/* SPDX-License-Identifier: LGPL-2.1+ */

#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/xattr.h>

#include "chown-recursive.h"
#include "dirent-util.h"
#include "fd-util.h"
#include "macro.h"
#include "stdio-util.h"
#include "strv.h"
#include "user-util.h"

/* Hands the single inode pinned by 'fd' over to uid/gid.
 *
 * 'fd' may be an O_PATH descriptor; 'st' is the caller's stat of that same inode, taken before the call. An
 * invalid uid or gid means "leave that half alone".
 *
 * Returns 0 if the inode already had the requested ownership (nothing is touched, ACLs included), 1 if it was
 * modified, and a negative errno-style value on failure.
 *
 * NOTE(review): the mode written back is st->st_mode & 07777, which includes the set-user-ID and set-group-ID
 * bits. A set-id file in the tree therefore stays set-id under its new owner. Whether that is acceptable depends
 * on how far the new owner and the previous contents of the tree are trusted; confirm against the callers. */
static int chown_one(int fd, const struct stat *st, uid_t uid, gid_t gid) {
        char proc_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
        const char *xattr_name;
        bool uid_settled, gid_settled;

        assert(fd >= 0);
        assert(st);

        /* Each half counts as settled when it was not requested or already matches. */
        uid_settled = !uid_is_valid(uid) || st->st_uid == uid;
        gid_settled = !gid_is_valid(gid) || st->st_gid == gid;
        if (uid_settled && gid_settled)
                return 0;

        /* All changes go through the /proc/self/fd/%i path: it keeps pointing at the inode the fd pins, and
         * unlike fchown()/fchmod() it also works when the fd was opened with O_PATH (the kernel refuses
         * those two calls on O_PATH descriptors). */
        xsprintf(proc_path, "/proc/self/fd/%i", fd);

        /* Strip the access and default POSIX ACLs. Errors that only say "no such attribute" or "not supported
         * here" are tolerated; anything else aborts. */
        FOREACH_STRING(xattr_name, "system.posix_acl_access", "system.posix_acl_default") {
                if (removexattr(proc_path, xattr_name) < 0 &&
                    !IN_SET(errno, ENODATA, EOPNOTSUPP, ENOSYS, ENOTTY))
                        return -errno;
        }

        if (chown(proc_path, uid, gid) < 0)
                return -errno;

        /* Symlinks are left as they are from here on: their access mode is ignored anyway, and depending on
         * kernel and file system a chmod() on them either silently does nothing or fails outright. */
        if (S_ISLNK(st->st_mode))
                return 1;

        /* chown() and the ACL removal above can alter the mode; put back the bits recorded in 'st'. */
        if (chmod(proc_path, st->st_mode & 07777) < 0)
                return -errno;

        return 1;
}

/* Recursively changes ownership of everything below the directory referred to by 'fd', then of the directory
 * itself.
 *
 * 'fd' must be a regular (non-O_PATH) directory fd, since it is passed to fdopendir(). The function consumes it
 * on every path: on success of fdopendir() it belongs to 'd', on failure it is closed explicitly. 'st' is the
 * caller's stat of that directory and is only used for the final chown_one() call on the directory itself.
 *
 * Returns 1 if at least one inode was modified, 0 if nothing needed changing, negative errno-style value on the
 * first failure. A failure aborts the walk, leaving entries visited so far changed and the rest untouched.
 *
 * NOTE(review): non-directory entries are handed to chown_one() without looking at fst.st_nlink. chown() acts on
 * the inode, so a file that is also hard-linked from outside this tree changes owner there too. Whether that
 * matters depends on who was able to create entries in the tree; confirm against callers. */
static int chown_recursive_internal(int fd, const struct stat *st, uid_t uid, gid_t gid) {
        _cleanup_closedir_ DIR *d = NULL;
        bool changed = false;
        struct dirent *de;
        int r;

        assert(fd >= 0);
        assert(st);

        d = fdopendir(fd);
        if (!d) {
                /* NOTE(review): errno is read after safe_close(); this presumes safe_close() leaves errno
                 * untouched. Confirm in fd-util. */
                safe_close(fd);
                return -errno;
        }

        FOREACH_DIRENT_ALL(de, d, return -errno) {
                /* Closed automatically at the end of each iteration, including on the early returns below. */
                _cleanup_close_ int path_fd = -1;
                struct stat fst;

                if (dot_or_dot_dot(de->d_name))
                        continue;

                /* Let's pin the child inode we want to fix now with an O_PATH fd, so that it cannot be swapped out
                 * while we manipulate it. O_NOFOLLOW makes this pin a symlink itself rather than its target. */
                path_fd = openat(dirfd(d), de->d_name, O_PATH|O_CLOEXEC|O_NOFOLLOW);
                if (path_fd < 0)
                        return -errno;

                /* Type and ownership are read from the pinned fd, not from the name, so the decision below and
                 * the later change apply to the same inode. */
                if (fstat(path_fd, &fst) < 0)
                        return -errno;

                if (S_ISDIR(fst.st_mode)) {
                        int subdir_fd;

                        /* Convert it to a "real" (i.e. non-O_PATH) fd now */
                        subdir_fd = fd_reopen(path_fd, O_RDONLY|O_CLOEXEC|O_NOATIME);
                        if (subdir_fd < 0)
                                return subdir_fd;

                        r = chown_recursive_internal(subdir_fd, &fst, uid, gid); /* takes possession of subdir_fd even on failure */
                        if (r < 0)
                                return r;
                        if (r > 0)
                                changed = true;
                } else {
                        /* Everything that is not a directory (regular files, symlinks, device nodes, ...) is
                         * changed in place through the pinned O_PATH fd. */
                        r = chown_one(path_fd, &fst, uid, gid);
                        if (r < 0)
                                return r;
                        if (r > 0)
                                changed = true;
                }
        }

        /* The directory itself comes last, after all of its entries have been processed. */
        r = chown_one(dirfd(d), st, uid, gid);
        if (r < 0)
                return r;

        return r > 0 || changed;
}

/* Recursively changes the ownership of the directory tree rooted at 'path' to uid/gid.
 *
 * An invalid uid or gid leaves that half of the ownership alone; if both are invalid nothing is changed, but
 * 'path' must still be openable as a directory. Returns a positive value if anything was modified, 0 if not,
 * and a negative errno-style value on failure.
 *
 * O_NOFOLLOW refuses a symlink only as the final component of 'path'; symlinks in earlier components are still
 * followed, so the caller has to vouch for the parent directories.
 *
 * NOTE(review): only the top-level directory's owner decides whether the tree is walked at all. If it already
 * matches, entries below it are never inspected and keep whatever owner they have. */
int path_chown_recursive(const char *path, uid_t uid, gid_t gid) {
        _cleanup_close_ int fd = -1;
        struct stat st;
        bool uid_pending, gid_pending;

        fd = open(path, O_RDONLY|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
        if (fd < 0)
                return -errno;

        /* Neither a user nor a group was requested: nothing to do. */
        if (!(uid_is_valid(uid) || gid_is_valid(gid)))
                return 0;

        if (fstat(fd, &st) < 0)
                return -errno;

        /* Shortcut: when the top-level directory already carries the requested ownership we assume the rest
         * of the tree is fine as well and skip the descent entirely. */
        uid_pending = uid_is_valid(uid) && st.st_uid != uid;
        gid_pending = gid_is_valid(gid) && st.st_gid != gid;
        if (!uid_pending && !gid_pending)
                return 0;

        /* The fd is donated to the callee, which disposes of it whether it succeeds or fails. */
        return chown_recursive_internal(TAKE_FD(fd), &st, uid, gid);
}