summaryrefslogtreecommitdiff
path: root/libbb
diff options
context:
space:
mode:
authorDenis Vlasenko <vda.linux@googlemail.com>2007-03-15 13:33:37 +0000
committerDenis Vlasenko <vda.linux@googlemail.com>2007-03-15 13:33:37 +0000
commit54d14ca1a2aa965d13055719e233032193a4daf2 (patch)
tree2cdc64053f17f626502f9b1066b5bb24c18d8935 /libbb
parent24af7201e98a9692e1dfa9976c1a6ba97013ca23 (diff)
downloadbusybox-w32-54d14ca1a2aa965d13055719e233032193a4daf2.tar.gz
busybox-w32-54d14ca1a2aa965d13055719e233032193a4daf2.tar.bz2
busybox-w32-54d14ca1a2aa965d13055719e233032193a4daf2.zip
copy_file: comment out one condition which is always false.
Add comment explaining POSIX rules for cp - and why these rules are dangerous. Provide conditionally compiled code for both POSIX and safe behaviors, select safe for now. Code shrunk by ~80 bytes.
Diffstat (limited to 'libbb')
-rw-r--r--libbb/copy_file.c78
1 files changed, 50 insertions, 28 deletions
diff --git a/libbb/copy_file.c b/libbb/copy_file.c
index 636fbdc1d..58d657b02 100644
--- a/libbb/copy_file.c
+++ b/libbb/copy_file.c
@@ -11,13 +11,37 @@
11 11
12#include "libbb.h" 12#include "libbb.h"
13 13
14static int retry_overwrite(const char *dest, int flags) 14// POSIX: if exists and -i, ask (w/o -i assume yes).
15// Then open w/o EXCL (yes, not unlink!).
16// If open still fails and -f, try unlink, then try open again.
17// Result: a mess:
18// If dest is a softlink, we overwrite softlink's destination!
19// (or fail, if it points to dir/nonexistent location/etc).
20// This is strange, but POSIX-correct.
21// coreutils cp has --remove-destination to override this...
22
23#define DO_POSIX_CP 0 /* 1 - POSIX behavior, 0 - safe behavior */
24
25
26static int ask_and_unlink(const char *dest, int flags)
15{ 27{
28 // If !DO_POSIX_CP, act as if -f is always in effect - we don't want
29 // "'file' exists" msg, we want unlink to be done (silently unless -i
30 // is also in effect).
31 // This prevents safe way from asking more questions than POSIX does.
32#if DO_POSIX_CP
16 if (!(flags & (FILEUTILS_FORCE|FILEUTILS_INTERACTIVE))) { 33 if (!(flags & (FILEUTILS_FORCE|FILEUTILS_INTERACTIVE))) {
17 fprintf(stderr, "'%s' exists\n", dest); 34 fprintf(stderr, "'%s' exists\n", dest);
18 return -1; 35 return -1;
19 } 36 }
37#endif
38
39 // TODO: maybe we should do it only if ctty is present?
20 if (flags & FILEUTILS_INTERACTIVE) { 40 if (flags & FILEUTILS_INTERACTIVE) {
41 // We would not do POSIX insanity. -i asks,
42 // then _unlinks_ the offender. Presto.
43 // (No opening without O_EXCL, no unlinks only if -f)
44 // Or else we will end up having 3 open()s!
21 fprintf(stderr, "%s: overwrite '%s'? ", applet_name, dest); 45 fprintf(stderr, "%s: overwrite '%s'? ", applet_name, dest);
22 if (!bb_ask_confirmation()) 46 if (!bb_ask_confirmation())
23 return 0; // not allowed to overwrite 47 return 0; // not allowed to overwrite
@@ -29,6 +53,11 @@ static int retry_overwrite(const char *dest, int flags)
29 return 1; // ok (to try again) 53 return 1; // ok (to try again)
30} 54}
31 55
56/* Return:
57 * -1 error, copy not made
58 * 0 copy is made or user answered "no" in interactive mode
59 * (failures to preserve mode/owner/times are not reported in exit code)
60 */
32int copy_file(const char *source, const char *dest, int flags) 61int copy_file(const char *source, const char *dest, int flags)
33{ 62{
34 struct stat source_stat; 63 struct stat source_stat;
@@ -72,13 +101,11 @@ int copy_file(const char *source, const char *dest, int flags)
72 freecon(con); 101 freecon(con);
73 return -1; 102 return -1;
74 } 103 }
104 } else if (errno == ENOTSUP || errno == ENODATA) {
105 setfscreatecon_or_die(NULL);
75 } else { 106 } else {
76 if (errno == ENOTSUP || errno == ENODATA) { 107 bb_perror_msg("cannot lgetfilecon %s", source);
77 setfscreatecon_or_die(NULL); 108 return -1;
78 } else {
79 bb_perror_msg("cannot lgetfilecon %s", source);
80 return -1;
81 }
82 } 109 }
83 } 110 }
84#endif 111#endif
@@ -153,7 +180,7 @@ int copy_file(const char *source, const char *dest, int flags)
153 // (but realpath returns NULL on dangling symlinks...) 180 // (but realpath returns NULL on dangling symlinks...)
154 lf = (flags & FILEUTILS_MAKE_SOFTLINK) ? symlink : link; 181 lf = (flags & FILEUTILS_MAKE_SOFTLINK) ? symlink : link;
155 if (lf(source, dest) < 0) { 182 if (lf(source, dest) < 0) {
156 ovr = retry_overwrite(dest, flags); 183 ovr = ask_and_unlink(dest, flags);
157 if (ovr <= 0) 184 if (ovr <= 0)
158 return ovr; 185 return ovr;
159 if (lf(source, dest) < 0) { 186 if (lf(source, dest) < 0) {
@@ -164,8 +191,8 @@ int copy_file(const char *source, const char *dest, int flags)
164 return 0; 191 return 0;
165 192
166 } else if (S_ISREG(source_stat.st_mode) 193 } else if (S_ISREG(source_stat.st_mode)
167 // Huh? DEREF uses stat, which never returns links IIRC... 194 /* Huh? DEREF uses stat, which never returns links! */
168 || (FLAGS_DEREF && S_ISLNK(source_stat.st_mode)) 195 /* || (FLAGS_DEREF && S_ISLNK(source_stat.st_mode)) */
169 ) { 196 ) {
170 int src_fd; 197 int src_fd;
171 int dst_fd; 198 int dst_fd;
@@ -176,7 +203,7 @@ int copy_file(const char *source, const char *dest, int flags)
176 link_name = is_in_ino_dev_hashtable(&source_stat); 203 link_name = is_in_ino_dev_hashtable(&source_stat);
177 if (link_name) { 204 if (link_name) {
178 if (link(link_name, dest) < 0) { 205 if (link(link_name, dest) < 0) {
179 ovr = retry_overwrite(dest, flags); 206 ovr = ask_and_unlink(dest, flags);
180 if (ovr <= 0) 207 if (ovr <= 0)
181 return ovr; 208 return ovr;
182 if (link(link_name, dest) < 0) { 209 if (link(link_name, dest) < 0) {
@@ -196,27 +223,21 @@ int copy_file(const char *source, const char *dest, int flags)
196 return -1; 223 return -1;
197 } 224 }
198 225
199 // POSIX: if exists and -i, ask (w/o -i assume yes). 226#if DO_POSIX_CP /* POSIX way (a security problem versus symlink attacks!): */
200 // Then open w/o EXCL.
201 // If open still fails and -f, try unlink, then try open again.
202 // Result: a mess:
203 // If dest is a softlink, we overwrite softlink's destination!
204 // (or fail, if it points to dir/nonexistent location/etc).
205 // This is strange, but POSIX-correct.
206 // coreutils cp has --remove-destination to override this...
207 dst_fd = open(dest, (flags & FILEUTILS_INTERACTIVE) 227 dst_fd = open(dest, (flags & FILEUTILS_INTERACTIVE)
208 ? O_WRONLY|O_CREAT|O_TRUNC|O_EXCL 228 ? O_WRONLY|O_CREAT|O_EXCL
209 : O_WRONLY|O_CREAT|O_TRUNC, source_stat.st_mode); 229 : O_WRONLY|O_CREAT|O_TRUNC, source_stat.st_mode);
230#else /* safe way: */
231 dst_fd = open(dest, O_WRONLY|O_CREAT|O_EXCL, source_stat.st_mode);
232#endif
210 if (dst_fd == -1) { 233 if (dst_fd == -1) {
211 // We would not do POSIX insanity. -i asks, 234 ovr = ask_and_unlink(dest, flags);
212 // then _unlinks_ the offender. Presto.
213 // Or else we will end up having 3 open()s!
214 ovr = retry_overwrite(dest, flags);
215 if (ovr <= 0) { 235 if (ovr <= 0) {
216 close(src_fd); 236 close(src_fd);
217 return ovr; 237 return ovr;
218 } 238 }
219 dst_fd = open(dest, O_WRONLY|O_CREAT|O_TRUNC, source_stat.st_mode); 239 /* It shouldn't exist. If it exists, do not open (symlink attack?) */
240 dst_fd = open(dest, O_WRONLY|O_CREAT|O_EXCL, source_stat.st_mode);
220 if (dst_fd == -1) { 241 if (dst_fd == -1) {
221 bb_perror_msg("cannot open '%s'", dest); 242 bb_perror_msg("cannot open '%s'", dest);
222 close(src_fd); 243 close(src_fd);
@@ -227,7 +248,8 @@ int copy_file(const char *source, const char *dest, int flags)
227#if ENABLE_SELINUX 248#if ENABLE_SELINUX
228 if (((flags & FILEUTILS_PRESERVE_SECURITY_CONTEXT) 249 if (((flags & FILEUTILS_PRESERVE_SECURITY_CONTEXT)
229 || (flags & FILEUTILS_SET_SECURITY_CONTEXT)) 250 || (flags & FILEUTILS_SET_SECURITY_CONTEXT))
230 && is_selinux_enabled() > 0) { 251 && is_selinux_enabled() > 0
252 ) {
231 security_context_t con; 253 security_context_t con;
232 if (getfscreatecon(&con) == -1) { 254 if (getfscreatecon(&con) == -1) {
233 bb_perror_msg("getfscreatecon"); 255 bb_perror_msg("getfscreatecon");
@@ -260,7 +282,7 @@ int copy_file(const char *source, const char *dest, int flags)
260 ) { 282 ) {
261 // We are lazy here, a bit lax with races... 283 // We are lazy here, a bit lax with races...
262 if (dest_exists) { 284 if (dest_exists) {
263 ovr = retry_overwrite(dest, flags); 285 ovr = ask_and_unlink(dest, flags);
264 if (ovr <= 0) 286 if (ovr <= 0)
265 return ovr; 287 return ovr;
266 } 288 }
@@ -273,7 +295,7 @@ int copy_file(const char *source, const char *dest, int flags)
273 char *lpath; 295 char *lpath;
274 296
275 lpath = xmalloc_readlink_or_warn(source); 297 lpath = xmalloc_readlink_or_warn(source);
276 if (symlink(lpath, dest) < 0) { 298 if (lpath && symlink(lpath, dest) < 0) {
277 bb_perror_msg("cannot create symlink '%s'", dest); 299 bb_perror_msg("cannot create symlink '%s'", dest);
278 free(lpath); 300 free(lpath);
279 return -1; 301 return -1;
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-17 00:35:45 +0000