Patrick Williams | 03514f1 | 2024-04-05 07:04:11 -0500 | [diff] [blame^] | 1 | From 4842cff4f1329f0b5034b529d56f8ad1f234ac4c Mon Sep 17 00:00:00 2001 |
Andrew Geissler | 595f630 | 2022-01-24 19:11:47 +0000 | [diff] [blame] | 2 | From: Andre McCurdy <armccurdy@gmail.com> |
| 3 | Date: Tue, 10 Oct 2017 14:33:30 -0700 |
Patrick Williams | 03514f1 | 2024-04-05 07:04:11 -0500 | [diff] [blame^] | 4 | Subject: [PATCH 07/22] don't pass AT_SYMLINK_NOFOLLOW flag to faccessat() |
Andrew Geissler | 595f630 | 2022-01-24 19:11:47 +0000 | [diff] [blame] | 5 | |
| 6 | Avoid using AT_SYMLINK_NOFOLLOW flag. It doesn't seem like the right |
| 7 | thing to do and it's not portable (not supported by musl). See: |
| 8 | |
| 9 | http://lists.landley.net/pipermail/toybox-landley.net/2014-September/003610.html |
| 10 | http://www.openwall.com/lists/musl/2015/02/05/2 |
| 11 | |
| 12 | Note that laccess() is never passing AT_EACCESS so a lot of the |
| 13 | discussion in the links above doesn't apply. Note also that |
| 14 | (currently) all systemd callers of laccess() pass mode as F_OK, so |
| 15 | only check for existence of a file, not access permissions. |
| 16 | Therefore, in this case, the only distiction between faccessat() |
| 17 | with (flag == 0) and (flag == AT_SYMLINK_NOFOLLOW) is the behaviour |
| 18 | for broken symlinks; laccess() on a broken symlink will succeed with |
| 19 | (flag == AT_SYMLINK_NOFOLLOW) and fail (flag == 0). |
| 20 | |
| 21 | The laccess() macros was added to systemd some time ago and it's not |
| 22 | clear if or why it needs to return success for broken symlinks. Maybe |
| 23 | just historical and not actually necessary or desired behaviour? |
| 24 | |
| 25 | Upstream-Status: Inappropriate [musl specific] |
| 26 | |
| 27 | Signed-off-by: Andre McCurdy <armccurdy@gmail.com> |
Andrew Geissler | 595f630 | 2022-01-24 19:11:47 +0000 | [diff] [blame] | 28 | --- |
Patrick Williams | da29531 | 2023-12-05 16:48:56 -0600 | [diff] [blame] | 29 | src/basic/fs-util.h | 21 ++++++++++++++++++++- |
Andrew Geissler | 595f630 | 2022-01-24 19:11:47 +0000 | [diff] [blame] | 30 | src/shared/base-filesystem.c | 6 +++--- |
Patrick Williams | da29531 | 2023-12-05 16:48:56 -0600 | [diff] [blame] | 31 | 2 files changed, 23 insertions(+), 4 deletions(-) |
Andrew Geissler | 595f630 | 2022-01-24 19:11:47 +0000 | [diff] [blame] | 32 | |
Patrick Williams | da29531 | 2023-12-05 16:48:56 -0600 | [diff] [blame] | 33 | diff --git a/src/basic/fs-util.h b/src/basic/fs-util.h |
Patrick Williams | 03514f1 | 2024-04-05 07:04:11 -0500 | [diff] [blame^] | 34 | index 1023ab73ca..c78ff6f27f 100644 |
Andrew Geissler | 595f630 | 2022-01-24 19:11:47 +0000 | [diff] [blame] | 35 | --- a/src/basic/fs-util.h |
| 36 | +++ b/src/basic/fs-util.h |
Patrick Williams | da29531 | 2023-12-05 16:48:56 -0600 | [diff] [blame] | 37 | @@ -49,8 +49,27 @@ int futimens_opath(int fd, const struct timespec ts[2]); |
Andrew Geissler | 595f630 | 2022-01-24 19:11:47 +0000 | [diff] [blame] | 38 | int fd_warn_permissions(const char *path, int fd); |
| 39 | int stat_warn_permissions(const char *path, const struct stat *st); |
| 40 | |
| 41 | +/* |
| 42 | + Avoid using AT_SYMLINK_NOFOLLOW flag. It doesn't seem like the right thing to |
| 43 | + do and it's not portable (not supported by musl). See: |
| 44 | + |
| 45 | + http://lists.landley.net/pipermail/toybox-landley.net/2014-September/003610.html |
| 46 | + http://www.openwall.com/lists/musl/2015/02/05/2 |
| 47 | + |
| 48 | + Note that laccess() is never passing AT_EACCESS so a lot of the discussion in |
| 49 | + the links above doesn't apply. Note also that (currently) all systemd callers |
| 50 | + of laccess() pass mode as F_OK, so only check for existence of a file, not |
| 51 | + access permissions. Therefore, in this case, the only distiction between |
| 52 | + faccessat() with (flag == 0) and (flag == AT_SYMLINK_NOFOLLOW) is the |
| 53 | + behaviour for broken symlinks; laccess() on a broken symlink will succeed |
| 54 | + with (flag == AT_SYMLINK_NOFOLLOW) and fail (flag == 0). |
| 55 | + |
| 56 | + The laccess() macros was added to systemd some time ago and it's not clear if |
| 57 | + or why it needs to return success for broken symlinks. Maybe just historical |
| 58 | + and not actually necessary or desired behaviour? |
| 59 | +*/ |
| 60 | #define laccess(path, mode) \ |
| 61 | - RET_NERRNO(faccessat(AT_FDCWD, (path), (mode), AT_SYMLINK_NOFOLLOW)) |
| 62 | + RET_NERRNO(faccessat(AT_FDCWD, (path), (mode), 0)) |
| 63 | |
| 64 | int touch_file(const char *path, bool parents, usec_t stamp, uid_t uid, gid_t gid, mode_t mode); |
Patrick Williams | da29531 | 2023-12-05 16:48:56 -0600 | [diff] [blame] | 65 | |
| 66 | diff --git a/src/shared/base-filesystem.c b/src/shared/base-filesystem.c |
Patrick Williams | 03514f1 | 2024-04-05 07:04:11 -0500 | [diff] [blame^] | 67 | index 569ef466c3..7ae921a113 100644 |
Andrew Geissler | 595f630 | 2022-01-24 19:11:47 +0000 | [diff] [blame] | 68 | --- a/src/shared/base-filesystem.c |
| 69 | +++ b/src/shared/base-filesystem.c |
Patrick Williams | da29531 | 2023-12-05 16:48:56 -0600 | [diff] [blame] | 70 | @@ -145,7 +145,7 @@ int base_filesystem_create_fd(int fd, const char *root, uid_t uid, gid_t gid) { |
| 71 | /* The "root" parameter is decoration only – it's only used as part of log messages */ |
Andrew Geissler | 595f630 | 2022-01-24 19:11:47 +0000 | [diff] [blame] | 72 | |
| 73 | for (size_t i = 0; i < ELEMENTSOF(table); i++) { |
| 74 | - if (faccessat(fd, table[i].dir, F_OK, AT_SYMLINK_NOFOLLOW) >= 0) |
| 75 | + if (faccessat(fd, table[i].dir, F_OK, 0) >= 0) |
| 76 | continue; |
| 77 | |
Patrick Williams | da29531 | 2023-12-05 16:48:56 -0600 | [diff] [blame] | 78 | if (table[i].target) { /* Create as symlink? */ |
| 79 | @@ -153,7 +153,7 @@ int base_filesystem_create_fd(int fd, const char *root, uid_t uid, gid_t gid) { |
Andrew Geissler | 595f630 | 2022-01-24 19:11:47 +0000 | [diff] [blame] | 80 | |
| 81 | /* check if one of the targets exists */ |
| 82 | NULSTR_FOREACH(s, table[i].target) { |
| 83 | - if (faccessat(fd, s, F_OK, AT_SYMLINK_NOFOLLOW) < 0) |
| 84 | + if (faccessat(fd, s, F_OK, 0) < 0) |
| 85 | continue; |
| 86 | |
| 87 | /* check if a specific file exists at the target path */ |
Patrick Williams | da29531 | 2023-12-05 16:48:56 -0600 | [diff] [blame] | 88 | @@ -164,7 +164,7 @@ int base_filesystem_create_fd(int fd, const char *root, uid_t uid, gid_t gid) { |
Andrew Geissler | 595f630 | 2022-01-24 19:11:47 +0000 | [diff] [blame] | 89 | if (!p) |
| 90 | return log_oom(); |
| 91 | |
| 92 | - if (faccessat(fd, p, F_OK, AT_SYMLINK_NOFOLLOW) < 0) |
| 93 | + if (faccessat(fd, p, F_OK, 0) < 0) |
| 94 | continue; |
| 95 | } |
| 96 | |
Patrick Williams | da29531 | 2023-12-05 16:48:56 -0600 | [diff] [blame] | 97 | -- |
Patrick Williams | 03514f1 | 2024-04-05 07:04:11 -0500 | [diff] [blame^] | 98 | 2.34.1 |
Patrick Williams | da29531 | 2023-12-05 16:48:56 -0600 | [diff] [blame] | 99 | |