, fmode, omode, sff, sm_errstring(errno));
846 }
847 (void) close(fd);
848 errno = save_errno;
849 return NULL;
850 }
851 /*
852 ** FILECHANGED -- check to see if file changed after being opened
853 **
854 ** Parameters:
855 ** fn -- pathname of file to check.
856 ** fd -- file descriptor to check.
857 ** stb -- stat structure from before open.
858 **
859 ** Returns:
860 ** true -- if a problem was detected.
861 ** false -- if this file is still the same.
862 */
863
864 bool
865 filechanged(fn, fd, stb)
866 char *fn;
867 int fd;
868 struct stat *stb;
869 {
870 struct stat sta;
871
872 if (stb->st_mode == ST_MODE_NOFILE)
873 {
874 # if HASLSTAT && BOGUS_O_EXCL
875 /* only necessary if exclusive open follows symbolic links */
876 if (lstat(fn, stb) < 0 || stb->st_nlink != 1)
877 return true;
878 # else /* HASLSTAT && BOGUS_O_EXCL */
879 return false;
880 # endif /* HASLSTAT && BOGUS_O_EXCL */
881 }
882 if (fstat(fd, &sta) < 0)
883 return true;
884
885 if (sta.st_nlink != stb->st_nlink ||
886 sta.st_dev != stb->st_dev ||
887 sta.st_ino != stb->st_ino ||
888 # if HAS_ST_GEN && 0 /* AFS returns garbage in st_gen */
889 sta.st_gen != stb->st_gen ||
890 # endif /* HAS_ST_GEN && 0 */
891 sta.st_uid != stb->st_uid ||
892 sta.st_gid != stb->st_gid)
893 {
894 if (tTd(44, 8))
895 {
896 sm_dprintf("File changed after opening:\n");
897 sm_dprintf(" nlink = %ld/%ld\n",
898 (long) stb->st_nlink, (long) sta.st_nlink);
899 sm_dprintf(" dev = %ld/%ld\n",
900 (long) stb->st_dev, (long) sta.st_dev);
901 sm_dprintf(" ino = %llu/%llu\n",
902 (ULONGLONG_T) stb->st_ino,
903 (ULONGLONG_T) sta.st_ino);
904 # if HAS_ST_GEN
905 sm_dprintf(" gen = %ld/%ld\n",
906 (long) stb->st_gen, (long) sta.st_gen);
907 # endif /* HAS_ST_GEN */
908 sm_dprintf(" uid = %ld/%ld\n",
909 (long) stb->st_uid, (long) sta.st_uid);
910 sm_dprintf(" gid = %ld/%ld\n",
911 (long) stb->st_gid, (long) sta.st_gid);
912 }
913 return true;
914 }
915
916 return false;
917 }
918 /*
919 ** DFOPEN -- determined file open
920 **
921 ** This routine has the semantics of open, except that it will
922 ** keep trying a few times to make this happen. The idea is that
923 ** on very loaded systems, we may run out of resources (inodes,
924 ** whatever), so this tries to get around it.
925 */
926
927 int
928 dfopen(filename, omode, cmode, sff)
929 char *filename;
930 int omode;
931 int cmode;
932 long sff;
933 {
934 register int tries;
935 int fd = -1;
936 struct stat st;
937
938 for (tries = 0; tries < 10; tries++)
939 {
940 (void) sleep((unsigned) (10 * tries));
941 errno = 0;
942 fd = open(filename, omode, cmode);
943 if (fd >= 0)
944 break;
945 switch (errno)
946 {
947 case ENFILE: /* system file table full */
948 case EINTR: /* interrupted syscall */
949 #ifdef ETXTBSY
950 case ETXTBSY: /* Apollo: net file locked */
951 #endif /* ETXTBSY */
952 continue;
953 }
954 break;
955 }
956 if (!bitset(SFF_NOLOCK, sff) &&
957 fd >= 0 &&
958 fstat(fd, &st) >= 0 &&
959 S_ISREG(st.st_mode))
960 {
961 int locktype;
962
963 /* lock the file to avoid accidental conflicts */
964 if ((omode & O_ACCMODE) != O_RDONLY)
965 locktype = LOCK_EX;
966 else
967 locktype = LOCK_SH;
968 if (bitset(SFF_NBLOCK, sff))
969 locktype |= LOCK_NB;
970
971 if (!lockfile(fd, filename, NULL, locktype))
972 {
973 int save_errno = errno;
974
975 (void) close(fd);
976 fd = -1;
977 errno = save_errno;
978 }
979 else
980 errno = 0;
981 }
982 return fd;
983 }
DragonFly BSD