| blob | 4fa2a2199c402219473af5a5ccfe1f19ef20b365 |
1 /* hairy bits of Hurd file name lookup
2 Copyright (C) 1992-2012 Free Software Foundation, Inc.
3 This file is part of the GNU C Library.
5 The GNU C Library is free software; you can redistribute it and/or
6 modify it under the terms of the GNU Lesser General Public
7 License as published by the Free Software Foundation; either
8 version 2.1 of the License, or (at your option) any later version.
10 The GNU C Library is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Lesser General Public License for more details.
15 You should have received a copy of the GNU Lesser General Public
16 License along with the GNU C Library; if not, see
17 <http://www.gnu.org/licenses/>. */
19 #include <hurd.h>
20 #include <hurd/lookup.h>
21 #include <hurd/term.h>
22 #include <hurd/paths.h>
23 #include <limits.h>
24 #include <fcntl.h>
25 #include <string.h>
26 #include <_itoa.h>
28 /* Translate the error from dir_lookup into the error the user sees. */
31 {
33 {
36 /* These indicate that the server does not understand dir_lookup
37 at all. If it were a directory, it would, by definition. */
41 }
42 }
44 error_t
57 {
58 error_t err;
63 {
65 file_name++;
69 }
71 {
72 error_t err;
75 {
77 MACH_MSG_TYPE_MAKE_SEND,
78 result);
79 }
86 }
93 do
94 {
99 {
103 /* Fall through. */
107 {
110 }
112 /* An empty RETRYNAME indicates we have the final port. */
114 /* If reauth'd, we must do one more retry on "" to give the new
115 translator a chance to make a new port for us. */
117 {
119 {
120 /* In Linux, O_NOFOLLOW means to reject symlinks. If we
121 did an O_NOLINK lookup above and io_stat here to check
122 for S_IFLNK, a translator like firmlink could easily
123 spoof this check by not showing S_IFLNK, but in fact
124 redirecting the lookup to some other name
125 (i.e. opening the very same holes a symlink would).
127 Instead we do an O_NOTRANS lookup above, and stat the
128 underlying node: if it has a translator set, and its
129 owner is not root (st_uid 0) then we reject it.
130 Since the motivation for this feature is security, and
131 that security presumes we trust the containing
132 directory, this check approximates the security of
133 refusing symlinks while accepting mount points.
134 Note that we actually permit something Linux doesn't:
135 we follow root-owned symlinks; if that is deemed
136 undesireable, we can add a final check for that
137 one exception to our general translator-based rule. */
142 {
146 {
157 }
158 }
159 }
161 /* We got a successful translation. Now apply any open-time
162 action flags we were passed. */
170 }
178 {
190 {
197 /* Check for excess text after the number. A slash
198 is valid; it ends the component. Anything else
199 does not name a numeric file descriptor. */
201 {
204 }
207 else
208 {
211 {
212 /* If the name was a proper number, but the file
213 descriptor does not exist, we return EBADF instead
214 of ENOENT. */
217 }
218 }
224 else
225 {
226 /* Do a normal retry on the remaining components. */
230 }
231 }
232 else
241 {
242 error_t err;
246 /* XXX want client's host */
261 }
262 else
269 {
271 {
272 error_t err;
274 {
278 flags,
279 result);
280 }
285 }
296 }
297 else
302 bad_magic:
304 }
309 }
312 {
316 }
317 else
322 }