| blob | 1f53f911a78b6da0bfbd2ac6d2755d6315d3cc7b |
1 /* hairy bits of Hurd file name lookup
2 Copyright (C) 1992,1993,1994,1995,1996,1997,1999,2001,2002,2003
3 Free Software Foundation, Inc.
4 This file is part of the GNU C Library.
6 The GNU C Library is free software; you can redistribute it and/or
7 modify it under the terms of the GNU Lesser General Public
8 License as published by the Free Software Foundation; either
9 version 2.1 of the License, or (at your option) any later version.
11 The GNU C Library is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public
17 License along with the GNU C Library; if not, write to the Free
18 Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
19 02111-1307 USA. */
21 #include <hurd.h>
22 #include <hurd/lookup.h>
23 #include <hurd/term.h>
24 #include <hurd/paths.h>
25 #include <limits.h>
26 #include <fcntl.h>
27 #include <string.h>
30 /* Translate the error from dir_lookup into the error the user sees. */
33 {
35 {
38 /* These indicate that the server does not understand dir_lookup
39 at all. If it were a directory, it would, by definition. */
43 }
44 }
46 error_t
59 {
60 error_t err;
65 {
67 file_name++;
71 }
73 {
74 error_t err;
77 {
79 MACH_MSG_TYPE_MAKE_SEND,
80 result);
81 }
88 }
95 do
96 {
101 {
105 /* Fall through. */
109 {
112 }
114 /* An empty RETRYNAME indicates we have the final port. */
116 /* If reauth'd, we must do one more retry on "" to give the new
117 translator a chance to make a new port for us. */
119 {
121 {
122 /* In Linux, O_NOFOLLOW means to reject symlinks. If we
123 did an O_NOLINK lookup above and io_stat here to check
124 for S_IFLNK, a translator like firmlink could easily
125 spoof this check by not showing S_IFLNK, but in fact
126 redirecting the lookup to some other name
127 (i.e. opening the very same holes a symlink would).
129 Instead we do an O_NOTRANS lookup above, and stat the
130 underlying node: if it has a translator set, and its
131 owner is not root (st_uid 0) then we reject it.
132 Since the motivation for this feature is security, and
133 that security presumes we trust the containing
134 directory, this check approximates the security of
135 refusing symlinks while accepting mount points.
136 Note that we actually permit something Linux doesn't:
137 we follow root-owned symlinks; if that is deemed
138 undesireable, we can add a final check for that
139 one exception to our general translator-based rule. */
144 {
148 {
159 }
160 }
161 }
163 /* We got a successful translation. Now apply any open-time
164 action flags we were passed. */
172 }
180 {
192 {
199 /* Check for excess text after the number. A slash
200 is valid; it ends the component. Anything else
201 does not name a numeric file descriptor. */
203 {
206 }
209 else
210 {
213 {
214 /* If the name was a proper number, but the file
215 descriptor does not exist, we return EBADF instead
216 of ENOENT. */
219 }
220 }
226 else
227 {
228 /* Do a normal retry on the remaining components. */
232 }
233 }
234 else
243 {
244 error_t err;
248 /* XXX want client's host */
263 }
264 else
271 {
273 {
274 error_t err;
276 {
280 flags,
281 result);
282 }
287 }
298 }
299 else
304 bad_magic:
306 }
311 }
314 {
318 }
319 else
324 }