// openReadonlyFlags are flags for open* syscalls to safely read a file or
// directory.
//
-// O_NOFOLLOW prevents symlink attacks
+// O_NOFOLLOW prevents symlink attacks in the last path component
// O_NONBLOCK is necessary to prevent blocking on FIFOs
const openReadonlyFlags = unix.O_RDONLY | unix.O_NOFOLLOW | unix.O_NONBLOCK
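Review bot: `openReadonlyFlags` does not include `unix.O_CLOEXEC`, and `unix.Openat` does not add it on its own, so every descriptor opened with these flags (the `Openat` calls further down in this diff) is inherited by any child process started while it is open. If this program runs external commands, which is not visible here, the child would receive open file and directory descriptors it has no need for. Consider `const openReadonlyFlags = unix.O_RDONLY | unix.O_NOFOLLOW | unix.O_NONBLOCK | unix.O_CLOEXEC`, with a matching comment line such as `// O_CLOEXEC prevents leaking the descriptor to child processes`.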
func (s *Sync) syncFile(file *safcm.File, changed *bool) error {
// The general strategy is "update by rename": If any property of a
- // file changes it will be written to a temporary file and then
- // renamed "over" the original file. This is simple and prevents race
- // conditions where the file is partially readable while changes to
- // permissions or owner/group are applied. However, this strategy does
- // not work for directories which must be removed first (was
- // directory), must remove the existing file (will be directory) or
- // must be directly modified (changed permissions or owner). In the
+ // file changes the new version will be written to a temporary file
+ // and then renamed "over" the original file. This is simple and
+ // prevents race conditions where the file is partially readable while
+ // changes to permissions or owner/group are applied. However, this
+ // strategy does not work for directories which must be removed first
+ // (was directory), must remove the existing file (will be directory)
+ // or must be directly modified (changed permissions or owner). In the
// first two cases the old path is removed. In the last the directory
// is modified (carefully) in place.
//
// Some BSD systems permit changing permissions of
// symlinks but ignore them on traversal. To keep it
// simple we don't support that and always use 0777
- // for symlink permissions (the value on GNU/Linux).
+ // for symlink permissions (the value on GNU/Linux)
+ // when comparing. The actual permissions on the file
+ // system might be different on BSD systems.
//
// TODO: Add proper support for symlinks on BSD
change.Old.Mode |= 0777
// (accidentally) replacing a directory tree with a file.
const msg = "will not replace non-empty directory, " +
"please remove manually"
- err := unix.Unlinkat(parentFd, baseName, 0)
+ err := unix.Unlinkat(parentFd, baseName, 0 /* flags */)
if err != nil && !os.IsNotExist(err) {
err2 := unix.Unlinkat(parentFd, baseName,
unix.AT_REMOVEDIR)
err = unix.Fchownat(parentFd, tmpBase, file.Uid, file.Gid,
unix.AT_SYMLINK_NOFOLLOW)
if err != nil {
- unix.Unlinkat(parentFd, tmpBase, 0) //nolint:errcheck
+ unix.Unlinkat(parentFd, tmpBase, 0 /* flags */) //nolint:errcheck
return err
}
// Permissions are irrelevant for symlinks (on most systems)
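Review bot: The cleanup call `unix.Unlinkat(parentFd, tmpBase, 0 /* flags */) //nolint:errcheck` silences the linter without saying why the error is dropped, and the same pattern repeats after the failed `Renameat` and after the failed `fh.Write`. If the unlink fails, the temporary entry stays in the target directory with no trace of it. A short why-comment would help, e.g. `// Best-effort cleanup; the original error is more useful to the caller`. If the `debugf` helper used before the rename is in scope at these sites, the unlink error could also be reported through it. The enclosing function starts and ends outside the hunk.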
debugf("renaming %q", slashpath.Join(dir, tmpBase))
err = unix.Renameat(parentFd, tmpBase, parentFd, baseName)
if err != nil {
- unix.Unlinkat(parentFd, tmpBase, 0) //nolint:errcheck
+ unix.Unlinkat(parentFd, tmpBase, 0 /* flags */) //nolint:errcheck
return err
}
// To guarantee durability fsync must be called on a parent directory
}
}
- dirFd, err := unix.Openat(unix.AT_FDCWD, dir, openReadonlyFlags, 0)
+ dirFd, err := unix.Openat(unix.AT_FDCWD, dir,
+ openReadonlyFlags, 0 /* mode */)
if err != nil {
return -1, "", err
}
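Review bot: `unix.Openat(unix.AT_FDCWD, dir, openReadonlyFlags, 0 /* mode */)` resolves the whole `dir` path in one call, so, as the updated comment on `openReadonlyFlags` now states, only the last component is protected and a symlink in any earlier component is still followed. Whether callers guarantee that the parent directories are not writable by untrusted users cannot be seen from this hunk, so the assumption should be stated at the call site, e.g. `// O_NOFOLLOW only covers the last component of dir; all parent directories must be trusted`. If that guarantee does not hold, opening the path one component at a time with `Openat` and the same flags would extend the protection to every component. The enclosing function starts and ends outside the hunk.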
}
func OpenAtNoFollow(dirFd int, base string) (*os.File, error) {
- fd, err := unix.Openat(dirFd, base, openReadonlyFlags, 0)
+ fd, err := unix.Openat(dirFd, base, openReadonlyFlags, 0 /* mode */)
if err != nil {
return nil, err
}
_, err = fh.Write(data)
if err != nil {
fh.Close()
- unix.Unlinkat(dirFd, tmpBase, 0) //nolint:errcheck
+ unix.Unlinkat(dirFd, tmpBase, 0 /* flags */) //nolint:errcheck
return "", err
}
// createTempAt() creates the file with 0600