1 // MsgSyncReq: copy files to the remote host
3 // Copyright (C) 2021 Simon Ruderich
5 // This program is free software: you can redistribute it and/or modify
6 // it under the terms of the GNU General Public License as published by
7 // the Free Software Foundation, either version 3 of the License, or
8 // (at your option) any later version.
10 // This program is distributed in the hope that it will be useful,
11 // but WITHOUT ANY WARRANTY; without even the implied warranty of
12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 // GNU General Public License for more details.
15 // You should have received a copy of the GNU General Public License
16 // along with this program. If not, see <http://www.gnu.org/licenses/>.
38 "github.com/ianbruene/go-difflib/difflib"
39 "golang.org/x/sys/unix"
41 "ruderich.org/simon/safcm"
44 // NOTE: Don't use plain os.Open, os.OpenFile, os.Remove or any other function
45 // which uses absolute paths. These are vulnerable to symlink attacks. Always
46 // use *at syscalls. See below for details.
48 // openReadonlyFlags are flags for open* syscalls to safely read a file or
51 // O_NOFOLLOW prevents symlink attacks
52 // O_NONBLOCK is necessary to prevent blocking on FIFOs
53 const openReadonlyFlags = unix.O_RDONLY | unix.O_NOFOLLOW | unix.O_NONBLOCK
55 func (s *Sync) syncFiles() error {
56 // To create random file names for symlinks
57 rand.Seed(time.Now().UnixNano())
59 // Sort for deterministic order and so parent directories are present
60 // when files in them are created
61 var files []*safcm.File
62 for _, x := range s.req.Files {
63 files = append(files, x)
65 sort.Slice(files, func(i, j int) bool {
66 return files[i].Path < files[j].Path
69 for _, x := range files {
71 err := s.syncFile(x, &changed)
73 return fmt.Errorf("%q: %v", x.Path, err)
83 func (s *Sync) syncFile(file *safcm.File, changed *bool) error {
84 // The general strategy is "update by rename": If any property of a
85 // file changes it will be written to a temporary file and then
86 // renamed "over" the original file. This is simple and prevents race
87 // conditions where the file is partially readable while changes to
88 // permissions or owner/group are applied. However, this strategy does
89 // not work for directories which must be removed first (was
90 // directory), must remove the existing file (will be directory) or
91 // must be directly modified (changed permissions or owner). In the
92 // first two cases the old path is removed. In the last the directory
93 // is modified (carefully) in place.
95 // The implementation is careful not to follow any symlinks to prevent
96 // possible race conditions which can be exploited and are especially
97 // dangerous when running with elevated privileges (which will most
98 // likely be the case). This includes not using absolute paths in
99 // syscalls to prevent symlink attacks when a directory is writable by
100 // other users (e.g. when syncing a file to /home/user/dir/file the
101 // user could create dir as symlink to another directory and file
102 // would be written there). To prevent this *at syscalls are used and
103 // all symlinks in the path are rejected. This still permits the user
104 // to move dir during the sync but only to places which are writable
105 // by the user which cannot be prevented.
107 err := s.fileResolveIds(file)
112 change := safcm.FileChange{
114 New: safcm.FileChangeInfo{
123 debugf := func(format string, a ...interface{}) {
124 s.log.Debugf("files: %q (%s): %s",
125 file.Path, file.OrigGroup, fmt.Sprintf(format, a...))
127 verbosef := func(format string, a ...interface{}) {
128 s.log.Verbosef("files: %q (%s): %s",
129 file.Path, file.OrigGroup, fmt.Sprintf(format, a...))
132 parentFd, baseName, err := OpenParentDirectoryNoSymlinks(file.Path)
136 defer unix.Close(parentFd)
138 var oldStat unix.Stat_t
140 oldFh, err := OpenAtNoFollow(parentFd, baseName)
142 if err == unix.ELOOP || err == unix.EMLINK {
143 // ELOOP from symbolic link, this is fine
144 err := unix.Fstatat(parentFd, baseName, &oldStat,
145 unix.AT_SYMLINK_NOFOLLOW)
149 if oldStat.Mode&unix.S_IFMT != unix.S_IFLNK {
150 debugf("type changed from symlink, retrying")
153 } else if os.IsNotExist(err) {
154 change.Created = true
155 debugf("will create")
162 err := unix.Fstat(int(oldFh.Fd()), &oldStat)
169 var changeType, changePerm, changeUserOrGroup, changeData bool
171 // Manually convert to FileMode; from src/os/stat_linux.go in
172 // Go's sources (stat_*.go for other UNIX systems are
173 // identical, except for stat_darwin.go which has an extra
175 mode := fs.FileMode(oldStat.Mode & 0777)
176 switch oldStat.Mode & unix.S_IFMT {
178 mode |= fs.ModeDevice
180 mode |= fs.ModeDevice | fs.ModeCharDevice
184 mode |= fs.ModeNamedPipe
186 mode |= fs.ModeSymlink
190 mode |= fs.ModeSocket
191 // Guard against unknown file types (e.g. on darwin); not in
194 return fmt.Errorf("unexpected file mode %v",
195 oldStat.Mode&unix.S_IFMT)
197 if oldStat.Mode&unix.S_ISGID != 0 {
198 mode |= fs.ModeSetgid
200 if oldStat.Mode&unix.S_ISUID != 0 {
201 mode |= fs.ModeSetuid
203 if oldStat.Mode&unix.S_ISVTX != 0 {
204 mode |= fs.ModeSticky
207 // Compare permissions
208 change.Old.Mode = mode
209 if change.Old.Mode.Type() == fs.ModeSymlink {
210 // Some BSD systems permit changing permissions of
211 // symlinks but ignore them on traversal. To keep it
212 // simple we don't support that and always use 0777
213 // for symlink permissions (the value on GNU/Linux).
215 // TODO: Add proper support for symlinks on BSD
216 change.Old.Mode |= 0777
218 if change.Old.Mode != file.Mode {
219 if change.Old.Mode.Type() != file.Mode.Type() {
221 debugf("type differs %s -> %s",
222 change.Old.Mode.Type(),
225 // Be careful with .Perm() which does not
226 // contain the setuid/setgid/sticky bits!
228 debugf("permission differs %s -> %s",
229 change.Old.Mode, file.Mode)
233 // Compare user/group
234 change.Old.Uid = int(oldStat.Uid)
235 change.Old.Gid = int(oldStat.Gid)
236 if change.Old.Uid != file.Uid || change.Old.Gid != file.Gid {
237 changeUserOrGroup = true
238 debugf("uid/gid differs %d/%d -> %d/%d",
239 change.Old.Uid, change.Old.Gid,
242 u, g, err := resolveIdsToNames(change.Old.Uid, change.Old.Gid)
243 // Errors are not relevant as this is only used to report the
244 // change. If the user/group no longer exits only the ids will
251 // Compare file content (if possible)
252 switch change.Old.Mode.Type() {
253 case 0: // regular file
254 x, err := io.ReadAll(oldFh)
256 return fmt.Errorf("reading old content: %v",
261 buf := make([]byte, unix.PathMax)
262 n, err := unix.Readlinkat(parentFd, baseName, buf)
264 return fmt.Errorf("reading old content: %v",
269 if !changeType && file.Mode.Type() != fs.ModeDir {
270 if !bytes.Equal(oldData, file.Data) {
272 debugf("content differs")
278 if !change.Created && !changeType &&
279 !changePerm && !changeUserOrGroup &&
286 // Don't show a diff with the full content for newly created files or
287 // on type changes. This is just noise for the user as the new file
288 // content is obvious. But we always want to see a diff when files are
289 // replaced because this destroys data.
290 if !change.Created &&
291 (change.Old.Mode.Type() == 0 ||
292 change.Old.Mode.Type() == fs.ModeSymlink) {
293 change.DataDiff, err = diffData(oldData, file.Data)
299 // Add change here so it is stored even when applying it fails. This
300 // way the user knows exactly what was attempted.
301 s.resp.FileChanges = append(s.resp.FileChanges, change)
310 debugf("dry-run, skipping changes")
314 // We cannot rename over directories and vice versa
315 if changeType && (change.Old.Mode.IsDir() || file.Mode.IsDir()) {
316 debugf("removing (due to type change)")
317 // In the past os.RemoveAll() was used here. However, this is
318 // difficult to implement manually with *at syscalls. To keep
319 // it simple only permit removing files and empty directories
320 // here. This also has the bonus of preventing data loss when
321 // (accidentally) replacing a directory tree with a file.
322 const msg = "will not replace non-empty directory, " +
323 "please remove manually"
324 err := unix.Unlinkat(parentFd, baseName, 0)
325 if err != nil && !os.IsNotExist(err) {
326 err2 := unix.Unlinkat(parentFd, baseName,
328 if err2 != nil && !os.IsNotExist(err2) {
329 // See src/os/file_unix.go in Go's sources
330 if err2 == unix.ENOTDIR {
332 } else if err2 == unix.ENOTEMPTY {
333 return fmt.Errorf(msg)
341 // Directory: create new directory, also type change to directory
342 if file.Mode.IsDir() && (change.Created || changeType) {
343 debugf("creating directory")
344 err := unix.Mkdirat(parentFd, baseName, 0700)
348 // We must be careful not to chmod arbitrary files. If the
349 // target directory is writable then it might have changed to
350 // a symlink at this point. There's no lchmod and fchmodat is
351 // incomplete so open the directory.
352 debugf("chmodding %s", file.Mode)
353 dh, err := OpenAtNoFollow(parentFd, baseName)
359 err = dh.Chmod(file.Mode)
363 // Less restrictive access is not relevant here because there
364 // are no files present yet.
365 debugf("chowning %d/%d", file.Uid, file.Gid)
366 err = dh.Chown(file.Uid, file.Gid)
372 // Directory: changed permission or user/group
373 if file.Mode.IsDir() {
374 // We don't know if the new permission or if the new
375 // user/group is more restrictive (e.g. root:root 0750 ->
376 // user:group 0700; applying group first gives group
377 // unexpected access). To prevent a short window where the
378 // access might be too lax we temporarily deny all access.
379 if changePerm && changeUserOrGroup {
380 // Only drop group and other permission because user
381 // has access anyway (either before or after the
382 // change). This also prevents temporary errors during
383 // the error when the user tries to access this
384 // directory (access for the group will fail though).
385 mode := change.Old.Mode & fs.ModePerm & 0700
386 debugf("chmodding %#o (temporary)", mode)
387 err := oldFh.Chmod(mode)
392 if changeUserOrGroup {
393 debugf("chowning %d/%d", file.Uid, file.Gid)
394 err := oldFh.Chown(file.Uid, file.Gid)
400 debugf("chmodding %s", file.Mode)
401 err := oldFh.Chmod(file.Mode)
409 dir := slashpath.Dir(file.Path) // only used in debug messages
410 // Create hidden file which should be ignored by most other tools and
411 // thus not affect anything during creation
412 tmpBase := "." + baseName
414 switch file.Mode.Type() {
415 case 0: // regular file
416 debugf("creating temporary file %q",
417 slashpath.Join(dir, tmpBase+"*"))
418 x, err := WriteTempAt(parentFd, tmpBase, file.Data,
419 file.Uid, file.Gid, file.Mode)
428 x := tmpBase + strconv.Itoa(rand.Int())
429 debugf("creating temporary symlink %q",
430 slashpath.Join(dir, x))
431 err := unix.Symlinkat(string(file.Data), parentFd, x)
433 if os.IsExist(err) && i < 10000 {
441 err = unix.Fchownat(parentFd, tmpBase, file.Uid, file.Gid,
442 unix.AT_SYMLINK_NOFOLLOW)
444 unix.Unlinkat(parentFd, tmpBase, 0)
447 // Permissions are irrelevant for symlinks (on most systems)
450 panic(fmt.Sprintf("invalid file type %s", file.Mode))
453 debugf("renaming %q", slashpath.Join(dir, tmpBase))
454 err = unix.Renameat(parentFd, tmpBase, parentFd, baseName)
456 unix.Unlinkat(parentFd, tmpBase, 0)
459 // To guarantee durability fsync must be called on a parent directory
460 // after adding, renaming or removing files therein.
462 // Calling sync on the files itself is not enough according to POSIX; man 2
463 // fsync: "Calling fsync() does not necessarily ensure that the entry in the
464 // directory containing the file has also reached disk. For that an explicit
465 // fsync() on a file descriptor for the directory is also needed."
466 err = unix.Fsync(parentFd)
474 func (s *Sync) fileResolveIds(file *safcm.File) error {
475 if file.User != "" && file.Uid != -1 {
476 return fmt.Errorf("cannot set both User (%q) and Uid (%d)",
479 if file.Group != "" && file.Gid != -1 {
480 return fmt.Errorf("cannot set both Group (%q) and Gid (%d)",
481 file.Group, file.Gid)
484 if file.User == "" && file.Uid == -1 {
485 file.User = s.defaultUser
488 x, err := user.Lookup(file.User)
492 id, err := strconv.Atoi(x.Uid)
499 if file.Group == "" && file.Gid == -1 {
500 file.Group = s.defaultGroup
502 if file.Group != "" {
503 x, err := user.LookupGroup(file.Group)
507 id, err := strconv.Atoi(x.Gid)
517 // OpenParentDirectoryNoSymlinks opens the dirname of path without following
518 // any symlinks and returns a file descriptor to it and the basename of path.
519 // To prevent symlink attacks in earlier path components when these are
520 // writable by other users it starts at the root (or current directory for
521 // relative paths) and uses openat (with O_NOFOLLOW) for each path component.
522 // If a symlink is encountered it returns an error. However, it's impossible
523 // to guarantee that the returned descriptor refers to the same location as
524 // given in path because users with write access can rename path components.
525 // But this is not required to prevent the mentioned attacks.
526 func OpenParentDirectoryNoSymlinks(path string) (int, string, error) {
527 // Slash separated paths are used for the configuration
528 parts := strings.Split(path, "/")
532 // Root: use root itself as base name because root is the
535 parts = []string{"/"}
536 } else if parts[0] == "" {
540 } else if path == "." {
541 // Current directory: open parent directory and use current
542 // directory name as base name
543 wd, err := os.Getwd()
545 return -1, "", fmt.Errorf(
546 "failed to get working directory: %w", err)
549 parts = []string{filepath.Base(wd)}
550 } else if parts[0] != "." {
551 // Relative path: start at the current directory
555 dirFd, err := unix.Openat(unix.AT_FDCWD, dir, openReadonlyFlags, 0)
559 // Walk path one directory at a time to ensure there are no symlinks
560 // in the path. This prevents users with write access to change the
561 // path to point to arbitrary locations. O_NOFOLLOW when opening the
562 // path is not enough as only the last path component is checked.
563 for i, name := range parts[:len(parts)-1] {
564 fd, err := unix.Openat(dirFd, name, openReadonlyFlags, 0)
567 if err == unix.ELOOP || err == unix.EMLINK {
568 x := filepath.Join(append([]string{dir},
570 return -1, "", fmt.Errorf(
571 "symlink not permitted in path: %q",
580 return dirFd, parts[len(parts)-1], nil
583 func resolveIdsToNames(uid, gid int) (string, string, error) {
584 u, err := user.LookupId(strconv.Itoa(uid))
588 g, err := user.LookupGroupId(strconv.Itoa(gid))
592 return u.Username, g.Name, nil
595 func diffData(oldData []byte, newData []byte) (string, error) {
596 oldBin := !strings.HasPrefix(http.DetectContentType(oldData), "text/")
597 newBin := !strings.HasPrefix(http.DetectContentType(newData), "text/")
598 if oldBin && newBin {
599 return fmt.Sprintf("Binary files differ (%d -> %d bytes), "+
600 "cannot show diff", len(oldData), len(newData)), nil
603 oldData = []byte(fmt.Sprintf("<binary content, %d bytes>\n",
607 newData = []byte(fmt.Sprintf("<binary content, %d bytes>\n",
611 // TODO: difflib shows empty context lines at the end of the file
612 // which should not be there
613 // TODO: difflib has issues with missing newlines in either side
614 result, err := difflib.GetUnifiedDiffString(difflib.LineDiffParams{
615 A: difflib.SplitLines(string(oldData)),
616 B: difflib.SplitLines(string(newData)),
625 func OpenFileNoSymlinks(path string) (*os.File, error) {
626 parentFd, baseName, err := OpenParentDirectoryNoSymlinks(path)
630 defer unix.Close(parentFd)
631 return OpenAtNoFollow(parentFd, baseName)
634 func OpenAtNoFollow(dirFd int, base string) (*os.File, error) {
635 fd, err := unix.Openat(dirFd, base, openReadonlyFlags, 0)
639 return os.NewFile(uintptr(fd), ""), nil
642 func WriteTempAt(dirFd int, base string, data []byte, uid, gid int,
643 mode fs.FileMode) (string, error) {
645 fh, tmpBase, err := createTempAt(dirFd, base)
650 _, err = fh.Write(data)
653 unix.Unlinkat(dirFd, tmpBase, 0)
656 // createTempAt() creates the file with 0600
657 err = fh.Chown(uid, gid)
660 unix.Unlinkat(dirFd, tmpBase, 0)
666 unix.Unlinkat(dirFd, tmpBase, 0)
672 unix.Unlinkat(dirFd, tmpBase, 0)
677 unix.Unlinkat(dirFd, tmpBase, 0)
684 // createTempAt works similar to os.CreateTemp but uses unix.Openat to create
685 // the temporary file.
686 func createTempAt(dirFd int, base string) (*os.File, string, error) {
691 tmpBase = base + strconv.Itoa(rand.Int())
693 fd, err := unix.Openat(dirFd, tmpBase,
694 unix.O_RDWR|unix.O_CREAT|unix.O_EXCL, 0600)
696 if os.IsExist(err) && i < 10000 {
703 return os.NewFile(uintptr(fd), ""), tmpBase, nil
ruderich.org/simon / safcm / safcm.git / blob