3 * Copyright (C) 2008 - 2012 The Geeqie Team
5 * based on the code developped for ELinks by Laurent Monin
7 * This software is released under the GNU General Public License (GNU GPL).
8 * Please read the included file COPYING for more information.
9 * This software comes with no warranty of any kind, use at your own risk!
12 #include <glib/gprintf.h>
13 #include <glib/gstdio.h>
18 #include "secure_save.h"
21 /* ABOUT SECURE SAVE */
22 /* This code was borrowed from the ELinks project (http://elinks.cz)
23 * It was originally written by me (Laurent Monin aka Zas) and heavily
24 * modified and improved by all ELinks contributors.
25 * This code was released under the GPLv2 licence.
26 * It was modified to be included in geeqie on 2008/04/05 */
28 /* If ssi->secure_save is TRUE:
29 * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
31 * A call to secure_open("/home/me/.confdir/filename", mask) will open a file
32 * named "filename.tmp_XXXXXX" in /home/me/.confdir/ and return a pointer to a
33 * structure SecureSaveInfo on success or NULL on error.
35 * filename.tmp_XXXXXX can't conflict with any file since it's created using
36 * mkstemp(). XXXXXX is a random string.
38 * Subsequent write operations are done using returned SecureSaveInfo FILE *
41 * If an error is encountered, SecureSaveInfo int field named err is set
42 * (automatically if using secure_fp*() functions or by programmer)
44 * When secure_close() is called, "filename.tmp_XXXXXX" is flushed and closed,
45 * and if SecureSaveInfo err field has a value of zero, "filename.tmp_XXXXXX"
46 * is renamed to "filename". If this succeeded, then secure_close() returns 0.
48 * WARNING: since rename() is used, any symlink called "filename" may be
49 * replaced by a regular file. If destination file isn't a regular file,
50 * then secsave is disabled for that file.
52 * If ssi->secure_save is FALSE:
53 * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
55 * No temporary file is created, "filename" is truncated, all operations are
56 * done on it, no rename nor flush occur, symlinks are preserved.
61 * Access rights are affected by secure_open() mask parameter.
64 /* FIXME: locking system on files about to be rewritten ? */
65 /* FIXME: Low risk race conditions about ssi->file_name. */
67 SecureSaveErrno secsave_errno = SS_ERR_NONE;
70 /** Open a file for writing in a secure way. @returns a pointer to a
71 * structure secure_save_info on success, or NULL on failure. */
72 static SecureSaveInfo *
73 secure_open_umask(const gchar *file_name)
78 secsave_errno = SS_ERR_NONE;
80 ssi = g_new0(SecureSaveInfo, 1);
82 secsave_errno = SS_ERR_OUT_OF_MEM;
86 ssi->secure_save = TRUE;
87 ssi->preserve_perms = TRUE;
88 ssi->unlink_on_error = TRUE;
90 ssi->file_name = g_strdup(file_name);
91 if (!ssi->file_name) {
92 secsave_errno = SS_ERR_OUT_OF_MEM;
96 /* Check properties of final file. */
97 #ifndef NO_UNIX_SOFTLINKS
98 if (lstat(ssi->file_name, &st)) {
100 if (stat(ssi->file_name, &st)) {
102 /* We ignore error caused by file inexistence. */
103 if (errno != ENOENT) {
106 secsave_errno = SS_ERR_STAT;
110 if (!S_ISREG(st.st_mode)) {
111 /* Not a regular file, secure_save is disabled. */
112 ssi->secure_save = FALSE;
115 /* XXX: access() do not work with setuid programs. */
116 if (access(ssi->file_name, R_OK | W_OK) < 0) {
118 secsave_errno = SS_ERR_ACCESS;
124 /* We still have a race condition here between
125 * [l]stat() and fopen() */
127 f1 = fopen(ssi->file_name, "rb+");
132 secsave_errno = SS_ERR_OPEN_READ;
139 if (ssi->secure_save) {
140 /* We use a random name for temporary file, mkstemp() opens
141 * the file and return a file descriptor named fd, which is
142 * then converted to FILE * using fdopen().
145 gchar *randname = g_strconcat(ssi->file_name, ".tmp_XXXXXX", NULL);
148 secsave_errno = SS_ERR_OUT_OF_MEM;
152 /* No need to use safe_mkstemp() here. --Zas */
153 fd = g_mkstemp(randname);
155 secsave_errno = SS_ERR_MKSTEMP;
160 ssi->fp = fdopen(fd, "wb");
162 secsave_errno = SS_ERR_OPEN_WRITE;
168 ssi->tmp_file_name = randname;
170 /* No need to create a temporary file here. */
171 ssi->fp = fopen(ssi->file_name, "wb");
173 secsave_errno = SS_ERR_OPEN_WRITE;
182 g_free(ssi->file_name);
183 ssi->file_name = NULL;
194 secure_open(const gchar *file_name)
198 #ifdef CONFIG_OS_WIN32
199 /* There is neither S_IRWXG nor S_IRWXO under crossmingw32-gcc */
200 const mode_t mask = 0177;
202 const mode_t mask = S_IXUSR | S_IRWXG | S_IRWXO;
205 saved_mask = umask(mask);
206 ssi = secure_open_umask(file_name);
212 /** Close a file opened with secure_open(). Rreturns 0 on success,
213 * errno or -1 on failure.
216 secure_close(SecureSaveInfo *ssi)
220 if (!ssi) return ret;
221 if (!ssi->fp) goto free;
223 if (ssi->err) { /* Keep previous errno. */
225 fclose(ssi->fp); /* Close file */
229 /* Ensure data is effectively written to disk, we first flush libc buffers
230 * using fflush(), then fsync() to flush kernel buffers, and finally call
231 * fclose() (which call fflush() again, but the first one is needed since
232 * it doesn't make much sense to flush kernel buffers and then libc buffers,
233 * while closing file releases file descriptor we need to call fsync(). */
234 #if defined(HAVE_FFLUSH) || defined(HAVE_FSYNC)
235 if (ssi->secure_save) {
236 gboolean fail = FALSE;
239 fail = (fflush(ssi->fp) == EOF);
243 if (!fail) fail = fsync(fileno(ssi->fp));
248 secsave_errno = SS_ERR_OTHER;
250 fclose(ssi->fp); /* Close file, ignore errors. */
257 if (fclose(ssi->fp) == EOF) {
259 secsave_errno = SS_ERR_OTHER;
263 if (ssi->secure_save && ssi->file_name && ssi->tmp_file_name) {
266 /* FIXME: Race condition on ssi->file_name. The file
267 * named ssi->file_name may have changed since
268 * secure_open() call (where we stat() file and
270 #ifndef NO_UNIX_SOFTLINKS
271 if (lstat(ssi->file_name, &st) == 0)
273 if (stat(ssi->file_name, &st) == 0)
276 /* set the dest file attributes to that of source (ignoring errors) */
277 if (ssi->preserve_perms)
279 if (chown(ssi->tmp_file_name, st.st_uid, st.st_gid) != 0) log_printf("chown('%s', %d, %d) failed", ssi->tmp_file_name, st.st_uid, st.st_gid);
280 if (chmod(ssi->tmp_file_name, st.st_mode) != 0) log_printf("chmod('%s', %o) failed", ssi->tmp_file_name, st.st_mode);
283 if (ssi->preserve_mtime)
287 tb.actime = st.st_atime;
288 tb.modtime = st.st_mtime;
289 utime(ssi->tmp_file_name, &tb);
292 DEBUG_3("rename %s -> %s", ssi->tmp_file_name, ssi->file_name);
293 if (rename(ssi->tmp_file_name, ssi->file_name) == -1) {
295 secsave_errno = SS_ERR_RENAME;
300 ret = 0; /* Success. */
303 if (ssi->tmp_file_name)
305 if (ret && ssi->unlink_on_error) unlink(ssi->tmp_file_name);
306 g_free(ssi->tmp_file_name);
308 if (ssi->file_name) g_free(ssi->file_name);
309 if (ssi) g_free(ssi);
315 /** fputs() wrapper, set ssi->err to errno on error. If ssi->err is set when
316 * called, it immediatly returns EOF.
319 secure_fputs(SecureSaveInfo *ssi, const gchar *s)
323 if (!ssi || !ssi->fp || ssi->err) return EOF;
325 ret = fputs(s, ssi->fp);
327 secsave_errno = SS_ERR_OTHER;
335 /** fputc() wrapper, set ssi->err to errno on error. If ssi->err is set when
336 * called, it immediatly returns EOF.
339 secure_fputc(SecureSaveInfo *ssi, gint c)
343 if (!ssi || !ssi->fp || ssi->err) return EOF;
345 ret = fputc(c, ssi->fp);
348 secsave_errno = SS_ERR_OTHER;
354 /** fprintf() wrapper, set ssi->err to errno on error and return a negative
355 * value. If ssi->err is set when called, it immediatly returns -1.
358 secure_fprintf(SecureSaveInfo *ssi, const gchar *format, ...)
363 if (!ssi || !ssi->fp || ssi->err) return -1;
365 va_start(ap, format);
366 ret = g_vfprintf(ssi->fp, format, ap);
372 /** fwrite() wrapper, set ssi->err to errno on error and return a value less than
373 * the number of elements to write. If ssi->err is set when called, it immediatly returns 0.
376 secure_fwrite(gconstpointer ptr, size_t size, size_t nmemb, SecureSaveInfo *ssi)
380 if (!ssi || !ssi->fp || ssi->err) return 0;
382 ret = fwrite(ptr, size, nmemb, ssi->fp);
386 secsave_errno = SS_ERR_OTHER;
393 secsave_strerror(SecureSaveErrno secsave_error)
395 switch (secsave_error) {
396 case SS_ERR_OPEN_READ:
397 return _("Cannot read the file");
399 return _("Cannot get file status");
401 return _("Cannot access the file");
403 return _("Cannot create temp file");
405 return _("Cannot rename the file");
406 case SS_ERR_DISABLED:
407 return _("File saving disabled by option");
408 case SS_ERR_OUT_OF_MEM:
409 return _("Out of memory");
410 case SS_ERR_OPEN_WRITE:
411 return _("Cannot write the file");
412 case SS_ERR_NONE: /* Impossible. */
415 return _("Secure file saving error");
418 /* vim: set shiftwidth=8 softtabstop=0 cindent cinoptions={1s: */
projects / geeqie.git / blob