1 /* copy.c -- core functions for copying files and directories
2 Copyright (C) 1989-2020 Free Software Foundation, Inc.
3
4 This program is free software: you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation, either version 3 of the License, or
7 (at your option) any later version.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <https://www.gnu.org/licenses/>. */
16
17 /* Extracted from cp.c and librarified by Jim Meyering. */
18
19 #include <config.h>
20 #include <stdio.h>
21 #include <assert.h>
22 #include <sys/ioctl.h>
23 #include <sys/types.h>
24 #include <selinux/selinux.h>
25
26 #if HAVE_HURD_H
27 # include <hurd.h>
28 #endif
29 #if HAVE_PRIV_H
30 # include <priv.h>
31 #endif
32
33 #include "system.h"
34 #include "acl.h"
35 #include "backupfile.h"
36 #include "buffer-lcm.h"
37 #include "canonicalize.h"
38 #include "copy.h"
39 #include "cp-hash.h"
40 #include "extent-scan.h"
41 #include "die.h"
42 #include "error.h"
43 #include "fadvise.h"
44 #include "fcntl--.h"
45 #include "fiemap.h"
46 #include "file-set.h"
47 #include "filemode.h"
48 #include "filenamecat.h"
49 #include "force-link.h"
50 #include "full-write.h"
51 #include "hash.h"
52 #include "hash-triple.h"
53 #include "ignore-value.h"
54 #include "ioblksize.h"
55 #include "quote.h"
56 #include "renameatu.h"
57 #include "root-uid.h"
58 #include "same.h"
59 #include "savedir.h"
60 #include "stat-size.h"
61 #include "stat-time.h"
62 #include "utimecmp.h"
63 #include "utimens.h"
64 #include "write-any-file.h"
65 #include "areadlink.h"
66 #include "yesno.h"
67 #include "selinux.h"
68
69 #if USE_XATTR
70 # include <attr/error_context.h>
71 # include <attr/libattr.h>
72 # include <stdarg.h>
73 # include "verror.h"
74 #endif
75
76 #if HAVE_LINUX_FALLOC_H
77 # include <linux/falloc.h>
78 #endif
79
80 /* See HAVE_FALLOCATE workaround when including this file. */
81 #ifdef HAVE_LINUX_FS_H
82 # include <linux/fs.h>
83 #endif
84
85 #if !defined FICLONE && defined __linux__
86 # define FICLONE _IOW (0x94, 9, int)
87 #endif
88
89 #ifndef HAVE_FCHOWN
90 # define HAVE_FCHOWN false
91 # define fchown(fd, uid, gid) (-1)
92 #endif
93
94 #ifndef HAVE_LCHOWN
95 # define HAVE_LCHOWN false
96 # define lchown(name, uid, gid) chown (name, uid, gid)
97 #endif
98
99 #ifndef HAVE_MKFIFO
100 static int
rpl_mkfifo(char const * file,mode_t mode)101 rpl_mkfifo (char const *file, mode_t mode)
102 {
103 errno = ENOTSUP;
104 return -1;
105 }
106 # define mkfifo rpl_mkfifo
107 #endif
108
109 #ifndef USE_ACL
110 # define USE_ACL 0
111 #endif
112
113 #define SAME_OWNER(A, B) ((A).st_uid == (B).st_uid)
114 #define SAME_GROUP(A, B) ((A).st_gid == (B).st_gid)
115 #define SAME_OWNER_AND_GROUP(A, B) (SAME_OWNER (A, B) && SAME_GROUP (A, B))
116
117 /* LINK_FOLLOWS_SYMLINKS is tri-state; if it is -1, we don't know
118 how link() behaves, so assume we can't hardlink symlinks in that case. */
119 #if (defined HAVE_LINKAT && ! LINKAT_SYMLINK_NOTSUP) || ! LINK_FOLLOWS_SYMLINKS
120 # define CAN_HARDLINK_SYMLINKS 1
121 #else
122 # define CAN_HARDLINK_SYMLINKS 0
123 #endif
124
125 struct dir_list
126 {
127 struct dir_list *parent;
128 ino_t ino;
129 dev_t dev;
130 };
131
132 /* Initial size of the cp.dest_info hash table. */
133 #define DEST_INFO_INITIAL_CAPACITY 61
134
135 static bool copy_internal (char const *src_name, char const *dst_name,
136 bool new_dst, struct stat const *parent,
137 struct dir_list *ancestors,
138 const struct cp_options *x,
139 bool command_line_arg,
140 bool *first_dir_created_per_command_line_arg,
141 bool *copy_into_self,
142 bool *rename_succeeded);
143 static bool owner_failure_ok (struct cp_options const *x);
144
145 /* Pointers to the file names: they're used in the diagnostic that is issued
146 when we detect the user is trying to copy a directory into itself. */
147 static char const *top_level_src_name;
148 static char const *top_level_dst_name;
149
150 #ifndef DEV_FD_MIGHT_BE_CHR
151 # define DEV_FD_MIGHT_BE_CHR false
152 #endif
153
154 /* Act like fstat (DIRFD, FILENAME, ST, FLAGS), except when following
155 symbolic links on Solaris-like systems, treat any character-special
156 device like /dev/fd/0 as if it were the file it is open on. */
157 static int
follow_fstatat(int dirfd,char const * filename,struct stat * st,int flags)158 follow_fstatat (int dirfd, char const *filename, struct stat *st, int flags)
159 {
160 int result = fstatat (dirfd, filename, st, flags);
161
162 if (DEV_FD_MIGHT_BE_CHR && result == 0 && !(flags & AT_SYMLINK_NOFOLLOW)
163 && S_ISCHR (st->st_mode))
164 {
165 static dev_t stdin_rdev;
166 static signed char stdin_rdev_status;
167 if (stdin_rdev_status == 0)
168 {
169 struct stat stdin_st;
170 if (stat ("/dev/stdin", &stdin_st) == 0 && S_ISCHR (stdin_st.st_mode)
171 && minor (stdin_st.st_rdev) == STDIN_FILENO)
172 {
173 stdin_rdev = stdin_st.st_rdev;
174 stdin_rdev_status = 1;
175 }
176 else
177 stdin_rdev_status = -1;
178 }
179 if (0 < stdin_rdev_status && major (stdin_rdev) == major (st->st_rdev))
180 result = fstat (minor (st->st_rdev), st);
181 }
182
183 return result;
184 }
185
186 /* Set the timestamp of symlink, FILE, to TIMESPEC.
187 If this system lacks support for that, simply return 0. */
188 static inline int
utimens_symlink(char const * file,struct timespec const * timespec)189 utimens_symlink (char const *file, struct timespec const *timespec)
190 {
191 int err = lutimens (file, timespec);
192 /* When configuring on a system with new headers and libraries, and
193 running on one with a kernel that is old enough to lack the syscall,
194 utimensat fails with ENOSYS. Ignore that. */
195 if (err && errno == ENOSYS)
196 err = 0;
197 return err;
198 }
199
200 /* Attempt to punch a hole to avoid any permanent
201 speculative preallocation on file systems such as XFS.
202 Return values as per fallocate(2) except ENOSYS etc. are ignored. */
203
204 static int
punch_hole(int fd,off_t offset,off_t length)205 punch_hole (int fd, off_t offset, off_t length)
206 {
207 int ret = 0;
208 /* +0 is to work around older <linux/fs.h> defining HAVE_FALLOCATE to empty. */
209 #if HAVE_FALLOCATE + 0
210 # if defined FALLOC_FL_PUNCH_HOLE && defined FALLOC_FL_KEEP_SIZE
211 ret = fallocate (fd, FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE,
212 offset, length);
213 if (ret < 0 && (is_ENOTSUP (errno) || errno == ENOSYS))
214 ret = 0;
215 # endif
216 #endif
217 return ret;
218 }
219
220 /* Create a hole at the end of a file,
221 avoiding preallocation if requested. */
222
223 static bool
create_hole(int fd,char const * name,bool punch_holes,off_t size)224 create_hole (int fd, char const *name, bool punch_holes, off_t size)
225 {
226 off_t file_end = lseek (fd, size, SEEK_CUR);
227
228 if (file_end < 0)
229 {
230 error (0, errno, _("cannot lseek %s"), quoteaf (name));
231 return false;
232 }
233
234 /* Some file systems (like XFS) preallocate when write extending a file.
235 I.e., a previous write() may have preallocated extra space
236 that the seek above will not discard. A subsequent write() could
237 then make this allocation permanent. */
238 if (punch_holes && punch_hole (fd, file_end - size, size) < 0)
239 {
240 error (0, errno, _("error deallocating %s"), quoteaf (name));
241 return false;
242 }
243
244 return true;
245 }
246
247
248 /* Copy the regular file open on SRC_FD/SRC_NAME to DST_FD/DST_NAME,
249 honoring the MAKE_HOLES setting and using the BUF_SIZE-byte buffer
250 BUF for temporary storage. Copy no more than MAX_N_READ bytes.
251 Return true upon successful completion;
252 print a diagnostic and return false upon error.
253 Note that for best results, BUF should be "well"-aligned.
254 BUF must have sizeof(uintptr_t)-1 bytes of additional space
255 beyond BUF[BUF_SIZE-1].
256 Set *LAST_WRITE_MADE_HOLE to true if the final operation on
257 DEST_FD introduced a hole. Set *TOTAL_N_READ to the number of
258 bytes read. */
259 static bool
sparse_copy(int src_fd,int dest_fd,char * buf,size_t buf_size,size_t hole_size,bool punch_holes,char const * src_name,char const * dst_name,uintmax_t max_n_read,off_t * total_n_read,bool * last_write_made_hole)260 sparse_copy (int src_fd, int dest_fd, char *buf, size_t buf_size,
261 size_t hole_size, bool punch_holes,
262 char const *src_name, char const *dst_name,
263 uintmax_t max_n_read, off_t *total_n_read,
264 bool *last_write_made_hole)
265 {
266 *last_write_made_hole = false;
267 *total_n_read = 0;
268 bool make_hole = false;
269 off_t psize = 0;
270
271 while (max_n_read)
272 {
273 ssize_t n_read = read (src_fd, buf, MIN (max_n_read, buf_size));
274 if (n_read < 0)
275 {
276 if (errno == EINTR)
277 continue;
278 error (0, errno, _("error reading %s"), quoteaf (src_name));
279 return false;
280 }
281 if (n_read == 0)
282 break;
283 max_n_read -= n_read;
284 *total_n_read += n_read;
285
286 /* Loop over the input buffer in chunks of hole_size. */
287 size_t csize = hole_size ? hole_size : buf_size;
288 char *cbuf = buf;
289 char *pbuf = buf;
290
291 while (n_read)
292 {
293 bool prev_hole = make_hole;
294 csize = MIN (csize, n_read);
295
296 if (hole_size && csize)
297 make_hole = is_nul (cbuf, csize);
298
299 bool transition = (make_hole != prev_hole) && psize;
300 bool last_chunk = (n_read == csize && ! make_hole) || ! csize;
301
302 if (transition || last_chunk)
303 {
304 if (! transition)
305 psize += csize;
306
307 if (! prev_hole)
308 {
309 if (full_write (dest_fd, pbuf, psize) != psize)
310 {
311 error (0, errno, _("error writing %s"),
312 quoteaf (dst_name));
313 return false;
314 }
315 }
316 else
317 {
318 if (! create_hole (dest_fd, dst_name, punch_holes, psize))
319 return false;
320 }
321
322 pbuf = cbuf;
323 psize = csize;
324
325 if (last_chunk)
326 {
327 if (! csize)
328 n_read = 0; /* Finished processing buffer. */
329
330 if (transition)
331 csize = 0; /* Loop again to deal with last chunk. */
332 else
333 psize = 0; /* Reset for next read loop. */
334 }
335 }
336 else /* Coalesce writes/seeks. */
337 {
338 if (INT_ADD_WRAPV (psize, csize, &psize))
339 {
340 error (0, 0, _("overflow reading %s"), quoteaf (src_name));
341 return false;
342 }
343 }
344
345 n_read -= csize;
346 cbuf += csize;
347 }
348
349 *last_write_made_hole = make_hole;
350
351 /* It's tempting to break early here upon a short read from
352 a regular file. That would save the final read syscall
353 for each file. Unfortunately that doesn't work for
354 certain files in /proc or /sys with linux kernels. */
355 }
356
357 /* Ensure a trailing hole is created, so that subsequent
358 calls of sparse_copy() start at the correct offset. */
359 if (make_hole && ! create_hole (dest_fd, dst_name, punch_holes, psize))
360 return false;
361 else
362 return true;
363 }
364
365 /* Perform the O(1) btrfs clone operation, if possible.
366 Upon success, return 0. Otherwise, return -1 and set errno. */
367 static inline int
clone_file(int dest_fd,int src_fd)368 clone_file (int dest_fd, int src_fd)
369 {
370 #ifdef FICLONE
371 return ioctl (dest_fd, FICLONE, src_fd);
372 #else
373 (void) dest_fd;
374 (void) src_fd;
375 errno = ENOTSUP;
376 return -1;
377 #endif
378 }
379
380 /* Write N_BYTES zero bytes to file descriptor FD. Return true if successful.
381 Upon write failure, set errno and return false. */
382 static bool
write_zeros(int fd,off_t n_bytes)383 write_zeros (int fd, off_t n_bytes)
384 {
385 static char *zeros;
386 static size_t nz = IO_BUFSIZE;
387
388 /* Attempt to use a relatively large calloc'd source buffer for
389 efficiency, but if that allocation fails, resort to a smaller
390 statically allocated one. */
391 if (zeros == NULL)
392 {
393 static char fallback[1024];
394 zeros = calloc (nz, 1);
395 if (zeros == NULL)
396 {
397 zeros = fallback;
398 nz = sizeof fallback;
399 }
400 }
401
402 while (n_bytes)
403 {
404 size_t n = MIN (nz, n_bytes);
405 if ((full_write (fd, zeros, n)) != n)
406 return false;
407 n_bytes -= n;
408 }
409
410 return true;
411 }
412
413 /* Perform an efficient extent copy, if possible. This avoids
414 the overhead of detecting holes in hole-introducing/preserving
415 copy, and thus makes copying sparse files much more efficient.
416 Upon a successful copy, return true. If the initial extent scan
417 fails, set *NORMAL_COPY_REQUIRED to true and return false.
418 Upon any other failure, set *NORMAL_COPY_REQUIRED to false and
419 return false. */
420 static bool
extent_copy(int src_fd,int dest_fd,char * buf,size_t buf_size,size_t hole_size,off_t src_total_size,enum Sparse_type sparse_mode,char const * src_name,char const * dst_name,bool * require_normal_copy)421 extent_copy (int src_fd, int dest_fd, char *buf, size_t buf_size,
422 size_t hole_size, off_t src_total_size,
423 enum Sparse_type sparse_mode,
424 char const *src_name, char const *dst_name,
425 bool *require_normal_copy)
426 {
427 struct extent_scan scan;
428 off_t last_ext_start = 0;
429 off_t last_ext_len = 0;
430
431 /* Keep track of the output position.
432 We may need this at the end, for a final ftruncate. */
433 off_t dest_pos = 0;
434
435 extent_scan_init (src_fd, &scan);
436
437 *require_normal_copy = false;
438 bool wrote_hole_at_eof = true;
439 do
440 {
441 bool ok = extent_scan_read (&scan);
442 if (! ok)
443 {
444 if (scan.hit_final_extent)
445 break;
446
447 if (scan.initial_scan_failed)
448 {
449 *require_normal_copy = true;
450 return false;
451 }
452
453 error (0, errno, _("%s: failed to get extents info"),
454 quotef (src_name));
455 return false;
456 }
457
458 bool empty_extent = false;
459 for (unsigned int i = 0; i < scan.ei_count || empty_extent; i++)
460 {
461 off_t ext_start;
462 off_t ext_len;
463 off_t ext_hole_size;
464
465 if (i < scan.ei_count)
466 {
467 ext_start = scan.ext_info[i].ext_logical;
468 ext_len = scan.ext_info[i].ext_length;
469 }
470 else /* empty extent at EOF. */
471 {
472 i--;
473 ext_start = last_ext_start + scan.ext_info[i].ext_length;
474 ext_len = 0;
475 }
476
477 /* Truncate extent to EOF. Extents starting after EOF are
478 treated as zero length extents starting right after EOF.
479 Generally this will trigger with an extent starting after
480 src_total_size, and result in creating a hole or zeros until EOF.
481 Though in a file in which extents have changed since src_total_size
482 was determined, we might have an extent spanning that size,
483 in which case we'll only copy data up to that size. */
484 if (src_total_size < ext_start + ext_len)
485 {
486 if (src_total_size < ext_start)
487 ext_start = src_total_size;
488 ext_len = src_total_size - ext_start;
489 }
490
491 ext_hole_size = ext_start - last_ext_start - last_ext_len;
492
493 wrote_hole_at_eof = false;
494
495 if (ext_hole_size)
496 {
497 if (lseek (src_fd, ext_start, SEEK_SET) < 0)
498 {
499 error (0, errno, _("cannot lseek %s"), quoteaf (src_name));
500 fail:
501 extent_scan_free (&scan);
502 return false;
503 }
504
505 if ((empty_extent && sparse_mode == SPARSE_ALWAYS)
506 || (!empty_extent && sparse_mode != SPARSE_NEVER))
507 {
508 if (! create_hole (dest_fd, dst_name,
509 sparse_mode == SPARSE_ALWAYS,
510 ext_hole_size))
511 goto fail;
512 wrote_hole_at_eof = true;
513 }
514 else
515 {
516 /* When not inducing holes and when there is a hole between
517 the end of the previous extent and the beginning of the
518 current one, write zeros to the destination file. */
519 off_t nzeros = ext_hole_size;
520 if (empty_extent)
521 nzeros = MIN (src_total_size - dest_pos, ext_hole_size);
522
523 if (! write_zeros (dest_fd, nzeros))
524 {
525 error (0, errno, _("%s: write failed"),
526 quotef (dst_name));
527 goto fail;
528 }
529
530 dest_pos = MIN (src_total_size, ext_start);
531 }
532 }
533
534 last_ext_start = ext_start;
535
536 /* Treat an unwritten but allocated extent much like a hole.
537 I.e., don't read, but don't convert to a hole in the destination,
538 unless SPARSE_ALWAYS. */
539 /* For now, do not treat FIEMAP_EXTENT_UNWRITTEN specially,
540 because that (in combination with no sync) would lead to data
541 loss at least on XFS and ext4 when using 2.6.39-rc3 kernels. */
542 if (0 && (scan.ext_info[i].ext_flags & FIEMAP_EXTENT_UNWRITTEN))
543 {
544 empty_extent = true;
545 last_ext_len = 0;
546 if (ext_len == 0) /* The last extent is empty and processed. */
547 empty_extent = false;
548 }
549 else
550 {
551 off_t n_read;
552 empty_extent = false;
553 last_ext_len = ext_len;
554 bool read_hole;
555
556 if ( ! sparse_copy (src_fd, dest_fd, buf, buf_size,
557 sparse_mode == SPARSE_ALWAYS ? hole_size: 0,
558 true, src_name, dst_name, ext_len, &n_read,
559 &read_hole))
560 goto fail;
561
562 dest_pos = ext_start + n_read;
563 if (n_read)
564 wrote_hole_at_eof = read_hole;
565 }
566
567 /* If the file ends with unwritten extents not accounted for in the
568 size, then skip processing them, and the associated redundant
569 read() calls which will always return 0. We will need to
570 remove this when we add fallocate() so that we can maintain
571 extents beyond the apparent size. */
572 if (dest_pos == src_total_size)
573 {
574 scan.hit_final_extent = true;
575 break;
576 }
577 }
578
579 /* Release the space allocated to scan->ext_info. */
580 extent_scan_free (&scan);
581
582 }
583 while (! scan.hit_final_extent);
584
585 /* When the source file ends with a hole, we have to do a little more work,
586 since the above copied only up to and including the final extent.
587 In order to complete the copy, we may have to insert a hole or write
588 zeros in the destination corresponding to the source file's hole-at-EOF.
589
590 In addition, if the final extent was a block of zeros at EOF and we've
591 just converted them to a hole in the destination, we must call ftruncate
592 here in order to record the proper length in the destination. */
593 if ((dest_pos < src_total_size || wrote_hole_at_eof)
594 && (sparse_mode != SPARSE_NEVER
595 ? ftruncate (dest_fd, src_total_size)
596 : ! write_zeros (dest_fd, src_total_size - dest_pos)))
597 {
598 error (0, errno, _("failed to extend %s"), quoteaf (dst_name));
599 return false;
600 }
601
602 if (sparse_mode == SPARSE_ALWAYS && dest_pos < src_total_size
603 && punch_hole (dest_fd, dest_pos, src_total_size - dest_pos) < 0)
604 {
605 error (0, errno, _("error deallocating %s"), quoteaf (dst_name));
606 return false;
607 }
608
609 return true;
610 }
611
612 /* FIXME: describe */
613 /* FIXME: rewrite this to use a hash table so we avoid the quadratic
614 performance hit that's probably noticeable only on trees deeper
615 than a few hundred levels. See use of active_dir_map in remove.c */
616
617 static bool _GL_ATTRIBUTE_PURE
is_ancestor(const struct stat * sb,const struct dir_list * ancestors)618 is_ancestor (const struct stat *sb, const struct dir_list *ancestors)
619 {
620 while (ancestors != 0)
621 {
622 if (ancestors->ino == sb->st_ino && ancestors->dev == sb->st_dev)
623 return true;
624 ancestors = ancestors->parent;
625 }
626 return false;
627 }
628
629 static bool
errno_unsupported(int err)630 errno_unsupported (int err)
631 {
632 return err == ENOTSUP || err == ENODATA;
633 }
634
635 #if USE_XATTR
636 static void
copy_attr_error(struct error_context * ctx _GL_UNUSED,char const * fmt,...)637 copy_attr_error (struct error_context *ctx _GL_UNUSED,
638 char const *fmt, ...)
639 {
640 if (!errno_unsupported (errno))
641 {
642 int err = errno;
643 va_list ap;
644
645 /* use verror module to print error message */
646 va_start (ap, fmt);
647 verror (0, err, fmt, ap);
648 va_end (ap);
649 }
650 }
651
652 static void
copy_attr_allerror(struct error_context * ctx _GL_UNUSED,char const * fmt,...)653 copy_attr_allerror (struct error_context *ctx _GL_UNUSED,
654 char const *fmt, ...)
655 {
656 int err = errno;
657 va_list ap;
658
659 /* use verror module to print error message */
660 va_start (ap, fmt);
661 verror (0, err, fmt, ap);
662 va_end (ap);
663 }
664
665 static char const *
copy_attr_quote(struct error_context * ctx _GL_UNUSED,char const * str)666 copy_attr_quote (struct error_context *ctx _GL_UNUSED, char const *str)
667 {
668 return quoteaf (str);
669 }
670
671 static void
copy_attr_free(struct error_context * ctx _GL_UNUSED,char const * str _GL_UNUSED)672 copy_attr_free (struct error_context *ctx _GL_UNUSED,
673 char const *str _GL_UNUSED)
674 {
675 }
676
677 /* Exclude SELinux extended attributes that are otherwise handled,
678 and are problematic to copy again. Also honor attributes
679 configured for exclusion in /etc/xattr.conf.
680 FIXME: Should we handle POSIX ACLs similarly?
681 Return zero to skip. */
682 static int
check_selinux_attr(const char * name,struct error_context * ctx)683 check_selinux_attr (const char *name, struct error_context *ctx)
684 {
685 return STRNCMP_LIT (name, "security.selinux")
686 && attr_copy_check_permissions (name, ctx);
687 }
688
689 /* If positive SRC_FD and DST_FD descriptors are passed,
690 then copy by fd, otherwise copy by name. */
691
692 static bool
copy_attr(char const * src_path,int src_fd,char const * dst_path,int dst_fd,struct cp_options const * x)693 copy_attr (char const *src_path, int src_fd,
694 char const *dst_path, int dst_fd, struct cp_options const *x)
695 {
696 int ret;
697 bool all_errors = (!x->data_copy_required || x->require_preserve_xattr);
698 bool some_errors = (!all_errors && !x->reduce_diagnostics);
699 bool selinux_done = (x->preserve_security_context || x->set_security_context);
700 struct error_context ctx =
701 {
702 .error = all_errors ? copy_attr_allerror : copy_attr_error,
703 .quote = copy_attr_quote,
704 .quote_free = copy_attr_free
705 };
706 if (0 <= src_fd && 0 <= dst_fd)
707 ret = attr_copy_fd (src_path, src_fd, dst_path, dst_fd,
708 selinux_done ? check_selinux_attr : NULL,
709 (all_errors || some_errors ? &ctx : NULL));
710 else
711 ret = attr_copy_file (src_path, dst_path,
712 selinux_done ? check_selinux_attr : NULL,
713 (all_errors || some_errors ? &ctx : NULL));
714
715 return ret == 0;
716 }
717 #else /* USE_XATTR */
718
719 static bool
copy_attr(char const * src_path _GL_UNUSED,int src_fd _GL_UNUSED,char const * dst_path _GL_UNUSED,int dst_fd _GL_UNUSED,struct cp_options const * x _GL_UNUSED)720 copy_attr (char const *src_path _GL_UNUSED,
721 int src_fd _GL_UNUSED,
722 char const *dst_path _GL_UNUSED,
723 int dst_fd _GL_UNUSED,
724 struct cp_options const *x _GL_UNUSED)
725 {
726 return true;
727 }
728 #endif /* USE_XATTR */
729
730 /* Read the contents of the directory SRC_NAME_IN, and recursively
731 copy the contents to DST_NAME_IN. NEW_DST is true if
732 DST_NAME_IN is a directory that was created previously in the
733 recursion. SRC_SB and ANCESTORS describe SRC_NAME_IN.
734 Set *COPY_INTO_SELF if SRC_NAME_IN is a parent of
735 (or the same as) DST_NAME_IN; otherwise, clear it.
736 Propagate *FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG from
737 caller to each invocation of copy_internal. Be careful to
738 pass the address of a temporary, and to update
739 *FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG only upon completion.
740 Return true if successful. */
741
742 static bool
copy_dir(char const * src_name_in,char const * dst_name_in,bool new_dst,const struct stat * src_sb,struct dir_list * ancestors,const struct cp_options * x,bool * first_dir_created_per_command_line_arg,bool * copy_into_self)743 copy_dir (char const *src_name_in, char const *dst_name_in, bool new_dst,
744 const struct stat *src_sb, struct dir_list *ancestors,
745 const struct cp_options *x,
746 bool *first_dir_created_per_command_line_arg,
747 bool *copy_into_self)
748 {
749 char *name_space;
750 char *namep;
751 struct cp_options non_command_line_options = *x;
752 bool ok = true;
753
754 name_space = savedir (src_name_in, SAVEDIR_SORT_FASTREAD);
755 if (name_space == NULL)
756 {
757 /* This diagnostic is a bit vague because savedir can fail in
758 several different ways. */
759 error (0, errno, _("cannot access %s"), quoteaf (src_name_in));
760 return false;
761 }
762
763 /* For cp's -H option, dereference command line arguments, but do not
764 dereference symlinks that are found via recursive traversal. */
765 if (x->dereference == DEREF_COMMAND_LINE_ARGUMENTS)
766 non_command_line_options.dereference = DEREF_NEVER;
767
768 bool new_first_dir_created = false;
769 namep = name_space;
770 while (*namep != '\0')
771 {
772 bool local_copy_into_self;
773 char *src_name = file_name_concat (src_name_in, namep, NULL);
774 char *dst_name = file_name_concat (dst_name_in, namep, NULL);
775 bool first_dir_created = *first_dir_created_per_command_line_arg;
776
777 ok &= copy_internal (src_name, dst_name, new_dst, src_sb,
778 ancestors, &non_command_line_options, false,
779 &first_dir_created,
780 &local_copy_into_self, NULL);
781 *copy_into_self |= local_copy_into_self;
782
783 free (dst_name);
784 free (src_name);
785
786 /* If we're copying into self, there's no point in continuing,
787 and in fact, that would even infloop, now that we record only
788 the first created directory per command line argument. */
789 if (local_copy_into_self)
790 break;
791
792 new_first_dir_created |= first_dir_created;
793 namep += strlen (namep) + 1;
794 }
795 free (name_space);
796 *first_dir_created_per_command_line_arg = new_first_dir_created;
797
798 return ok;
799 }
800
801 /* Set the owner and owning group of DEST_DESC to the st_uid and
802 st_gid fields of SRC_SB. If DEST_DESC is undefined (-1), set
803 the owner and owning group of DST_NAME instead; for
804 safety prefer lchown if the system supports it since no
805 symbolic links should be involved. DEST_DESC must
806 refer to the same file as DEST_NAME if defined.
807 Upon failure to set both UID and GID, try to set only the GID.
808 NEW_DST is true if the file was newly created; otherwise,
809 DST_SB is the status of the destination.
810 Return 1 if the initial syscall succeeds, 0 if it fails but it's OK
811 not to preserve ownership, -1 otherwise. */
812
813 static int
set_owner(const struct cp_options * x,char const * dst_name,int dest_desc,struct stat const * src_sb,bool new_dst,struct stat const * dst_sb)814 set_owner (const struct cp_options *x, char const *dst_name, int dest_desc,
815 struct stat const *src_sb, bool new_dst,
816 struct stat const *dst_sb)
817 {
818 uid_t uid = src_sb->st_uid;
819 gid_t gid = src_sb->st_gid;
820
821 /* Naively changing the ownership of an already-existing file before
822 changing its permissions would create a window of vulnerability if
823 the file's old permissions are too generous for the new owner and
824 group. Avoid the window by first changing to a restrictive
825 temporary mode if necessary. */
826
827 if (!new_dst && (x->preserve_mode || x->move_mode || x->set_mode))
828 {
829 mode_t old_mode = dst_sb->st_mode;
830 mode_t new_mode =
831 (x->preserve_mode || x->move_mode ? src_sb->st_mode : x->mode);
832 mode_t restrictive_temp_mode = old_mode & new_mode & S_IRWXU;
833
834 if ((USE_ACL
835 || (old_mode & CHMOD_MODE_BITS
836 & (~new_mode | S_ISUID | S_ISGID | S_ISVTX)))
837 && qset_acl (dst_name, dest_desc, restrictive_temp_mode) != 0)
838 {
839 if (! owner_failure_ok (x))
840 error (0, errno, _("clearing permissions for %s"),
841 quoteaf (dst_name));
842 return -x->require_preserve;
843 }
844 }
845
846 if (HAVE_FCHOWN && dest_desc != -1)
847 {
848 if (fchown (dest_desc, uid, gid) == 0)
849 return 1;
850 if (errno == EPERM || errno == EINVAL)
851 {
852 /* We've failed to set *both*. Now, try to set just the group
853 ID, but ignore any failure here, and don't change errno. */
854 int saved_errno = errno;
855 ignore_value (fchown (dest_desc, -1, gid));
856 errno = saved_errno;
857 }
858 }
859 else
860 {
861 if (lchown (dst_name, uid, gid) == 0)
862 return 1;
863 if (errno == EPERM || errno == EINVAL)
864 {
865 /* We've failed to set *both*. Now, try to set just the group
866 ID, but ignore any failure here, and don't change errno. */
867 int saved_errno = errno;
868 ignore_value (lchown (dst_name, -1, gid));
869 errno = saved_errno;
870 }
871 }
872
873 if (! chown_failure_ok (x))
874 {
875 error (0, errno, _("failed to preserve ownership for %s"),
876 quoteaf (dst_name));
877 if (x->require_preserve)
878 return -1;
879 }
880
881 return 0;
882 }
883
884 /* Set the st_author field of DEST_DESC to the st_author field of
885 SRC_SB. If DEST_DESC is undefined (-1), set the st_author field
886 of DST_NAME instead. DEST_DESC must refer to the same file as
887 DEST_NAME if defined. */
888
889 static void
set_author(const char * dst_name,int dest_desc,const struct stat * src_sb)890 set_author (const char *dst_name, int dest_desc, const struct stat *src_sb)
891 {
892 #if HAVE_STRUCT_STAT_ST_AUTHOR
893 /* FIXME: Modify the following code so that it does not
894 follow symbolic links. */
895
896 /* Preserve the st_author field. */
897 file_t file = (dest_desc < 0
898 ? file_name_lookup (dst_name, 0, 0)
899 : getdport (dest_desc));
900 if (file == MACH_PORT_NULL)
901 error (0, errno, _("failed to lookup file %s"), quoteaf (dst_name));
902 else
903 {
904 error_t err = file_chauthor (file, src_sb->st_author);
905 if (err)
906 error (0, err, _("failed to preserve authorship for %s"),
907 quoteaf (dst_name));
908 mach_port_deallocate (mach_task_self (), file);
909 }
910 #else
911 (void) dst_name;
912 (void) dest_desc;
913 (void) src_sb;
914 #endif
915 }
916
917 /* Set the default security context for the process. New files will
918 have this security context set. Also existing files can have their
919 context adjusted based on this process context, by
920 set_file_security_ctx() called with PROCESS_LOCAL=true.
921 This should be called before files are created so there is no race
922 where a file may be present without an appropriate security context.
923 Based on CP_OPTIONS, diagnose warnings and fail when appropriate.
924 Return FALSE on failure, TRUE on success. */
925
926 bool
set_process_security_ctx(char const * src_name,char const * dst_name,mode_t mode,bool new_dst,const struct cp_options * x)927 set_process_security_ctx (char const *src_name, char const *dst_name,
928 mode_t mode, bool new_dst, const struct cp_options *x)
929 {
930 if (x->preserve_security_context)
931 {
932 /* Set the default context for the process to match the source. */
933 bool all_errors = !x->data_copy_required || x->require_preserve_context;
934 bool some_errors = !all_errors && !x->reduce_diagnostics;
935 char *con;
936
937 if (0 <= lgetfilecon (src_name, &con))
938 {
939 if (setfscreatecon (con) < 0)
940 {
941 if (all_errors || (some_errors && !errno_unsupported (errno)))
942 error (0, errno,
943 _("failed to set default file creation context to %s"),
944 quote (con));
945 if (x->require_preserve_context)
946 {
947 freecon (con);
948 return false;
949 }
950 }
951 freecon (con);
952 }
953 else
954 {
955 if (all_errors || (some_errors && !errno_unsupported (errno)))
956 {
957 error (0, errno,
958 _("failed to get security context of %s"),
959 quoteaf (src_name));
960 }
961 if (x->require_preserve_context)
962 return false;
963 }
964 }
965 else if (x->set_security_context)
966 {
967 /* With -Z, adjust the default context for the process
968 to have the type component adjusted as per the destination path. */
969 if (new_dst && defaultcon (dst_name, mode) < 0
970 && ! ignorable_ctx_err (errno))
971 {
972 error (0, errno,
973 _("failed to set default file creation context for %s"),
974 quoteaf (dst_name));
975 }
976 }
977
978 return true;
979 }
980
981 /* Reset the security context of DST_NAME, to that already set
982 as the process default if PROCESS_LOCAL is true. Otherwise
983 adjust the type component of DST_NAME's security context as
984 per the system default for that path. Issue warnings upon
985 failure, when allowed by various settings in CP_OPTIONS.
986 Return FALSE on failure, TRUE on success. */
987
988 bool
set_file_security_ctx(char const * dst_name,bool process_local,bool recurse,const struct cp_options * x)989 set_file_security_ctx (char const *dst_name, bool process_local,
990 bool recurse, const struct cp_options *x)
991 {
992 bool all_errors = (!x->data_copy_required
993 || x->require_preserve_context);
994 bool some_errors = !all_errors && !x->reduce_diagnostics;
995
996 if (! restorecon (dst_name, recurse, process_local))
997 {
998 if (all_errors || (some_errors && !errno_unsupported (errno)))
999 error (0, errno, _("failed to set the security context of %s"),
1000 quoteaf_n (0, dst_name));
1001 return false;
1002 }
1003
1004 return true;
1005 }
1006
1007 /* Change the file mode bits of the file identified by DESC or NAME to MODE.
1008 Use DESC if DESC is valid and fchmod is available, NAME otherwise. */
1009
1010 static int
fchmod_or_lchmod(int desc,char const * name,mode_t mode)1011 fchmod_or_lchmod (int desc, char const *name, mode_t mode)
1012 {
1013 #if HAVE_FCHMOD
1014 if (0 <= desc)
1015 return fchmod (desc, mode);
1016 #endif
1017 return lchmod (name, mode);
1018 }
1019
1020 #ifndef HAVE_STRUCT_STAT_ST_BLOCKS
1021 # define HAVE_STRUCT_STAT_ST_BLOCKS 0
1022 #endif
1023
1024 /* Use a heuristic to determine whether stat buffer SB comes from a file
1025 with sparse blocks. If the file has fewer blocks than would normally
1026 be needed for a file of its size, then at least one of the blocks in
1027 the file is a hole. In that case, return true. */
1028 static bool
is_probably_sparse(struct stat const * sb)1029 is_probably_sparse (struct stat const *sb)
1030 {
1031 return (HAVE_STRUCT_STAT_ST_BLOCKS
1032 && S_ISREG (sb->st_mode)
1033 && ST_NBLOCKS (*sb) < sb->st_size / ST_NBLOCKSIZE);
1034 }
1035
1036
1037 /* Copy a regular file from SRC_NAME to DST_NAME.
1038 If the source file contains holes, copies holes and blocks of zeros
1039 in the source file as holes in the destination file.
1040 (Holes are read as zeroes by the 'read' system call.)
1041 When creating the destination, use DST_MODE & ~OMITTED_PERMISSIONS
1042 as the third argument in the call to open, adding
1043 OMITTED_PERMISSIONS after copying as needed.
1044 X provides many option settings.
1045 Return true if successful.
1046 *NEW_DST is as in copy_internal.
1047 SRC_SB is the result of calling follow_fstatat on SRC_NAME. */
1048
1049 static bool
copy_reg(char const * src_name,char const * dst_name,const struct cp_options * x,mode_t dst_mode,mode_t omitted_permissions,bool * new_dst,struct stat const * src_sb)1050 copy_reg (char const *src_name, char const *dst_name,
1051 const struct cp_options *x,
1052 mode_t dst_mode, mode_t omitted_permissions, bool *new_dst,
1053 struct stat const *src_sb)
1054 {
1055 char *buf;
1056 char *buf_alloc = NULL;
1057 char *name_alloc = NULL;
1058 int dest_desc;
1059 int dest_errno;
1060 int source_desc;
1061 mode_t src_mode = src_sb->st_mode;
1062 struct stat sb;
1063 struct stat src_open_sb;
1064 bool return_val = true;
1065 bool data_copy_required = x->data_copy_required;
1066
1067 source_desc = open (src_name,
1068 (O_RDONLY | O_BINARY
1069 | (x->dereference == DEREF_NEVER ? O_NOFOLLOW : 0)));
1070 if (source_desc < 0)
1071 {
1072 error (0, errno, _("cannot open %s for reading"), quoteaf (src_name));
1073 return false;
1074 }
1075
1076 if (fstat (source_desc, &src_open_sb) != 0)
1077 {
1078 error (0, errno, _("cannot fstat %s"), quoteaf (src_name));
1079 return_val = false;
1080 goto close_src_desc;
1081 }
1082
1083 /* Compare the source dev/ino from the open file to the incoming,
1084 saved ones obtained via a previous call to stat. */
1085 if (! SAME_INODE (*src_sb, src_open_sb))
1086 {
1087 error (0, 0,
1088 _("skipping file %s, as it was replaced while being copied"),
1089 quoteaf (src_name));
1090 return_val = false;
1091 goto close_src_desc;
1092 }
1093
1094 /* The semantics of the following open calls are mandated
1095 by the specs for both cp and mv. */
1096 if (! *new_dst)
1097 {
1098 int open_flags =
1099 O_WRONLY | O_BINARY | (x->data_copy_required ? O_TRUNC : 0);
1100 dest_desc = open (dst_name, open_flags);
1101 dest_errno = errno;
1102
1103 /* When using cp --preserve=context to copy to an existing destination,
1104 reset the context as per the default context, which has already been
1105 set according to the src.
1106 When using the mutually exclusive -Z option, then adjust the type of
1107 the existing context according to the system default for the dest.
1108 Note we set the context here, _after_ the file is opened, lest the
1109 new context disallow that. */
1110 if ((x->set_security_context || x->preserve_security_context)
1111 && 0 <= dest_desc)
1112 {
1113 if (! set_file_security_ctx (dst_name, x->preserve_security_context,
1114 false, x))
1115 {
1116 if (x->require_preserve_context)
1117 {
1118 return_val = false;
1119 goto close_src_and_dst_desc;
1120 }
1121 }
1122 }
1123
1124 if (dest_desc < 0 && x->unlink_dest_after_failed_open)
1125 {
1126 if (unlink (dst_name) != 0)
1127 {
1128 error (0, errno, _("cannot remove %s"), quoteaf (dst_name));
1129 return_val = false;
1130 goto close_src_desc;
1131 }
1132 if (x->verbose)
1133 printf (_("removed %s\n"), quoteaf (dst_name));
1134
1135 /* Tell caller that the destination file was unlinked. */
1136 *new_dst = true;
1137
1138 /* Ensure there is no race where a file may be left without
1139 an appropriate security context. */
1140 if (x->set_security_context)
1141 {
1142 if (! set_process_security_ctx (src_name, dst_name, dst_mode,
1143 *new_dst, x))
1144 {
1145 return_val = false;
1146 goto close_src_desc;
1147 }
1148 }
1149 }
1150 }
1151
1152 if (*new_dst)
1153 {
1154 open_with_O_CREAT:;
1155
1156 int open_flags = O_WRONLY | O_CREAT | O_BINARY;
1157 dest_desc = open (dst_name, open_flags | O_EXCL,
1158 dst_mode & ~omitted_permissions);
1159 dest_errno = errno;
1160
1161 /* When trying to copy through a dangling destination symlink,
1162 the above open fails with EEXIST. If that happens, and
1163 lstat'ing the DST_NAME shows that it is a symlink, then we
1164 have a problem: trying to resolve this dangling symlink to
1165 a directory/destination-entry pair is fundamentally racy,
1166 so punt. If x->open_dangling_dest_symlink is set (cp sets
1167 that when POSIXLY_CORRECT is set in the environment), simply
1168 call open again, but without O_EXCL (potentially dangerous).
1169 If not, fail with a diagnostic. These shenanigans are necessary
1170 only when copying, i.e., not in move_mode. */
1171 if (dest_desc < 0 && dest_errno == EEXIST && ! x->move_mode)
1172 {
1173 struct stat dangling_link_sb;
1174 if (lstat (dst_name, &dangling_link_sb) == 0
1175 && S_ISLNK (dangling_link_sb.st_mode))
1176 {
1177 if (x->open_dangling_dest_symlink)
1178 {
1179 dest_desc = open (dst_name, open_flags,
1180 dst_mode & ~omitted_permissions);
1181 dest_errno = errno;
1182 }
1183 else
1184 {
1185 error (0, 0, _("not writing through dangling symlink %s"),
1186 quoteaf (dst_name));
1187 return_val = false;
1188 goto close_src_desc;
1189 }
1190 }
1191 }
1192
1193 /* Improve quality of diagnostic when a nonexistent dst_name
1194 ends in a slash and open fails with errno == EISDIR. */
1195 if (dest_desc < 0 && dest_errno == EISDIR
1196 && *dst_name && dst_name[strlen (dst_name) - 1] == '/')
1197 dest_errno = ENOTDIR;
1198 }
1199 else
1200 {
1201 omitted_permissions = 0;
1202 }
1203
1204 if (dest_desc < 0)
1205 {
1206 /* If we've just failed due to ENOENT for an ostensibly preexisting
1207 destination (*new_dst was 0), that's a bit of a contradiction/race:
1208 the prior stat/lstat said the file existed (*new_dst was 0), yet
1209 the subsequent open-existing-file failed with ENOENT. With NFS,
1210 the race window is wider still, since its meta-data caching tends
1211 to make the stat succeed for a just-removed remote file, while the
1212 more-definitive initial open call will fail with ENOENT. When this
1213 situation arises, we attempt to open again, but this time with
1214 O_CREAT. Do this only when not in move-mode, since when handling
1215 a cross-device move, we must never open an existing destination. */
1216 if (dest_errno == ENOENT && ! *new_dst && ! x->move_mode)
1217 {
1218 *new_dst = 1;
1219 goto open_with_O_CREAT;
1220 }
1221
1222 /* Otherwise, it's an error. */
1223 error (0, dest_errno, _("cannot create regular file %s"),
1224 quoteaf (dst_name));
1225 return_val = false;
1226 goto close_src_desc;
1227 }
1228
1229 if (fstat (dest_desc, &sb) != 0)
1230 {
1231 error (0, errno, _("cannot fstat %s"), quoteaf (dst_name));
1232 return_val = false;
1233 goto close_src_and_dst_desc;
1234 }
1235
1236 /* --attributes-only overrides --reflink. */
1237 if (data_copy_required && x->reflink_mode)
1238 {
1239 bool clone_ok = clone_file (dest_desc, source_desc) == 0;
1240 if (clone_ok || x->reflink_mode == REFLINK_ALWAYS)
1241 {
1242 if (!clone_ok)
1243 {
1244 error (0, errno, _("failed to clone %s from %s"),
1245 quoteaf_n (0, dst_name), quoteaf_n (1, src_name));
1246 return_val = false;
1247 goto close_src_and_dst_desc;
1248 }
1249 data_copy_required = false;
1250 }
1251 }
1252
1253 if (data_copy_required)
1254 {
1255 /* Choose a suitable buffer size; it may be adjusted later. */
1256 size_t buf_alignment = getpagesize ();
1257 size_t buf_size = io_blksize (sb);
1258 size_t hole_size = ST_BLKSIZE (sb);
1259
1260 fdadvise (source_desc, 0, 0, FADVISE_SEQUENTIAL);
1261
1262 /* Deal with sparse files. */
1263 bool make_holes = false;
1264 bool sparse_src = is_probably_sparse (&src_open_sb);
1265
1266 if (S_ISREG (sb.st_mode))
1267 {
1268 /* Even with --sparse=always, try to create holes only
1269 if the destination is a regular file. */
1270 if (x->sparse_mode == SPARSE_ALWAYS)
1271 make_holes = true;
1272
1273 /* Use a heuristic to determine whether SRC_NAME contains any sparse
1274 blocks. If the file has fewer blocks than would normally be
1275 needed for a file of its size, then at least one of the blocks in
1276 the file is a hole. */
1277 if (x->sparse_mode == SPARSE_AUTO && sparse_src)
1278 make_holes = true;
1279 }
1280
1281 /* If not making a sparse file, try to use a more-efficient
1282 buffer size. */
1283 if (! make_holes)
1284 {
1285 /* Compute the least common multiple of the input and output
1286 buffer sizes, adjusting for outlandish values. */
1287 size_t blcm_max = MIN (SIZE_MAX, SSIZE_MAX) - buf_alignment;
1288 size_t blcm = buffer_lcm (io_blksize (src_open_sb), buf_size,
1289 blcm_max);
1290
1291 /* Do not bother with a buffer larger than the input file, plus one
1292 byte to make sure the file has not grown while reading it. */
1293 if (S_ISREG (src_open_sb.st_mode) && src_open_sb.st_size < buf_size)
1294 buf_size = src_open_sb.st_size + 1;
1295
1296 /* However, stick with a block size that is a positive multiple of
1297 blcm, overriding the above adjustments. Watch out for
1298 overflow. */
1299 buf_size += blcm - 1;
1300 buf_size -= buf_size % blcm;
1301 if (buf_size == 0 || blcm_max < buf_size)
1302 buf_size = blcm;
1303 }
1304
1305 buf_alloc = xmalloc (buf_size + buf_alignment);
1306 buf = ptr_align (buf_alloc, buf_alignment);
1307
1308 if (sparse_src)
1309 {
1310 bool normal_copy_required;
1311
1312 /* Perform an efficient extent-based copy, falling back to the
1313 standard copy only if the initial extent scan fails. If the
1314 '--sparse=never' option is specified, write all data but use
1315 any extents to read more efficiently. */
1316 if (extent_copy (source_desc, dest_desc, buf, buf_size, hole_size,
1317 src_open_sb.st_size,
1318 make_holes ? x->sparse_mode : SPARSE_NEVER,
1319 src_name, dst_name, &normal_copy_required))
1320 goto preserve_metadata;
1321
1322 if (! normal_copy_required)
1323 {
1324 return_val = false;
1325 goto close_src_and_dst_desc;
1326 }
1327 }
1328
1329 off_t n_read;
1330 bool wrote_hole_at_eof;
1331 if (! sparse_copy (source_desc, dest_desc, buf, buf_size,
1332 make_holes ? hole_size : 0,
1333 x->sparse_mode == SPARSE_ALWAYS, src_name, dst_name,
1334 UINTMAX_MAX, &n_read,
1335 &wrote_hole_at_eof))
1336 {
1337 return_val = false;
1338 goto close_src_and_dst_desc;
1339 }
1340 else if (wrote_hole_at_eof && ftruncate (dest_desc, n_read) < 0)
1341 {
1342 error (0, errno, _("failed to extend %s"), quoteaf (dst_name));
1343 return_val = false;
1344 goto close_src_and_dst_desc;
1345 }
1346 }
1347
1348 preserve_metadata:
1349 if (x->preserve_timestamps)
1350 {
1351 struct timespec timespec[2];
1352 timespec[0] = get_stat_atime (src_sb);
1353 timespec[1] = get_stat_mtime (src_sb);
1354
1355 if (fdutimens (dest_desc, dst_name, timespec) != 0)
1356 {
1357 error (0, errno, _("preserving times for %s"), quoteaf (dst_name));
1358 if (x->require_preserve)
1359 {
1360 return_val = false;
1361 goto close_src_and_dst_desc;
1362 }
1363 }
1364 }
1365
1366 /* Set ownership before xattrs as changing owners will
1367 clear capabilities. */
1368 if (x->preserve_ownership && ! SAME_OWNER_AND_GROUP (*src_sb, sb))
1369 {
1370 switch (set_owner (x, dst_name, dest_desc, src_sb, *new_dst, &sb))
1371 {
1372 case -1:
1373 return_val = false;
1374 goto close_src_and_dst_desc;
1375
1376 case 0:
1377 src_mode &= ~ (S_ISUID | S_ISGID | S_ISVTX);
1378 break;
1379 }
1380 }
1381
1382 /* To allow copying xattrs on read-only files, temporarily chmod u+rw.
1383 This workaround is required as an inode permission check is done
1384 by xattr_permission() in fs/xattr.c of the GNU/Linux kernel tree. */
1385 if (x->preserve_xattr)
1386 {
1387 bool access_changed = false;
1388
1389 if (!(sb.st_mode & S_IWUSR) && geteuid () != ROOT_UID)
1390 {
1391 access_changed = fchmod_or_lchmod (dest_desc, dst_name,
1392 S_IRUSR | S_IWUSR) == 0;
1393 }
1394
1395 if (!copy_attr (src_name, source_desc, dst_name, dest_desc, x)
1396 && x->require_preserve_xattr)
1397 return_val = false;
1398
1399 if (access_changed)
1400 fchmod_or_lchmod (dest_desc, dst_name, dst_mode & ~omitted_permissions);
1401 }
1402
1403 set_author (dst_name, dest_desc, src_sb);
1404
1405 if (x->preserve_mode || x->move_mode)
1406 {
1407 if (copy_acl (src_name, source_desc, dst_name, dest_desc, src_mode) != 0
1408 && x->require_preserve)
1409 return_val = false;
1410 }
1411 else if (x->set_mode)
1412 {
1413 if (set_acl (dst_name, dest_desc, x->mode) != 0)
1414 return_val = false;
1415 }
1416 else if (x->explicit_no_preserve_mode && *new_dst)
1417 {
1418 if (set_acl (dst_name, dest_desc, MODE_RW_UGO & ~cached_umask ()) != 0)
1419 return_val = false;
1420 }
1421 else if (omitted_permissions)
1422 {
1423 omitted_permissions &= ~ cached_umask ();
1424 if (omitted_permissions
1425 && fchmod_or_lchmod (dest_desc, dst_name, dst_mode) != 0)
1426 {
1427 error (0, errno, _("preserving permissions for %s"),
1428 quoteaf (dst_name));
1429 if (x->require_preserve)
1430 return_val = false;
1431 }
1432 }
1433
1434 close_src_and_dst_desc:
1435 if (close (dest_desc) < 0)
1436 {
1437 error (0, errno, _("failed to close %s"), quoteaf (dst_name));
1438 return_val = false;
1439 }
1440 close_src_desc:
1441 if (close (source_desc) < 0)
1442 {
1443 error (0, errno, _("failed to close %s"), quoteaf (src_name));
1444 return_val = false;
1445 }
1446
1447 free (buf_alloc);
1448 free (name_alloc);
1449 return return_val;
1450 }
1451
1452 /* Return true if it's ok that the source and destination
1453 files are the 'same' by some measure. The goal is to avoid
1454 making the 'copy' operation remove both copies of the file
1455 in that case, while still allowing the user to e.g., move or
1456 copy a regular file onto a symlink that points to it.
1457 Try to minimize the cost of this function in the common case.
1458 Set *RETURN_NOW if we've determined that the caller has no more
1459 work to do and should return successfully, right away. */
1460
1461 static bool
same_file_ok(char const * src_name,struct stat const * src_sb,char const * dst_name,struct stat const * dst_sb,const struct cp_options * x,bool * return_now)1462 same_file_ok (char const *src_name, struct stat const *src_sb,
1463 char const *dst_name, struct stat const *dst_sb,
1464 const struct cp_options *x, bool *return_now)
1465 {
1466 const struct stat *src_sb_link;
1467 const struct stat *dst_sb_link;
1468 struct stat tmp_dst_sb;
1469 struct stat tmp_src_sb;
1470
1471 bool same_link;
1472 bool same = SAME_INODE (*src_sb, *dst_sb);
1473
1474 *return_now = false;
1475
1476 /* FIXME: this should (at the very least) be moved into the following
1477 if-block. More likely, it should be removed, because it inhibits
1478 making backups. But removing it will result in a change in behavior
1479 that will probably have to be documented -- and tests will have to
1480 be updated. */
1481 if (same && x->hard_link)
1482 {
1483 *return_now = true;
1484 return true;
1485 }
1486
1487 if (x->dereference == DEREF_NEVER)
1488 {
1489 same_link = same;
1490
1491 /* If both the source and destination files are symlinks (and we'll
1492 know this here IFF preserving symlinks), then it's usually ok
1493 when they are distinct. */
1494 if (S_ISLNK (src_sb->st_mode) && S_ISLNK (dst_sb->st_mode))
1495 {
1496 bool sn = same_name (src_name, dst_name);
1497 if ( ! sn)
1498 {
1499 /* It's fine when we're making any type of backup. */
1500 if (x->backup_type != no_backups)
1501 return true;
1502
1503 /* Here we have two symlinks that are hard-linked together,
1504 and we're not making backups. In this unusual case, simply
1505 returning true would lead to mv calling "rename(A,B)",
1506 which would do nothing and return 0. */
1507 if (same_link)
1508 {
1509 *return_now = true;
1510 return ! x->move_mode;
1511 }
1512 }
1513
1514 return ! sn;
1515 }
1516
1517 src_sb_link = src_sb;
1518 dst_sb_link = dst_sb;
1519 }
1520 else
1521 {
1522 if (!same)
1523 return true;
1524
1525 if (lstat (dst_name, &tmp_dst_sb) != 0
1526 || lstat (src_name, &tmp_src_sb) != 0)
1527 return true;
1528
1529 src_sb_link = &tmp_src_sb;
1530 dst_sb_link = &tmp_dst_sb;
1531
1532 same_link = SAME_INODE (*src_sb_link, *dst_sb_link);
1533
1534 /* If both are symlinks, then it's ok, but only if the destination
1535 will be unlinked before being opened. This is like the test
1536 above, but with the addition of the unlink_dest_before_opening
1537 conjunct because otherwise, with two symlinks to the same target,
1538 we'd end up truncating the source file. */
1539 if (S_ISLNK (src_sb_link->st_mode) && S_ISLNK (dst_sb_link->st_mode)
1540 && x->unlink_dest_before_opening)
1541 return true;
1542 }
1543
1544 /* The backup code ensures there's a copy, so it's usually ok to
1545 remove any destination file. One exception is when both
1546 source and destination are the same directory entry. In that
1547 case, moving the destination file aside (in making the backup)
1548 would also rename the source file and result in an error. */
1549 if (x->backup_type != no_backups)
1550 {
1551 if (!same_link)
1552 {
1553 /* In copy mode when dereferencing symlinks, if the source is a
1554 symlink and the dest is not, then backing up the destination
1555 (moving it aside) would make it a dangling symlink, and the
1556 subsequent attempt to open it in copy_reg would fail with
1557 a misleading diagnostic. Avoid that by returning zero in
1558 that case so the caller can make cp (or mv when it has to
1559 resort to reading the source file) fail now. */
1560
1561 /* FIXME-note: even with the following kludge, we can still provoke
1562 the offending diagnostic. It's just a little harder to do :-)
1563 $ rm -f a b c; touch c; ln -s c b; ln -s b a; cp -b a b
1564 cp: cannot open 'a' for reading: No such file or directory
1565 That's misleading, since a subsequent 'ls' shows that 'a'
1566 is still there.
1567 One solution would be to open the source file *before* moving
1568 aside the destination, but that'd involve a big rewrite. */
1569 if ( ! x->move_mode
1570 && x->dereference != DEREF_NEVER
1571 && S_ISLNK (src_sb_link->st_mode)
1572 && ! S_ISLNK (dst_sb_link->st_mode))
1573 return false;
1574
1575 return true;
1576 }
1577
1578 /* FIXME: What about case insensitive file systems ? */
1579 return ! same_name (src_name, dst_name);
1580 }
1581
1582 #if 0
1583 /* FIXME: use or remove */
1584
1585 /* If we're making a backup, we'll detect the problem case in
1586 copy_reg because SRC_NAME will no longer exist. Allowing
1587 the test to be deferred lets cp do some useful things.
1588 But when creating hardlinks and SRC_NAME is a symlink
1589 but DST_NAME is not we must test anyway. */
1590 if (x->hard_link
1591 || !S_ISLNK (src_sb_link->st_mode)
1592 || S_ISLNK (dst_sb_link->st_mode))
1593 return true;
1594
1595 if (x->dereference != DEREF_NEVER)
1596 return true;
1597 #endif
1598
1599 if (x->move_mode || x->unlink_dest_before_opening)
1600 {
1601 /* They may refer to the same file if we're in move mode and the
1602 target is a symlink. That is ok, since we remove any existing
1603 destination file before opening it -- via 'rename' if they're on
1604 the same file system, via 'unlink (DST_NAME)' otherwise. */
1605 if (S_ISLNK (dst_sb_link->st_mode))
1606 return true;
1607
1608 /* It's not ok if they're distinct hard links to the same file as
1609 this causes a race condition and we may lose data in this case. */
1610 if (same_link
1611 && 1 < dst_sb_link->st_nlink
1612 && ! same_name (src_name, dst_name))
1613 return ! x->move_mode;
1614 }
1615
1616 /* If neither is a symlink, then it's ok as long as they aren't
1617 hard links to the same file. */
1618 if (!S_ISLNK (src_sb_link->st_mode) && !S_ISLNK (dst_sb_link->st_mode))
1619 {
1620 if (!SAME_INODE (*src_sb_link, *dst_sb_link))
1621 return true;
1622
1623 /* If they are the same file, it's ok if we're making hard links. */
1624 if (x->hard_link)
1625 {
1626 *return_now = true;
1627 return true;
1628 }
1629 }
1630
1631 /* At this point, it is normally an error (data loss) to move a symlink
1632 onto its referent, but in at least one narrow case, it is not:
1633 In move mode, when
1634 1) src is a symlink,
1635 2) dest has a link count of 2 or more and
1636 3) dest and the referent of src are not the same directory entry,
1637 then it's ok, since while we'll lose one of those hard links,
1638 src will still point to a remaining link.
1639 Note that technically, condition #3 obviates condition #2, but we
1640 retain the 1 < st_nlink condition because that means fewer invocations
1641 of the more expensive #3.
1642
1643 Given this,
1644 $ touch f && ln f l && ln -s f s
1645 $ ls -og f l s
1646 -rw-------. 2 0 Jan 4 22:46 f
1647 -rw-------. 2 0 Jan 4 22:46 l
1648 lrwxrwxrwx. 1 1 Jan 4 22:46 s -> f
1649 this must fail: mv s f
1650 this must succeed: mv s l */
1651 if (x->move_mode
1652 && S_ISLNK (src_sb->st_mode)
1653 && 1 < dst_sb_link->st_nlink)
1654 {
1655 char *abs_src = canonicalize_file_name (src_name);
1656 if (abs_src)
1657 {
1658 bool result = ! same_name (abs_src, dst_name);
1659 free (abs_src);
1660 return result;
1661 }
1662 }
1663
1664 /* It's ok to recreate a destination symlink. */
1665 if (x->symbolic_link && S_ISLNK (dst_sb_link->st_mode))
1666 return true;
1667
1668 if (x->dereference == DEREF_NEVER)
1669 {
1670 if ( ! S_ISLNK (src_sb_link->st_mode))
1671 tmp_src_sb = *src_sb_link;
1672 else if (stat (src_name, &tmp_src_sb) != 0)
1673 return true;
1674
1675 if ( ! S_ISLNK (dst_sb_link->st_mode))
1676 tmp_dst_sb = *dst_sb_link;
1677 else if (stat (dst_name, &tmp_dst_sb) != 0)
1678 return true;
1679
1680 if ( ! SAME_INODE (tmp_src_sb, tmp_dst_sb))
1681 return true;
1682
1683 if (x->hard_link)
1684 {
1685 /* It's ok to attempt to hardlink the same file,
1686 and return early if not replacing a symlink.
1687 Note we need to return early to avoid a later
1688 unlink() of DST (when SRC is a symlink). */
1689 *return_now = ! S_ISLNK (dst_sb_link->st_mode);
1690 return true;
1691 }
1692 }
1693
1694 return false;
1695 }
1696
1697 /* Return true if FILE, with mode MODE, is writable in the sense of 'mv'.
1698 Always consider a symbolic link to be writable. */
1699 static bool
writable_destination(char const * file,mode_t mode)1700 writable_destination (char const *file, mode_t mode)
1701 {
1702 return (S_ISLNK (mode)
1703 || can_write_any_file ()
1704 || euidaccess (file, W_OK) == 0);
1705 }
1706
1707 static bool
overwrite_ok(struct cp_options const * x,char const * dst_name,struct stat const * dst_sb)1708 overwrite_ok (struct cp_options const *x, char const *dst_name,
1709 struct stat const *dst_sb)
1710 {
1711 if (! writable_destination (dst_name, dst_sb->st_mode))
1712 {
1713 char perms[12]; /* "-rwxrwxrwx " ls-style modes. */
1714 strmode (dst_sb->st_mode, perms);
1715 perms[10] = '\0';
1716 fprintf (stderr,
1717 (x->move_mode || x->unlink_dest_before_opening
1718 || x->unlink_dest_after_failed_open)
1719 ? _("%s: replace %s, overriding mode %04lo (%s)? ")
1720 : _("%s: unwritable %s (mode %04lo, %s); try anyway? "),
1721 program_name, quoteaf (dst_name),
1722 (unsigned long int) (dst_sb->st_mode & CHMOD_MODE_BITS),
1723 &perms[1]);
1724 }
1725 else
1726 {
1727 fprintf (stderr, _("%s: overwrite %s? "),
1728 program_name, quoteaf (dst_name));
1729 }
1730
1731 return yesno ();
1732 }
1733
1734 /* Initialize the hash table implementing a set of F_triple entries
1735 corresponding to destination files. */
1736 extern void
dest_info_init(struct cp_options * x)1737 dest_info_init (struct cp_options *x)
1738 {
1739 x->dest_info
1740 = hash_initialize (DEST_INFO_INITIAL_CAPACITY,
1741 NULL,
1742 triple_hash,
1743 triple_compare,
1744 triple_free);
1745 }
1746
1747 /* Initialize the hash table implementing a set of F_triple entries
1748 corresponding to source files listed on the command line. */
1749 extern void
src_info_init(struct cp_options * x)1750 src_info_init (struct cp_options *x)
1751 {
1752
1753 /* Note that we use triple_hash_no_name here.
1754 Contrast with the use of triple_hash above.
1755 That is necessary because a source file may be specified
1756 in many different ways. We want to warn about this
1757 cp a a d/
1758 as well as this:
1759 cp a ./a d/
1760 */
1761 x->src_info
1762 = hash_initialize (DEST_INFO_INITIAL_CAPACITY,
1763 NULL,
1764 triple_hash_no_name,
1765 triple_compare,
1766 triple_free);
1767 }
1768
1769 /* When effecting a move (e.g., for mv(1)), and given the name DST_NAME
1770 of the destination and a corresponding stat buffer, DST_SB, return
1771 true if the logical 'move' operation should _not_ proceed.
1772 Otherwise, return false.
1773 Depending on options specified in X, this code may issue an
1774 interactive prompt asking whether it's ok to overwrite DST_NAME. */
1775 static bool
abandon_move(const struct cp_options * x,char const * dst_name,struct stat const * dst_sb)1776 abandon_move (const struct cp_options *x,
1777 char const *dst_name,
1778 struct stat const *dst_sb)
1779 {
1780 assert (x->move_mode);
1781 return (x->interactive == I_ALWAYS_NO
1782 || ((x->interactive == I_ASK_USER
1783 || (x->interactive == I_UNSPECIFIED
1784 && x->stdin_tty
1785 && ! writable_destination (dst_name, dst_sb->st_mode)))
1786 && ! overwrite_ok (x, dst_name, dst_sb)));
1787 }
1788
1789 /* Print --verbose output on standard output, e.g. 'new' -> 'old'.
1790 If BACKUP_DST_NAME is non-NULL, then also indicate that it is
1791 the name of a backup file. */
1792 static void
emit_verbose(char const * src,char const * dst,char const * backup_dst_name)1793 emit_verbose (char const *src, char const *dst, char const *backup_dst_name)
1794 {
1795 printf ("%s -> %s", quoteaf_n (0, src), quoteaf_n (1, dst));
1796 if (backup_dst_name)
1797 printf (_(" (backup: %s)"), quoteaf (backup_dst_name));
1798 putchar ('\n');
1799 }
1800
1801 /* A wrapper around "setfscreatecon (NULL)" that exits upon failure. */
1802 static void
restore_default_fscreatecon_or_die(void)1803 restore_default_fscreatecon_or_die (void)
1804 {
1805 if (setfscreatecon (NULL) != 0)
1806 die (EXIT_FAILURE, errno,
1807 _("failed to restore the default file creation context"));
1808 }
1809
1810 /* Create a hard link DST_NAME to SRC_NAME, honoring the REPLACE, VERBOSE and
1811 DEREFERENCE settings. Return true upon success. Otherwise, diagnose the
1812 failure and return false. If SRC_NAME is a symbolic link, then it will not
1813 be followed unless DEREFERENCE is true.
1814 If the system doesn't support hard links to symbolic links, then DST_NAME
1815 will be created as a symbolic link to SRC_NAME. */
1816 static bool
create_hard_link(char const * src_name,char const * dst_name,bool replace,bool verbose,bool dereference)1817 create_hard_link (char const *src_name, char const *dst_name,
1818 bool replace, bool verbose, bool dereference)
1819 {
1820 int err = force_linkat (AT_FDCWD, src_name, AT_FDCWD, dst_name,
1821 dereference ? AT_SYMLINK_FOLLOW : 0,
1822 replace, -1);
1823 if (0 < err)
1824 {
1825 error (0, err, _("cannot create hard link %s to %s"),
1826 quoteaf_n (0, dst_name), quoteaf_n (1, src_name));
1827 return false;
1828 }
1829 if (err < 0 && verbose)
1830 printf (_("removed %s\n"), quoteaf (dst_name));
1831 return true;
1832 }
1833
1834 /* Return true if the current file should be (tried to be) dereferenced:
1835 either for DEREF_ALWAYS or for DEREF_COMMAND_LINE_ARGUMENTS in the case
1836 where the current file is a COMMAND_LINE_ARG; otherwise return false. */
1837 static inline bool _GL_ATTRIBUTE_PURE
should_dereference(const struct cp_options * x,bool command_line_arg)1838 should_dereference (const struct cp_options *x, bool command_line_arg)
1839 {
1840 return x->dereference == DEREF_ALWAYS
1841 || (x->dereference == DEREF_COMMAND_LINE_ARGUMENTS
1842 && command_line_arg);
1843 }
1844
1845 /* Return true if the source file with basename SRCBASE and status SRC_ST
1846 is likely to be the simple backup file for DST_NAME. */
1847 static bool
source_is_dst_backup(char const * srcbase,struct stat const * src_st,char const * dst_name)1848 source_is_dst_backup (char const *srcbase, struct stat const *src_st,
1849 char const *dst_name)
1850 {
1851 size_t srcbaselen = strlen (srcbase);
1852 char const *dstbase = last_component (dst_name);
1853 size_t dstbaselen = strlen (dstbase);
1854 size_t suffixlen = strlen (simple_backup_suffix);
1855 if (! (srcbaselen == dstbaselen + suffixlen
1856 && memcmp (srcbase, dstbase, dstbaselen) == 0
1857 && STREQ (srcbase + dstbaselen, simple_backup_suffix)))
1858 return false;
1859 size_t dstlen = strlen (dst_name);
1860 char *dst_back = xmalloc (dstlen + suffixlen + 1);
1861 strcpy (mempcpy (dst_back, dst_name, dstlen), simple_backup_suffix);
1862 struct stat dst_back_sb;
1863 int dst_back_status = stat (dst_back, &dst_back_sb);
1864 free (dst_back);
1865 return dst_back_status == 0 && SAME_INODE (*src_st, dst_back_sb);
1866 }
1867
1868 /* Copy the file SRC_NAME to the file DST_NAME. The files may be of
1869 any type. NEW_DST should be true if the file DST_NAME cannot
1870 exist because its parent directory was just created; NEW_DST should
1871 be false if DST_NAME might already exist. A non-null PARENT describes the
1872 parent directory. ANCESTORS points to a linked, null terminated list of
1873 devices and inodes of parent directories of SRC_NAME. COMMAND_LINE_ARG
1874 is true iff SRC_NAME was specified on the command line.
1875 FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG is both input and output.
1876 Set *COPY_INTO_SELF if SRC_NAME is a parent of (or the
1877 same as) DST_NAME; otherwise, clear it.
1878 Return true if successful. */
1879 static bool
copy_internal(char const * src_name,char const * dst_name,bool new_dst,struct stat const * parent,struct dir_list * ancestors,const struct cp_options * x,bool command_line_arg,bool * first_dir_created_per_command_line_arg,bool * copy_into_self,bool * rename_succeeded)1880 copy_internal (char const *src_name, char const *dst_name,
1881 bool new_dst,
1882 struct stat const *parent,
1883 struct dir_list *ancestors,
1884 const struct cp_options *x,
1885 bool command_line_arg,
1886 bool *first_dir_created_per_command_line_arg,
1887 bool *copy_into_self,
1888 bool *rename_succeeded)
1889 {
1890 struct stat src_sb;
1891 struct stat dst_sb;
1892 mode_t src_mode IF_LINT ( = 0);
1893 mode_t dst_mode IF_LINT ( = 0);
1894 mode_t dst_mode_bits;
1895 mode_t omitted_permissions;
1896 bool restore_dst_mode = false;
1897 char *earlier_file = NULL;
1898 char *dst_backup = NULL;
1899 bool delayed_ok;
1900 bool copied_as_regular = false;
1901 bool dest_is_symlink = false;
1902 bool have_dst_lstat = false;
1903
1904 *copy_into_self = false;
1905
1906 int rename_errno = x->rename_errno;
1907 if (x->move_mode)
1908 {
1909 if (rename_errno < 0)
1910 rename_errno = (renameatu (AT_FDCWD, src_name, AT_FDCWD, dst_name,
1911 RENAME_NOREPLACE)
1912 ? errno : 0);
1913 new_dst = rename_errno == 0;
1914 if (rename_succeeded)
1915 *rename_succeeded = new_dst;
1916 }
1917
1918 if (rename_errno == 0
1919 ? !x->last_file
1920 : rename_errno != EEXIST || x->interactive != I_ALWAYS_NO)
1921 {
1922 char const *name = rename_errno == 0 ? dst_name : src_name;
1923 int fstatat_flags
1924 = x->dereference == DEREF_NEVER ? AT_SYMLINK_NOFOLLOW : 0;
1925 if (follow_fstatat (AT_FDCWD, name, &src_sb, fstatat_flags) != 0)
1926 {
1927 error (0, errno, _("cannot stat %s"), quoteaf (name));
1928 return false;
1929 }
1930
1931 src_mode = src_sb.st_mode;
1932
1933 if (S_ISDIR (src_mode) && !x->recursive)
1934 {
1935 error (0, 0, ! x->install_mode /* cp */
1936 ? _("-r not specified; omitting directory %s")
1937 : _("omitting directory %s"),
1938 quoteaf (src_name));
1939 return false;
1940 }
1941 }
1942 #ifdef lint
1943 else
1944 {
1945 assert (x->move_mode);
1946 memset (&src_sb, 0, sizeof src_sb);
1947 }
1948 #endif
1949
1950 /* Detect the case in which the same source file appears more than
1951 once on the command line and no backup option has been selected.
1952 If so, simply warn and don't copy it the second time.
1953 This check is enabled only if x->src_info is non-NULL. */
1954 if (command_line_arg && x->src_info)
1955 {
1956 if ( ! S_ISDIR (src_mode)
1957 && x->backup_type == no_backups
1958 && seen_file (x->src_info, src_name, &src_sb))
1959 {
1960 error (0, 0, _("warning: source file %s specified more than once"),
1961 quoteaf (src_name));
1962 return true;
1963 }
1964
1965 record_file (x->src_info, src_name, &src_sb);
1966 }
1967
1968 bool dereference = should_dereference (x, command_line_arg);
1969
1970 if (!new_dst)
1971 {
1972 if (! (rename_errno == EEXIST && x->interactive == I_ALWAYS_NO))
1973 {
1974 /* Regular files can be created by writing through symbolic
1975 links, but other files cannot. So use stat on the
1976 destination when copying a regular file, and lstat otherwise.
1977 However, if we intend to unlink or remove the destination
1978 first, use lstat, since a copy won't actually be made to the
1979 destination in that case. */
1980 bool use_lstat
1981 = ((! S_ISREG (src_mode)
1982 && (! x->copy_as_regular
1983 || S_ISDIR (src_mode) || S_ISLNK (src_mode)))
1984 || x->move_mode || x->symbolic_link || x->hard_link
1985 || x->backup_type != no_backups
1986 || x->unlink_dest_before_opening);
1987 int fstatat_flags = use_lstat ? AT_SYMLINK_NOFOLLOW : 0;
1988 if (follow_fstatat (AT_FDCWD, dst_name, &dst_sb, fstatat_flags) == 0)
1989 {
1990 have_dst_lstat = use_lstat;
1991 rename_errno = EEXIST;
1992 }
1993 else
1994 {
1995 if (errno == ELOOP && x->unlink_dest_after_failed_open)
1996 /* leave new_dst=false so we unlink later. */;
1997 else if (errno != ENOENT)
1998 {
1999 error (0, errno, _("cannot stat %s"), quoteaf (dst_name));
2000 return false;
2001 }
2002 else
2003 new_dst = true;
2004 }
2005 }
2006
2007 if (rename_errno == EEXIST)
2008 {
2009 bool return_now = false;
2010
2011 if (x->interactive != I_ALWAYS_NO
2012 && ! same_file_ok (src_name, &src_sb, dst_name, &dst_sb,
2013 x, &return_now))
2014 {
2015 error (0, 0, _("%s and %s are the same file"),
2016 quoteaf_n (0, src_name), quoteaf_n (1, dst_name));
2017 return false;
2018 }
2019
2020 if (x->update && !S_ISDIR (src_mode))
2021 {
2022 /* When preserving timestamps (but not moving within a file
2023 system), don't worry if the destination timestamp is
2024 less than the source merely because of timestamp
2025 truncation. */
2026 int options = ((x->preserve_timestamps
2027 && ! (x->move_mode
2028 && dst_sb.st_dev == src_sb.st_dev))
2029 ? UTIMECMP_TRUNCATE_SOURCE
2030 : 0);
2031
2032 if (0 <= utimecmp (dst_name, &dst_sb, &src_sb, options))
2033 {
2034 /* We're using --update and the destination is not older
2035 than the source, so do not copy or move. Pretend the
2036 rename succeeded, so the caller (if it's mv) doesn't
2037 end up removing the source file. */
2038 if (rename_succeeded)
2039 *rename_succeeded = true;
2040
2041 /* However, we still must record that we've processed
2042 this src/dest pair, in case this source file is
2043 hard-linked to another one. In that case, we'll use
2044 the mapping information to link the corresponding
2045 destination names. */
2046 earlier_file = remember_copied (dst_name, src_sb.st_ino,
2047 src_sb.st_dev);
2048 if (earlier_file)
2049 {
2050 /* Note we currently replace DST_NAME unconditionally,
2051 even if it was a newer separate file. */
2052 if (! create_hard_link (earlier_file, dst_name, true,
2053 x->verbose, dereference))
2054 {
2055 goto un_backup;
2056 }
2057 }
2058
2059 return true;
2060 }
2061 }
2062
2063 /* When there is an existing destination file, we may end up
2064 returning early, and hence not copying/moving the file.
2065 This may be due to an interactive 'negative' reply to the
2066 prompt about the existing file. It may also be due to the
2067 use of the --no-clobber option.
2068
2069 cp and mv treat -i and -f differently. */
2070 if (x->move_mode)
2071 {
2072 if (abandon_move (x, dst_name, &dst_sb))
2073 {
2074 /* Pretend the rename succeeded, so the caller (mv)
2075 doesn't end up removing the source file. */
2076 if (rename_succeeded)
2077 *rename_succeeded = true;
2078 return true;
2079 }
2080 }
2081 else
2082 {
2083 if (! S_ISDIR (src_mode)
2084 && (x->interactive == I_ALWAYS_NO
2085 || (x->interactive == I_ASK_USER
2086 && ! overwrite_ok (x, dst_name, &dst_sb))))
2087 return true;
2088 }
2089
2090 if (return_now)
2091 return true;
2092
2093 if (!S_ISDIR (dst_sb.st_mode))
2094 {
2095 if (S_ISDIR (src_mode))
2096 {
2097 if (x->move_mode && x->backup_type != no_backups)
2098 {
2099 /* Moving a directory onto an existing
2100 non-directory is ok only with --backup. */
2101 }
2102 else
2103 {
2104 error (0, 0,
2105 _("cannot overwrite non-directory %s with directory %s"),
2106 quoteaf_n (0, dst_name), quoteaf_n (1, src_name));
2107 return false;
2108 }
2109 }
2110
2111 /* Don't let the user destroy their data, even if they try hard:
2112 This mv command must fail (likewise for cp):
2113 rm -rf a b c; mkdir a b c; touch a/f b/f; mv a/f b/f c
2114 Otherwise, the contents of b/f would be lost.
2115 In the case of 'cp', b/f would be lost if the user simulated
2116 a move using cp and rm.
2117 Note that it works fine if you use --backup=numbered. */
2118 if (command_line_arg
2119 && x->backup_type != numbered_backups
2120 && seen_file (x->dest_info, dst_name, &dst_sb))
2121 {
2122 error (0, 0,
2123 _("will not overwrite just-created %s with %s"),
2124 quoteaf_n (0, dst_name), quoteaf_n (1, src_name));
2125 return false;
2126 }
2127 }
2128
2129 if (!S_ISDIR (src_mode))
2130 {
2131 if (S_ISDIR (dst_sb.st_mode))
2132 {
2133 if (x->move_mode && x->backup_type != no_backups)
2134 {
2135 /* Moving a non-directory onto an existing
2136 directory is ok only with --backup. */
2137 }
2138 else
2139 {
2140 error (0, 0,
2141 _("cannot overwrite directory %s with non-directory"),
2142 quoteaf (dst_name));
2143 return false;
2144 }
2145 }
2146 }
2147
2148 if (x->move_mode)
2149 {
2150 /* Don't allow user to move a directory onto a non-directory. */
2151 if (S_ISDIR (src_sb.st_mode) && !S_ISDIR (dst_sb.st_mode)
2152 && x->backup_type == no_backups)
2153 {
2154 error (0, 0,
2155 _("cannot move directory onto non-directory: %s -> %s"),
2156 quotef_n (0, src_name), quotef_n (0, dst_name));
2157 return false;
2158 }
2159 }
2160
2161 char const *srcbase;
2162 if (x->backup_type != no_backups
2163 /* Don't try to back up a destination if the last
2164 component of src_name is "." or "..". */
2165 && ! dot_or_dotdot (srcbase = last_component (src_name))
2166 /* Create a backup of each destination directory in move mode,
2167 but not in copy mode. FIXME: it might make sense to add an
2168 option to suppress backup creation also for move mode.
2169 That would let one use mv to merge new content into an
2170 existing hierarchy. */
2171 && (x->move_mode || ! S_ISDIR (dst_sb.st_mode)))
2172 {
2173 /* Fail if creating the backup file would likely destroy
2174 the source file. Otherwise, the commands:
2175 cd /tmp; rm -f a a~; : > a; echo A > a~; cp --b=simple a~ a
2176 would leave two zero-length files: a and a~. */
2177 if (x->backup_type != numbered_backups
2178 && source_is_dst_backup (srcbase, &src_sb, dst_name))
2179 {
2180 const char *fmt;
2181 fmt = (x->move_mode
2182 ? _("backing up %s might destroy source; %s not moved")
2183 : _("backing up %s might destroy source; %s not copied"));
2184 error (0, 0, fmt,
2185 quoteaf_n (0, dst_name),
2186 quoteaf_n (1, src_name));
2187 return false;
2188 }
2189
2190 char *tmp_backup = backup_file_rename (AT_FDCWD, dst_name,
2191 x->backup_type);
2192
2193 /* FIXME: use fts:
2194 Using alloca for a file name that may be arbitrarily
2195 long is not recommended. In fact, even forming such a name
2196 should be discouraged. Eventually, this code will be rewritten
2197 to use fts, so using alloca here will be less of a problem. */
2198 if (tmp_backup)
2199 {
2200 ASSIGN_STRDUPA (dst_backup, tmp_backup);
2201 free (tmp_backup);
2202 }
2203 else if (errno != ENOENT)
2204 {
2205 error (0, errno, _("cannot backup %s"), quoteaf (dst_name));
2206 return false;
2207 }
2208 new_dst = true;
2209 }
2210 else if (! S_ISDIR (dst_sb.st_mode)
2211 /* Never unlink dst_name when in move mode. */
2212 && ! x->move_mode
2213 && (x->unlink_dest_before_opening
2214 || (x->preserve_links && 1 < dst_sb.st_nlink)
2215 || (x->dereference == DEREF_NEVER
2216 && ! S_ISREG (src_sb.st_mode))
2217 ))
2218 {
2219 if (unlink (dst_name) != 0 && errno != ENOENT)
2220 {
2221 error (0, errno, _("cannot remove %s"), quoteaf (dst_name));
2222 return false;
2223 }
2224 new_dst = true;
2225 if (x->verbose)
2226 printf (_("removed %s\n"), quoteaf (dst_name));
2227 }
2228 }
2229 }
2230
2231 /* Ensure we don't try to copy through a symlink that was
2232 created by a prior call to this function. */
2233 if (command_line_arg
2234 && x->dest_info
2235 && ! x->move_mode
2236 && x->backup_type == no_backups)
2237 {
2238 bool lstat_ok = true;
2239 struct stat tmp_buf;
2240 struct stat *dst_lstat_sb;
2241
2242 /* If we called lstat above, good: use that data.
2243 Otherwise, call lstat here, in case dst_name is a symlink. */
2244 if (have_dst_lstat)
2245 dst_lstat_sb = &dst_sb;
2246 else
2247 {
2248 if (lstat (dst_name, &tmp_buf) == 0)
2249 dst_lstat_sb = &tmp_buf;
2250 else
2251 lstat_ok = false;
2252 }
2253
2254 /* Never copy through a symlink we've just created. */
2255 if (lstat_ok
2256 && S_ISLNK (dst_lstat_sb->st_mode)
2257 && seen_file (x->dest_info, dst_name, dst_lstat_sb))
2258 {
2259 error (0, 0,
2260 _("will not copy %s through just-created symlink %s"),
2261 quoteaf_n (0, src_name), quoteaf_n (1, dst_name));
2262 return false;
2263 }
2264 }
2265
2266 /* If the source is a directory, we don't always create the destination
2267 directory. So --verbose should not announce anything until we're
2268 sure we'll create a directory. Also don't announce yet when moving
2269 so we can distinguish renames versus copies. */
2270 if (x->verbose && !x->move_mode && !S_ISDIR (src_mode))
2271 emit_verbose (src_name, dst_name, dst_backup);
2272
2273 /* Associate the destination file name with the source device and inode
2274 so that if we encounter a matching dev/ino pair in the source tree
2275 we can arrange to create a hard link between the corresponding names
2276 in the destination tree.
2277
2278 When using the --link (-l) option, there is no need to take special
2279 measures, because (barring race conditions) files that are hard-linked
2280 in the source tree will also be hard-linked in the destination tree.
2281
2282 Sometimes, when preserving links, we have to record dev/ino even
2283 though st_nlink == 1:
2284 - when in move_mode, since we may be moving a group of N hard-linked
2285 files (via two or more command line arguments) to a different
2286 partition; the links may be distributed among the command line
2287 arguments (possibly hierarchies) so that the link count of
2288 the final, once-linked source file is reduced to 1 when it is
2289 considered below. But in this case (for mv) we don't need to
2290 incur the expense of recording the dev/ino => name mapping; all we
2291 really need is a lookup, to see if the dev/ino pair has already
2292 been copied.
2293 - when using -H and processing a command line argument;
2294 that command line argument could be a symlink pointing to another
2295 command line argument. With 'cp -H --preserve=link', we hard-link
2296 those two destination files.
2297 - likewise for -L except that it applies to all files, not just
2298 command line arguments.
2299
2300 Also, with --recursive, record dev/ino of each command-line directory.
2301 We'll use that info to detect this problem: cp -R dir dir. */
2302
2303 if (rename_errno == 0)
2304 earlier_file = NULL;
2305 else if (x->recursive && S_ISDIR (src_mode))
2306 {
2307 if (command_line_arg)
2308 earlier_file = remember_copied (dst_name, src_sb.st_ino, src_sb.st_dev);
2309 else
2310 earlier_file = src_to_dest_lookup (src_sb.st_ino, src_sb.st_dev);
2311 }
2312 else if (x->move_mode && src_sb.st_nlink == 1)
2313 {
2314 earlier_file = src_to_dest_lookup (src_sb.st_ino, src_sb.st_dev);
2315 }
2316 else if (x->preserve_links
2317 && !x->hard_link
2318 && (1 < src_sb.st_nlink
2319 || (command_line_arg
2320 && x->dereference == DEREF_COMMAND_LINE_ARGUMENTS)
2321 || x->dereference == DEREF_ALWAYS))
2322 {
2323 earlier_file = remember_copied (dst_name, src_sb.st_ino, src_sb.st_dev);
2324 }
2325
2326 /* Did we copy this inode somewhere else (in this command line argument)
2327 and therefore this is a second hard link to the inode? */
2328
2329 if (earlier_file)
2330 {
2331 /* Avoid damaging the destination file system by refusing to preserve
2332 hard-linked directories (which are found at least in Netapp snapshot
2333 directories). */
2334 if (S_ISDIR (src_mode))
2335 {
2336 /* If src_name and earlier_file refer to the same directory entry,
2337 then warn about copying a directory into itself. */
2338 if (same_name (src_name, earlier_file))
2339 {
2340 error (0, 0, _("cannot copy a directory, %s, into itself, %s"),
2341 quoteaf_n (0, top_level_src_name),
2342 quoteaf_n (1, top_level_dst_name));
2343 *copy_into_self = true;
2344 goto un_backup;
2345 }
2346 else if (same_name (dst_name, earlier_file))
2347 {
2348 error (0, 0, _("warning: source directory %s "
2349 "specified more than once"),
2350 quoteaf (top_level_src_name));
2351 /* In move mode, if a previous rename succeeded, then
2352 we won't be in this path as the source is missing. If the
2353 rename previously failed, then that has been handled, so
2354 pretend this attempt succeeded so the source isn't removed. */
2355 if (x->move_mode && rename_succeeded)
2356 *rename_succeeded = true;
2357 /* We only do backups in move mode, and for non directories.
2358 So just ignore this repeated entry. */
2359 return true;
2360 }
2361 else if (x->dereference == DEREF_ALWAYS
2362 || (command_line_arg
2363 && x->dereference == DEREF_COMMAND_LINE_ARGUMENTS))
2364 {
2365 /* This happens when e.g., encountering a directory for the
2366 second or subsequent time via symlinks when cp is invoked
2367 with -R and -L. E.g.,
2368 rm -rf a b c d; mkdir a b c d; ln -s ../c a; ln -s ../c b;
2369 cp -RL a b d
2370 */
2371 }
2372 else
2373 {
2374 error (0, 0, _("will not create hard link %s to directory %s"),
2375 quoteaf_n (0, dst_name), quoteaf_n (1, earlier_file));
2376 goto un_backup;
2377 }
2378 }
2379 else
2380 {
2381 if (! create_hard_link (earlier_file, dst_name, true, x->verbose,
2382 dereference))
2383 goto un_backup;
2384
2385 return true;
2386 }
2387 }
2388
2389 if (x->move_mode)
2390 {
2391 if (rename_errno == EEXIST)
2392 rename_errno = rename (src_name, dst_name) == 0 ? 0 : errno;
2393
2394 if (rename_errno == 0)
2395 {
2396 if (x->verbose)
2397 {
2398 printf (_("renamed "));
2399 emit_verbose (src_name, dst_name, dst_backup);
2400 }
2401
2402 if (x->set_security_context)
2403 {
2404 /* -Z failures are only warnings currently. */
2405 (void) set_file_security_ctx (dst_name, false, true, x);
2406 }
2407
2408 if (rename_succeeded)
2409 *rename_succeeded = true;
2410
2411 if (command_line_arg && !x->last_file)
2412 {
2413 /* Record destination dev/ino/name, so that if we are asked
2414 to overwrite that file again, we can detect it and fail. */
2415 /* It's fine to use the _source_ stat buffer (src_sb) to get the
2416 _destination_ dev/ino, since the rename above can't have
2417 changed those, and 'mv' always uses lstat.
2418 We could limit it further by operating
2419 only on non-directories. */
2420 record_file (x->dest_info, dst_name, &src_sb);
2421 }
2422
2423 return true;
2424 }
2425
2426 /* FIXME: someday, consider what to do when moving a directory into
2427 itself but when source and destination are on different devices. */
2428
2429 /* This happens when attempting to rename a directory to a
2430 subdirectory of itself. */
2431 if (rename_errno == EINVAL)
2432 {
2433 /* FIXME: this is a little fragile in that it relies on rename(2)
2434 failing with a specific errno value. Expect problems on
2435 non-POSIX systems. */
2436 error (0, 0, _("cannot move %s to a subdirectory of itself, %s"),
2437 quoteaf_n (0, top_level_src_name),
2438 quoteaf_n (1, top_level_dst_name));
2439
2440 /* Note that there is no need to call forget_created here,
2441 (compare with the other calls in this file) since the
2442 destination directory didn't exist before. */
2443
2444 *copy_into_self = true;
2445 /* FIXME-cleanup: Don't return true here; adjust mv.c accordingly.
2446 The only caller that uses this code (mv.c) ends up setting its
2447 exit status to nonzero when copy_into_self is nonzero. */
2448 return true;
2449 }
2450
2451 /* WARNING: there probably exist systems for which an inter-device
2452 rename fails with a value of errno not handled here.
2453 If/as those are reported, add them to the condition below.
2454 If this happens to you, please do the following and send the output
2455 to the bug-reporting address (e.g., in the output of cp --help):
2456 touch k; perl -e 'rename "k","/tmp/k" or print "$!(",$!+0,")\n"'
2457 where your current directory is on one partition and /tmp is the other.
2458 Also, please try to find the E* errno macro name corresponding to
2459 the diagnostic and parenthesized integer, and include that in your
2460 e-mail. One way to do that is to run a command like this
2461 find /usr/include/. -type f \
2462 | xargs grep 'define.*\<E[A-Z]*\>.*\<18\>' /dev/null
2463 where you'd replace '18' with the integer in parentheses that
2464 was output from the perl one-liner above.
2465 If necessary, of course, change '/tmp' to some other directory. */
2466 if (rename_errno != EXDEV)
2467 {
2468 /* There are many ways this can happen due to a race condition.
2469 When something happens between the initial follow_fstatat and the
2470 subsequent rename, we can get many different types of errors.
2471 For example, if the destination is initially a non-directory
2472 or non-existent, but it is created as a directory, the rename
2473 fails. If two 'mv' commands try to rename the same file at
2474 about the same time, one will succeed and the other will fail.
2475 If the permissions on the directory containing the source or
2476 destination file are made too restrictive, the rename will
2477 fail. Etc. */
2478 error (0, rename_errno,
2479 _("cannot move %s to %s"),
2480 quoteaf_n (0, src_name), quoteaf_n (1, dst_name));
2481 forget_created (src_sb.st_ino, src_sb.st_dev);
2482 return false;
2483 }
2484
2485 /* The rename attempt has failed. Remove any existing destination
2486 file so that a cross-device 'mv' acts as if it were really using
2487 the rename syscall. Note both src and dst must both be directories
2488 or not, and this is enforced above. Therefore we check the src_mode
2489 and operate on dst_name here as a tighter constraint and also because
2490 src_mode is readily available here. */
2491 if ((S_ISDIR (src_mode) ? rmdir (dst_name) : unlink (dst_name)) != 0
2492 && errno != ENOENT)
2493 {
2494 error (0, errno,
2495 _("inter-device move failed: %s to %s; unable to remove target"),
2496 quoteaf_n (0, src_name), quoteaf_n (1, dst_name));
2497 forget_created (src_sb.st_ino, src_sb.st_dev);
2498 return false;
2499 }
2500
2501 if (x->verbose && !S_ISDIR (src_mode))
2502 {
2503 printf (_("copied "));
2504 emit_verbose (src_name, dst_name, dst_backup);
2505 }
2506 new_dst = true;
2507 }
2508
2509 /* If the ownership might change, or if it is a directory (whose
2510 special mode bits may change after the directory is created),
2511 omit some permissions at first, so unauthorized users cannot nip
2512 in before the file is ready. */
2513 dst_mode_bits = (x->set_mode ? x->mode : src_mode) & CHMOD_MODE_BITS;
2514 omitted_permissions =
2515 (dst_mode_bits
2516 & (x->preserve_ownership ? S_IRWXG | S_IRWXO
2517 : S_ISDIR (src_mode) ? S_IWGRP | S_IWOTH
2518 : 0));
2519
2520 delayed_ok = true;
2521
2522 /* If required, set the default security context for new files.
2523 Also for existing files this is used as a reference
2524 when copying the context with --preserve=context.
2525 FIXME: Do we need to consider dst_mode_bits here? */
2526 if (! set_process_security_ctx (src_name, dst_name, src_mode, new_dst, x))
2527 return false;
2528
2529 if (S_ISDIR (src_mode))
2530 {
2531 struct dir_list *dir;
2532
2533 /* If this directory has been copied before during the
2534 recursion, there is a symbolic link to an ancestor
2535 directory of the symbolic link. It is impossible to
2536 continue to copy this, unless we've got an infinite disk. */
2537
2538 if (is_ancestor (&src_sb, ancestors))
2539 {
2540 error (0, 0, _("cannot copy cyclic symbolic link %s"),
2541 quoteaf (src_name));
2542 goto un_backup;
2543 }
2544
2545 /* Insert the current directory in the list of parents. */
2546
2547 dir = alloca (sizeof *dir);
2548 dir->parent = ancestors;
2549 dir->ino = src_sb.st_ino;
2550 dir->dev = src_sb.st_dev;
2551
2552 if (new_dst || !S_ISDIR (dst_sb.st_mode))
2553 {
2554 /* POSIX says mkdir's behavior is implementation-defined when
2555 (src_mode & ~S_IRWXUGO) != 0. However, common practice is
2556 to ask mkdir to copy all the CHMOD_MODE_BITS, letting mkdir
2557 decide what to do with S_ISUID | S_ISGID | S_ISVTX. */
2558 if (mkdir (dst_name, dst_mode_bits & ~omitted_permissions) != 0)
2559 {
2560 error (0, errno, _("cannot create directory %s"),
2561 quoteaf (dst_name));
2562 goto un_backup;
2563 }
2564
2565 /* We need search and write permissions to the new directory
2566 for writing the directory's contents. Check if these
2567 permissions are there. */
2568
2569 if (lstat (dst_name, &dst_sb) != 0)
2570 {
2571 error (0, errno, _("cannot stat %s"), quoteaf (dst_name));
2572 goto un_backup;
2573 }
2574 else if ((dst_sb.st_mode & S_IRWXU) != S_IRWXU)
2575 {
2576 /* Make the new directory searchable and writable. */
2577
2578 dst_mode = dst_sb.st_mode;
2579 restore_dst_mode = true;
2580
2581 if (lchmod (dst_name, dst_mode | S_IRWXU) != 0)
2582 {
2583 error (0, errno, _("setting permissions for %s"),
2584 quoteaf (dst_name));
2585 goto un_backup;
2586 }
2587 }
2588
2589 /* Record the created directory's inode and device numbers into
2590 the search structure, so that we can avoid copying it again.
2591 Do this only for the first directory that is created for each
2592 source command line argument. */
2593 if (!*first_dir_created_per_command_line_arg)
2594 {
2595 remember_copied (dst_name, dst_sb.st_ino, dst_sb.st_dev);
2596 *first_dir_created_per_command_line_arg = true;
2597 }
2598
2599 if (x->verbose)
2600 {
2601 if (x->move_mode)
2602 printf (_("created directory %s\n"), quoteaf (dst_name));
2603 else
2604 emit_verbose (src_name, dst_name, NULL);
2605 }
2606 }
2607 else
2608 {
2609 omitted_permissions = 0;
2610
2611 /* For directories, the process global context could be reset for
2612 descendents, so use it to set the context for existing dirs here.
2613 This will also give earlier indication of failure to set ctx. */
2614 if (x->set_security_context || x->preserve_security_context)
2615 if (! set_file_security_ctx (dst_name, x->preserve_security_context,
2616 false, x))
2617 {
2618 if (x->require_preserve_context)
2619 goto un_backup;
2620 }
2621 }
2622
2623 /* Decide whether to copy the contents of the directory. */
2624 if (x->one_file_system && parent && parent->st_dev != src_sb.st_dev)
2625 {
2626 /* Here, we are crossing a file system boundary and cp's -x option
2627 is in effect: so don't copy the contents of this directory. */
2628 }
2629 else
2630 {
2631 /* Copy the contents of the directory. Don't just return if
2632 this fails -- otherwise, the failure to read a single file
2633 in a source directory would cause the containing destination
2634 directory not to have owner/perms set properly. */
2635 delayed_ok = copy_dir (src_name, dst_name, new_dst, &src_sb, dir, x,
2636 first_dir_created_per_command_line_arg,
2637 copy_into_self);
2638 }
2639 }
2640 else if (x->symbolic_link)
2641 {
2642 dest_is_symlink = true;
2643 if (*src_name != '/')
2644 {
2645 /* Check that DST_NAME denotes a file in the current directory. */
2646 struct stat dot_sb;
2647 struct stat dst_parent_sb;
2648 char *dst_parent;
2649 bool in_current_dir;
2650
2651 dst_parent = dir_name (dst_name);
2652
2653 in_current_dir = (STREQ (".", dst_parent)
2654 /* If either stat call fails, it's ok not to report
2655 the failure and say dst_name is in the current
2656 directory. Other things will fail later. */
2657 || stat (".", &dot_sb) != 0
2658 || stat (dst_parent, &dst_parent_sb) != 0
2659 || SAME_INODE (dot_sb, dst_parent_sb));
2660 free (dst_parent);
2661
2662 if (! in_current_dir)
2663 {
2664 error (0, 0,
2665 _("%s: can make relative symbolic links only in current directory"),
2666 quotef (dst_name));
2667 goto un_backup;
2668 }
2669 }
2670
2671 int err = force_symlinkat (src_name, AT_FDCWD, dst_name,
2672 x->unlink_dest_after_failed_open, -1);
2673 if (0 < err)
2674 {
2675 error (0, err, _("cannot create symbolic link %s to %s"),
2676 quoteaf_n (0, dst_name), quoteaf_n (1, src_name));
2677 goto un_backup;
2678 }
2679 }
2680
2681 /* POSIX 2008 states that it is implementation-defined whether
2682 link() on a symlink creates a hard-link to the symlink, or only
2683 to the referent (effectively dereferencing the symlink) (POSIX
2684 2001 required the latter behavior, although many systems provided
2685 the former). Yet cp, invoked with '--link --no-dereference',
2686 should not follow the link. We can approximate the desired
2687 behavior by skipping this hard-link creating block and instead
2688 copying the symlink, via the 'S_ISLNK'- copying code below.
2689
2690 Note gnulib's linkat module, guarantees that the symlink is not
2691 dereferenced. However its emulation currently doesn't maintain
2692 timestamps or ownership so we only call it when we know the
2693 emulation will not be needed. */
2694 else if (x->hard_link
2695 && !(! CAN_HARDLINK_SYMLINKS && S_ISLNK (src_mode)
2696 && x->dereference == DEREF_NEVER))
2697 {
2698 bool replace = (x->unlink_dest_after_failed_open
2699 || x->interactive == I_ASK_USER);
2700 if (! create_hard_link (src_name, dst_name, replace, false, dereference))
2701 goto un_backup;
2702 }
2703 else if (S_ISREG (src_mode)
2704 || (x->copy_as_regular && !S_ISLNK (src_mode)))
2705 {
2706 copied_as_regular = true;
2707 /* POSIX says the permission bits of the source file must be
2708 used as the 3rd argument in the open call. Historical
2709 practice passed all the source mode bits to 'open', but the extra
2710 bits were ignored, so it should be the same either way.
2711
2712 This call uses DST_MODE_BITS, not SRC_MODE. These are
2713 normally the same, and the exception (where x->set_mode) is
2714 used only by 'install', which POSIX does not specify and
2715 where DST_MODE_BITS is what's wanted. */
2716 if (! copy_reg (src_name, dst_name, x, dst_mode_bits & S_IRWXUGO,
2717 omitted_permissions, &new_dst, &src_sb))
2718 goto un_backup;
2719 }
2720 else if (S_ISFIFO (src_mode))
2721 {
2722 /* Use mknod, rather than mkfifo, because the former preserves
2723 the special mode bits of a fifo on Solaris 10, while mkfifo
2724 does not. But fall back on mkfifo, because on some BSD systems,
2725 mknod always fails when asked to create a FIFO. */
2726 if (mknod (dst_name, src_mode & ~omitted_permissions, 0) != 0)
2727 if (mkfifo (dst_name, src_mode & ~S_IFIFO & ~omitted_permissions) != 0)
2728 {
2729 error (0, errno, _("cannot create fifo %s"), quoteaf (dst_name));
2730 goto un_backup;
2731 }
2732 }
2733 else if (S_ISBLK (src_mode) || S_ISCHR (src_mode) || S_ISSOCK (src_mode))
2734 {
2735 if (mknod (dst_name, src_mode & ~omitted_permissions, src_sb.st_rdev)
2736 != 0)
2737 {
2738 error (0, errno, _("cannot create special file %s"),
2739 quoteaf (dst_name));
2740 goto un_backup;
2741 }
2742 }
2743 else if (S_ISLNK (src_mode))
2744 {
2745 char *src_link_val = areadlink_with_size (src_name, src_sb.st_size);
2746 dest_is_symlink = true;
2747 if (src_link_val == NULL)
2748 {
2749 error (0, errno, _("cannot read symbolic link %s"),
2750 quoteaf (src_name));
2751 goto un_backup;
2752 }
2753
2754 int symlink_err = force_symlinkat (src_link_val, AT_FDCWD, dst_name,
2755 x->unlink_dest_after_failed_open, -1);
2756 if (0 < symlink_err && x->update && !new_dst && S_ISLNK (dst_sb.st_mode)
2757 && dst_sb.st_size == strlen (src_link_val))
2758 {
2759 /* See if the destination is already the desired symlink.
2760 FIXME: This behavior isn't documented, and seems wrong
2761 in some cases, e.g., if the destination symlink has the
2762 wrong ownership, permissions, or timestamps. */
2763 char *dest_link_val =
2764 areadlink_with_size (dst_name, dst_sb.st_size);
2765 if (dest_link_val)
2766 {
2767 if (STREQ (dest_link_val, src_link_val))
2768 symlink_err = 0;
2769 free (dest_link_val);
2770 }
2771 }
2772 free (src_link_val);
2773 if (0 < symlink_err)
2774 {
2775 error (0, symlink_err, _("cannot create symbolic link %s"),
2776 quoteaf (dst_name));
2777 goto un_backup;
2778 }
2779
2780 if (x->preserve_security_context)
2781 restore_default_fscreatecon_or_die ();
2782
2783 if (x->preserve_ownership)
2784 {
2785 /* Preserve the owner and group of the just-'copied'
2786 symbolic link, if possible. */
2787 if (HAVE_LCHOWN
2788 && lchown (dst_name, src_sb.st_uid, src_sb.st_gid) != 0
2789 && ! chown_failure_ok (x))
2790 {
2791 error (0, errno, _("failed to preserve ownership for %s"),
2792 dst_name);
2793 if (x->require_preserve)
2794 goto un_backup;
2795 }
2796 else
2797 {
2798 /* Can't preserve ownership of symlinks.
2799 FIXME: maybe give a warning or even error for symlinks
2800 in directories with the sticky bit set -- there, not
2801 preserving owner/group is a potential security problem. */
2802 }
2803 }
2804 }
2805 else
2806 {
2807 error (0, 0, _("%s has unknown file type"), quoteaf (src_name));
2808 goto un_backup;
2809 }
2810
2811 /* With -Z or --preserve=context, set the context for existing files.
2812 Note this is done already for copy_reg() for reasons described therein. */
2813 if (!new_dst && !x->copy_as_regular && !S_ISDIR (src_mode)
2814 && (x->set_security_context || x->preserve_security_context))
2815 {
2816 if (! set_file_security_ctx (dst_name, x->preserve_security_context,
2817 false, x))
2818 {
2819 if (x->require_preserve_context)
2820 goto un_backup;
2821 }
2822 }
2823
2824 if (command_line_arg && x->dest_info)
2825 {
2826 /* Now that the destination file is very likely to exist,
2827 add its info to the set. */
2828 struct stat sb;
2829 if (lstat (dst_name, &sb) == 0)
2830 record_file (x->dest_info, dst_name, &sb);
2831 }
2832
2833 /* If we've just created a hard-link due to cp's --link option,
2834 we're done. */
2835 if (x->hard_link && ! S_ISDIR (src_mode)
2836 && !(! CAN_HARDLINK_SYMLINKS && S_ISLNK (src_mode)
2837 && x->dereference == DEREF_NEVER))
2838 return delayed_ok;
2839
2840 if (copied_as_regular)
2841 return delayed_ok;
2842
2843 /* POSIX says that 'cp -p' must restore the following:
2844 - permission bits
2845 - setuid, setgid bits
2846 - owner and group
2847 If it fails to restore any of those, we may give a warning but
2848 the destination must not be removed.
2849 FIXME: implement the above. */
2850
2851 /* Adjust the times (and if possible, ownership) for the copy.
2852 chown turns off set[ug]id bits for non-root,
2853 so do the chmod last. */
2854
2855 if (x->preserve_timestamps)
2856 {
2857 struct timespec timespec[2];
2858 timespec[0] = get_stat_atime (&src_sb);
2859 timespec[1] = get_stat_mtime (&src_sb);
2860
2861 if ((dest_is_symlink
2862 ? utimens_symlink (dst_name, timespec)
2863 : utimens (dst_name, timespec))
2864 != 0)
2865 {
2866 error (0, errno, _("preserving times for %s"), quoteaf (dst_name));
2867 if (x->require_preserve)
2868 return false;
2869 }
2870 }
2871
2872 /* Avoid calling chown if we know it's not necessary. */
2873 if (!dest_is_symlink && x->preserve_ownership
2874 && (new_dst || !SAME_OWNER_AND_GROUP (src_sb, dst_sb)))
2875 {
2876 switch (set_owner (x, dst_name, -1, &src_sb, new_dst, &dst_sb))
2877 {
2878 case -1:
2879 return false;
2880
2881 case 0:
2882 src_mode &= ~ (S_ISUID | S_ISGID | S_ISVTX);
2883 break;
2884 }
2885 }
2886
2887 /* Set xattrs after ownership as changing owners will clear capabilities. */
2888 if (x->preserve_xattr && ! copy_attr (src_name, -1, dst_name, -1, x)
2889 && x->require_preserve_xattr)
2890 return false;
2891
2892 /* The operations beyond this point may dereference a symlink. */
2893 if (dest_is_symlink)
2894 return delayed_ok;
2895
2896 set_author (dst_name, -1, &src_sb);
2897
2898 if (x->preserve_mode || x->move_mode)
2899 {
2900 if (copy_acl (src_name, -1, dst_name, -1, src_mode) != 0
2901 && x->require_preserve)
2902 return false;
2903 }
2904 else if (x->set_mode)
2905 {
2906 if (set_acl (dst_name, -1, x->mode) != 0)
2907 return false;
2908 }
2909 else if (x->explicit_no_preserve_mode && new_dst)
2910 {
2911 int default_permissions = S_ISDIR (src_mode) || S_ISSOCK (src_mode)
2912 ? S_IRWXUGO : MODE_RW_UGO;
2913 if (set_acl (dst_name, -1, default_permissions & ~cached_umask ()) != 0)
2914 return false;
2915 }
2916 else
2917 {
2918 if (omitted_permissions)
2919 {
2920 omitted_permissions &= ~ cached_umask ();
2921
2922 if (omitted_permissions && !restore_dst_mode)
2923 {
2924 /* Permissions were deliberately omitted when the file
2925 was created due to security concerns. See whether
2926 they need to be re-added now. It'd be faster to omit
2927 the lstat, but deducing the current destination mode
2928 is tricky in the presence of implementation-defined
2929 rules for special mode bits. */
2930 if (new_dst && lstat (dst_name, &dst_sb) != 0)
2931 {
2932 error (0, errno, _("cannot stat %s"), quoteaf (dst_name));
2933 return false;
2934 }
2935 dst_mode = dst_sb.st_mode;
2936 if (omitted_permissions & ~dst_mode)
2937 restore_dst_mode = true;
2938 }
2939 }
2940
2941 if (restore_dst_mode)
2942 {
2943 if (lchmod (dst_name, dst_mode | omitted_permissions) != 0)
2944 {
2945 error (0, errno, _("preserving permissions for %s"),
2946 quoteaf (dst_name));
2947 if (x->require_preserve)
2948 return false;
2949 }
2950 }
2951 }
2952
2953 return delayed_ok;
2954
2955 un_backup:
2956
2957 if (x->preserve_security_context)
2958 restore_default_fscreatecon_or_die ();
2959
2960 /* We have failed to create the destination file.
2961 If we've just added a dev/ino entry via the remember_copied
2962 call above (i.e., unless we've just failed to create a hard link),
2963 remove the entry associating the source dev/ino with the
2964 destination file name, so we don't try to 'preserve' a link
2965 to a file we didn't create. */
2966 if (earlier_file == NULL)
2967 forget_created (src_sb.st_ino, src_sb.st_dev);
2968
2969 if (dst_backup)
2970 {
2971 if (rename (dst_backup, dst_name) != 0)
2972 error (0, errno, _("cannot un-backup %s"), quoteaf (dst_name));
2973 else
2974 {
2975 if (x->verbose)
2976 printf (_("%s -> %s (unbackup)\n"),
2977 quoteaf_n (0, dst_backup), quoteaf_n (1, dst_name));
2978 }
2979 }
2980 return false;
2981 }
2982
2983 static bool _GL_ATTRIBUTE_PURE
valid_options(const struct cp_options * co)2984 valid_options (const struct cp_options *co)
2985 {
2986 assert (co != NULL);
2987 assert (VALID_BACKUP_TYPE (co->backup_type));
2988 assert (VALID_SPARSE_MODE (co->sparse_mode));
2989 assert (VALID_REFLINK_MODE (co->reflink_mode));
2990 assert (!(co->hard_link && co->symbolic_link));
2991 assert (!
2992 (co->reflink_mode == REFLINK_ALWAYS
2993 && co->sparse_mode != SPARSE_AUTO));
2994 return true;
2995 }
2996
2997 /* Copy the file SRC_NAME to the file DST_NAME. The files may be of
2998 any type. NONEXISTENT_DST should be true if the file DST_NAME
2999 is known not to exist (e.g., because its parent directory was just
3000 created); NONEXISTENT_DST should be false if DST_NAME might already
3001 exist. OPTIONS is ... FIXME-describe
3002 Set *COPY_INTO_SELF if SRC_NAME is a parent of (or the
3003 same as) DST_NAME; otherwise, set clear it.
3004 Return true if successful. */
3005
3006 extern bool
copy(char const * src_name,char const * dst_name,bool nonexistent_dst,const struct cp_options * options,bool * copy_into_self,bool * rename_succeeded)3007 copy (char const *src_name, char const *dst_name,
3008 bool nonexistent_dst, const struct cp_options *options,
3009 bool *copy_into_self, bool *rename_succeeded)
3010 {
3011 assert (valid_options (options));
3012
3013 /* Record the file names: they're used in case of error, when copying
3014 a directory into itself. I don't like to make these tools do *any*
3015 extra work in the common case when that work is solely to handle
3016 exceptional cases, but in this case, I don't see a way to derive the
3017 top level source and destination directory names where they're used.
3018 An alternative is to use COPY_INTO_SELF and print the diagnostic
3019 from every caller -- but I don't want to do that. */
3020 top_level_src_name = src_name;
3021 top_level_dst_name = dst_name;
3022
3023 bool first_dir_created_per_command_line_arg = false;
3024 return copy_internal (src_name, dst_name, nonexistent_dst, NULL, NULL,
3025 options, true,
3026 &first_dir_created_per_command_line_arg,
3027 copy_into_self, rename_succeeded);
3028 }
3029
3030 /* Set *X to the default options for a value of type struct cp_options. */
3031
3032 extern void
cp_options_default(struct cp_options * x)3033 cp_options_default (struct cp_options *x)
3034 {
3035 memset (x, 0, sizeof *x);
3036 #ifdef PRIV_FILE_CHOWN
3037 {
3038 priv_set_t *pset = priv_allocset ();
3039 if (!pset)
3040 xalloc_die ();
3041 if (getppriv (PRIV_EFFECTIVE, pset) == 0)
3042 {
3043 x->chown_privileges = priv_ismember (pset, PRIV_FILE_CHOWN);
3044 x->owner_privileges = priv_ismember (pset, PRIV_FILE_OWNER);
3045 }
3046 priv_freeset (pset);
3047 }
3048 #else
3049 x->chown_privileges = x->owner_privileges = (geteuid () == ROOT_UID);
3050 #endif
3051 x->rename_errno = -1;
3052 }
3053
3054 /* Return true if it's OK for chown to fail, where errno is
3055 the error number that chown failed with and X is the copying
3056 option set. */
3057
3058 extern bool
chown_failure_ok(struct cp_options const * x)3059 chown_failure_ok (struct cp_options const *x)
3060 {
3061 /* If non-root uses -p, it's ok if we can't preserve ownership.
3062 But root probably wants to know, e.g. if NFS disallows it,
3063 or if the target system doesn't support file ownership. */
3064
3065 return ((errno == EPERM || errno == EINVAL) && !x->chown_privileges);
3066 }
3067
3068 /* Similarly, return true if it's OK for chmod and similar operations
3069 to fail, where errno is the error number that chmod failed with and
3070 X is the copying option set. */
3071
3072 static bool
owner_failure_ok(struct cp_options const * x)3073 owner_failure_ok (struct cp_options const *x)
3074 {
3075 return ((errno == EPERM || errno == EINVAL) && !x->owner_privileges);
3076 }
3077
3078 /* Return the user's umask, caching the result.
3079
3080 FIXME: If the destination's parent directory has has a default ACL,
3081 some operating systems (e.g., GNU/Linux's "POSIX" ACLs) use that
3082 ACL's mask rather than the process umask. Currently, the callers
3083 of cached_umask incorrectly assume that this situation cannot occur. */
3084 extern mode_t
cached_umask(void)3085 cached_umask (void)
3086 {
3087 static mode_t mask = (mode_t) -1;
3088 if (mask == (mode_t) -1)
3089 {
3090 mask = umask (0);
3091 umask (mask);
3092 }
3093 return mask;
3094 }
3095