/* Change the owner and/or group of the file specified by FTS and ENT to UID and/or GID as appropriate. If REQUIRED_UID is not -1, then skip files with any other user ID. If REQUIRED_GID is not -1, then skip files with any other group ID. CHOPT specifies additional options. Return true if successful. */ static bool change_file_owner (FTS *fts, FTSENT *ent, uid_t uid, gid_t gid, uid_t required_uid, gid_t required_gid, struct Chown_option const *chopt) { char const *file_full_name = ent->fts_path; char const *file = ent->fts_accpath; struct stat const *file_stats; struct stat stat_buf; bool ok = true; bool do_chown; bool symlink_changed = true; switch (ent->fts_info) { case FTS_D: if (chopt->recurse) { if (ROOT_DEV_INO_CHECK (chopt->root_dev_ino, ent->fts_statp)) { /* This happens e.g., with "chown -R --preserve-root 0 /" and with "chown -RH --preserve-root 0 symlink-to-root". */ ROOT_DEV_INO_WARN (file_full_name); /* Tell fts not to traverse into this hierarchy. */ fts_set (fts, ent, FTS_SKIP); /* Ensure that we do not process "/" on the second visit. */ ignore_value (fts_read (fts)); return false; } return true; } break; case FTS_DP: if (! chopt->recurse) return true; break; case FTS_NS: /* For a top-level file or directory, this FTS_NS (stat failed) indicator is determined at the time of the initial fts_open call. With programs like chmod, chown, and chgrp, that modify permissions, it is possible that the file in question is accessible when control reaches this point. So, if this is the first time we've seen the FTS_NS for this file, tell fts_read to stat it "again". */ if (ent->fts_level == 0 && ent->fts_number == 0) { ent->fts_number = 1; fts_set (fts, ent, FTS_AGAIN); return true; } if (! chopt->force_silent) error (0, ent->fts_errno, _("cannot access %s"), quote (file_full_name)); ok = false; break; case FTS_ERR: if (! chopt->force_silent) error (0, ent->fts_errno, "%s", quote (file_full_name)); ok = false; break; case FTS_DNR: if (! chopt->force_silent) error (0, ent->fts_errno, _("cannot read directory %s"), quote (file_full_name)); ok = false; break; case FTS_DC: /* directory that causes cycles */ if (cycle_warning_required (fts, ent)) { emit_cycle_warning (file_full_name); return false; } break; default: break; } if (!ok) { do_chown = false; file_stats = NULL; } else if (required_uid == (uid_t) -1 && required_gid == (gid_t) -1 && chopt->verbosity == V_off && ! chopt->root_dev_ino && ! chopt->affect_symlink_referent) { do_chown = true; file_stats = ent->fts_statp; } else { file_stats = ent->fts_statp; /* If this is a symlink and we're dereferencing them, stat it to get info on the referent. */ if (chopt->affect_symlink_referent && S_ISLNK (file_stats->st_mode)) { if (fstatat (fts->fts_cwd_fd, file, &stat_buf, 0) != 0) { if (! chopt->force_silent) error (0, errno, _("cannot dereference %s"), quote (file_full_name)); ok = false; } file_stats = &stat_buf; } do_chown = (ok && (required_uid == (uid_t) -1 || required_uid == file_stats->st_uid) && (required_gid == (gid_t) -1 || required_gid == file_stats->st_gid)); } /* This happens when chown -LR --preserve-root encounters a symlink-to-/. */ if (ok && FTSENT_IS_DIRECTORY (ent) && ROOT_DEV_INO_CHECK (chopt->root_dev_ino, file_stats)) { ROOT_DEV_INO_WARN (file_full_name); return false; } if (do_chown) { if ( ! chopt->affect_symlink_referent) { ok = (lchownat (fts->fts_cwd_fd, file, uid, gid) == 0); /* Ignore any error due to lack of support; POSIX requires this behavior for top-level symbolic links with -h, and implies that it's required for all symbolic links. */ if (!ok && errno == EOPNOTSUPP) { ok = true; symlink_changed = false; } } else { /* If possible, avoid a race condition with --from=O:G and without the (-h) --no-dereference option. If fts's stat call determined that the uid/gid of FILE matched the --from=O:G-selected owner and group IDs, blindly using chown(2) here could lead chown(1) or chgrp(1) mistakenly to dereference a *symlink* to an arbitrary file that an attacker had moved into the place of FILE during the window between the stat and chown(2) calls. If FILE is a regular file or a directory that can be opened, this race condition can be avoided safely. */ enum RCH_status err = restricted_chown (fts->fts_cwd_fd, file, file_stats, uid, gid, required_uid, required_gid); switch (err) { case RC_ok: break; case RC_do_ordinary_chown: ok = (chownat (fts->fts_cwd_fd, file, uid, gid) == 0); break; case RC_error: ok = false; break; case RC_inode_changed: /* FIXME: give a diagnostic in this case? */ case RC_excluded: do_chown = false; ok = false; break; default: abort (); } } /* On some systems (e.g., GNU/Linux 2.4.x), the chown function resets the `special' permission bits. Do *not* restore those bits; doing so would open a window in which a malicious user, M, could subvert a chown command run by some other user and operating on files in a directory where M has write access. */ if (do_chown && !ok && ! chopt->force_silent) error (0, errno, (uid != (uid_t) -1 ? _("changing ownership of %s") : _("changing group of %s")), quote (file_full_name)); } if (chopt->verbosity != V_off) { bool changed = ((do_chown && ok && symlink_changed) && ! ((uid == (uid_t) -1 || uid == file_stats->st_uid) && (gid == (gid_t) -1 || gid == file_stats->st_gid))); if (changed || chopt->verbosity == V_high) { enum Change_status ch_status = (!ok ? CH_FAILED : !symlink_changed ? CH_NOT_APPLIED : !changed ? CH_NO_CHANGE_REQUESTED : CH_SUCCEEDED); char *old_usr = file_stats ? uid_to_name (file_stats->st_uid) : NULL; char *old_grp = file_stats ? gid_to_name (file_stats->st_gid) : NULL; describe_change (file_full_name, ch_status, old_usr, old_grp, chopt->user_name, chopt->group_name); free (old_usr); free (old_grp); } } if ( ! chopt->recurse) fts_set (fts, ent, FTS_SKIP); return ok; }
/* Wrapper around fchownat to test chown behavior. */ static int do_chown (char const *name, uid_t user, gid_t group) { return chownat (dfd, name, user, group); }