static void
describe_change (const char *file, enum Change_status changed,
char const *old_user, char const *old_group,
char const *user, char const *group)
{
const char *fmt;
char *old_spec;
char *spec;
if (changed == CH_NOT_APPLIED)
{
printf (_("neither symbolic link %s nor referent has been changed\n"),
quoteaf (file));
return;
}
spec = user_group_str (user, group);
old_spec = user_group_str (user ? old_user : NULL, group ? old_group : NULL);
switch (changed)
{
case CH_SUCCEEDED:
fmt = (user ? _("changed ownership of %s from %s to %s\n")
: group ? _("changed group of %s from %s to %s\n")
: _("no change to ownership of %s\n"));
break;
case CH_FAILED:
if (old_spec)
{
fmt = (user ? _("failed to change ownership of %s from %s to %s\n")
: group ? _("failed to change group of %s from %s to %s\n")
: _("failed to change ownership of %s\n"));
}
else
{
fmt = (user ? _("failed to change ownership of %s to %s\n")
: group ? _("failed to change group of %s to %s\n")
: _("failed to change ownership of %s\n"));
free (old_spec);
old_spec = spec;
spec = NULL;
}
break;
case CH_NO_CHANGE_REQUESTED:
fmt = (user ? _("ownership of %s retained as %s\n")
: group ? _("group of %s retained as %s\n")
: _("ownership of %s retained\n"));
break;
default:
abort ();
}
printf (fmt, quoteaf (file), old_spec, spec);
free (old_spec);
free (spec);
}
/*
This function takes a path and a mode, it calls computecon to get the
label of the path object if the current process created it, then it calls
matchpathcon to get the default type for the object. It substitutes the
default type into label. It tells the SELinux Kernel to label all new file
system objects created by the current process with this label.
Returns -1 on failure. errno will be set appropriately.
*/
int
defaultcon (char const *path, mode_t mode)
{
int rc = -1;
char *scon = NULL;
char *tcon = NULL;
context_t scontext = 0, tcontext = 0;
const char *contype;
char *constr;
char *newpath = NULL;
if (! IS_ABSOLUTE_FILE_NAME (path))
{
/* Generate absolute path as required by subsequent matchpathcon(),
with libselinux < 2.1.5 2011-0826. */
newpath = canonicalize_filename_mode (path, CAN_MISSING);
if (! newpath)
die (EXIT_FAILURE, errno, _("error canonicalizing %s"),
quoteaf (path));
path = newpath;
}
if (matchpathcon (path, mode, &scon) < 0)
{
/* "No such file or directory" is a confusing error,
when processing files, when in fact it was the
associated default context that was not found.
Therefore map the error to something more appropriate
to the context in which we're using matchpathcon(). */
if (errno == ENOENT)
errno = ENODATA;
goto quit;
}
if (computecon (path, mode, &tcon) < 0)
goto quit;
if (!(scontext = context_new (scon)))
goto quit;
if (!(tcontext = context_new (tcon)))
goto quit;
if (!(contype = context_type_get (scontext)))
goto quit;
if (context_type_set (tcontext, contype))
goto quit;
if (!(constr = context_str (tcontext)))
goto quit;
rc = setfscreatecon (constr);
quit:
context_free (scontext);
context_free (tcontext);
freecon (scon);
freecon (tcon);
free (newpath);
return rc;
}
/* Remove the file system object specified by ENT. IS_DIR specifies
whether it is expected to be a directory or non-directory.
Return RM_OK upon success, else RM_ERROR. */
static enum RM_status
excise (FTS *fts, FTSENT *ent, struct rm_options const *x, bool is_dir)
{
int flag = is_dir ? AT_REMOVEDIR : 0;
if (unlinkat (fts->fts_cwd_fd, ent->fts_accpath, flag) == 0)
{
if (x->verbose)
{
printf ((is_dir
? _("removed directory %s\n")
: _("removed %s\n")), quoteaf (ent->fts_path));
}
return RM_OK;
}
/* The unlinkat from kernels like linux-2.6.32 reports EROFS even for
nonexistent files. When the file is indeed missing, map that to ENOENT,
so that rm -f ignores it, as required. Even without -f, this is useful
because it makes rm print the more precise diagnostic. */
if (errno == EROFS)
{
struct stat st;
if ( ! (lstatat (fts->fts_cwd_fd, ent->fts_accpath, &st)
&& errno == ENOENT))
errno = EROFS;
}
if (ignorable_missing (x, errno))
return RM_OK;
/* When failing to rmdir an unreadable directory, we see errno values
like EISDIR or ENOTDIR (or, on Solaris 10, EEXIST), but they would be
meaningless in a diagnostic. When that happens and the errno value
from the failed open is EPERM or EACCES, use the earlier, more
descriptive errno value. */
if (ent->fts_info == FTS_DNR
&& (errno == ENOTEMPTY || errno == EISDIR || errno == ENOTDIR
|| errno == EEXIST)
&& (ent->fts_errno == EPERM || ent->fts_errno == EACCES))
errno = ent->fts_errno;
error (0, errno, _("cannot remove %s"), quoteaf (ent->fts_path));
mark_ancestor_dirs (ent);
return RM_ERROR;
}
/*
This function takes three parameters:
PATH of an existing file system object.
A RECURSE boolean which if the file system object is a directory, will
call restorecon_private on every file system object in the directory.
A LOCAL boolean that indicates whether the function should set object labels
to the default for the local process, or use system wide settings.
Returns false on failure. errno will be set appropriately.
*/
bool
restorecon (char const *path, bool recurse, bool local)
{
char *newpath = NULL;
FTS *fts;
bool ok = true;
if (! IS_ABSOLUTE_FILE_NAME (path) && ! local)
{
/* Generate absolute path as required by subsequent matchpathcon(),
with libselinux < 2.1.5 2011-0826. Also generating the absolute
path before the fts walk, will generate absolute paths in the
fts entries, which may be quicker to process in any case. */
newpath = canonicalize_filename_mode (path, CAN_MISSING);
if (! newpath)
die (EXIT_FAILURE, errno, _("error canonicalizing %s"),
quoteaf (path));
}
const char *ftspath[2] = { newpath ? newpath : path, NULL };
if (! recurse)
{
ok = restorecon_private (*ftspath, local) != -1;
free (newpath);
return ok;
}
fts = xfts_open ((char *const *) ftspath, FTS_PHYSICAL, NULL);
while (1)
{
FTSENT *ent;
ent = fts_read (fts);
if (ent == NULL)
{
if (errno != 0)
{
error (0, errno, _("fts_read failed"));
ok = false;
}
break;
}
ok &= restorecon_private (fts->fts_path, local) != -1;
}
if (fts_close (fts) != 0)
{
error (0, errno, _("fts_close failed"));
ok = false;
}
free (newpath);
return ok;
}
/* This function is called once for every file system object that fts
encounters. fts performs a depth-first traversal.
A directory is usually processed twice, first with fts_info == FTS_D,
and later, after all of its entries have been processed, with FTS_DP.
Return RM_ERROR upon error, RM_USER_DECLINED for a negative response
to an interactive prompt, and otherwise, RM_OK. */
static enum RM_status
rm_fts (FTS *fts, FTSENT *ent, struct rm_options const *x)
{
switch (ent->fts_info)
{
case FTS_D: /* preorder directory */
if (! x->recursive
&& !(x->remove_empty_directories
&& is_empty_dir (fts->fts_cwd_fd, ent->fts_accpath)))
{
/* This is the first (pre-order) encounter with a directory
that we cannot delete.
Not recursive, and it's not an empty directory (if we're removing
them) so arrange to skip contents. */
int err = x->remove_empty_directories ? ENOTEMPTY : EISDIR;
error (0, err, _("cannot remove %s"), quoteaf (ent->fts_path));
mark_ancestor_dirs (ent);
fts_skip_tree (fts, ent);
return RM_ERROR;
}
/* Perform checks that can apply only for command-line arguments. */
if (ent->fts_level == FTS_ROOTLEVEL)
{
/* POSIX says:
If the basename of a command line argument is "." or "..",
diagnose it and do nothing more with that argument. */
if (dot_or_dotdot (last_component (ent->fts_accpath)))
{
error (0, 0,
_("refusing to remove %s or %s directory: skipping %s"),
quoteaf_n (0, "."), quoteaf_n (1, ".."),
quoteaf_n (2, ent->fts_path));
fts_skip_tree (fts, ent);
return RM_ERROR;
}
/* POSIX also says:
If a command line argument resolves to "/" (and --preserve-root
is in effect -- default) diagnose and skip it. */
if (ROOT_DEV_INO_CHECK (x->root_dev_ino, ent->fts_statp))
{
ROOT_DEV_INO_WARN (ent->fts_path);
fts_skip_tree (fts, ent);
return RM_ERROR;
}
}
{
Ternary is_empty_directory;
enum RM_status s = prompt (fts, ent, true /*is_dir*/, x,
PA_DESCEND_INTO_DIR, &is_empty_directory);
if (s == RM_OK && is_empty_directory == T_YES)
{
/* When we know (from prompt when in interactive mode)
that this is an empty directory, don't prompt twice. */
s = excise (fts, ent, x, true);
fts_skip_tree (fts, ent);
}
if (s != RM_OK)
{
mark_ancestor_dirs (ent);
fts_skip_tree (fts, ent);
}
return s;
}
case FTS_F: /* regular file */
case FTS_NS: /* stat(2) failed */
case FTS_SL: /* symbolic link */
case FTS_SLNONE: /* symbolic link without target */
case FTS_DP: /* postorder directory */
case FTS_DNR: /* unreadable directory */
case FTS_NSOK: /* e.g., dangling symlink */
case FTS_DEFAULT: /* none of the above */
{
/* With --one-file-system, do not attempt to remove a mount point.
fts' FTS_XDEV ensures that we don't process any entries under
the mount point. */
if (ent->fts_info == FTS_DP
&& x->one_file_system
&& FTS_ROOTLEVEL < ent->fts_level
&& ent->fts_statp->st_dev != fts->fts_dev)
{
mark_ancestor_dirs (ent);
error (0, 0, _("skipping %s, since it's on a different device"),
quoteaf (ent->fts_path));
return RM_ERROR;
}
bool is_dir = ent->fts_info == FTS_DP || ent->fts_info == FTS_DNR;
enum RM_status s = prompt (fts, ent, is_dir, x, PA_REMOVE_DIR, NULL);
if (s != RM_OK)
return s;
return excise (fts, ent, x, is_dir);
}
case FTS_DC: /* directory that causes cycles */
emit_cycle_warning (ent->fts_path);
fts_skip_tree (fts, ent);
return RM_ERROR;
case FTS_ERR:
/* Various failures, from opendir to ENOMEM, to failure to "return"
to preceding directory, can provoke this. */
error (0, ent->fts_errno, _("traversal failed: %s"),
quotef (ent->fts_path));
fts_skip_tree (fts, ent);
return RM_ERROR;
default:
error (0, 0, _("unexpected failure: fts_info=%d: %s\n"
"please report to %s"),
ent->fts_info,
quotef (ent->fts_path),
PACKAGE_BUGREPORT);
abort ();
}
}
/* Prompt whether to remove FILENAME (ent->, if required via a combination of
the options specified by X and/or file attributes. If the file may
be removed, return RM_OK. If the user declines to remove the file,
return RM_USER_DECLINED. If not ignoring missing files and we
cannot lstat FILENAME, then return RM_ERROR.
IS_DIR is true if ENT designates a directory, false otherwise.
Depending on MODE, ask whether to 'descend into' or to 'remove' the
directory FILENAME. MODE is ignored when FILENAME is not a directory.
Set *IS_EMPTY_P to T_YES if FILENAME is an empty directory, and it is
appropriate to try to remove it with rmdir (e.g. recursive mode).
Don't even try to set *IS_EMPTY_P when MODE == PA_REMOVE_DIR. */
static enum RM_status
prompt (FTS const *fts, FTSENT const *ent, bool is_dir,
struct rm_options const *x, enum Prompt_action mode,
Ternary *is_empty_p)
{
int fd_cwd = fts->fts_cwd_fd;
char const *full_name = ent->fts_path;
char const *filename = ent->fts_accpath;
if (is_empty_p)
*is_empty_p = T_UNKNOWN;
struct stat st;
struct stat *sbuf = &st;
cache_stat_init (sbuf);
int dirent_type = is_dir ? DT_DIR : DT_UNKNOWN;
int write_protected = 0;
bool is_empty = false;
if (is_empty_p)
{
is_empty = is_empty_dir (fd_cwd, filename);
*is_empty_p = is_empty ? T_YES : T_NO;
}
/* When nonzero, this indicates that we failed to remove a child entry,
either because the user declined an interactive prompt, or due to
some other failure, like permissions. */
if (ent->fts_number)
return RM_USER_DECLINED;
if (x->interactive == RMI_NEVER)
return RM_OK;
int wp_errno = 0;
if (!x->ignore_missing_files
&& ((x->interactive == RMI_ALWAYS) || x->stdin_tty)
&& dirent_type != DT_LNK)
{
write_protected = write_protected_non_symlink (fd_cwd, filename, sbuf);
wp_errno = errno;
}
if (write_protected || x->interactive == RMI_ALWAYS)
{
if (0 <= write_protected && dirent_type == DT_UNKNOWN)
{
if (cache_fstatat (fd_cwd, filename, sbuf, AT_SYMLINK_NOFOLLOW) == 0)
{
if (S_ISLNK (sbuf->st_mode))
dirent_type = DT_LNK;
else if (S_ISDIR (sbuf->st_mode))
dirent_type = DT_DIR;
/* Otherwise it doesn't matter, so leave it DT_UNKNOWN. */
}
else
{
/* This happens, e.g., with 'rm '''. */
write_protected = -1;
wp_errno = errno;
}
}
if (0 <= write_protected)
switch (dirent_type)
{
case DT_LNK:
/* Using permissions doesn't make sense for symlinks. */
if (x->interactive != RMI_ALWAYS)
return RM_OK;
break;
case DT_DIR:
/* Unless we're either deleting directories or deleting
recursively, we want to raise an EISDIR error rather than
prompting the user */
if ( ! (x->recursive || (x->remove_empty_directories && is_empty)))
{
write_protected = -1;
wp_errno = EISDIR;
}
break;
}
char const *quoted_name = quoteaf (full_name);
if (write_protected < 0)
{
error (0, wp_errno, _("cannot remove %s"), quoted_name);
return RM_ERROR;
}
/* Issue the prompt. */
if (dirent_type == DT_DIR
&& mode == PA_DESCEND_INTO_DIR
&& !is_empty)
fprintf (stderr,
(write_protected
? _("%s: descend into write-protected directory %s? ")
: _("%s: descend into directory %s? ")),
program_name, quoted_name);
else
{
if (cache_fstatat (fd_cwd, filename, sbuf, AT_SYMLINK_NOFOLLOW) != 0)
{
error (0, errno, _("cannot remove %s"), quoted_name);
return RM_ERROR;
}
fprintf (stderr,
(write_protected
/* TRANSLATORS: In the next two strings the second %s is
replaced by the type of the file. To avoid grammatical
problems, it may be more convenient to translate these
strings instead as: "%1$s: %3$s is write-protected and
is of type '%2$s' -- remove it? ". */
? _("%s: remove write-protected %s %s? ")
: _("%s: remove %s %s? ")),
program_name, file_type (sbuf), quoted_name);
}
if (!yesno ())
return RM_USER_DECLINED;
}
return RM_OK;
}
/* Return the root mountpoint of the file system on which FILE exists, in
malloced storage. FILE_STAT should be the result of stating FILE.
Give a diagnostic and return NULL if unable to determine the mount point.
Exit if unable to restore current working directory. */
extern char *
find_mount_point (char const *file, struct stat const *file_stat)
{
struct saved_cwd cwd;
struct stat last_stat;
char *mp = NULL; /* The malloc'd mount point. */
if (save_cwd (&cwd) != 0)
{
error (0, errno, _("cannot get current directory"));
return NULL;
}
if (S_ISDIR (file_stat->st_mode))
/* FILE is a directory, so just chdir there directly. */
{
last_stat = *file_stat;
if (chdir (file) < 0)
{
error (0, errno, _("cannot change to directory %s"), quoteaf (file));
return NULL;
}
}
else
/* FILE is some other kind of file; use its directory. */
{
char *xdir = dir_name (file);
char *dir;
ASSIGN_STRDUPA (dir, xdir);
free (xdir);
if (chdir (dir) < 0)
{
error (0, errno, _("cannot change to directory %s"), quoteaf (dir));
return NULL;
}
if (stat (".", &last_stat) < 0)
{
error (0, errno, _("cannot stat current directory (now %s)"),
quoteaf (dir));
goto done;
}
}
/* Now walk up FILE's parents until we find another file system or /,
chdiring as we go. LAST_STAT holds stat information for the last place
we visited. */
while (true)
{
struct stat st;
if (stat ("..", &st) < 0)
{
error (0, errno, _("cannot stat %s"), quoteaf (".."));
goto done;
}
if (st.st_dev != last_stat.st_dev || st.st_ino == last_stat.st_ino)
/* cwd is the mount point. */
break;
if (chdir ("..") < 0)
{
error (0, errno, _("cannot change to directory %s"), quoteaf (".."));
goto done;
}
last_stat = st;
}
/* Finally reached a mount point, see what it's called. */
mp = xgetcwd ();
done:
/* Restore the original cwd. */
{
int save_errno = errno;
if (restore_cwd (&cwd) != 0)
error (EXIT_FAILURE, errno,
_("failed to return to initial working directory"));
free_cwd (&cwd);
errno = save_errno;
}
return mp;
}
/* Change the owner and/or group of the file specified by FTS and ENT
to UID and/or GID as appropriate.
If REQUIRED_UID is not -1, then skip files with any other user ID.
If REQUIRED_GID is not -1, then skip files with any other group ID.
CHOPT specifies additional options.
Return true if successful. */
static bool
change_file_owner (FTS *fts, FTSENT *ent,
uid_t uid, gid_t gid,
uid_t required_uid, gid_t required_gid,
struct Chown_option const *chopt)
{
char const *file_full_name = ent->fts_path;
char const *file = ent->fts_accpath;
struct stat const *file_stats;
struct stat stat_buf;
bool ok = true;
bool do_chown;
bool symlink_changed = true;
switch (ent->fts_info)
{
case FTS_D:
if (chopt->recurse)
{
if (ROOT_DEV_INO_CHECK (chopt->root_dev_ino, ent->fts_statp))
{
/* This happens e.g., with "chown -R --preserve-root 0 /"
and with "chown -RH --preserve-root 0 symlink-to-root". */
ROOT_DEV_INO_WARN (file_full_name);
/* Tell fts not to traverse into this hierarchy. */
fts_set (fts, ent, FTS_SKIP);
/* Ensure that we do not process "/" on the second visit. */
ignore_value (fts_read (fts));
return false;
}
return true;
}
break;
case FTS_DP:
if (! chopt->recurse)
return true;
break;
case FTS_NS:
/* For a top-level file or directory, this FTS_NS (stat failed)
indicator is determined at the time of the initial fts_open call.
With programs like chmod, chown, and chgrp, that modify
permissions, it is possible that the file in question is
accessible when control reaches this point. So, if this is
the first time we've seen the FTS_NS for this file, tell
fts_read to stat it "again". */
if (ent->fts_level == 0 && ent->fts_number == 0)
{
ent->fts_number = 1;
fts_set (fts, ent, FTS_AGAIN);
return true;
}
if (! chopt->force_silent)
error (0, ent->fts_errno, _("cannot access %s"),
quoteaf (file_full_name));
ok = false;
break;
case FTS_ERR:
if (! chopt->force_silent)
error (0, ent->fts_errno, "%s", quotef (file_full_name));
ok = false;
break;
case FTS_DNR:
if (! chopt->force_silent)
error (0, ent->fts_errno, _("cannot read directory %s"),
quoteaf (file_full_name));
ok = false;
break;
case FTS_DC: /* directory that causes cycles */
if (cycle_warning_required (fts, ent))
{
emit_cycle_warning (file_full_name);
return false;
}
break;
default:
break;
}
if (!ok)
{
do_chown = false;
file_stats = NULL;
}
else if (required_uid == (uid_t) -1 && required_gid == (gid_t) -1
&& chopt->verbosity == V_off
&& ! chopt->root_dev_ino
&& ! chopt->affect_symlink_referent)
{
do_chown = true;
file_stats = ent->fts_statp;
}
else
{
file_stats = ent->fts_statp;
/* If this is a symlink and we're dereferencing them,
stat it to get info on the referent. */
if (chopt->affect_symlink_referent && S_ISLNK (file_stats->st_mode))
{
if (fstatat (fts->fts_cwd_fd, file, &stat_buf, 0) != 0)
{
if (! chopt->force_silent)
error (0, errno, _("cannot dereference %s"),
quoteaf (file_full_name));
ok = false;
}
file_stats = &stat_buf;
}
do_chown = (ok
&& (required_uid == (uid_t) -1
|| required_uid == file_stats->st_uid)
&& (required_gid == (gid_t) -1
|| required_gid == file_stats->st_gid));
}
/* This happens when chown -LR --preserve-root encounters a symlink-to-/. */
if (ok
&& FTSENT_IS_DIRECTORY (ent)
&& ROOT_DEV_INO_CHECK (chopt->root_dev_ino, file_stats))
{
ROOT_DEV_INO_WARN (file_full_name);
return false;
}
if (do_chown)
{
if ( ! chopt->affect_symlink_referent)
{
ok = (lchownat (fts->fts_cwd_fd, file, uid, gid) == 0);
/* Ignore any error due to lack of support; POSIX requires
this behavior for top-level symbolic links with -h, and
implies that it's required for all symbolic links. */
if (!ok && errno == EOPNOTSUPP)
{
ok = true;
symlink_changed = false;
}
}
else
{
/* If possible, avoid a race condition with --from=O:G and without the
(-h) --no-dereference option. If fts's stat call determined
that the uid/gid of FILE matched the --from=O:G-selected
owner and group IDs, blindly using chown(2) here could lead
chown(1) or chgrp(1) mistakenly to dereference a *symlink*
to an arbitrary file that an attacker had moved into the
place of FILE during the window between the stat and
chown(2) calls. If FILE is a regular file or a directory
that can be opened, this race condition can be avoided safely. */
enum RCH_status err
= restricted_chown (fts->fts_cwd_fd, file, file_stats, uid, gid,
required_uid, required_gid);
switch (err)
{
case RC_ok:
break;
case RC_do_ordinary_chown:
ok = (chownat (fts->fts_cwd_fd, file, uid, gid) == 0);
break;
case RC_error:
ok = false;
break;
case RC_inode_changed:
/* FIXME: give a diagnostic in this case? */
case RC_excluded:
do_chown = false;
ok = false;
break;
default:
abort ();
}
}
/* On some systems (e.g., GNU/Linux 2.4.x),
the chown function resets the 'special' permission bits.
Do *not* restore those bits; doing so would open a window in
which a malicious user, M, could subvert a chown command run
by some other user and operating on files in a directory
where M has write access. */
if (do_chown && !ok && ! chopt->force_silent)
error (0, errno, (uid != (uid_t) -1
? _("changing ownership of %s")
: _("changing group of %s")),
quoteaf (file_full_name));
}
if (chopt->verbosity != V_off)
{
bool changed =
((do_chown && ok && symlink_changed)
&& ! ((uid == (uid_t) -1 || uid == file_stats->st_uid)
&& (gid == (gid_t) -1 || gid == file_stats->st_gid)));
if (changed || chopt->verbosity == V_high)
{
enum Change_status ch_status =
(!ok ? CH_FAILED
: !symlink_changed ? CH_NOT_APPLIED
: !changed ? CH_NO_CHANGE_REQUESTED
: CH_SUCCEEDED);
char *old_usr = file_stats ? uid_to_name (file_stats->st_uid) : NULL;
char *old_grp = file_stats ? gid_to_name (file_stats->st_gid) : NULL;
describe_change (file_full_name, ch_status,
old_usr, old_grp,
chopt->user_name, chopt->group_name);
free (old_usr);
free (old_grp);
}
}
if ( ! chopt->recurse)
fts_set (fts, ent, FTS_SKIP);
return ok;
}
