2 * Copyright (C) 2008 - 2016 The Geeqie Team
4 * Author: Laurent Monin
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License along
17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 #include "secure-save.h"
31 #include <glib/gprintf.h>
39 * @file secure-save.cc
41 * ABOUT SECURE SAVE \n
42 * This code was borrowed from the ELinks project (http://elinks.cz)
43 * It was originally written by me (Laurent Monin aka Zas) and heavily
44 * modified and improved by all ELinks contributors.
45 * This code was released under the GPLv2 licence.
46 * It was modified to be included in geeqie on 2008/04/05
47 * If ssi->secure_save is TRUE:
49 * A call to secure_open("/home/me/.confdir/filename", mask) will open a file
50 * named "filename.tmp_XXXXXX" in /home/me/.confdir/ and return a pointer to a
51 * structure SecureSaveInfo on success or NULL on error.
53 * filename.tmp_XXXXXX can't conflict with any file since it's created using
54 * mkstemp(). XXXXXX is a random string.
56 * Subsequent write operations are done using returned SecureSaveInfo FILE *
59 * If an error is encountered, SecureSaveInfo int field named err is set
60 * (automatically if using secure_fp*() functions or by programmer)
62 * When secure_close() is called, "filename.tmp_XXXXXX" is flushed and closed,
63 * and if SecureSaveInfo err field has a value of zero, "filename.tmp_XXXXXX"
64 * is renamed to "filename". If this succeeded, then secure_close() returns 0.
66 * WARNING: since rename() is used, any symlink called "filename" may be
67 * replaced by a regular file. If destination file isn't a regular file,
68 * then secsave is disabled for that file.
70 * If ssi->secure_save is FALSE:
72 * No temporary file is created, "filename" is truncated, all operations are
73 * done on it, no rename nor flush occur, symlinks are preserved.
77 * Access rights are affected by secure_open() mask parameter.
82 * @FIXME locking system on files about to be rewritten ?
83 * @FIXME Low risk race conditions about ssi->file_name.
86 SecureSaveErrno secsave_errno = SS_ERR_NONE;
89 /** Open a file for writing in a secure way. @returns a pointer to a
90 * structure secure_save_info on success, or NULL on failure. */
91 static SecureSaveInfo *
92 secure_open_umask(const gchar *file_name)
96 secsave_errno = SS_ERR_NONE;
98 std::unique_ptr<SecureSaveInfo, decltype(&g_free)> ssi{g_new0(SecureSaveInfo, 1), g_free};
100 secsave_errno = SS_ERR_OUT_OF_MEM;
104 ssi->secure_save = TRUE;
105 ssi->preserve_perms = TRUE;
106 ssi->unlink_on_error = TRUE;
108 std::unique_ptr<gchar, decltype(&g_free)> file_name_watcher{g_strdup(file_name), g_free};
109 ssi->file_name = file_name_watcher.get();
110 if (!ssi->file_name) {
111 secsave_errno = SS_ERR_OUT_OF_MEM;
115 /* Check properties of final file. */
116 #ifndef NO_UNIX_SOFTLINKS
117 if (lstat(ssi->file_name, &st)) {
119 if (stat(ssi->file_name, &st)) {
121 /* We ignore error caused by file inexistence. */
122 if (errno != ENOENT) {
125 secsave_errno = SS_ERR_STAT;
129 if (!S_ISREG(st.st_mode)) {
130 /* Not a regular file, secure_save is disabled. */
131 ssi->secure_save = FALSE;
134 /* XXX: access() do not work with setuid programs. */
135 if (access(ssi->file_name, R_OK | W_OK) < 0) {
137 secsave_errno = SS_ERR_ACCESS;
143 /* We still have a race condition here between
144 * [l]stat() and fopen() */
146 f1 = fopen(ssi->file_name, "rb+");
151 secsave_errno = SS_ERR_OPEN_READ;
158 if (ssi->secure_save) {
159 /* We use a random name for temporary file, mkstemp() opens
160 * the file and return a file descriptor named fd, which is
161 * then converted to FILE * using fdopen().
164 gchar *randname = g_strconcat(ssi->file_name, ".tmp_XXXXXX", NULL);
167 secsave_errno = SS_ERR_OUT_OF_MEM;
171 /* No need to use safe_mkstemp() here. --Zas */
172 fd = g_mkstemp(randname);
174 secsave_errno = SS_ERR_MKSTEMP;
179 ssi->fp = fdopen(fd, "wb");
181 secsave_errno = SS_ERR_OPEN_WRITE;
187 ssi->tmp_file_name = randname;
189 /* No need to create a temporary file here. */
190 ssi->fp = fopen(ssi->file_name, "wb");
192 secsave_errno = SS_ERR_OPEN_WRITE;
198 ssi->file_name = file_name_watcher.release();
199 return ssi.release();
203 secure_open(const gchar *file_name)
207 #ifdef CONFIG_OS_WIN32
208 /* There is neither S_IRWXG nor S_IRWXO under crossmingw32-gcc */
209 const mode_t mask = 0177;
211 const mode_t mask = S_IXUSR | S_IRWXG | S_IRWXO;
214 saved_mask = umask(mask);
215 ssi = secure_open_umask(file_name);
221 /** Close a file opened with secure_open(). Rreturns 0 on success,
222 * errno or -1 on failure.
225 secure_close(SecureSaveInfo *ssi)
229 auto ssi_free = [](SecureSaveInfo *ssi, gint ret)
231 if (ssi->tmp_file_name)
233 if (ret && ssi->unlink_on_error) unlink(ssi->tmp_file_name);
234 g_free(ssi->tmp_file_name);
236 if (ssi->file_name) g_free(ssi->file_name);
241 if (!ssi->fp) return ssi_free(ssi, -1);
243 if (ssi->err) { /* Keep previous errno. */
244 fclose(ssi->fp); /* Close file */
245 return ssi_free(ssi, ssi->err);
248 /* Ensure data is effectively written to disk, we first flush libc buffers
249 * using fflush(), then fsync() to flush kernel buffers, and finally call
250 * fclose() (which call fflush() again, but the first one is needed since
251 * it doesn't make much sense to flush kernel buffers and then libc buffers,
252 * while closing file releases file descriptor we need to call fsync(). */
253 #if defined(HAVE_FFLUSH) || defined(HAVE_FSYNC)
254 if (ssi->secure_save) {
255 gboolean fail = FALSE;
258 fail = (fflush(ssi->fp) == EOF);
262 if (!fail) fail = fsync(fileno(ssi->fp));
267 secsave_errno = SS_ERR_OTHER;
269 fclose(ssi->fp); /* Close file, ignore errors. */
270 return ssi_free(ssi, ret);
276 if (fclose(ssi->fp) == EOF) {
277 secsave_errno = SS_ERR_OTHER;
278 return ssi_free(ssi, errno);
281 if (ssi->secure_save && ssi->file_name && ssi->tmp_file_name) {
285 * @FIXME Race condition on ssi->file_name. The file
286 * named ssi->file_name may have changed since
287 * secure_open() call (where we stat() file and
289 #ifndef NO_UNIX_SOFTLINKS
290 if (lstat(ssi->file_name, &st) == 0)
292 if (stat(ssi->file_name, &st) == 0)
295 /* set the dest file attributes to that of source (ignoring errors) */
296 if (ssi->preserve_perms)
298 if (chown(ssi->tmp_file_name, st.st_uid, st.st_gid) != 0) log_printf("chown('%s', %d, %d) failed", ssi->tmp_file_name, st.st_uid, st.st_gid);
299 if (chmod(ssi->tmp_file_name, st.st_mode) != 0) log_printf("chmod('%s', %o) failed", ssi->tmp_file_name, st.st_mode);
302 if (ssi->preserve_mtime)
306 tb.actime = st.st_atime;
307 tb.modtime = st.st_mtime;
308 utime(ssi->tmp_file_name, &tb);
311 if (rename(ssi->tmp_file_name, ssi->file_name) == -1) {
312 secsave_errno = SS_ERR_RENAME;
313 return ssi_free(ssi, errno);
317 return ssi_free(ssi, 0); /* Success. */
321 /** fputs() wrapper, set ssi->err to errno on error. If ssi->err is set when
322 * called, it immediately returns EOF.
325 secure_fputs(SecureSaveInfo *ssi, const gchar *s)
329 if (!ssi || !ssi->fp || ssi->err) return EOF;
331 ret = fputs(s, ssi->fp);
333 secsave_errno = SS_ERR_OTHER;
341 /** fputc() wrapper, set ssi->err to errno on error. If ssi->err is set when
342 * called, it immediately returns EOF.
345 secure_fputc(SecureSaveInfo *ssi, gint c)
349 if (!ssi || !ssi->fp || ssi->err) return EOF;
351 ret = fputc(c, ssi->fp);
354 secsave_errno = SS_ERR_OTHER;
360 /** fprintf() wrapper, set ssi->err to errno on error and return a negative
361 * value. If ssi->err is set when called, it immediately returns -1.
364 secure_fprintf(SecureSaveInfo *ssi, const gchar *format, ...)
369 if (!ssi || !ssi->fp || ssi->err) return -1;
371 va_start(ap, format);
372 ret = g_vfprintf(ssi->fp, format, ap);
378 /** fwrite() wrapper, set ssi->err to errno on error and return a value less than
379 * the number of elements to write. If ssi->err is set when called, it immediately returns 0.
382 secure_fwrite(gconstpointer ptr, size_t size, size_t nmemb, SecureSaveInfo *ssi)
386 if (!ssi || !ssi->fp || ssi->err) return 0;
388 ret = fwrite(ptr, size, nmemb, ssi->fp);
392 secsave_errno = SS_ERR_OTHER;
399 secsave_strerror(SecureSaveErrno secsave_error)
401 switch (secsave_error) {
402 case SS_ERR_OPEN_READ:
403 return _("Cannot read the file");
405 return _("Cannot get file status");
407 return _("Cannot access the file");
409 return _("Cannot create temp file");
411 return _("Cannot rename the file");
412 case SS_ERR_DISABLED:
413 return _("File saving disabled by option");
414 case SS_ERR_OUT_OF_MEM:
415 return _("Out of memory");
416 case SS_ERR_OPEN_WRITE:
417 return _("Cannot write the file");
418 case SS_ERR_NONE: /* Impossible. */
421 return _("Secure file saving error");
424 /* vim: set shiftwidth=8 softtabstop=0 cindent cinoptions={1s: */
projects / geeqie.git / blob