1 ///////////////////////////////////////////////////////////////////////////////
4 /// \brief File opening, unlinking, and closing
6 // Author: Lasse Collin
8 // This file has been put into the public domain.
9 // You can do whatever you want with this file.
11 ///////////////////////////////////////////////////////////////////////////////
21 #if defined(HAVE_FUTIMES) || defined(HAVE_FUTIMESAT) || defined(HAVE_UTIMES)
22 # include <sys/time.h>
23 #elif defined(HAVE_UTIME)
36 # include "open_stdxxx.h"
37 static bool warn_fchown;
45 // Make sure that stdin, stdout, and and stderr are connected to
46 // a valid file descriptor. Exit immediatelly with exit code ERROR
47 // if we cannot make the file descriptors valid. Maybe we should
48 // print an error message, but our stderr could be screwed anyway.
51 // If fchown() fails setting the owner, we warn about it only if
53 warn_fchown = geteuid() == 0;
57 // Avoid doing useless things when statting files.
58 // This isn't important but doesn't hurt.
59 _djstat_flags = _STAT_INODE | _STAT_EXEC_EXT
60 | _STAT_EXEC_MAGIC | _STAT_DIRSIZE;
67 /// \brief Unlinks a file
69 /// This tries to verify that the file being unlinked really is the file that
70 /// we want to unlink by verifying device and inode numbers. There's still
71 /// a small unavoidable race, but this is much better than nothing (the file
72 /// could have been moved/replaced even hours earlier).
74 io_unlink(const char *name, const struct stat *known_st)
77 // On Windows, st_ino is meaningless, so don't bother testing it.
78 // Just silence a compiler warning.
83 if (lstat(name, &new_st)
84 || new_st.st_dev != known_st->st_dev
85 || new_st.st_ino != known_st->st_ino)
86 message_error(_("%s: File seems to be moved, not removing"),
90 // There's a race condition between lstat() and unlink()
91 // but at least we have tried to avoid removing wrong file.
93 message_error(_("%s: Cannot remove: %s"),
94 name, strerror(errno));
100 /// \brief Copies owner/group and permissions
102 /// \todo ACL and EA support
105 io_copy_attrs(const file_pair *pair)
107 // Skip chown and chmod on Windows.
109 // This function is more tricky than you may think at first.
110 // Blindly copying permissions may permit users to access the
111 // destination file who didn't have permission to access the
114 // Try changing the owner of the file. If we aren't root or the owner
115 // isn't already us, fchown() probably doesn't succeed. We warn
116 // about failing fchown() only if we are root.
117 if (fchown(pair->dest_fd, pair->src_st.st_uid, -1) && warn_fchown)
118 message_warning(_("%s: Cannot set the file owner: %s"),
119 pair->dest_name, strerror(errno));
123 if (fchown(pair->dest_fd, -1, pair->src_st.st_gid)) {
124 message_warning(_("%s: Cannot set the file group: %s"),
125 pair->dest_name, strerror(errno));
126 // We can still safely copy some additional permissions:
127 // `group' must be at least as strict as `other' and
130 // NOTE: After this, the owner of the source file may
131 // get additional permissions. This shouldn't be too bad,
132 // because the owner would have had permission to chmod
133 // the original file anyway.
134 mode = ((pair->src_st.st_mode & 0070) >> 3)
135 & (pair->src_st.st_mode & 0007);
136 mode = (pair->src_st.st_mode & 0700) | (mode << 3) | mode;
138 // Drop the setuid, setgid, and sticky bits.
139 mode = pair->src_st.st_mode & 0777;
142 if (fchmod(pair->dest_fd, mode))
143 message_warning(_("%s: Cannot set the file permissions: %s"),
144 pair->dest_name, strerror(errno));
147 // Copy the timestamps. We have several possible ways to do this, of
148 // which some are better in both security and precision.
150 // First, get the nanosecond part of the timestamps. As of writing,
151 // it's not standardized by POSIX, and there are several names for
152 // the same thing in struct stat.
156 # if defined(HAVE_STRUCT_STAT_ST_ATIM_TV_NSEC)
158 atime_nsec = pair->src_st.st_atim.tv_nsec;
159 mtime_nsec = pair->src_st.st_mtim.tv_nsec;
161 # elif defined(HAVE_STRUCT_STAT_ST_ATIMESPEC_TV_NSEC)
163 atime_nsec = pair->src_st.st_atimespec.tv_nsec;
164 mtime_nsec = pair->src_st.st_mtimespec.tv_nsec;
166 # elif defined(HAVE_STRUCT_STAT_ST_ATIMENSEC)
167 // GNU and BSD without extensions
168 atime_nsec = pair->src_st.st_atimensec;
169 mtime_nsec = pair->src_st.st_mtimensec;
171 # elif defined(HAVE_STRUCT_STAT_ST_UATIME)
173 atime_nsec = pair->src_st.st_uatime * 1000;
174 mtime_nsec = pair->src_st.st_umtime * 1000;
176 # elif defined(HAVE_STRUCT_STAT_ST_ATIM_ST__TIM_TV_NSEC)
178 atime_nsec = pair->src_st.st_atim.st__tim.tv_nsec;
179 mtime_nsec = pair->src_st.st_mtim.st__tim.tv_nsec;
187 // Construct a structure to hold the timestamps and call appropriate
188 // function to set the timestamps.
189 #if defined(HAVE_FUTIMENS)
190 // Use nanosecond precision.
191 struct timespec tv[2];
192 tv[0].tv_sec = pair->src_st.st_atime;
193 tv[0].tv_nsec = atime_nsec;
194 tv[1].tv_sec = pair->src_st.st_mtime;
195 tv[1].tv_nsec = mtime_nsec;
197 (void)futimens(pair->dest_fd, tv);
199 #elif defined(HAVE_FUTIMES) || defined(HAVE_FUTIMESAT) || defined(HAVE_UTIMES)
200 // Use microsecond precision.
201 struct timeval tv[2];
202 tv[0].tv_sec = pair->src_st.st_atime;
203 tv[0].tv_usec = atime_nsec / 1000;
204 tv[1].tv_sec = pair->src_st.st_mtime;
205 tv[1].tv_usec = mtime_nsec / 1000;
207 # if defined(HAVE_FUTIMES)
208 (void)futimes(pair->dest_fd, tv);
209 # elif defined(HAVE_FUTIMESAT)
210 (void)futimesat(pair->dest_fd, NULL, tv);
212 // Argh, no function to use a file descriptor to set the timestamp.
213 (void)utimes(pair->dest_name, tv);
216 #elif defined(HAVE_UTIME)
217 // Use one-second precision. utime() doesn't support using file
218 // descriptor either. Some systems have broken utime() prototype
219 // so don't make this const.
220 struct utimbuf buf = {
221 .actime = pair->src_st.st_atime,
222 .modtime = pair->src_st.st_mtime,
229 (void)utime(pair->dest_name, &buf);
236 /// Opens the source file. Returns false on success, true on error.
238 io_open_src(file_pair *pair)
240 // There's nothing to open when reading from stdin.
241 if (pair->src_name == stdin_filename) {
242 pair->src_fd = STDIN_FILENO;
244 setmode(STDIN_FILENO, O_BINARY);
249 // We accept only regular files if we are writing the output
250 // to disk too, and if --force was not given.
251 const bool reg_files_only = !opt_stdout && !opt_force;
254 int flags = O_RDONLY | O_BINARY | O_NOCTTY;
257 // If we accept only regular files, we need to be careful to avoid
258 // problems with special files like devices and FIFOs. O_NONBLOCK
259 // prevents blocking when opening such files. When we want to accept
260 // special files, we must not use O_NONBLOCK, or otherwise we won't
261 // block waiting e.g. FIFOs to become readable.
266 #if defined(O_NOFOLLOW)
269 #elif !defined(DOSLIKE)
270 // Some POSIX-like systems lack O_NOFOLLOW (it's not required
271 // by POSIX). Check for symlinks with a separate lstat() on
273 if (reg_files_only) {
275 if (lstat(pair->src_name, &st)) {
276 message_error("%s: %s", pair->src_name,
280 } else if (S_ISLNK(st.st_mode)) {
281 message_warning(_("%s: Is a symbolic link, "
282 "skipping"), pair->src_name);
288 // Try to open the file. If we are accepting non-regular files,
289 // unblock the caught signals so that open() can be interrupted
290 // if it blocks e.g. due to a FIFO file.
294 // Maybe this wouldn't need a loop, since all the signal handlers for
295 // which we don't use SA_RESTART set user_abort to true. But it
296 // doesn't hurt to have it just in case.
298 pair->src_fd = open(pair->src_name, flags);
299 } while (pair->src_fd == -1 && errno == EINTR && !user_abort);
304 if (pair->src_fd == -1) {
305 // If we were interrupted, don't display any error message.
306 if (errno == EINTR) {
307 // All the signals that don't have SA_RESTART
314 // Give an understandable error message in if reason
315 // for failing was that the file was a symbolic link.
317 // Note that at least Linux, OpenBSD, Solaris, and Darwin
318 // use ELOOP to indicate if O_NOFOLLOW was the reason
319 // that open() failed. Because there may be
320 // directories in the pathname, ELOOP may occur also
321 // because of a symlink loop in the directory part.
322 // So ELOOP doesn't tell us what actually went wrong.
324 // FreeBSD associates EMLINK with O_NOFOLLOW and
325 // Tru64 uses ENOTSUP. We use these directly here
326 // and skip the lstat() call and the associated race.
327 // I want to hear if there are other kernels that
328 // fail with something else than ELOOP with O_NOFOLLOW.
329 bool was_symlink = false;
331 # if defined(__FreeBSD__) || defined(__DragonFly__)
335 # elif defined(__digital__) && defined(__unix__)
336 if (errno == ENOTSUP)
339 # elif defined(__NetBSD__)
340 // FIXME? As of 2008-11-20, NetBSD doesn't document what
341 // errno is used with O_NOFOLLOW. It seems to be EFTYPE,
342 // but since it isn't documented, it may be wrong to rely
348 if (errno == ELOOP && reg_files_only) {
349 const int saved_errno = errno;
351 if (lstat(pair->src_name, &st) == 0
352 && S_ISLNK(st.st_mode))
360 message_warning(_("%s: Is a symbolic link, "
361 "skipping"), pair->src_name);
364 // Something else than O_NOFOLLOW failing
365 // (assuming that the race conditions didn't
367 message_error("%s: %s", pair->src_name,
374 // Drop O_NONBLOCK, which is used only when we are accepting only
375 // regular files. After the open() call, we want things to block
376 // instead of giving EAGAIN.
377 if (reg_files_only) {
378 flags = fcntl(pair->src_fd, F_GETFL);
382 flags &= ~O_NONBLOCK;
384 if (fcntl(pair->src_fd, F_SETFL, flags))
389 // Stat the source file. We need the result also when we copy
390 // the permissions, and when unlinking.
391 if (fstat(pair->src_fd, &pair->src_st))
394 if (S_ISDIR(pair->src_st.st_mode)) {
395 message_warning(_("%s: Is a directory, skipping"),
400 if (reg_files_only) {
401 if (!S_ISREG(pair->src_st.st_mode)) {
402 message_warning(_("%s: Not a regular file, "
403 "skipping"), pair->src_name);
407 // These are meaningless on Windows.
409 if (pair->src_st.st_mode & (S_ISUID | S_ISGID)) {
410 // gzip rejects setuid and setgid files even
411 // when --force was used. bzip2 doesn't check
412 // for them, but calls fchown() after fchmod(),
413 // and many systems automatically drop setuid
414 // and setgid bits there.
416 // We accept setuid and setgid files if
417 // --force was used. We drop these bits
418 // explicitly in io_copy_attr().
419 message_warning(_("%s: File has setuid or "
420 "setgid bit set, skipping"),
425 if (pair->src_st.st_mode & S_ISVTX) {
426 message_warning(_("%s: File has sticky bit "
432 if (pair->src_st.st_nlink > 1) {
433 message_warning(_("%s: Input file has more "
434 "than one hard link, "
435 "skipping"), pair->src_name);
444 message_error("%s: %s", pair->src_name, strerror(errno));
446 (void)close(pair->src_fd);
451 /// \brief Closes source file of the file_pair structure
453 /// \param pair File whose src_fd should be closed
454 /// \param success If true, the file will be removed from the disk if
455 /// closing succeeds and --keep hasn't been used.
457 io_close_src(file_pair *pair, bool success)
459 if (pair->src_fd != STDIN_FILENO && pair->src_fd != -1) {
461 (void)close(pair->src_fd);
464 // If we are going to unlink(), do it before closing the file.
465 // This way there's no risk that someone replaces the file and
466 // happens to get same inode number, which would make us
467 // unlink() wrong file.
469 // NOTE: DOS-like systems are an exception to this, because
470 // they don't allow unlinking files that are open. *sigh*
471 if (success && !opt_keep_original)
472 io_unlink(pair->src_name, &pair->src_st);
475 (void)close(pair->src_fd);
484 io_open_dest(file_pair *pair)
486 if (opt_stdout || pair->src_fd == STDIN_FILENO) {
487 // We don't modify or free() this.
488 pair->dest_name = (char *)"(stdout)";
489 pair->dest_fd = STDOUT_FILENO;
491 setmode(STDOUT_FILENO, O_BINARY);
496 pair->dest_name = suffix_get_dest_name(pair->src_name);
497 if (pair->dest_name == NULL)
500 // If --force was used, unlink the target file first.
501 if (opt_force && unlink(pair->dest_name) && errno != ENOENT) {
502 message_error("%s: Cannot unlink: %s",
503 pair->dest_name, strerror(errno));
504 free(pair->dest_name);
508 if (opt_force && unlink(pair->dest_name) && errno != ENOENT) {
509 message_error("%s: Cannot unlink: %s", pair->dest_name,
511 free(pair->dest_name);
516 const int flags = O_WRONLY | O_BINARY | O_NOCTTY | O_CREAT | O_EXCL;
517 const mode_t mode = S_IRUSR | S_IWUSR;
518 pair->dest_fd = open(pair->dest_name, flags, mode);
520 if (pair->dest_fd == -1) {
521 // Don't bother with error message if user requested
522 // us to exit anyway.
524 message_error("%s: %s", pair->dest_name,
527 free(pair->dest_name);
531 // If this really fails... well, we have a safe fallback.
532 if (fstat(pair->dest_fd, &pair->dest_st)) {
533 pair->dest_st.st_dev = 0;
534 pair->dest_st.st_ino = 0;
541 /// \brief Closes destination file of the file_pair structure
543 /// \param pair File whose dest_fd should be closed
544 /// \param success If false, the file will be removed from the disk.
546 /// \return Zero if closing succeeds. On error, -1 is returned and
547 /// error message printed.
549 io_close_dest(file_pair *pair, bool success)
551 if (pair->dest_fd == -1 || pair->dest_fd == STDOUT_FILENO)
554 if (close(pair->dest_fd)) {
555 message_error(_("%s: Closing the file failed: %s"),
556 pair->dest_name, strerror(errno));
558 // Closing destination file failed, so we cannot trust its
559 // contents. Get rid of junk:
560 io_unlink(pair->dest_name, &pair->dest_st);
561 free(pair->dest_name);
565 // If the operation using this file wasn't successful, we git rid
568 io_unlink(pair->dest_name, &pair->dest_st);
570 free(pair->dest_name);
577 io_open(const char *src_name)
579 if (is_empty_filename(src_name))
582 // Since we have only one file open at a time, we can use
583 // a statically allocated structure.
584 static file_pair pair;
587 .src_name = src_name,
594 // Block the signals, for which we have a custom signal handler, so
595 // that we don't need to worry about EINTR.
598 file_pair *ret = NULL;
599 if (!io_open_src(&pair)) {
600 // io_open_src() may have unblocked the signals temporarily,
601 // and thus user_abort may have got set even if open()
603 if (user_abort || io_open_dest(&pair))
604 io_close_src(&pair, false);
616 io_close(file_pair *pair, bool success)
620 if (success && pair->dest_fd != STDOUT_FILENO)
623 // Close the destination first. If it fails, we must not remove
625 if (io_close_dest(pair, success))
628 // Close the source file, and unlink it if the operation using this
629 // file pair was successful and we haven't requested to keep the
631 io_close_src(pair, success);
640 io_read(file_pair *pair, uint8_t *buf, size_t size)
642 // We use small buffers here.
643 assert(size < SSIZE_MAX);
648 const ssize_t amount = read(pair->src_fd, buf, left);
651 pair->src_eof = true;
656 if (errno == EINTR) {
663 message_error(_("%s: Read error: %s"),
664 pair->src_name, strerror(errno));
666 // FIXME Is this needed?
667 pair->src_eof = true;
672 buf += (size_t)(amount);
673 left -= (size_t)(amount);
681 io_write(const file_pair *pair, const uint8_t *buf, size_t size)
683 assert(size < SSIZE_MAX);
686 const ssize_t amount = write(pair->dest_fd, buf, size);
688 if (errno == EINTR) {
695 // Handle broken pipe specially. gzip and bzip2
696 // don't print anything on SIGPIPE. In addition,
697 // gzip --quiet uses exit status 2 (warning) on
698 // broken pipe instead of whatever raise(SIGPIPE)
699 // would make it return. It is there to hide "Broken
700 // pipe" message on some old shells (probably old
703 // We don't do anything special with --quiet, which
704 // is what bzip2 does too. If we get SIGPIPE, we
705 // will handle it like other signals by setting
706 // user_abort, and get EPIPE here.
708 message_error(_("%s: Write error: %s"),
709 pair->dest_name, strerror(errno));
714 buf += (size_t)(amount);
715 size -= (size_t)(amount);
projects / icculus / xz.git / blob