search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
(BWDIC!) Rewrite variable handling..
[s-mailx.git] / dotlock.c
blob7f300982676a729907eeb83672e682307bdaac43
1 /*@ S-nail - a mail user agent derived from Berkeley Mail.
2 *@ n_dotlock(): creation of an exclusive "dotlock" file.
3 *
4 * Copyright (c) 2015 Steffen (Daode) Nurpmeso <sdaoden@users.sf.net>.
5 */
6 #undef n_FILE
7 #define n_FILE dotlock
8
9 #ifndef HAVE_AMALGAMATION
10 # include "nail.h"
11 #endif
12
13 #include <sys/wait.h>
14
15 #ifdef HAVE_DOTLOCK
16 # include "dotlock.h"
17 #endif
18
19 /* XXX Our Popen() main() takes void, temporary global data store */
20 #ifdef HAVE_DOTLOCK
21 static enum n_file_lock_type a_dotlock_flt;
22 static int a_dotlock_fd;
23 struct n_dotlock_info *a_dotlock_dip;
24 #endif
25
26 /* main() of fork(2)ed dot file locker */
27 #ifdef HAVE_DOTLOCK
28 static int a_dotlock_main(void);
29 #endif
30
31 #ifdef HAVE_DOTLOCK
32 static int
33 a_dotlock_main(void){
34 /* Use PATH_MAX not NAME_MAX to catch those "we proclaim the minimum value"
35 * problems (SunOS), since the pathconf(3) value comes too late! */
36 char name[PATH_MAX +1];
37 struct n_dotlock_info di;
38 struct stat stb, fdstb;
39 enum n_dotlock_state dls;
40 char const *cp;
41 int fd;
42 enum n_file_lock_type flt;
43 NYD_ENTER;
44
45 /* Ignore SIGPIPE, we'll see EPIPE and "fall through" */
46 safe_signal(SIGPIPE, SIG_IGN);
47
48 /* Get the arguments "passed to us" */
49 flt = a_dotlock_flt;
50 fd = a_dotlock_fd;
51 UNUSED(fd);
52 di = *a_dotlock_dip;
53
54 /* chdir(2)? */
55 jislink:
56 dls = n_DLS_CANT_CHDIR | n_DLS_ABANDON;
57
58 if((cp = strrchr(di.di_file_name, '/')) != NULL){
59 char const *fname = cp + 1;
60
61 while(PTRCMP(cp - 1, >, di.di_file_name) && cp[-1] == '/')
62 --cp;
63 cp = savestrbuf(di.di_file_name, PTR2SIZE(cp - di.di_file_name));
64 if(chdir(cp))
65 goto jmsg;
66
67 di.di_file_name = fname;
68 }
69
70 /* So we're here, but then again the file can be a symbolic link!
71 * This is however only true if we do not have realpath(3) available since
72 * that'll have resolved the path already otherwise; nonetheless, let
73 * readlink(2) be a precondition for dotlocking and keep this code */
74 if(lstat(cp = di.di_file_name, &stb) == -1)
75 goto jmsg;
76 if(S_ISLNK(stb.st_mode)){
77 /* Use salloc() and hope we stay in builtin buffer.. */
78 char *x;
79 size_t i;
80 ssize_t sr;
81
82 for(x = NULL, i = PATH_MAX;; i += PATH_MAX){
83 x = salloc(i +1);
84 sr = readlink(cp, x, i);
85 if(sr <= 0){
86 dls = n_DLS_FISHY | n_DLS_ABANDON;
87 goto jmsg;
88 }
89 if(UICMP(z, sr, <, i)){
90 x[sr] = '\0';
91 i = (size_t)sr;
92 break;
93 }
94 }
95 di.di_file_name = x;
96 goto jislink;
97 }
98
99 dls = n_DLS_FISHY | n_DLS_ABANDON;
100
101 /* Bail out if the file has changed its identity in the meanwhile */
102 if(fstat(fd, &fdstb) == -1 ||
103 fdstb.st_dev != stb.st_dev || fdstb.st_ino != stb.st_ino ||
104 fdstb.st_uid != stb.st_uid || fdstb.st_gid != stb.st_gid ||
105 fdstb.st_mode != stb.st_mode)
106 goto jmsg;
107
108 /* Be aware, even if the error is false! Note the shared code in dotlock.h
109 * *requires* that it is possible to create a filename at least one byte
110 * longer than di_lock_name! */
111 do/* while(0) breaker */{
112 # ifdef HAVE_PATHCONF
113 long pc;
114 # endif
115 int i = snprintf(name, sizeof name, "%s.lock", di.di_file_name);
116
117 /* fd is a file, not portable to use for _PC_NAME_MAX */
118 if(i < 0){
119 jenametool:
120 dls = n_DLS_NAMETOOLONG | n_DLS_ABANDON;
121 goto jmsg;
122 }
123 # ifdef HAVE_PATHCONF
124 errno = 0;
125 if((pc = pathconf(".", _PC_NAME_MAX)) == -1){
126 /* errno unchanged: no limit */
127 if(errno == 0)
128 break;
129 }else if(pc - 1 >= (long)i)
130 break;
131 else
132 goto jenametool;
133 # endif
134 if(UICMP(z, NAME_MAX - 1, <, (uiz_t)i))
135 goto jenametool;
136 }while(0);
137
138 di.di_lock_name = name;
139
140 /* We are in the directory of the mailbox for which we have to create
141 * a dotlock file for. We don't know wether we have realpath(3) available,
142 * and manually resolving the path is due especially given that S-nail
143 * supports the special "%:" syntax to warp any file into a "system
144 * mailbox"; there may also be multiple system mailbox directories...
145 * So what we do is that we fstat(2) the mailbox and check its UID and
146 * GID against that of our own process: if any of those mismatch we must
147 * either assume a directory we are not allowed to write in, or that we run
148 * via -u/$USER/%USER as someone else, in which case we favour our
149 * privilege-separated dotlock process */
150 assert(cp != NULL); /* Ugly: avoid a useless var and reuse that one */
151 if(access(".", W_OK)){
152 /* This may however also indicate a read-only filesystem, which is not
153 * really an error from our point of view since the mailbox will degrade
154 * to a readonly one for which no dotlock is needed, then, and errors
155 * may arise only due to actions which require box modifications */
156 if(errno == EROFS){
157 dls = n_DLS_ROFS | n_DLS_ABANDON;
158 goto jmsg;
159 }
160 cp = NULL;
161 }
162 if(cp == NULL || stb.st_uid != user_id || stb.st_gid != group_id){
163 char itoabuf[64];
164 char const *args[13];
165
166 snprintf(itoabuf, sizeof itoabuf, "%" PRIuZ, di.di_pollmsecs);
167 args[ 0] = PRIVSEP;
168 args[ 1] = (flt == FLT_READ ? "rdotlock" : "wdotlock");
169 args[ 2] = "mailbox"; args[ 3] = di.di_file_name;
170 args[ 4] = "name"; args[ 5] = di.di_lock_name;
171 args[ 6] = "hostname"; args[ 7] = di.di_hostname;
172 args[ 8] = "randstr"; args[ 9] = di.di_randstr;
173 args[10] = "pollmsecs"; args[11] = itoabuf;
174 args[12] = NULL;
175 execv(LIBEXECDIR "/" UAGENT "-privsep", UNCONST(args));
176
177 dls = n_DLS_NOEXEC;
178 write(STDOUT_FILENO, &dls, sizeof dls);
179 /* But fall through and try it with normal privileges! */
180 }
181
182 /* So let's try and call it ourselfs! Note that we don't block signals just
183 * like our privsep child does, the user will anyway be able to remove his
184 * file again, and if we're in -u/$USER mode then we are allowed to access
185 * the user's box: shall we leave behind a stale dotlock then at least we
186 * start a friendly human conversation. Since we cannot handle SIGKILL and
187 * SIGSTOP malicious things could happen whatever we do */
188 safe_signal(SIGHUP, SIG_IGN);
189 safe_signal(SIGINT, SIG_IGN);
190 safe_signal(SIGQUIT, SIG_IGN);
191 safe_signal(SIGTERM, SIG_IGN);
192
193 NYD;
194 dls = a_dotlock_create(&di);
195 NYD;
196
197 /* Finally: notify our parent about the actual lock state.. */
198 jmsg:
199 write(STDOUT_FILENO, &dls, sizeof dls);
200 close(STDOUT_FILENO);
201
202 /* ..then eventually wait until we shall remove the lock again, which will
203 * be notified via the read returning */
204 if(dls == n_DLS_NONE){
205 read(STDIN_FILENO, &dls, sizeof dls);
206
207 unlink(name);
208 }
209 NYD_LEAVE;
210 return EXIT_OK;
211 }
212 #endif /* HAVE_DOTLOCK */
213
214 FL FILE *
215 n_dotlock(char const *fname, int fd, enum n_file_lock_type flt,
216 off_t off, off_t len, size_t pollmsecs){
217 #undef _DOMSG
218 #ifdef HAVE_DOTLOCK
219 # define _DOMSG() n_err(_("Creating dotlock for \"%s\" "), fname)
220 #else
221 # define _DOMSG() n_err(_("Trying to lock file \"%s\" "), fname)
222 #endif
223
224 #ifdef HAVE_DOTLOCK
225 int cpipe[2];
226 struct n_dotlock_info di;
227 enum n_dotlock_state dls;
228 char const *emsg;
229 #endif
230 int serrno;
231 union {size_t tries; int (*ptf)(void); char const *sh; ssize_t r;} u;
232 bool_t flocked, didmsg;
233 FILE *rv;
234 NYD_ENTER;
235
236 rv = NULL;
237 didmsg = FAL0;
238 UNINIT(serrno, 0);
239 #ifdef HAVE_DOTLOCK
240 emsg = NULL;
241 #endif
242
243 if(options & OPT_D_VV){
244 _DOMSG();
245 didmsg = TRUM1;
246 }
247
248 flocked = FAL0;
249 for(u.tries = 0; !n_file_lock(fd, flt, off, len, 0);)
250 switch((serrno = errno)){
251 case EACCES:
252 case EAGAIN:
253 case ENOLCK:
254 if(pollmsecs > 0 && ++u.tries < FILE_LOCK_TRIES){
255 if(!didmsg)
256 _DOMSG();
257 n_err(".");
258 didmsg = TRUM1;
259 n_msleep(pollmsecs, FAL0);
260 continue;
261 }
262 /* FALLTHRU */
263 default:
264 goto jleave;
265 }
266 flocked = TRU1;
267
268 #ifndef HAVE_DOTLOCK
269 jleave:
270 if(didmsg == TRUM1)
271 n_err("\n");
272 if(flocked)
273 rv = (FILE*)-1;
274 else
275 errno = serrno;
276 NYD_LEAVE;
277 return rv;
278
279 #else
280 /* Create control-pipe for our dot file locker process, which will remove
281 * the lock and terminate once the pipe is closed, for whatever reason */
282 if(pipe_cloexec(cpipe) == -1){
283 serrno = errno;
284 emsg = N_(" Can't create file lock control pipe\n");
285 goto jemsg;
286 }
287
288 /* And the locker process itself; it'll be a (rather cheap) thread only
289 * unless the lock has to be placed in the system spool and we have our
290 * privilege-separated dotlock program available, in which case that will be
291 * executed and do "it" with changed group-id */
292 di.di_file_name = fname;
293 di.di_pollmsecs = pollmsecs;
294 /* Initialize some more stuff; query the two strings in the parent in order
295 * to cache the result of the former and anyway minimalize child page-ins.
296 * Especially uname(3) may hang for multiple seconds when it is called the
297 * first time! */
298 di.di_hostname = nodename(FAL0);
299 di.di_randstr = getrandstring(16);
300 a_dotlock_flt = flt;
301 a_dotlock_fd = fd;
302 a_dotlock_dip = &di;
303
304 u.ptf = &a_dotlock_main;
305 rv = Popen((char*)-1, "W", u.sh, NULL, cpipe[1]);
306 serrno = errno;
307
308 close(cpipe[1]);
309 if(rv == NULL){
310 close(cpipe[0]);
311 emsg = N_(" Can't create file lock process\n");
312 goto jemsg;
313 }
314
315 /* Let's check wether we were able to create the dotlock file */
316 for(;;){
317 u.r = read(cpipe[0], &dls, sizeof dls);
318 if(UICMP(z, u.r, !=, sizeof dls)){
319 serrno = (u.r != -1) ? EAGAIN : errno;
320 dls = n_DLS_DUNNO | n_DLS_ABANDON;
321 }else
322 serrno = 0;
323
324 if(dls == n_DLS_NONE || (dls & n_DLS_ABANDON))
325 close(cpipe[0]);
326
327 switch(dls & ~n_DLS_ABANDON){
328 case n_DLS_NONE:
329 goto jleave;
330 case n_DLS_CANT_CHDIR:
331 if(options & OPT_D_V)
332 emsg = N_(" Can't change directory! Please check permissions\n");
333 serrno = EACCES;
334 break;
335 case n_DLS_NAMETOOLONG:
336 emsg = N_("Resulting dotlock filename would be too long\n");
337 serrno = EACCES;
338 break;
339 case n_DLS_ROFS:
340 assert(dls & n_DLS_ABANDON);
341 if(options & OPT_D_V)
342 emsg = N_(" Read-only filesystem, not creating lock file\n");
343 serrno = EROFS;
344 break;
345 case n_DLS_NOPERM:
346 if(options & OPT_D_V)
347 emsg = N_(" Can't create a lock file! Please check permissions\n"
348 " (Maybe setting *dotlock-ignore-error* variable helps.)\n");
349 serrno = EACCES;
350 break;
351 case n_DLS_NOEXEC:
352 if(options & OPT_D_V)
353 emsg = N_(" Can't find privilege-separated file lock program\n");
354 serrno = ENOENT;
355 break;
356 case n_DLS_PRIVFAILED:
357 emsg = N_(" Privilege-separated file lock program can't change "
358 "privileges\n");
359 serrno = EPERM;
360 break;
361 case n_DLS_EXIST:
362 emsg = N_(" It seems there is a stale dotlock file?\n"
363 " Please remove the lock file manually, then retry\n");
364 serrno = EEXIST;
365 break;
366 case n_DLS_FISHY:
367 emsg = N_(" Fishy! Is someone trying to \"steal\" foreign files?\n"
368 " Please check the mailbox file etc. manually, then retry\n");
369 serrno = EAGAIN; /* ? Hack to ignore *dotlock-ignore-error* xxx */
370 break;
371 default:
372 case n_DLS_DUNNO:
373 emsg = N_(" Unspecified dotlock file control process error.\n"
374 " Like broken I/O pipe; this one is unlikely to happen\n");
375 if(serrno != EAGAIN)
376 serrno = EINVAL;
377 break;
378 case n_DLS_PING:
379 if(!didmsg)
380 _DOMSG();
381 n_err(".");
382 didmsg = TRUM1;
383 continue;
384 }
385
386 if(emsg != NULL){
387 if(!didmsg){
388 _DOMSG();
389 didmsg = TRUM1;
390 }
391 if(didmsg == TRUM1)
392 n_err("\n");
393 didmsg = TRU1;
394 n_err(V_(emsg));
395 emsg = NULL;
396 }
397
398 if(dls & n_DLS_ABANDON){
399 Pclose(rv, FAL0);
400 rv = NULL;
401 break;
402 }
403 }
404
405 jleave:
406 if(didmsg == TRUM1)
407 n_err("\n");
408 if(rv == NULL) {
409 if(flocked && (serrno == EROFS ||
410 (serrno != EAGAIN && serrno != EEXIST &&
411 ok_blook(dotlock_ignore_error))))
412 rv = (FILE*)-1;
413 else
414 errno = serrno;
415 }
416 NYD_LEAVE;
417 return rv;
418 jemsg:
419 if(!didmsg)
420 _DOMSG();
421 n_err("\n");
422 didmsg = TRU1;
423 n_err(V_(emsg));
424 goto jleave;
425 #endif /* HAVE_DOTLOCK */
426 #undef _DOMSG
427 }
428
429 /* s-it-mode */
A mail processing system intended to provide the functionality of the POSIX mailx(1) command