4 * Author: Vladimir Nadvornik
5 * based on the code developped for ELinks by Laurent Monin
7 * This software is released under the GNU General Public License (GNU GPL).
8 * Please read the included file COPYING for more information.
9 * This software comes with no warranty of any kind, use at your own risk!
12 #include <glib/gstdio.h>
16 #include "secure_save.h"
18 /* ABOUT SECURE SAVE */
19 /* This code was borrowed from the ELinks project (http://elinks.cz)
20 * It was originally written by me (Laurent Monin aka Zas) and heavily
21 * modified and improved by all ELinks contributors.
22 * This code was released under the GPLv2 licence.
23 * It was modified to be included in geeqie on 2008/04/05 */
25 /* If ssi->secure_save is TRUE:
26 * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
28 * A call to secure_open("/home/me/.confdir/filename", mask) will open a file
29 * named "filename.tmp_XXXXXX" in /home/me/.confdir/ and return a pointer to a
30 * structure SecureSaveInfo on success or NULL on error.
32 * filename.tmp_XXXXXX can't conflict with any file since it's created using
33 * mkstemp(). XXXXXX is a random string.
35 * Subsequent write operations are done using returned SecureSaveInfo FILE *
38 * If an error is encountered, SecureSaveInfo int field named err is set
39 * (automatically if using secure_fp*() functions or by programmer)
41 * When secure_close() is called, "filename.tmp_XXXXXX" is flushed and closed,
42 * and if SecureSaveInfo err field has a value of zero, "filename.tmp_XXXXXX"
43 * is renamed to "filename". If this succeeded, then secure_close() returns 0.
45 * WARNING: since rename() is used, any symlink called "filename" may be
46 * replaced by a regular file. If destination file isn't a regular file,
47 * then secsave is disabled for that file.
49 * If ssi->secure_save is FALSE:
50 * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
52 * No temporary file is created, "filename" is truncated, all operations are
53 * done on it, no rename nor flush occur, symlinks are preserved.
58 * Access rights are affected by secure_open() mask parameter.
61 /* FIXME: locking system on files about to be rewritten ? */
62 /* FIXME: Low risk race conditions about ssi->file_name. */
64 SecureSaveErrno secsave_errno = SS_ERR_NONE;
67 /** Open a file for writing in a secure way. @returns a pointer to a
68 * structure secure_save_info on success, or NULL on failure. */
69 static SecureSaveInfo *
70 secure_open_umask(const gchar *file_name)
75 secsave_errno = SS_ERR_NONE;
77 ssi = g_new0(SecureSaveInfo, 1);
79 secsave_errno = SS_ERR_OUT_OF_MEM;
83 ssi->secure_save = TRUE;
85 ssi->file_name = g_strdup(file_name);
86 if (!ssi->file_name) {
87 secsave_errno = SS_ERR_OUT_OF_MEM;
91 /* Check properties of final file. */
92 #ifndef NO_UNIX_SOFTLINKS
93 if (g_lstat(ssi->file_name, &st)) {
95 if (g_stat(ssi->file_name, &st)) {
97 /* We ignore error caused by file inexistence. */
98 if (errno != ENOENT) {
101 secsave_errno = SS_ERR_STAT;
105 if (!S_ISREG(st.st_mode)) {
106 /* Not a regular file, secure_save is disabled. */
107 ssi->secure_save = 0;
110 /* XXX: access() do not work with setuid programs. */
111 if (g_access(ssi->file_name, R_OK | W_OK) < 0) {
113 secsave_errno = SS_ERR_ACCESS;
119 /* We still have a race condition here between
120 * [l]stat() and fopen() */
122 f1 = g_fopen(ssi->file_name, "rb+");
127 secsave_errno = SS_ERR_OPEN_READ;
134 if (ssi->secure_save) {
135 /* We use a random name for temporary file, mkstemp() opens
136 * the file and return a file descriptor named fd, which is
137 * then converted to FILE * using fdopen().
140 gchar *randname = g_strconcat(ssi->file_name, ".tmp_XXXXXX", NULL);
143 secsave_errno = SS_ERR_OUT_OF_MEM;
147 /* No need to use safe_mkstemp() here. --Zas */
148 fd = g_mkstemp(randname);
150 secsave_errno = SS_ERR_MKSTEMP;
155 ssi->fp = fdopen(fd, "wb");
157 secsave_errno = SS_ERR_OPEN_WRITE;
163 ssi->tmp_file_name = randname;
165 /* No need to create a temporary file here. */
166 ssi->fp = g_fopen(ssi->file_name, "wb");
168 secsave_errno = SS_ERR_OPEN_WRITE;
177 g_free(ssi->file_name);
178 ssi->file_name = NULL;
189 secure_open(const gchar *file_name)
193 #ifdef CONFIG_OS_WIN32
194 /* There is neither S_IRWXG nor S_IRWXO under crossmingw32-gcc */
195 const mode_t mask = 0177;
197 const mode_t mask = S_IXUSR | S_IRWXG | S_IRWXO;
200 saved_mask = umask(mask);
201 ssi = secure_open_umask(file_name);
207 /** Close a file opened with secure_open(). Rreturns 0 on success,
208 * errno or -1 on failure.
211 secure_close(SecureSaveInfo *ssi)
215 if (!ssi) return ret;
216 if (!ssi->fp) goto free;
218 if (ssi->err) { /* Keep previous errno. */
220 fclose(ssi->fp); /* Close file */
224 /* Ensure data is effectively written to disk, we first flush libc buffers
225 * using fflush(), then fsync() to flush kernel buffers, and finally call
226 * fclose() (which call fflush() again, but the first one is needed since
227 * it doesn't make much sense to flush kernel buffers and then libc buffers,
228 * while closing file releases file descriptor we need to call fsync(). */
229 #if defined(HAVE_FFLUSH) || defined(HAVE_FSYNC)
230 if (ssi->secure_save) {
234 fail = (fflush(ssi->fp) == EOF);
238 if (!fail) fail = fsync(fileno(ssi->fp));
243 secsave_errno = SS_ERR_OTHER;
245 fclose(ssi->fp); /* Close file, ignore errors. */
252 if (fclose(ssi->fp) == EOF) {
254 secsave_errno = SS_ERR_OTHER;
258 if (ssi->secure_save && ssi->file_name && ssi->tmp_file_name) {
259 /* FIXME: Race condition on ssi->file_name. The file
260 * named ssi->file_name may have changed since
261 * secure_open() call (where we stat() file and
263 if (debug > 2) g_printf("rename %s -> %s", ssi->tmp_file_name, ssi->file_name);
264 if (g_rename(ssi->tmp_file_name, ssi->file_name) == -1) {
266 secsave_errno = SS_ERR_RENAME;
271 ret = 0; /* Success. */
274 if (ssi->tmp_file_name) g_free(ssi->tmp_file_name);
275 if (ssi->file_name) g_free(ssi->file_name);
276 if (ssi) g_free(ssi);
282 /** fputs() wrapper, set ssi->err to errno on error. If ssi->err is set when
283 * called, it immediatly returns EOF.
286 secure_fputs(SecureSaveInfo *ssi, const gchar *s)
290 if (!ssi || !ssi->fp || ssi->err) return EOF;
292 ret = fputs(s, ssi->fp);
294 secsave_errno = SS_ERR_OTHER;
302 /** fputc() wrapper, set ssi->err to errno on error. If ssi->err is set when
303 * called, it immediatly returns EOF.
306 secure_fputc(SecureSaveInfo *ssi, gint c)
310 if (!ssi || !ssi->fp || ssi->err) return EOF;
312 ret = fputc(c, ssi->fp);
315 secsave_errno = SS_ERR_OTHER;
321 /** fprintf() wrapper, set ssi->err to errno on error and return a negative
322 * value. If ssi->err is set when called, it immediatly returns -1.
325 secure_fprintf(SecureSaveInfo *ssi, const gchar *format, ...)
330 if (!ssi || !ssi->fp || ssi->err) return -1;
332 va_start(ap, format);
333 ret = vfprintf(ssi->fp, format, ap);
334 if (ret < 0) ssi->err = errno;
341 secsave_strerror(SecureSaveErrno secsave_error)
343 switch (secsave_error) {
344 case SS_ERR_OPEN_READ:
345 return _("Cannot read the file");
347 return _("Cannot get file status");
349 return _("Cannot access the file");
351 return _("Cannot create temp file");
353 return _("Cannot rename the file");
354 case SS_ERR_DISABLED:
355 return _("File saving disabled by option");
356 case SS_ERR_OUT_OF_MEM:
357 return _("Out of memory");
358 case SS_ERR_OPEN_WRITE:
359 return _("Cannot write the file");
360 case SS_ERR_NONE: /* Impossible. */
363 return _("Secure file saving error");