2 * Copyright (C) 2008 - 2016 The Geeqie Team
4 * Author: Laurent Monin
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License along
17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 #include <glib/gprintf.h>
27 #include "secure-save.h"
30 * @file secure-save.cc
32 * ABOUT SECURE SAVE \n
33 * This code was borrowed from the ELinks project (http://elinks.cz)
34 * It was originally written by me (Laurent Monin aka Zas) and heavily
35 * modified and improved by all ELinks contributors.
36 * This code was released under the GPLv2 licence.
37 * It was modified to be included in geeqie on 2008/04/05
38 * If ssi->secure_save is TRUE:
40 * A call to secure_open("/home/me/.confdir/filename", mask) will open a file
41 * named "filename.tmp_XXXXXX" in /home/me/.confdir/ and return a pointer to a
42 * structure SecureSaveInfo on success or NULL on error.
44 * filename.tmp_XXXXXX can't conflict with any file since it's created using
45 * mkstemp(). XXXXXX is a random string.
47 * Subsequent write operations are done using returned SecureSaveInfo FILE *
50 * If an error is encountered, SecureSaveInfo int field named err is set
51 * (automatically if using secure_fp*() functions or by programmer)
53 * When secure_close() is called, "filename.tmp_XXXXXX" is flushed and closed,
54 * and if SecureSaveInfo err field has a value of zero, "filename.tmp_XXXXXX"
55 * is renamed to "filename". If this succeeded, then secure_close() returns 0.
57 * WARNING: since rename() is used, any symlink called "filename" may be
58 * replaced by a regular file. If destination file isn't a regular file,
59 * then secsave is disabled for that file.
61 * If ssi->secure_save is FALSE:
63 * No temporary file is created, "filename" is truncated, all operations are
64 * done on it, no rename nor flush occur, symlinks are preserved.
68 * Access rights are affected by secure_open() mask parameter.
73 * @FIXME locking system on files about to be rewritten ?
74 * @FIXME Low risk race conditions about ssi->file_name.
77 SecureSaveErrno secsave_errno = SS_ERR_NONE;
80 /** Open a file for writing in a secure way. @returns a pointer to a
81 * structure secure_save_info on success, or NULL on failure. */
82 static SecureSaveInfo *
83 secure_open_umask(const gchar *file_name)
87 secsave_errno = SS_ERR_NONE;
89 std::unique_ptr<SecureSaveInfo, decltype(&g_free)> ssi{g_new0(SecureSaveInfo, 1), g_free};
91 secsave_errno = SS_ERR_OUT_OF_MEM;
95 ssi->secure_save = TRUE;
96 ssi->preserve_perms = TRUE;
97 ssi->unlink_on_error = TRUE;
99 std::unique_ptr<gchar, decltype(&g_free)> file_name_watcher{g_strdup(file_name), g_free};
100 ssi->file_name = file_name_watcher.get();
101 if (!ssi->file_name) {
102 secsave_errno = SS_ERR_OUT_OF_MEM;
106 /* Check properties of final file. */
107 #ifndef NO_UNIX_SOFTLINKS
108 if (lstat(ssi->file_name, &st)) {
110 if (stat(ssi->file_name, &st)) {
112 /* We ignore error caused by file inexistence. */
113 if (errno != ENOENT) {
116 secsave_errno = SS_ERR_STAT;
120 if (!S_ISREG(st.st_mode)) {
121 /* Not a regular file, secure_save is disabled. */
122 ssi->secure_save = FALSE;
125 /* XXX: access() do not work with setuid programs. */
126 if (access(ssi->file_name, R_OK | W_OK) < 0) {
128 secsave_errno = SS_ERR_ACCESS;
134 /* We still have a race condition here between
135 * [l]stat() and fopen() */
137 f1 = fopen(ssi->file_name, "rb+");
142 secsave_errno = SS_ERR_OPEN_READ;
149 if (ssi->secure_save) {
150 /* We use a random name for temporary file, mkstemp() opens
151 * the file and return a file descriptor named fd, which is
152 * then converted to FILE * using fdopen().
155 gchar *randname = g_strconcat(ssi->file_name, ".tmp_XXXXXX", NULL);
158 secsave_errno = SS_ERR_OUT_OF_MEM;
162 /* No need to use safe_mkstemp() here. --Zas */
163 fd = g_mkstemp(randname);
165 secsave_errno = SS_ERR_MKSTEMP;
170 ssi->fp = fdopen(fd, "wb");
172 secsave_errno = SS_ERR_OPEN_WRITE;
178 ssi->tmp_file_name = randname;
180 /* No need to create a temporary file here. */
181 ssi->fp = fopen(ssi->file_name, "wb");
183 secsave_errno = SS_ERR_OPEN_WRITE;
189 ssi->file_name = file_name_watcher.release();
190 return ssi.release();
194 secure_open(const gchar *file_name)
198 #ifdef CONFIG_OS_WIN32
199 /* There is neither S_IRWXG nor S_IRWXO under crossmingw32-gcc */
200 const mode_t mask = 0177;
202 const mode_t mask = S_IXUSR | S_IRWXG | S_IRWXO;
205 saved_mask = umask(mask);
206 ssi = secure_open_umask(file_name);
212 /** Close a file opened with secure_open(). Rreturns 0 on success,
213 * errno or -1 on failure.
216 secure_close(SecureSaveInfo *ssi)
220 auto ssi_free = [](SecureSaveInfo *ssi, gint ret)
222 if (ssi->tmp_file_name)
224 if (ret && ssi->unlink_on_error) unlink(ssi->tmp_file_name);
225 g_free(ssi->tmp_file_name);
227 if (ssi->file_name) g_free(ssi->file_name);
232 if (!ssi->fp) return ssi_free(ssi, -1);
234 if (ssi->err) { /* Keep previous errno. */
235 fclose(ssi->fp); /* Close file */
236 return ssi_free(ssi, ssi->err);
239 /* Ensure data is effectively written to disk, we first flush libc buffers
240 * using fflush(), then fsync() to flush kernel buffers, and finally call
241 * fclose() (which call fflush() again, but the first one is needed since
242 * it doesn't make much sense to flush kernel buffers and then libc buffers,
243 * while closing file releases file descriptor we need to call fsync(). */
244 #if defined(HAVE_FFLUSH) || defined(HAVE_FSYNC)
245 if (ssi->secure_save) {
246 gboolean fail = FALSE;
249 fail = (fflush(ssi->fp) == EOF);
253 if (!fail) fail = fsync(fileno(ssi->fp));
258 secsave_errno = SS_ERR_OTHER;
260 fclose(ssi->fp); /* Close file, ignore errors. */
261 return ssi_free(ssi, ret);
267 if (fclose(ssi->fp) == EOF) {
268 secsave_errno = SS_ERR_OTHER;
269 return ssi_free(ssi, errno);
272 if (ssi->secure_save && ssi->file_name && ssi->tmp_file_name) {
276 * @FIXME Race condition on ssi->file_name. The file
277 * named ssi->file_name may have changed since
278 * secure_open() call (where we stat() file and
280 #ifndef NO_UNIX_SOFTLINKS
281 if (lstat(ssi->file_name, &st) == 0)
283 if (stat(ssi->file_name, &st) == 0)
286 /* set the dest file attributes to that of source (ignoring errors) */
287 if (ssi->preserve_perms)
289 if (chown(ssi->tmp_file_name, st.st_uid, st.st_gid) != 0) log_printf("chown('%s', %d, %d) failed", ssi->tmp_file_name, st.st_uid, st.st_gid);
290 if (chmod(ssi->tmp_file_name, st.st_mode) != 0) log_printf("chmod('%s', %o) failed", ssi->tmp_file_name, st.st_mode);
293 if (ssi->preserve_mtime)
297 tb.actime = st.st_atime;
298 tb.modtime = st.st_mtime;
299 utime(ssi->tmp_file_name, &tb);
302 if (rename(ssi->tmp_file_name, ssi->file_name) == -1) {
303 secsave_errno = SS_ERR_RENAME;
304 return ssi_free(ssi, errno);
308 return ssi_free(ssi, 0); /* Success. */
312 /** fputs() wrapper, set ssi->err to errno on error. If ssi->err is set when
313 * called, it immediately returns EOF.
316 secure_fputs(SecureSaveInfo *ssi, const gchar *s)
320 if (!ssi || !ssi->fp || ssi->err) return EOF;
322 ret = fputs(s, ssi->fp);
324 secsave_errno = SS_ERR_OTHER;
332 /** fputc() wrapper, set ssi->err to errno on error. If ssi->err is set when
333 * called, it immediately returns EOF.
336 secure_fputc(SecureSaveInfo *ssi, gint c)
340 if (!ssi || !ssi->fp || ssi->err) return EOF;
342 ret = fputc(c, ssi->fp);
345 secsave_errno = SS_ERR_OTHER;
351 /** fprintf() wrapper, set ssi->err to errno on error and return a negative
352 * value. If ssi->err is set when called, it immediately returns -1.
355 secure_fprintf(SecureSaveInfo *ssi, const gchar *format, ...)
360 if (!ssi || !ssi->fp || ssi->err) return -1;
362 va_start(ap, format);
363 ret = g_vfprintf(ssi->fp, format, ap);
369 /** fwrite() wrapper, set ssi->err to errno on error and return a value less than
370 * the number of elements to write. If ssi->err is set when called, it immediately returns 0.
373 secure_fwrite(gconstpointer ptr, size_t size, size_t nmemb, SecureSaveInfo *ssi)
377 if (!ssi || !ssi->fp || ssi->err) return 0;
379 ret = fwrite(ptr, size, nmemb, ssi->fp);
383 secsave_errno = SS_ERR_OTHER;
390 secsave_strerror(SecureSaveErrno secsave_error)
392 switch (secsave_error) {
393 case SS_ERR_OPEN_READ:
394 return _("Cannot read the file");
396 return _("Cannot get file status");
398 return _("Cannot access the file");
400 return _("Cannot create temp file");
402 return _("Cannot rename the file");
403 case SS_ERR_DISABLED:
404 return _("File saving disabled by option");
405 case SS_ERR_OUT_OF_MEM:
406 return _("Out of memory");
407 case SS_ERR_OPEN_WRITE:
408 return _("Cannot write the file");
409 case SS_ERR_NONE: /* Impossible. */
412 return _("Secure file saving error");
415 /* vim: set shiftwidth=8 softtabstop=0 cindent cinoptions={1s: */
projects / geeqie.git / blob