1/////////////////////////////////////////////////////////////////////////////// 2// 3/// \file file_io.c 4/// \brief File opening, unlinking, and closing 5// 6// Author: Lasse Collin 7// 8// This file has been put into the public domain. 9// You can do whatever you want with this file. 10// 11/////////////////////////////////////////////////////////////////////////////// 12 13#include "private.h" 14 15#include <fcntl.h> 16 17#ifdef TUKLIB_DOSLIKE 18# include <io.h> 19#else 20# include <poll.h> 21static bool warn_fchown; 22#endif 23 24#if defined(HAVE_FUTIMES) || defined(HAVE_FUTIMESAT) || defined(HAVE_UTIMES) 25# include <sys/time.h> 26#elif defined(HAVE__FUTIME) 27# include <sys/utime.h> 28#elif defined(HAVE_UTIME) 29# include <utime.h> 30#endif 31 32#ifdef HAVE_CAPSICUM 33# ifdef HAVE_SYS_CAPSICUM_H 34# include <sys/capsicum.h> 35# else 36# include <sys/capability.h> 37# endif 38#endif 39 40#include "tuklib_open_stdxxx.h" 41 42#ifndef O_BINARY 43# define O_BINARY 0 44#endif 45 46#ifndef O_NOCTTY 47# define O_NOCTTY 0 48#endif 49 50// Using this macro to silence a warning from gcc -Wlogical-op. 51#if EAGAIN == EWOULDBLOCK 52# define IS_EAGAIN_OR_EWOULDBLOCK(e) ((e) == EAGAIN) 53#else 54# define IS_EAGAIN_OR_EWOULDBLOCK(e) \ 55 ((e) == EAGAIN || (e) == EWOULDBLOCK) 56#endif 57 58 59typedef enum { 60 IO_WAIT_MORE, // Reading or writing is possible. 61 IO_WAIT_ERROR, // Error or user_abort 62 IO_WAIT_TIMEOUT, // poll() timed out 63} io_wait_ret; 64 65 66/// If true, try to create sparse files when decompressing. 67static bool try_sparse = true; 68 69#ifdef ENABLE_SANDBOX 70/// True if the conditions for sandboxing (described in main()) have been met. 71static bool sandbox_allowed = false; 72#endif 73 74#ifndef TUKLIB_DOSLIKE 75/// File status flags of standard input. This is used by io_open_src() 76/// and io_close_src(). 77static int stdin_flags; 78static bool restore_stdin_flags = false; 79 80/// Original file status flags of standard output. This is used by 81/// io_open_dest() and io_close_dest() to save and restore the flags. 82static int stdout_flags; 83static bool restore_stdout_flags = false; 84 85/// Self-pipe used together with the user_abort variable to avoid 86/// race conditions with signal handling. 87static int user_abort_pipe[2]; 88#endif 89 90 91static bool io_write_buf(file_pair *pair, const uint8_t *buf, size_t size); 92 93 94extern void 95io_init(void) 96{ 97 // Make sure that stdin, stdout, and stderr are connected to 98 // a valid file descriptor. Exit immediately with exit code ERROR 99 // if we cannot make the file descriptors valid. Maybe we should 100 // print an error message, but our stderr could be screwed anyway. 101 tuklib_open_stdxxx(E_ERROR); 102 103#ifndef TUKLIB_DOSLIKE 104 // If fchown() fails setting the owner, we warn about it only if 105 // we are root. 106 warn_fchown = geteuid() == 0; 107 108 // Create a pipe for the self-pipe trick. 109 if (pipe(user_abort_pipe)) 110 message_fatal(_("Error creating a pipe: %s"), 111 strerror(errno)); 112 113 // Make both ends of the pipe non-blocking. 114 for (unsigned i = 0; i < 2; ++i) { 115 int flags = fcntl(user_abort_pipe[i], F_GETFL); 116 if (flags == -1 || fcntl(user_abort_pipe[i], F_SETFL, 117 flags | O_NONBLOCK) == -1) 118 message_fatal(_("Error creating a pipe: %s"), 119 strerror(errno)); 120 } 121#endif 122 123#ifdef __DJGPP__ 124 // Avoid doing useless things when statting files. 125 // This isn't important but doesn't hurt. 126 _djstat_flags = _STAT_EXEC_EXT | _STAT_EXEC_MAGIC | _STAT_DIRSIZE; 127#endif 128 129 return; 130} 131 132 133#ifndef TUKLIB_DOSLIKE 134extern void 135io_write_to_user_abort_pipe(void) 136{ 137 // If the write() fails, it's probably due to the pipe being full. 138 // Failing in that case is fine. If the reason is something else, 139 // there's not much we can do since this is called in a signal 140 // handler. So ignore the errors and try to avoid warnings with 141 // GCC and glibc when _FORTIFY_SOURCE=2 is used. 142 uint8_t b = '\0'; 143 const int ret = write(user_abort_pipe[1], &b, 1); 144 (void)ret; 145 return; 146} 147#endif 148 149 150extern void 151io_no_sparse(void) 152{ 153 try_sparse = false; 154 return; 155} 156 157 158#ifdef ENABLE_SANDBOX 159extern void 160io_allow_sandbox(void) 161{ 162 sandbox_allowed = true; 163 return; 164} 165 166 167/// Enables operating-system-specific sandbox if it is possible. 168/// src_fd is the file descriptor of the input file. 169static void 170io_sandbox_enter(int src_fd) 171{ 172 if (!sandbox_allowed) { 173 message(V_DEBUG, _("Sandbox is disabled due " 174 "to incompatible command line arguments")); 175 return; 176 } 177 178 const char dummy_str[] = "x"; 179 180 // Try to ensure that both libc and xz locale files have been 181 // loaded when NLS is enabled. 182 snprintf(NULL, 0, "%s%s", _(dummy_str), strerror(EINVAL)); 183 184 // Try to ensure that iconv data files needed for handling multibyte 185 // characters have been loaded. This is needed at least with glibc. 186 tuklib_mbstr_width(dummy_str, NULL); 187 188#ifdef HAVE_CAPSICUM 189 // Capsicum needs FreeBSD 10.0 or later. 190 cap_rights_t rights; 191 192 if (cap_rights_limit(src_fd, cap_rights_init(&rights, 193 CAP_EVENT, CAP_FCNTL, CAP_LOOKUP, CAP_READ, CAP_SEEK))) 194 goto error; 195 196 if (cap_rights_limit(STDOUT_FILENO, cap_rights_init(&rights, 197 CAP_EVENT, CAP_FCNTL, CAP_FSTAT, CAP_LOOKUP, 198 CAP_WRITE, CAP_SEEK))) 199 goto error; 200 201 if (cap_rights_limit(user_abort_pipe[0], cap_rights_init(&rights, 202 CAP_EVENT))) 203 goto error; 204 205 if (cap_rights_limit(user_abort_pipe[1], cap_rights_init(&rights, 206 CAP_WRITE))) 207 goto error; 208 209 if (cap_enter()) 210 goto error; 211 212#else 213# error ENABLE_SANDBOX is defined but no sandboxing method was found. 214#endif 215 216 message(V_DEBUG, _("Sandbox was successfully enabled")); 217 return; 218 219error: 220 message(V_DEBUG, _("Failed to enable the sandbox")); 221} 222#endif // ENABLE_SANDBOX 223 224 225#ifndef TUKLIB_DOSLIKE 226/// \brief Waits for input or output to become available or for a signal 227/// 228/// This uses the self-pipe trick to avoid a race condition that can occur 229/// if a signal is caught after user_abort has been checked but before e.g. 230/// read() has been called. In that situation read() could block unless 231/// non-blocking I/O is used. With non-blocking I/O something like select() 232/// or poll() is needed to avoid a busy-wait loop, and the same race condition 233/// pops up again. There are pselect() (POSIX-1.2001) and ppoll() (not in 234/// POSIX) but neither is portable enough in 2013. The self-pipe trick is 235/// old and very portable. 236static io_wait_ret 237io_wait(file_pair *pair, int timeout, bool is_reading) 238{ 239 struct pollfd pfd[2]; 240 241 if (is_reading) { 242 pfd[0].fd = pair->src_fd; 243 pfd[0].events = POLLIN; 244 } else { 245 pfd[0].fd = pair->dest_fd; 246 pfd[0].events = POLLOUT; 247 } 248 249 pfd[1].fd = user_abort_pipe[0]; 250 pfd[1].events = POLLIN; 251 252 while (true) { 253 const int ret = poll(pfd, 2, timeout); 254 255 if (user_abort) 256 return IO_WAIT_ERROR; 257 258 if (ret == -1) { 259 if (errno == EINTR || errno == EAGAIN) 260 continue; 261 262 message_error(_("%s: poll() failed: %s"), 263 is_reading ? pair->src_name 264 : pair->dest_name, 265 strerror(errno)); 266 return IO_WAIT_ERROR; 267 } 268 269 if (ret == 0) { 270 assert(opt_flush_timeout != 0); 271 flush_needed = true; 272 return IO_WAIT_TIMEOUT; 273 } 274 275 if (pfd[0].revents != 0) 276 return IO_WAIT_MORE; 277 } 278} 279#endif 280 281 282/// \brief Unlink a file 283/// 284/// This tries to verify that the file being unlinked really is the file that 285/// we want to unlink by verifying device and inode numbers. There's still 286/// a small unavoidable race, but this is much better than nothing (the file 287/// could have been moved/replaced even hours earlier). 288static void 289io_unlink(const char *name, const struct stat *known_st) 290{ 291#if defined(TUKLIB_DOSLIKE) 292 // On DOS-like systems, st_ino is meaningless, so don't bother 293 // testing it. Just silence a compiler warning. 294 (void)known_st; 295#else 296 struct stat new_st; 297 298 // If --force was used, use stat() instead of lstat(). This way 299 // (de)compressing symlinks works correctly. However, it also means 300 // that xz cannot detect if a regular file foo is renamed to bar 301 // and then a symlink foo -> bar is created. Because of stat() 302 // instead of lstat(), xz will think that foo hasn't been replaced 303 // with another file. Thus, xz will remove foo even though it no 304 // longer is the same file that xz used when it started compressing. 305 // Probably it's not too bad though, so this doesn't need a more 306 // complex fix. 307 const int stat_ret = opt_force 308 ? stat(name, &new_st) : lstat(name, &new_st); 309 310 if (stat_ret 311# ifdef __VMS 312 // st_ino is an array, and we don't want to 313 // compare st_dev at all. 314 || memcmp(&new_st.st_ino, &known_st->st_ino, 315 sizeof(new_st.st_ino)) != 0 316# else 317 // Typical POSIX-like system 318 || new_st.st_dev != known_st->st_dev 319 || new_st.st_ino != known_st->st_ino 320# endif 321 ) 322 // TRANSLATORS: When compression or decompression finishes, 323 // and xz is going to remove the source file, xz first checks 324 // if the source file still exists, and if it does, does its 325 // device and inode numbers match what xz saw when it opened 326 // the source file. If these checks fail, this message is 327 // shown, %s being the filename, and the file is not deleted. 328 // The check for device and inode numbers is there, because 329 // it is possible that the user has put a new file in place 330 // of the original file, and in that case it obviously 331 // shouldn't be removed. 332 message_error(_("%s: File seems to have been moved, " 333 "not removing"), name); 334 else 335#endif 336 // There's a race condition between lstat() and unlink() 337 // but at least we have tried to avoid removing wrong file. 338 if (unlink(name)) 339 message_error(_("%s: Cannot remove: %s"), 340 name, strerror(errno)); 341 342 return; 343} 344 345 346/// \brief Copies owner/group and permissions 347/// 348/// \todo ACL and EA support 349/// 350static void 351io_copy_attrs(const file_pair *pair) 352{ 353 // Skip chown and chmod on Windows. 354#ifndef TUKLIB_DOSLIKE 355 // This function is more tricky than you may think at first. 356 // Blindly copying permissions may permit users to access the 357 // destination file who didn't have permission to access the 358 // source file. 359 360 // Try changing the owner of the file. If we aren't root or the owner 361 // isn't already us, fchown() probably doesn't succeed. We warn 362 // about failing fchown() only if we are root. 363 if (fchown(pair->dest_fd, pair->src_st.st_uid, -1) && warn_fchown) 364 message_warning(_("%s: Cannot set the file owner: %s"), 365 pair->dest_name, strerror(errno)); 366 367 mode_t mode; 368 369 if (fchown(pair->dest_fd, -1, pair->src_st.st_gid)) { 370 message_warning(_("%s: Cannot set the file group: %s"), 371 pair->dest_name, strerror(errno)); 372 // We can still safely copy some additional permissions: 373 // `group' must be at least as strict as `other' and 374 // also vice versa. 375 // 376 // NOTE: After this, the owner of the source file may 377 // get additional permissions. This shouldn't be too bad, 378 // because the owner would have had permission to chmod 379 // the original file anyway. 380 mode = ((pair->src_st.st_mode & 0070) >> 3) 381 & (pair->src_st.st_mode & 0007); 382 mode = (pair->src_st.st_mode & 0700) | (mode << 3) | mode; 383 } else { 384 // Drop the setuid, setgid, and sticky bits. 385 mode = pair->src_st.st_mode & 0777; 386 } 387 388 if (fchmod(pair->dest_fd, mode)) 389 message_warning(_("%s: Cannot set the file permissions: %s"), 390 pair->dest_name, strerror(errno)); 391#endif 392 393 // Copy the timestamps. We have several possible ways to do this, of 394 // which some are better in both security and precision. 395 // 396 // First, get the nanosecond part of the timestamps. As of writing, 397 // it's not standardized by POSIX, and there are several names for 398 // the same thing in struct stat. 399 long atime_nsec; 400 long mtime_nsec; 401 402# if defined(HAVE_STRUCT_STAT_ST_ATIM_TV_NSEC) 403 // GNU and Solaris 404 atime_nsec = pair->src_st.st_atim.tv_nsec; 405 mtime_nsec = pair->src_st.st_mtim.tv_nsec; 406 407# elif defined(HAVE_STRUCT_STAT_ST_ATIMESPEC_TV_NSEC) 408 // BSD 409 atime_nsec = pair->src_st.st_atimespec.tv_nsec; 410 mtime_nsec = pair->src_st.st_mtimespec.tv_nsec; 411 412# elif defined(HAVE_STRUCT_STAT_ST_ATIMENSEC) 413 // GNU and BSD without extensions 414 atime_nsec = pair->src_st.st_atimensec; 415 mtime_nsec = pair->src_st.st_mtimensec; 416 417# elif defined(HAVE_STRUCT_STAT_ST_UATIME) 418 // Tru64 419 atime_nsec = pair->src_st.st_uatime * 1000; 420 mtime_nsec = pair->src_st.st_umtime * 1000; 421 422# elif defined(HAVE_STRUCT_STAT_ST_ATIM_ST__TIM_TV_NSEC) 423 // UnixWare 424 atime_nsec = pair->src_st.st_atim.st__tim.tv_nsec; 425 mtime_nsec = pair->src_st.st_mtim.st__tim.tv_nsec; 426 427# else 428 // Safe fallback 429 atime_nsec = 0; 430 mtime_nsec = 0; 431# endif 432 433 // Construct a structure to hold the timestamps and call appropriate 434 // function to set the timestamps. 435#if defined(HAVE_FUTIMENS) 436 // Use nanosecond precision. 437 struct timespec tv[2]; 438 tv[0].tv_sec = pair->src_st.st_atime; 439 tv[0].tv_nsec = atime_nsec; 440 tv[1].tv_sec = pair->src_st.st_mtime; 441 tv[1].tv_nsec = mtime_nsec; 442 443 (void)futimens(pair->dest_fd, tv); 444 445#elif defined(HAVE_FUTIMES) || defined(HAVE_FUTIMESAT) || defined(HAVE_UTIMES) 446 // Use microsecond precision. 447 struct timeval tv[2]; 448 tv[0].tv_sec = pair->src_st.st_atime; 449 tv[0].tv_usec = atime_nsec / 1000; 450 tv[1].tv_sec = pair->src_st.st_mtime; 451 tv[1].tv_usec = mtime_nsec / 1000; 452 453# if defined(HAVE_FUTIMES) 454 (void)futimes(pair->dest_fd, tv); 455# elif defined(HAVE_FUTIMESAT) 456 (void)futimesat(pair->dest_fd, NULL, tv); 457# else 458 // Argh, no function to use a file descriptor to set the timestamp. 459 (void)utimes(pair->dest_name, tv); 460# endif 461 462#elif defined(HAVE__FUTIME) 463 // Use one-second precision with Windows-specific _futime(). 464 // We could use utime() too except that for some reason the 465 // timestamp will get reset at close(). With _futime() it works. 466 // This struct cannot be const as _futime() takes a non-const pointer. 467 struct _utimbuf buf = { 468 .actime = pair->src_st.st_atime, 469 .modtime = pair->src_st.st_mtime, 470 }; 471 472 // Avoid warnings. 473 (void)atime_nsec; 474 (void)mtime_nsec; 475 476 (void)_futime(pair->dest_fd, &buf); 477 478#elif defined(HAVE_UTIME) 479 // Use one-second precision. utime() doesn't support using file 480 // descriptor either. Some systems have broken utime() prototype 481 // so don't make this const. 482 struct utimbuf buf = { 483 .actime = pair->src_st.st_atime, 484 .modtime = pair->src_st.st_mtime, 485 }; 486 487 // Avoid warnings. 488 (void)atime_nsec; 489 (void)mtime_nsec; 490 491 (void)utime(pair->dest_name, &buf); 492#endif 493 494 return; 495} 496 497 498/// Opens the source file. Returns false on success, true on error. 499static bool 500io_open_src_real(file_pair *pair) 501{ 502 // There's nothing to open when reading from stdin. 503 if (pair->src_name == stdin_filename) { 504 pair->src_fd = STDIN_FILENO; 505#ifdef TUKLIB_DOSLIKE 506 setmode(STDIN_FILENO, O_BINARY); 507#else 508 // Try to set stdin to non-blocking mode. It won't work 509 // e.g. on OpenBSD if stdout is e.g. /dev/null. In such 510 // case we proceed as if stdin were non-blocking anyway 511 // (in case of /dev/null it will be in practice). The 512 // same applies to stdout in io_open_dest_real(). 513 stdin_flags = fcntl(STDIN_FILENO, F_GETFL); 514 if (stdin_flags == -1) { 515 message_error(_("Error getting the file status flags " 516 "from standard input: %s"), 517 strerror(errno)); 518 return true; 519 } 520 521 if ((stdin_flags & O_NONBLOCK) == 0 522 && fcntl(STDIN_FILENO, F_SETFL, 523 stdin_flags | O_NONBLOCK) != -1) 524 restore_stdin_flags = true; 525#endif 526#ifdef HAVE_POSIX_FADVISE 527 // It will fail if stdin is a pipe and that's fine. 528 (void)posix_fadvise(STDIN_FILENO, 0, 0, POSIX_FADV_SEQUENTIAL); 529#endif 530 return false; 531 } 532 533 // Symlinks are not followed unless writing to stdout or --force 534 // was used. 535 const bool follow_symlinks = opt_stdout || opt_force; 536 537 // We accept only regular files if we are writing the output 538 // to disk too. bzip2 allows overriding this with --force but 539 // gzip and xz don't. 540 const bool reg_files_only = !opt_stdout; 541 542 // Flags for open() 543 int flags = O_RDONLY | O_BINARY | O_NOCTTY; 544 545#ifndef TUKLIB_DOSLIKE 546 // Use non-blocking I/O: 547 // - It prevents blocking when opening FIFOs and some other 548 // special files, which is good if we want to accept only 549 // regular files. 550 // - It can help avoiding some race conditions with signal handling. 551 flags |= O_NONBLOCK; 552#endif 553 554#if defined(O_NOFOLLOW) 555 if (!follow_symlinks) 556 flags |= O_NOFOLLOW; 557#elif !defined(TUKLIB_DOSLIKE) 558 // Some POSIX-like systems lack O_NOFOLLOW (it's not required 559 // by POSIX). Check for symlinks with a separate lstat() on 560 // these systems. 561 if (!follow_symlinks) { 562 struct stat st; 563 if (lstat(pair->src_name, &st)) { 564 message_error("%s: %s", pair->src_name, 565 strerror(errno)); 566 return true; 567 568 } else if (S_ISLNK(st.st_mode)) { 569 message_warning(_("%s: Is a symbolic link, " 570 "skipping"), pair->src_name); 571 return true; 572 } 573 } 574#else 575 // Avoid warnings. 576 (void)follow_symlinks; 577#endif 578 579 // Try to open the file. Signals have been blocked so EINTR shouldn't 580 // be possible. 581 pair->src_fd = open(pair->src_name, flags); 582 583 if (pair->src_fd == -1) { 584 // Signals (that have a signal handler) have been blocked. 585 assert(errno != EINTR); 586 587#ifdef O_NOFOLLOW 588 // Give an understandable error message if the reason 589 // for failing was that the file was a symbolic link. 590 // 591 // Note that at least Linux, OpenBSD, Solaris, and Darwin 592 // use ELOOP to indicate that O_NOFOLLOW was the reason 593 // that open() failed. Because there may be 594 // directories in the pathname, ELOOP may occur also 595 // because of a symlink loop in the directory part. 596 // So ELOOP doesn't tell us what actually went wrong, 597 // and this stupidity went into POSIX-1.2008 too. 598 // 599 // FreeBSD associates EMLINK with O_NOFOLLOW and 600 // Tru64 uses ENOTSUP. We use these directly here 601 // and skip the lstat() call and the associated race. 602 // I want to hear if there are other kernels that 603 // fail with something else than ELOOP with O_NOFOLLOW. 604 bool was_symlink = false; 605 606# if defined(__FreeBSD__) || defined(__DragonFly__) 607 if (errno == EMLINK) 608 was_symlink = true; 609 610# elif defined(__digital__) && defined(__unix__) 611 if (errno == ENOTSUP) 612 was_symlink = true; 613 614# elif defined(__NetBSD__) 615 if (errno == EFTYPE) 616 was_symlink = true; 617 618# else 619 if (errno == ELOOP && !follow_symlinks) { 620 const int saved_errno = errno; 621 struct stat st; 622 if (lstat(pair->src_name, &st) == 0 623 && S_ISLNK(st.st_mode)) 624 was_symlink = true; 625 626 errno = saved_errno; 627 } 628# endif 629 630 if (was_symlink) 631 message_warning(_("%s: Is a symbolic link, " 632 "skipping"), pair->src_name); 633 else 634#endif 635 // Something else than O_NOFOLLOW failing 636 // (assuming that the race conditions didn't 637 // confuse us). 638 message_error("%s: %s", pair->src_name, 639 strerror(errno)); 640 641 return true; 642 } 643 644 // Stat the source file. We need the result also when we copy 645 // the permissions, and when unlinking. 646 // 647 // NOTE: Use stat() instead of fstat() with DJGPP, because 648 // then we have a better chance to get st_ino value that can 649 // be used in io_open_dest_real() to prevent overwriting the 650 // source file. 651#ifdef __DJGPP__ 652 if (stat(pair->src_name, &pair->src_st)) 653 goto error_msg; 654#else 655 if (fstat(pair->src_fd, &pair->src_st)) 656 goto error_msg; 657#endif 658 659 if (S_ISDIR(pair->src_st.st_mode)) { 660 message_warning(_("%s: Is a directory, skipping"), 661 pair->src_name); 662 goto error; 663 } 664 665 if (reg_files_only && !S_ISREG(pair->src_st.st_mode)) { 666 message_warning(_("%s: Not a regular file, skipping"), 667 pair->src_name); 668 goto error; 669 } 670 671#ifndef TUKLIB_DOSLIKE 672 if (reg_files_only && !opt_force) { 673 if (pair->src_st.st_mode & (S_ISUID | S_ISGID)) { 674 // gzip rejects setuid and setgid files even 675 // when --force was used. bzip2 doesn't check 676 // for them, but calls fchown() after fchmod(), 677 // and many systems automatically drop setuid 678 // and setgid bits there. 679 // 680 // We accept setuid and setgid files if 681 // --force was used. We drop these bits 682 // explicitly in io_copy_attr(). 683 message_warning(_("%s: File has setuid or " 684 "setgid bit set, skipping"), 685 pair->src_name); 686 goto error; 687 } 688 689 if (pair->src_st.st_mode & S_ISVTX) { 690 message_warning(_("%s: File has sticky bit " 691 "set, skipping"), 692 pair->src_name); 693 goto error; 694 } 695 696 if (pair->src_st.st_nlink > 1) { 697 message_warning(_("%s: Input file has more " 698 "than one hard link, " 699 "skipping"), pair->src_name); 700 goto error; 701 } 702 } 703 704 // If it is something else than a regular file, wait until 705 // there is input available. This way reading from FIFOs 706 // will work when open() is used with O_NONBLOCK. 707 if (!S_ISREG(pair->src_st.st_mode)) { 708 signals_unblock(); 709 const io_wait_ret ret = io_wait(pair, -1, true); 710 signals_block(); 711 712 if (ret != IO_WAIT_MORE) 713 goto error; 714 } 715#endif 716 717#ifdef HAVE_POSIX_FADVISE 718 // It will fail with some special files like FIFOs but that is fine. 719 (void)posix_fadvise(pair->src_fd, 0, 0, POSIX_FADV_SEQUENTIAL); 720#endif 721 722 return false; 723 724error_msg: 725 message_error("%s: %s", pair->src_name, strerror(errno)); 726error: 727 (void)close(pair->src_fd); 728 return true; 729} 730 731 732extern file_pair * 733io_open_src(const char *src_name) 734{ 735 if (is_empty_filename(src_name)) 736 return NULL; 737 738 // Since we have only one file open at a time, we can use 739 // a statically allocated structure. 740 static file_pair pair; 741 742 pair = (file_pair){ 743 .src_name = src_name, 744 .dest_name = NULL, 745 .src_fd = -1, 746 .dest_fd = -1, 747 .src_eof = false, 748 .dest_try_sparse = false, 749 .dest_pending_sparse = 0, 750 }; 751 752 // Block the signals, for which we have a custom signal handler, so 753 // that we don't need to worry about EINTR. 754 signals_block(); 755 const bool error = io_open_src_real(&pair); 756 signals_unblock(); 757 758#ifdef ENABLE_SANDBOX 759 if (!error) 760 io_sandbox_enter(pair.src_fd); 761#endif 762 763 return error ? NULL : &pair; 764} 765 766 767/// \brief Closes source file of the file_pair structure 768/// 769/// \param pair File whose src_fd should be closed 770/// \param success If true, the file will be removed from the disk if 771/// closing succeeds and --keep hasn't been used. 772static void 773io_close_src(file_pair *pair, bool success) 774{ 775#ifndef TUKLIB_DOSLIKE 776 if (restore_stdin_flags) { 777 assert(pair->src_fd == STDIN_FILENO); 778 779 restore_stdin_flags = false; 780 781 if (fcntl(STDIN_FILENO, F_SETFL, stdin_flags) == -1) 782 message_error(_("Error restoring the status flags " 783 "to standard input: %s"), 784 strerror(errno)); 785 } 786#endif 787 788 if (pair->src_fd != STDIN_FILENO && pair->src_fd != -1) { 789 // Close the file before possibly unlinking it. On DOS-like 790 // systems this is always required since unlinking will fail 791 // if the file is open. On POSIX systems it usually works 792 // to unlink open files, but in some cases it doesn't and 793 // one gets EBUSY in errno. 794 // 795 // xz 5.2.2 and older unlinked the file before closing it 796 // (except on DOS-like systems). The old code didn't handle 797 // EBUSY and could fail e.g. on some CIFS shares. The 798 // advantage of unlinking before closing is negligible 799 // (avoids a race between close() and stat()/lstat() and 800 // unlink()), so let's keep this simple. 801 (void)close(pair->src_fd); 802 803 if (success && !opt_keep_original) 804 io_unlink(pair->src_name, &pair->src_st); 805 } 806 807 return; 808} 809 810 811static bool 812io_open_dest_real(file_pair *pair) 813{ 814 if (opt_stdout || pair->src_fd == STDIN_FILENO) { 815 // We don't modify or free() this. 816 pair->dest_name = (char *)"(stdout)"; 817 pair->dest_fd = STDOUT_FILENO; 818#ifdef TUKLIB_DOSLIKE 819 setmode(STDOUT_FILENO, O_BINARY); 820#else 821 // Try to set O_NONBLOCK if it isn't already set. 822 // If it fails, we assume that stdout is non-blocking 823 // in practice. See the comments in io_open_src_real() 824 // for similar situation with stdin. 825 // 826 // NOTE: O_APPEND may be unset later in this function 827 // and it relies on stdout_flags being set here. 828 stdout_flags = fcntl(STDOUT_FILENO, F_GETFL); 829 if (stdout_flags == -1) { 830 message_error(_("Error getting the file status flags " 831 "from standard output: %s"), 832 strerror(errno)); 833 return true; 834 } 835 836 if ((stdout_flags & O_NONBLOCK) == 0 837 && fcntl(STDOUT_FILENO, F_SETFL, 838 stdout_flags | O_NONBLOCK) != -1) 839 restore_stdout_flags = true; 840#endif 841 } else { 842 pair->dest_name = suffix_get_dest_name(pair->src_name); 843 if (pair->dest_name == NULL) 844 return true; 845 846#ifdef __DJGPP__ 847 struct stat st; 848 if (stat(pair->dest_name, &st) == 0) { 849 // Check that it isn't a special file like "prn". 850 if (st.st_dev == -1) { 851 message_error("%s: Refusing to write to " 852 "a DOS special file", 853 pair->dest_name); 854 free(pair->dest_name); 855 return true; 856 } 857 858 // Check that we aren't overwriting the source file. 859 if (st.st_dev == pair->src_st.st_dev 860 && st.st_ino == pair->src_st.st_ino) { 861 message_error("%s: Output file is the same " 862 "as the input file", 863 pair->dest_name); 864 free(pair->dest_name); 865 return true; 866 } 867 } 868#endif 869 870 // If --force was used, unlink the target file first. 871 if (opt_force && unlink(pair->dest_name) && errno != ENOENT) { 872 message_error(_("%s: Cannot remove: %s"), 873 pair->dest_name, strerror(errno)); 874 free(pair->dest_name); 875 return true; 876 } 877 878 // Open the file. 879 int flags = O_WRONLY | O_BINARY | O_NOCTTY 880 | O_CREAT | O_EXCL; 881#ifndef TUKLIB_DOSLIKE 882 flags |= O_NONBLOCK; 883#endif 884 const mode_t mode = S_IRUSR | S_IWUSR; 885 pair->dest_fd = open(pair->dest_name, flags, mode); 886 887 if (pair->dest_fd == -1) { 888 message_error("%s: %s", pair->dest_name, 889 strerror(errno)); 890 free(pair->dest_name); 891 return true; 892 } 893 } 894 895#ifndef TUKLIB_DOSLIKE 896 // dest_st isn't used on DOS-like systems except as a dummy 897 // argument to io_unlink(), so don't fstat() on such systems. 898 if (fstat(pair->dest_fd, &pair->dest_st)) { 899 // If fstat() really fails, we have a safe fallback here. 900# if defined(__VMS) 901 pair->dest_st.st_ino[0] = 0; 902 pair->dest_st.st_ino[1] = 0; 903 pair->dest_st.st_ino[2] = 0; 904# else 905 pair->dest_st.st_dev = 0; 906 pair->dest_st.st_ino = 0; 907# endif 908 } else if (try_sparse && opt_mode == MODE_DECOMPRESS) { 909 // When writing to standard output, we need to be extra 910 // careful: 911 // - It may be connected to something else than 912 // a regular file. 913 // - We aren't necessarily writing to a new empty file 914 // or to the end of an existing file. 915 // - O_APPEND may be active. 916 // 917 // TODO: I'm keeping this disabled for DOS-like systems 918 // for now. FAT doesn't support sparse files, but NTFS 919 // does, so maybe this should be enabled on Windows after 920 // some testing. 921 if (pair->dest_fd == STDOUT_FILENO) { 922 if (!S_ISREG(pair->dest_st.st_mode)) 923 return false; 924 925 if (stdout_flags & O_APPEND) { 926 // Creating a sparse file is not possible 927 // when O_APPEND is active (it's used by 928 // shell's >> redirection). As I understand 929 // it, it is safe to temporarily disable 930 // O_APPEND in xz, because if someone 931 // happened to write to the same file at the 932 // same time, results would be bad anyway 933 // (users shouldn't assume that xz uses any 934 // specific block size when writing data). 935 // 936 // The write position may be something else 937 // than the end of the file, so we must fix 938 // it to start writing at the end of the file 939 // to imitate O_APPEND. 940 if (lseek(STDOUT_FILENO, 0, SEEK_END) == -1) 941 return false; 942 943 // Construct the new file status flags. 944 // If O_NONBLOCK was set earlier in this 945 // function, it must be kept here too. 946 int flags = stdout_flags & ~O_APPEND; 947 if (restore_stdout_flags) 948 flags |= O_NONBLOCK; 949 950 // If this fcntl() fails, we continue but won't 951 // try to create sparse output. The original 952 // flags will still be restored if needed (to 953 // unset O_NONBLOCK) when the file is finished. 954 if (fcntl(STDOUT_FILENO, F_SETFL, flags) == -1) 955 return false; 956 957 // Disabling O_APPEND succeeded. Mark 958 // that the flags should be restored 959 // in io_close_dest(). (This may have already 960 // been set when enabling O_NONBLOCK.) 961 restore_stdout_flags = true; 962 963 } else if (lseek(STDOUT_FILENO, 0, SEEK_CUR) 964 != pair->dest_st.st_size) { 965 // Writing won't start exactly at the end 966 // of the file. We cannot use sparse output, 967 // because it would probably corrupt the file. 968 return false; 969 } 970 } 971 972 pair->dest_try_sparse = true; 973 } 974#endif 975 976 return false; 977} 978 979 980extern bool 981io_open_dest(file_pair *pair) 982{ 983 signals_block(); 984 const bool ret = io_open_dest_real(pair); 985 signals_unblock(); 986 return ret; 987} 988 989 990/// \brief Closes destination file of the file_pair structure 991/// 992/// \param pair File whose dest_fd should be closed 993/// \param success If false, the file will be removed from the disk. 994/// 995/// \return Zero if closing succeeds. On error, -1 is returned and 996/// error message printed. 997static bool 998io_close_dest(file_pair *pair, bool success) 999{ 1000#ifndef TUKLIB_DOSLIKE 1001 // If io_open_dest() has disabled O_APPEND, restore it here. 1002 if (restore_stdout_flags) { 1003 assert(pair->dest_fd == STDOUT_FILENO); 1004 1005 restore_stdout_flags = false; 1006 1007 if (fcntl(STDOUT_FILENO, F_SETFL, stdout_flags) == -1) { 1008 message_error(_("Error restoring the O_APPEND flag " 1009 "to standard output: %s"), 1010 strerror(errno)); 1011 return true; 1012 } 1013 } 1014#endif 1015 1016 if (pair->dest_fd == -1 || pair->dest_fd == STDOUT_FILENO) 1017 return false; 1018 1019 if (close(pair->dest_fd)) { 1020 message_error(_("%s: Closing the file failed: %s"), 1021 pair->dest_name, strerror(errno)); 1022 1023 // Closing destination file failed, so we cannot trust its 1024 // contents. Get rid of junk: 1025 io_unlink(pair->dest_name, &pair->dest_st); 1026 free(pair->dest_name); 1027 return true; 1028 } 1029 1030 // If the operation using this file wasn't successful, we git rid 1031 // of the junk file. 1032 if (!success) 1033 io_unlink(pair->dest_name, &pair->dest_st); 1034 1035 free(pair->dest_name); 1036 1037 return false; 1038} 1039 1040 1041extern void 1042io_close(file_pair *pair, bool success) 1043{ 1044 // Take care of sparseness at the end of the output file. 1045 if (success && pair->dest_try_sparse 1046 && pair->dest_pending_sparse > 0) { 1047 // Seek forward one byte less than the size of the pending 1048 // hole, then write one zero-byte. This way the file grows 1049 // to its correct size. An alternative would be to use 1050 // ftruncate() but that isn't portable enough (e.g. it 1051 // doesn't work with FAT on Linux; FAT isn't that important 1052 // since it doesn't support sparse files anyway, but we don't 1053 // want to create corrupt files on it). 1054 if (lseek(pair->dest_fd, pair->dest_pending_sparse - 1, 1055 SEEK_CUR) == -1) { 1056 message_error(_("%s: Seeking failed when trying " 1057 "to create a sparse file: %s"), 1058 pair->dest_name, strerror(errno)); 1059 success = false; 1060 } else { 1061 const uint8_t zero[1] = { '\0' }; 1062 if (io_write_buf(pair, zero, 1)) 1063 success = false; 1064 } 1065 } 1066 1067 signals_block(); 1068 1069 // Copy the file attributes. We need to skip this if destination 1070 // file isn't open or it is standard output. 1071 if (success && pair->dest_fd != -1 && pair->dest_fd != STDOUT_FILENO) 1072 io_copy_attrs(pair); 1073 1074 // Close the destination first. If it fails, we must not remove 1075 // the source file! 1076 if (io_close_dest(pair, success)) 1077 success = false; 1078 1079 // Close the source file, and unlink it if the operation using this 1080 // file pair was successful and we haven't requested to keep the 1081 // source file. 1082 io_close_src(pair, success); 1083 1084 signals_unblock(); 1085 1086 return; 1087} 1088 1089 1090extern void 1091io_fix_src_pos(file_pair *pair, size_t rewind_size) 1092{ 1093 assert(rewind_size <= IO_BUFFER_SIZE); 1094 1095 if (rewind_size > 0) { 1096 // This doesn't need to work on unseekable file descriptors, 1097 // so just ignore possible errors. 1098 (void)lseek(pair->src_fd, -(off_t)(rewind_size), SEEK_CUR); 1099 } 1100 1101 return; 1102} 1103 1104 1105extern size_t 1106io_read(file_pair *pair, io_buf *buf_union, size_t size) 1107{ 1108 // We use small buffers here. 1109 assert(size < SSIZE_MAX); 1110 1111 uint8_t *buf = buf_union->u8; 1112 size_t left = size; 1113 1114 while (left > 0) { 1115 const ssize_t amount = read(pair->src_fd, buf, left); 1116 1117 if (amount == 0) { 1118 pair->src_eof = true; 1119 break; 1120 } 1121 1122 if (amount == -1) { 1123 if (errno == EINTR) { 1124 if (user_abort) 1125 return SIZE_MAX; 1126 1127 continue; 1128 } 1129 1130#ifndef TUKLIB_DOSLIKE 1131 if (IS_EAGAIN_OR_EWOULDBLOCK(errno)) { 1132 const io_wait_ret ret = io_wait(pair, 1133 mytime_get_flush_timeout(), 1134 true); 1135 switch (ret) { 1136 case IO_WAIT_MORE: 1137 continue; 1138 1139 case IO_WAIT_ERROR: 1140 return SIZE_MAX; 1141 1142 case IO_WAIT_TIMEOUT: 1143 return size - left; 1144 1145 default: 1146 message_bug(); 1147 } 1148 } 1149#endif 1150 1151 message_error(_("%s: Read error: %s"), 1152 pair->src_name, strerror(errno)); 1153 1154 return SIZE_MAX; 1155 } 1156 1157 buf += (size_t)(amount); 1158 left -= (size_t)(amount); 1159 } 1160 1161 return size - left; 1162} 1163 1164 1165extern bool 1166io_pread(file_pair *pair, io_buf *buf, size_t size, off_t pos) 1167{ 1168 // Using lseek() and read() is more portable than pread() and 1169 // for us it is as good as real pread(). 1170 if (lseek(pair->src_fd, pos, SEEK_SET) != pos) { 1171 message_error(_("%s: Error seeking the file: %s"), 1172 pair->src_name, strerror(errno)); 1173 return true; 1174 } 1175 1176 const size_t amount = io_read(pair, buf, size); 1177 if (amount == SIZE_MAX) 1178 return true; 1179 1180 if (amount != size) { 1181 message_error(_("%s: Unexpected end of file"), 1182 pair->src_name); 1183 return true; 1184 } 1185 1186 return false; 1187} 1188 1189 1190static bool 1191is_sparse(const io_buf *buf) 1192{ 1193 assert(IO_BUFFER_SIZE % sizeof(uint64_t) == 0); 1194 1195 for (size_t i = 0; i < ARRAY_SIZE(buf->u64); ++i) 1196 if (buf->u64[i] != 0) 1197 return false; 1198 1199 return true; 1200} 1201 1202 1203static bool 1204io_write_buf(file_pair *pair, const uint8_t *buf, size_t size) 1205{ 1206 assert(size < SSIZE_MAX); 1207 1208 while (size > 0) { 1209 const ssize_t amount = write(pair->dest_fd, buf, size); 1210 if (amount == -1) { 1211 if (errno == EINTR) { 1212 if (user_abort) 1213 return true; 1214 1215 continue; 1216 } 1217 1218#ifndef TUKLIB_DOSLIKE 1219 if (IS_EAGAIN_OR_EWOULDBLOCK(errno)) { 1220 if (io_wait(pair, -1, false) == IO_WAIT_MORE) 1221 continue; 1222 1223 return true; 1224 } 1225#endif 1226 1227 // Handle broken pipe specially. gzip and bzip2 1228 // don't print anything on SIGPIPE. In addition, 1229 // gzip --quiet uses exit status 2 (warning) on 1230 // broken pipe instead of whatever raise(SIGPIPE) 1231 // would make it return. It is there to hide "Broken 1232 // pipe" message on some old shells (probably old 1233 // GNU bash). 1234 // 1235 // We don't do anything special with --quiet, which 1236 // is what bzip2 does too. If we get SIGPIPE, we 1237 // will handle it like other signals by setting 1238 // user_abort, and get EPIPE here. 1239 if (errno != EPIPE) 1240 message_error(_("%s: Write error: %s"), 1241 pair->dest_name, strerror(errno)); 1242 1243 return true; 1244 } 1245 1246 buf += (size_t)(amount); 1247 size -= (size_t)(amount); 1248 } 1249 1250 return false; 1251} 1252 1253 1254extern bool 1255io_write(file_pair *pair, const io_buf *buf, size_t size) 1256{ 1257 assert(size <= IO_BUFFER_SIZE); 1258 1259 if (pair->dest_try_sparse) { 1260 // Check if the block is sparse (contains only zeros). If it 1261 // sparse, we just store the amount and return. We will take 1262 // care of actually skipping over the hole when we hit the 1263 // next data block or close the file. 1264 // 1265 // Since io_close() requires that dest_pending_sparse > 0 1266 // if the file ends with sparse block, we must also return 1267 // if size == 0 to avoid doing the lseek(). 1268 if (size == IO_BUFFER_SIZE) { 1269 if (is_sparse(buf)) { 1270 pair->dest_pending_sparse += size; 1271 return false; 1272 } 1273 } else if (size == 0) { 1274 return false; 1275 } 1276 1277 // This is not a sparse block. If we have a pending hole, 1278 // skip it now. 1279 if (pair->dest_pending_sparse > 0) { 1280 if (lseek(pair->dest_fd, pair->dest_pending_sparse, 1281 SEEK_CUR) == -1) { 1282 message_error(_("%s: Seeking failed when " 1283 "trying to create a sparse " 1284 "file: %s"), pair->dest_name, 1285 strerror(errno)); 1286 return true; 1287 } 1288 1289 pair->dest_pending_sparse = 0; 1290 } 1291 } 1292 1293 return io_write_buf(pair, buf->u8, size); 1294} 1295