1/* chown-core.c -- core functions for changing ownership. 2 Copyright (C) 2000, 2002-2010 Free Software Foundation, Inc. 3 4 This program is free software: you can redistribute it and/or modify 5 it under the terms of the GNU General Public License as published by 6 the Free Software Foundation, either version 3 of the License, or 7 (at your option) any later version. 8 9 This program is distributed in the hope that it will be useful, 10 but WITHOUT ANY WARRANTY; without even the implied warranty of 11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 GNU General Public License for more details. 13 14 You should have received a copy of the GNU General Public License 15 along with this program. If not, see <http://www.gnu.org/licenses/>. */ 16 17/* Extracted from chown.c/chgrp.c and librarified by Jim Meyering. */ 18 19#include <config.h> 20#include <stdio.h> 21#include <sys/types.h> 22#include <pwd.h> 23#include <grp.h> 24 25#include "system.h" 26#include "chown-core.h" 27#include "error.h" 28#include "ignore-value.h" 29#include "quote.h" 30#include "root-dev-ino.h" 31#include "xfts.h" 32 33#define FTSENT_IS_DIRECTORY(E) \ 34 ((E)->fts_info == FTS_D \ 35 || (E)->fts_info == FTS_DC \ 36 || (E)->fts_info == FTS_DP \ 37 || (E)->fts_info == FTS_DNR) 38 39enum RCH_status 40 { 41 /* we called fchown and close, and both succeeded */ 42 RC_ok = 2, 43 44 /* required_uid and/or required_gid are specified, but don't match */ 45 RC_excluded, 46 47 /* SAME_INODE check failed */ 48 RC_inode_changed, 49 50 /* open/fchown isn't needed, isn't safe, or doesn't work due to 51 permissions problems; fall back on chown */ 52 RC_do_ordinary_chown, 53 54 /* open, fstat, fchown, or close failed */ 55 RC_error 56 }; 57 58extern void 59chopt_init (struct Chown_option *chopt) 60{ 61 chopt->verbosity = V_off; 62 chopt->root_dev_ino = NULL; 63 chopt->affect_symlink_referent = true; 64 chopt->recurse = false; 65 chopt->force_silent = false; 66 chopt->user_name = NULL; 67 chopt->group_name = NULL; 68} 69 70extern void 71chopt_free (struct Chown_option *chopt ATTRIBUTE_UNUSED) 72{ 73 /* Deliberately do not free chopt->user_name or ->group_name. 74 They're not always allocated. */ 75} 76 77/* Convert the numeric group-id, GID, to a string stored in xmalloc'd memory, 78 and return it. If there's no corresponding group name, use the decimal 79 representation of the ID. */ 80 81extern char * 82gid_to_name (gid_t gid) 83{ 84 char buf[INT_BUFSIZE_BOUND (intmax_t)]; 85 struct group *grp = getgrgid (gid); 86 return xstrdup (grp ? grp->gr_name 87 : TYPE_SIGNED (gid_t) ? imaxtostr (gid, buf) 88 : umaxtostr (gid, buf)); 89} 90 91/* Convert the numeric user-id, UID, to a string stored in xmalloc'd memory, 92 and return it. If there's no corresponding user name, use the decimal 93 representation of the ID. */ 94 95extern char * 96uid_to_name (uid_t uid) 97{ 98 char buf[INT_BUFSIZE_BOUND (intmax_t)]; 99 struct passwd *pwd = getpwuid (uid); 100 return xstrdup (pwd ? pwd->pw_name 101 : TYPE_SIGNED (uid_t) ? imaxtostr (uid, buf) 102 : umaxtostr (uid, buf)); 103} 104 105/* Tell the user how/if the user and group of FILE have been changed. 106 If USER is NULL, give the group-oriented messages. 107 CHANGED describes what (if anything) has happened. */ 108 109static void 110describe_change (const char *file, enum Change_status changed, 111 char const *user, char const *group) 112{ 113 const char *fmt; 114 char const *spec; 115 char *spec_allocated = NULL; 116 117 if (changed == CH_NOT_APPLIED) 118 { 119 printf (_("neither symbolic link %s nor referent has been changed\n"), 120 quote (file)); 121 return; 122 } 123 124 if (user) 125 { 126 if (group) 127 { 128 spec_allocated = xmalloc (strlen (user) + 1 + strlen (group) + 1); 129 stpcpy (stpcpy (stpcpy (spec_allocated, user), ":"), group); 130 spec = spec_allocated; 131 } 132 else 133 { 134 spec = user; 135 } 136 } 137 else 138 { 139 spec = group; 140 } 141 142 switch (changed) 143 { 144 case CH_SUCCEEDED: 145 fmt = (user ? _("changed ownership of %s to %s\n") 146 : group ? _("changed group of %s to %s\n") 147 : _("no change to ownership of %s\n")); 148 break; 149 case CH_FAILED: 150 fmt = (user ? _("failed to change ownership of %s to %s\n") 151 : group ? _("failed to change group of %s to %s\n") 152 : _("failed to change ownership of %s\n")); 153 break; 154 case CH_NO_CHANGE_REQUESTED: 155 fmt = (user ? _("ownership of %s retained as %s\n") 156 : group ? _("group of %s retained as %s\n") 157 : _("ownership of %s retained\n")); 158 break; 159 default: 160 abort (); 161 } 162 163 printf (fmt, quote (file), spec); 164 165 free (spec_allocated); 166} 167 168/* Change the owner and/or group of the FILE to UID and/or GID (safely) 169 only if REQUIRED_UID and REQUIRED_GID match the owner and group IDs 170 of FILE. ORIG_ST must be the result of `stat'ing FILE. 171 172 The `safely' part above means that we can't simply use chown(2), 173 since FILE might be replaced with some other file between the time 174 of the preceding stat/lstat and this chown call. So here we open 175 FILE and do everything else via the resulting file descriptor. 176 We first call fstat and verify that the dev/inode match those from 177 the preceding stat call, and only then, if appropriate (given the 178 required_uid and required_gid constraints) do we call fchown. 179 180 Return RC_do_ordinary_chown if we can't open FILE, or if FILE is a 181 special file that might have undesirable side effects when opening. 182 In this case the caller can use the less-safe ordinary chown. 183 184 Return one of the RCH_status values. */ 185 186static enum RCH_status 187restricted_chown (int cwd_fd, char const *file, 188 struct stat const *orig_st, 189 uid_t uid, gid_t gid, 190 uid_t required_uid, gid_t required_gid) 191{ 192 enum RCH_status status = RC_ok; 193 struct stat st; 194 int open_flags = O_NONBLOCK | O_NOCTTY; 195 int fd; 196 197 if (required_uid == (uid_t) -1 && required_gid == (gid_t) -1) 198 return RC_do_ordinary_chown; 199 200 if (! S_ISREG (orig_st->st_mode)) 201 { 202 if (S_ISDIR (orig_st->st_mode)) 203 open_flags |= O_DIRECTORY; 204 else 205 return RC_do_ordinary_chown; 206 } 207 208 fd = openat (cwd_fd, file, O_RDONLY | open_flags); 209 if (! (0 <= fd 210 || (errno == EACCES && S_ISREG (orig_st->st_mode) 211 && 0 <= (fd = openat (cwd_fd, file, O_WRONLY | open_flags))))) 212 return (errno == EACCES ? RC_do_ordinary_chown : RC_error); 213 214 if (fstat (fd, &st) != 0) 215 status = RC_error; 216 else if (! SAME_INODE (*orig_st, st)) 217 status = RC_inode_changed; 218 else if ((required_uid == (uid_t) -1 || required_uid == st.st_uid) 219 && (required_gid == (gid_t) -1 || required_gid == st.st_gid)) 220 { 221 if (fchown (fd, uid, gid) == 0) 222 { 223 status = (close (fd) == 0 224 ? RC_ok : RC_error); 225 return status; 226 } 227 else 228 { 229 status = RC_error; 230 } 231 } 232 233 { /* FIXME: remove these curly braces when we assume C99. */ 234 int saved_errno = errno; 235 close (fd); 236 errno = saved_errno; 237 return status; 238 } 239} 240 241/* Change the owner and/or group of the file specified by FTS and ENT 242 to UID and/or GID as appropriate. 243 If REQUIRED_UID is not -1, then skip files with any other user ID. 244 If REQUIRED_GID is not -1, then skip files with any other group ID. 245 CHOPT specifies additional options. 246 Return true if successful. */ 247static bool 248change_file_owner (FTS *fts, FTSENT *ent, 249 uid_t uid, gid_t gid, 250 uid_t required_uid, gid_t required_gid, 251 struct Chown_option const *chopt) 252{ 253 char const *file_full_name = ent->fts_path; 254 char const *file = ent->fts_accpath; 255 struct stat const *file_stats; 256 struct stat stat_buf; 257 bool ok = true; 258 bool do_chown; 259 bool symlink_changed = true; 260 261 switch (ent->fts_info) 262 { 263 case FTS_D: 264 if (chopt->recurse) 265 { 266 if (ROOT_DEV_INO_CHECK (chopt->root_dev_ino, ent->fts_statp)) 267 { 268 /* This happens e.g., with "chown -R --preserve-root 0 /" 269 and with "chown -RH --preserve-root 0 symlink-to-root". */ 270 ROOT_DEV_INO_WARN (file_full_name); 271 /* Tell fts not to traverse into this hierarchy. */ 272 fts_set (fts, ent, FTS_SKIP); 273 /* Ensure that we do not process "/" on the second visit. */ 274 ignore_ptr (fts_read (fts)); 275 return false; 276 } 277 return true; 278 } 279 break; 280 281 case FTS_DP: 282 if (! chopt->recurse) 283 return true; 284 break; 285 286 case FTS_NS: 287 /* For a top-level file or directory, this FTS_NS (stat failed) 288 indicator is determined at the time of the initial fts_open call. 289 With programs like chmod, chown, and chgrp, that modify 290 permissions, it is possible that the file in question is 291 accessible when control reaches this point. So, if this is 292 the first time we've seen the FTS_NS for this file, tell 293 fts_read to stat it "again". */ 294 if (ent->fts_level == 0 && ent->fts_number == 0) 295 { 296 ent->fts_number = 1; 297 fts_set (fts, ent, FTS_AGAIN); 298 return true; 299 } 300 if (! chopt->force_silent) 301 error (0, ent->fts_errno, _("cannot access %s"), 302 quote (file_full_name)); 303 ok = false; 304 break; 305 306 case FTS_ERR: 307 if (! chopt->force_silent) 308 error (0, ent->fts_errno, _("%s"), quote (file_full_name)); 309 ok = false; 310 break; 311 312 case FTS_DNR: 313 if (! chopt->force_silent) 314 error (0, ent->fts_errno, _("cannot read directory %s"), 315 quote (file_full_name)); 316 ok = false; 317 break; 318 319 case FTS_DC: /* directory that causes cycles */ 320 if (cycle_warning_required (fts, ent)) 321 { 322 emit_cycle_warning (file_full_name); 323 return false; 324 } 325 break; 326 327 default: 328 break; 329 } 330 331 if (!ok) 332 { 333 do_chown = false; 334 file_stats = NULL; 335 } 336 else if (required_uid == (uid_t) -1 && required_gid == (gid_t) -1 337 && chopt->verbosity == V_off 338 && ! chopt->root_dev_ino 339 && ! chopt->affect_symlink_referent) 340 { 341 do_chown = true; 342 file_stats = ent->fts_statp; 343 } 344 else 345 { 346 file_stats = ent->fts_statp; 347 348 /* If this is a symlink and we're dereferencing them, 349 stat it to get info on the referent. */ 350 if (chopt->affect_symlink_referent && S_ISLNK (file_stats->st_mode)) 351 { 352 if (fstatat (fts->fts_cwd_fd, file, &stat_buf, 0) != 0) 353 { 354 if (! chopt->force_silent) 355 error (0, errno, _("cannot dereference %s"), 356 quote (file_full_name)); 357 ok = false; 358 } 359 360 file_stats = &stat_buf; 361 } 362 363 do_chown = (ok 364 && (required_uid == (uid_t) -1 365 || required_uid == file_stats->st_uid) 366 && (required_gid == (gid_t) -1 367 || required_gid == file_stats->st_gid)); 368 } 369 370 /* This happens when chown -LR --preserve-root encounters a symlink-to-/. */ 371 if (ok 372 && FTSENT_IS_DIRECTORY (ent) 373 && ROOT_DEV_INO_CHECK (chopt->root_dev_ino, file_stats)) 374 { 375 ROOT_DEV_INO_WARN (file_full_name); 376 return false; 377 } 378 379 if (do_chown) 380 { 381 if ( ! chopt->affect_symlink_referent) 382 { 383 ok = (lchownat (fts->fts_cwd_fd, file, uid, gid) == 0); 384 385 /* Ignore any error due to lack of support; POSIX requires 386 this behavior for top-level symbolic links with -h, and 387 implies that it's required for all symbolic links. */ 388 if (!ok && errno == EOPNOTSUPP) 389 { 390 ok = true; 391 symlink_changed = false; 392 } 393 } 394 else 395 { 396 /* If possible, avoid a race condition with --from=O:G and without the 397 (-h) --no-dereference option. If fts's stat call determined 398 that the uid/gid of FILE matched the --from=O:G-selected 399 owner and group IDs, blindly using chown(2) here could lead 400 chown(1) or chgrp(1) mistakenly to dereference a *symlink* 401 to an arbitrary file that an attacker had moved into the 402 place of FILE during the window between the stat and 403 chown(2) calls. If FILE is a regular file or a directory 404 that can be opened, this race condition can be avoided safely. */ 405 406 enum RCH_status err 407 = restricted_chown (fts->fts_cwd_fd, file, file_stats, uid, gid, 408 required_uid, required_gid); 409 switch (err) 410 { 411 case RC_ok: 412 break; 413 414 case RC_do_ordinary_chown: 415 ok = (chownat (fts->fts_cwd_fd, file, uid, gid) == 0); 416 break; 417 418 case RC_error: 419 ok = false; 420 break; 421 422 case RC_inode_changed: 423 /* FIXME: give a diagnostic in this case? */ 424 case RC_excluded: 425 do_chown = false; 426 ok = false; 427 break; 428 429 default: 430 abort (); 431 } 432 } 433 434 /* On some systems (e.g., GNU/Linux 2.4.x), 435 the chown function resets the `special' permission bits. 436 Do *not* restore those bits; doing so would open a window in 437 which a malicious user, M, could subvert a chown command run 438 by some other user and operating on files in a directory 439 where M has write access. */ 440 441 if (do_chown && !ok && ! chopt->force_silent) 442 error (0, errno, (uid != (uid_t) -1 443 ? _("changing ownership of %s") 444 : _("changing group of %s")), 445 quote (file_full_name)); 446 } 447 448 if (chopt->verbosity != V_off) 449 { 450 bool changed = 451 ((do_chown && ok && symlink_changed) 452 && ! ((uid == (uid_t) -1 || uid == file_stats->st_uid) 453 && (gid == (gid_t) -1 || gid == file_stats->st_gid))); 454 455 if (changed || chopt->verbosity == V_high) 456 { 457 enum Change_status ch_status = 458 (!ok ? CH_FAILED 459 : !symlink_changed ? CH_NOT_APPLIED 460 : !changed ? CH_NO_CHANGE_REQUESTED 461 : CH_SUCCEEDED); 462 describe_change (file_full_name, ch_status, 463 chopt->user_name, chopt->group_name); 464 } 465 } 466 467 if ( ! chopt->recurse) 468 fts_set (fts, ent, FTS_SKIP); 469 470 return ok; 471} 472 473/* Change the owner and/or group of the specified FILES. 474 BIT_FLAGS specifies how to treat each symlink-to-directory 475 that is encountered during a recursive traversal. 476 CHOPT specifies additional options. 477 If UID is not -1, then change the owner id of each file to UID. 478 If GID is not -1, then change the group id of each file to GID. 479 If REQUIRED_UID and/or REQUIRED_GID is not -1, then change only 480 files with user ID and group ID that match the non-(-1) value(s). 481 Return true if successful. */ 482extern bool 483chown_files (char **files, int bit_flags, 484 uid_t uid, gid_t gid, 485 uid_t required_uid, gid_t required_gid, 486 struct Chown_option const *chopt) 487{ 488 bool ok = true; 489 490 /* Use lstat and stat only if they're needed. */ 491 int stat_flags = ((required_uid != (uid_t) -1 || required_gid != (gid_t) -1 492 || chopt->affect_symlink_referent 493 || chopt->verbosity != V_off) 494 ? 0 495 : FTS_NOSTAT); 496 497 FTS *fts = xfts_open (files, bit_flags | stat_flags, NULL); 498 499 while (1) 500 { 501 FTSENT *ent; 502 503 ent = fts_read (fts); 504 if (ent == NULL) 505 { 506 if (errno != 0) 507 { 508 /* FIXME: try to give a better message */ 509 if (! chopt->force_silent) 510 error (0, errno, _("fts_read failed")); 511 ok = false; 512 } 513 break; 514 } 515 516 ok &= change_file_owner (fts, ent, uid, gid, 517 required_uid, required_gid, chopt); 518 } 519 520 if (fts_close (fts) != 0) 521 { 522 error (0, errno, _("fts_close failed")); 523 ok = false; 524 } 525 526 return ok; 527} 528