2 * Copyright notice from original mutt:
3 * Copyright (C) 1996-2000 Michael R. Elkins <me@mutt.org>
4 * Copyright (C) 1998-2000 Thomas Roessler <roessler@does-not-exist.org>
6 * This file is part of mutt-ng, see http://www.muttng.org/.
7 * It's licensed under the GNU General Public License,
8 * please see the file GPL in the top level source directory.
11 #include <lib-lib/lib-lib.h>
13 #include <sys/utsname.h>
15 #ifndef _POSIX_PATH_MAX
16 #include <posix1_lim.h>
26 #define MAXLINKS 1024 /* maximum link depth */
28 # define LONG_STRING 1024
29 # define MAXLOCKATTEMPT 5
34 # define SETEGID setegid
36 # define SETEGID setgid
39 # define S_ISLNK(x) (((x) & S_IFMT) == S_IFLNK ? 1 : 0)
44 static int DotlockFlags;
45 static int Retry = MAXLOCKATTEMPT;
47 static char *Hostname;
54 static int dotlock_deference_symlink (char *, size_t, const char *);
55 static int dotlock_prepare (char *, ssize_t, const char *, int fd);
56 static int dotlock_check_stats (struct stat *, struct stat *);
57 static int dotlock_dispatch (const char *, int fd);
59 static int dotlock_init_privs (void);
60 static void usage (const char *);
62 static void dotlock_expand_link (char *, const char *, const char *);
63 static void BEGIN_PRIVILEGED (void);
64 static void END_PRIVILEGED (void);
66 /* These functions work on the current directory.
67 * Invoke dotlock_prepare () before and check their
71 static int dotlock_try (void);
72 static int dotlock_unlock (const char *);
73 static int dotlock_unlink (const char *);
74 static int dotlock_lock (const char *);
77 #define check_flags(a) if (a & DL_FL_ACTIONS) usage (argv[0])
79 int main (int argc, char **argv)
83 struct utsname utsname;
85 /* first, drop privileges */
87 if (dotlock_init_privs () == -1)
91 /* determine the system's host name */
94 if (!(Hostname = strdup (utsname.nodename))) /* __MEM_CHECKED__ */
96 if ((p = strchr (Hostname, '.')))
100 /* parse the command line options. */
103 while ((i = getopt (argc, argv, "dtfupr:")) != EOF) {
105 /* actions, mutually exclusive */
107 check_flags (DotlockFlags);
108 DotlockFlags |= DL_FL_TRY;
111 check_flags (DotlockFlags);
112 DotlockFlags |= DL_FL_UNLINK;
115 check_flags (DotlockFlags);
116 DotlockFlags |= DL_FL_UNLOCK;
121 DotlockFlags |= DL_FL_FORCE;
124 DotlockFlags |= DL_FL_USEPRIV;
127 DotlockFlags |= DL_FL_RETRY;
128 Retry = atoi (optarg);
136 if (optind == argc || Retry < 0)
139 return dotlock_dispatch (argv[optind], -1);
144 * Determine our effective group ID, and drop
149 * 0 - everything went fine
150 * -1 - we couldn't drop privileges.
155 static int dotlock_init_privs (void)
161 MailGid = getegid ();
163 if (SETEGID (UserGid) != 0)
172 static int dotlock_dispatch (const char *f, int fd)
174 char frealpath[_POSIX_PATH_MAX];
176 /* If dotlock_prepare () succeeds [return value == 0],
177 * realpath contains the basename of f, and we have
178 * successfully changed our working directory to
179 * `dirname $f`. Additionally, f has been opened for
180 * reading to verify that the user has at least read
181 * permissions on that file.
183 * For a more detailed explanation of all this, see the
184 * lengthy comment below.
187 if (dotlock_prepare (frealpath, sizeof (frealpath), f, fd) != 0)
190 /* Actually perform the locking operation. */
192 if (DotlockFlags & DL_FL_TRY)
193 return dotlock_try ();
194 else if (DotlockFlags & DL_FL_UNLOCK)
195 return dotlock_unlock (frealpath);
196 else if (DotlockFlags & DL_FL_UNLINK)
197 return dotlock_unlink (frealpath);
199 return dotlock_lock (frealpath);
206 * This function re-acquires the privileges we may have
207 * if the user told us to do so by giving the "-p"
208 * command line option.
210 * BEGIN_PRIVILEGES () won't return if an error occurs.
214 static void BEGIN_PRIVILEGED (void)
217 if (DotlockFlags & DL_FL_USEPRIV) {
218 if (SETEGID (MailGid) != 0) {
219 /* perror ("setegid"); */
229 * This function drops the group privileges we may have.
231 * END_PRIVILEGED () won't return if an error occurs.
235 static void END_PRIVILEGED (void)
238 if (DotlockFlags & DL_FL_USEPRIV) {
239 if (SETEGID (UserGid) != 0) {
240 /* perror ("setegid"); */
250 * This function doesn't return.
254 static void usage (const char *av0)
256 fprintf (stderr, "dotlock [Madmutt %s]\n", VERSION);
257 fprintf (stderr, "usage: %s [-t|-f|-u|-d] [-p] [-r <retries>] file\n", av0);
262 "\n -u\t\tunlock" "\n -d\t\tunlink" "\n -p\t\tprivileged"
266 "\n -r <retries>\tRetry locking" "\n", stderr);
272 * Access checking: Let's avoid to lock other users' mail
273 * spool files if we aren't permitted to read them.
275 * Some simple-minded access (2) checking isn't sufficient
276 * here: The problem is that the user may give us a
277 * deeply nested path to a file which has the same name
278 * as the file he wants to lock, but different
279 * permissions, say, e.g.
280 * /tmp/lots/of/subdirs/var/spool/mail/root.
282 * He may then try to replace /tmp/lots/of/subdirs by a
283 * symbolic link to / after we have invoked access () to
284 * check the file's permissions. The lockfile we'd
285 * create or remove would then actually be
286 * /var/spool/mail/root.
288 * To avoid this attack, we proceed as follows:
290 * - First, follow symbolic links a la
291 * dotlock_deference_symlink ().
293 * - get the result's dirname.
295 * - chdir to this directory. If you can't, bail out.
297 * - try to open the file in question, only using its
298 * basename. If you can't, bail out.
300 * - fstat that file and compare the result to a
301 * subsequent lstat (only using the basename). If
302 * the comparison fails, bail out.
304 * dotlock_prepare () is invoked from main () directly
305 * after the command line parsing has been done.
309 * 0 - Evereything's fine. The program's new current
310 * directory is the contains the file to be locked.
311 * The string pointed to by bn contains the name of
312 * the file to be locked.
314 * -1 - Something failed. Don't continue.
319 static int dotlock_check_stats (struct stat *fsb, struct stat *lsb)
321 /* S_ISLNK (fsb->st_mode) should actually be impossible,
322 * but we may have mixed up the parameters somewhere.
326 if (S_ISLNK (lsb->st_mode) || S_ISLNK (fsb->st_mode))
329 if ((lsb->st_dev != fsb->st_dev) ||
330 (lsb->st_ino != fsb->st_ino) ||
331 (lsb->st_mode != fsb->st_mode) ||
332 (lsb->st_nlink != fsb->st_nlink) ||
333 (lsb->st_uid != fsb->st_uid) ||
334 (lsb->st_gid != fsb->st_gid) ||
335 (lsb->st_rdev != fsb->st_rdev) || (lsb->st_size != fsb->st_size)) {
336 /* something's fishy */
343 static int dotlock_prepare (char *bn, ssize_t l, const char *f, int _fd)
345 struct stat fsb, lsb;
346 char frealpath[_POSIX_PATH_MAX];
347 char *fbasename, *dirname;
352 if (dotlock_deference_symlink (frealpath, sizeof (frealpath), f) == -1)
355 if ((p = strrchr (frealpath, '/'))) {
361 fbasename = frealpath;
362 dirname = m_strdup(".");
365 if (m_strlen(fbasename) + 1 > l)
368 m_strcpy(bn, l, fbasename);
370 if (chdir (dirname) == -1)
375 else if ((fd = open (fbasename, O_RDONLY)) == -1)
378 r = fstat (fd, &fsb);
386 if (lstat (fbasename, &lsb) == -1)
389 if (dotlock_check_stats (&fsb, &lsb) == -1)
396 * Expand a symbolic link.
398 * This function expects newpath to have space for
399 * at least _POSIX_PATH_MAX characters.
404 dotlock_expand_link (char *newpath, const char *path, const char *flink)
406 const char *lb = NULL;
409 /* link is full path */
411 m_strcpy(newpath, _POSIX_PATH_MAX, flink);
415 if ((lb = strrchr (path, '/')) == NULL) {
416 /* no path in link */
417 m_strcpy(newpath, _POSIX_PATH_MAX, flink);
422 memcpy (newpath, path, len);
423 m_strcpy(newpath + len, _POSIX_PATH_MAX - len, flink);
428 * Deference a chain of symbolic links
430 * The final path is written to d.
434 static int dotlock_deference_symlink (char *d, size_t l, const char *path)
437 char frealpath[_POSIX_PATH_MAX];
438 const char *pathptr = path;
441 while (count++ < MAXLINKS) {
442 if (lstat (pathptr, &sb) == -1) {
443 /* perror (pathptr); */
447 if (S_ISLNK (sb.st_mode)) {
448 char linkfile[_POSIX_PATH_MAX];
449 char linkpath[_POSIX_PATH_MAX];
452 if ((len = readlink (pathptr, linkfile, sizeof (linkfile))) == -1) {
453 /* perror (pathptr); */
457 linkfile[len] = '\0';
458 dotlock_expand_link (linkpath, pathptr, linkfile);
459 m_strcpy(frealpath, sizeof(frealpath), linkpath);
466 m_strcpy(d, l, pathptr);
473 * realpath is assumed _not_ to be an absolute path to
474 * the file we are about to lock. Invoke
475 * dotlock_prepare () before using this function!
479 #define HARDMAXATTEMPTS 10
481 static int dotlock_lock (const char *frealpath)
483 char lockfile[_POSIX_PATH_MAX + LONG_STRING];
484 char nfslockfile[_POSIX_PATH_MAX + LONG_STRING];
485 size_t prev_size = 0;
492 snprintf (nfslockfile, sizeof (nfslockfile), "%s.%s.%d",
493 frealpath, Hostname, (int) getpid ());
494 snprintf (lockfile, sizeof (lockfile), "%s.lock", frealpath);
499 unlink (nfslockfile);
501 while ((fd = open (nfslockfile, O_WRONLY | O_EXCL | O_CREAT, 0)) < 0) {
505 if (errno != EAGAIN) {
506 /* perror ("cannot open NFS lock file"); */
519 while (hard_count++ < HARDMAXATTEMPTS) {
522 link (nfslockfile, lockfile);
525 if (stat (nfslockfile, &sb) != 0) {
526 /* perror ("stat"); */
530 if (sb.st_nlink == 2)
534 prev_size = sb.st_size;
536 if (prev_size == sb.st_size && ++count > Retry) {
537 if (DotlockFlags & DL_FL_FORCE) {
547 unlink (nfslockfile);
553 prev_size = sb.st_size;
555 /* don't trust sleep (3) as it may be interrupted
556 * by users sending signals.
562 } while (time (NULL) == t);
566 unlink (nfslockfile);
576 * The same comment as for dotlock_lock () applies here.
580 static int dotlock_unlock (const char *frealpath)
582 char lockfile[_POSIX_PATH_MAX + LONG_STRING];
585 snprintf (lockfile, sizeof (lockfile), "%s.lock", frealpath);
588 i = unlink (lockfile);
597 /* remove an empty file */
599 static int dotlock_unlink (const char *frealpath)
604 if (dotlock_lock (frealpath) != DL_EX_OK)
607 if ((i = lstat (frealpath, &lsb)) == 0 && lsb.st_size == 0)
610 dotlock_unlock (frealpath);
612 return (i == 0) ? DL_EX_OK : DL_EX_ERROR;
617 * Check if a file can be locked at all.
619 * The same comment as for dotlock_lock () applies here.
623 static int dotlock_try (void)
629 if (access (".", W_OK) == 0)
633 if (stat (".", &sb) == 0) {
634 if ((sb.st_mode & S_IWGRP) == S_IWGRP && sb.st_gid == MailGid)
635 return DL_EX_NEED_PRIVS;
639 return DL_EX_IMPOSSIBLE;