nginx: src/core/ngx_open_file

comparison src/core/ngx_open_file_cache.c @ 5356:acd51b0f6fd4

Disable symlinks: use O_PATH to open path components. It was introduced in Linux 2.6.39, glibc 2.14 and allows to obtain file descriptors without actually opening files. Thus made it possible to traverse path with openat() syscalls without the need to have read permissions for path components. It is effectively emulates O_SEARCH which is missing on Linux. O_PATH is used in combination with O_RDONLY. The last one is ignored if O_PATH is used, but it allows nginx to not fail when it was built on modern system (i.e. glibc 2.14+) and run with a kernel older than 2.6.39. Then O_PATH is unknown to the kernel and ignored, while O_RDONLY is used. Sadly, fstat() is not working with O_PATH descriptors till Linux 3.6. As a workaround we fallback to fstatat() with the AT_EMPTY_PATH flag that was introduced at the same time as O_PATH.

author	Valentin Bartenev <vbart@nginx.com>
date	Mon, 02 Sep 2013 08:07:59 +0400
parents	6b479db5b52b
children	659464c695b7

comparison

equal deleted inserted replaced

-:32847478c2c1
+:acd51b0f6fd4
 static void ngx_open_file_cache_cleanup(void *data);
 #if (NGX_HAVE_OPENAT)
 static ngx_fd_t ngx_openat_file_owner(ngx_fd_t at_fd, const u_char *name,
 ngx_int_t mode, ngx_int_t create, ngx_int_t access, ngx_log_t *log);
+#if (NGX_HAVE_O_PATH)
+static ngx_int_t ngx_file_o_path_info(ngx_fd_t fd, ngx_file_info_t *fi,
+ngx_log_t *log);
+#endif
 #endif
 static ngx_fd_t ngx_open_file_wrapper(ngx_str_t *name,
 ngx_open_file_info_t *of, ngx_int_t mode, ngx_int_t create,
 ngx_int_t access, ngx_log_t *log);
 static ngx_int_t ngx_file_info_wrapper(ngx_str_t *name,
 {
 err = ngx_errno;
 goto failed;
 }
+#if (NGX_HAVE_O_PATH)
+if (ngx_file_o_path_info(fd, &fi, log) == NGX_ERROR) {
+err = ngx_errno;
+goto failed;
+}
+#else
 if (ngx_fd_info(fd, &fi) == NGX_FILE_ERROR) {
 err = ngx_errno;
 goto failed;
 }
+#endif
 if (fi.st_uid != atfi.st_uid) {
 err = NGX_ELOOP;
 goto failed;
 }
 ngx_set_errno(err);
 return NGX_INVALID_FILE;
 }
+#if (NGX_HAVE_O_PATH)
+static ngx_int_t
+ngx_file_o_path_info(ngx_fd_t fd, ngx_file_info_t *fi, ngx_log_t *log)
+{
+static ngx_uint_t  use_fstat = 1;
+/*
+* In Linux 2.6.39 the O_PATH flag was introduced that allows to obtain
+* a descriptor without actually opening file or directory.  It requires
+* less permissions for path components, but till Linux 3.6 fstat() returns
+* EBADF on such descriptors, and fstatat() with the AT_EMPTY_PATH flag
+* should be used instead.
+*
+* Three scenarios are handled in this function:
+*
+* 1) The kernel is newer than 3.6 or fstat() with O_PATH support was
+*    backported by vendor.  Then fstat() is used.
+*
+* 2) The kernel is newer than 2.6.39 but older than 3.6.  In this case
+*    the first call of fstat() returns EBADF and we fallback to fstatat()
+*    with AT_EMPTY_PATH which was introduced at the same time as O_PATH.
+*
+* 3) The kernel is older than 2.6.39 but nginx was build with O_PATH
+*    support.  Since descriptors are opened with O_PATH|O_RDONLY flags
+*    and O_PATH is ignored by the kernel then the O_RDONLY flag is
+*    actually used.  In this case fstat() just works.
+*/
+if (use_fstat) {
+if (ngx_fd_info(fd, fi) != NGX_FILE_ERROR) {
+return NGX_OK;
+}
+if (ngx_errno != NGX_EBADF) {
+return NGX_ERROR;
+}
+ngx_log_error(NGX_LOG_NOTICE, log, 0,
+"fstat(O_PATH) failed with EBADF, "
+"switching to fstatat(AT_EMPTY_PATH)");
+use_fstat = 0;
+return ngx_file_o_path_info(fd, fi, log);
+}
+if (ngx_file_at_info(fd, "", fi, AT_EMPTY_PATH) != NGX_FILE_ERROR) {
+return NGX_OK;
+}
+return NGX_ERROR;
+}
 #endif
+#endif /* NGX_HAVE_OPENAT */
 static ngx_fd_t
 ngx_open_file_wrapper(ngx_str_t *name, ngx_open_file_info_t *of,
 ngx_int_t mode, ngx_int_t create, ngx_int_t access, ngx_log_t *log)

Mercurial > hg > nginx

comparison src/core/ngx_open_file_cache.c @ 5356:acd51b0f6fd4