#include "util.hh"
#include "affinity.hh"
#include "sync.hh"
#include "finally.hh"
#include "serialise.hh"
#include <cctype>
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <climits>
#include <iostream>
#include <sstream>
#include <thread>
#include <future>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/time.h>
#include <sys/un.h>
#include <unistd.h>
#ifdef __APPLE__
#include <sys/syscall.h>
#endif
#ifdef __linux__
#include <sys/prctl.h>
#include <sys/resource.h>
#endif
extern char * * environ __attribute__((weak));
namespace nix {
std::optional<std::string> getEnv(const std::string & key)
{
    /* Look up a single environment variable.  getenv() returns a pointer
       into the process environment (or NULL when the name is unset), so
       the value is copied out before the caller can see it. */
    const char * raw = getenv(key.c_str());
    if (raw == nullptr)
        return std::nullopt;
    return std::string(raw);
}
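std::map<std::string, std::string> getEnv()
{
    /* Snapshot the whole process environment as name -> value.  Entries
       without an '=' are skipped; when a name occurs more than once the
       first occurrence wins (emplace() does not overwrite). */
    std::map<std::string, std::string> env;

    /* `environ' is declared as a weak extern at the top of this file, so
       an unresolved symbol reads as a null pointer; treat that as an
       empty environment instead of dereferencing it. */
    if (!environ) return env;

    for (char * * entry = environ; *entry; ++entry) {
        const char * s = *entry;
        const char * eq = strchr(s, '=');
        if (!eq)
            // invalid env, just keep going
            continue;
        env.emplace(std::string(s, eq), std::string(eq + 1));
    }

    return env;
}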
void clearEnv()
{
    /* Remove every variable from the process environment.  getEnv()
       returns a fresh map, so iterating it while calling unsetenv() is
       safe: nothing we iterate over is touched by the removals. */
    const auto snapshot = getEnv();
    for (const auto & entry : snapshot)
        unsetenv(entry.first.c_str());
}
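void replaceEnv(std::map<std::string, std::string> newEnv)
{
    /* Wipe the current environment and install `newEnv' in its place.
       setenv() copies both strings, so the map may go away afterwards. */
    clearEnv();

    /* Bind each entry by reference: the loop only reads it, so copying
       every pair out of the map is wasted work. */
    for (const auto & [name, value] : newEnv) {
        /* NOTE: setenv() failures (e.g. an empty name or one containing
           '=') are not reported here; the variable is simply left unset. */
        setenv(name.c_str(), value.c_str(), 1);
    }
}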
Path absPath(Path path, std::optional<Path> dir, bool resolveSymlinks)
{
    /* Make `path' absolute and canonical.  A relative path is anchored
       at `dir', or at the current working directory when `dir' is not
       given; the result is then passed through canonPath(), which also
       resolves symlinks when `resolveSymlinks' is set.  Throws SysError
       if the cwd cannot be determined. */
    if (path[0] == '/')
        return canonPath(path, resolveSymlinks);

    if (!dir) {
#ifdef __GNU__
        /* GNU (aka. GNU/Hurd) doesn't have any limitation on path
           lengths and doesn't define `PATH_MAX'; let getcwd() allocate. */
        char * cwd = getcwd(NULL, 0);
        if (cwd == NULL)
            throw SysError("cannot get cwd");
        dir = cwd;
        free(cwd);
#else
        char cwd[PATH_MAX];
        if (!getcwd(cwd, sizeof(cwd)))
            throw SysError("cannot get cwd");
        dir = cwd;
#endif
    }

    return canonPath(*dir + "/" + path, resolveSymlinks);
}
Path canonPath(const Path & path, bool resolveSymlinks)
{
    /* Normalise an absolute path: collapse runs of slashes, drop `.'
       components, fold `..' into the preceding component and, when
       `resolveSymlinks' is set, substitute each symlink's target as it is
       met.  The result has no trailing slash except for the root itself.
       Throws Error for a relative path or when the symlink-follow limit
       is exceeded. */
    assert(path != "");

    /* The canonical path built so far; every component is appended as
       '/' + name, so `s' is either empty or starts with '/'. */
    string s;

    if (path[0] != '/')
        throw Error("not an absolute path: '%1%'", path);

    string::const_iterator i = path.begin(), end = path.end();
    /* Holds "symlink target + unconsumed remainder" once a link has been
       followed; `i'/`end' are re-seated into it. */
    string temp;

    /* Count the number of times we follow a symlink and stop at some
       arbitrary (but high) limit to prevent infinite loops. */
    unsigned int followCount = 0, maxFollow = 1024;

    while (1) {

        /* Skip slashes. */
        while (i != end && *i == '/') i++;
        if (i == end) break;

        /* Ignore `.'. */
        if (*i == '.' && (i + 1 == end || i[1] == '/'))
            i++;

        /* If `..', delete the last component. */
        else if (*i == '.' && i + 1 < end && i[1] == '.' &&
            (i + 2 == end || i[2] == '/'))
        {
            /* `s' begins with '/' whenever it is non-empty, so rfind()
               locates the start of the last component; `..' at the root
               is simply dropped. */
            if (!s.empty()) s.erase(s.rfind('/'));
            i += 2;
        }

        /* Normal component; copy it. */
        else {
            s += '/';
            while (i != end && *i != '/') s += *i++;

            /* If s points to a symlink, resolve it and continue from there */
            if (resolveSymlinks && isLink(s)) {
                if (++followCount >= maxFollow)
                    throw Error("infinite symlink recursion in path '%1%'", path);
                /* The remainder string(i, end) is copied before `temp' is
                   assigned, so this is safe even when `i'/`end' already
                   point into `temp' from a previous link. */
                temp = readLink(s) + string(i, end);
                i = temp.begin();
                end = temp.end();
                if (!temp.empty() && temp[0] == '/') {
                    s.clear(); /* restart for symlinks pointing to absolute path */
                } else {
                    /* Relative target: continue from the directory that
                       contained the link, not from the link itself. */
                    s = dirOf(s);
                    if (s == "/") { // we don’t want trailing slashes here, which dirOf only produces if s = /
                        s.clear();
                    }
                }
            }
        }
    }

    return s.empty() ? "/" : s;
}
Path dirOf(const Path & path)
{
    /* Everything before the last '/'.  A path with no slash yields ".";
       a path whose only slash is the leading one yields "/". */
    const auto slash = path.rfind('/');
    if (slash == std::string::npos)
        return ".";
    if (slash == 0)
        return "/";
    return path.substr(0, slash);
}
std::string_view baseNameOf(std::string_view path)
{
    /* The last path component as a view into `path'.  One trailing
       slash is ignored ("/a/b/" -> "b"); the empty path maps to "" and
       "/" itself also yields "" because nothing follows its slash. */
    if (path.empty())
        return "";

    /* Index of the last character that belongs to the base name. */
    size_t stop = path.size() - 1;
    if (stop > 0 && path[stop] == '/')
        --stop;

    /* Start just after the last '/' at or before `stop', else at 0. */
    const auto slash = path.rfind('/', stop);
    const size_t start = slash == std::string_view::npos ? 0 : slash + 1;

    return path.substr(start, stop - start + 1);
}
bool isInDir(const Path & path, const Path & dir)
{
    /* True when `path' is absolute and lies strictly below `dir': it
       starts with `dir', is followed by a '/', and has at least one more
       character after that.  So "/a/b" is in "/a", but "/a", "/ab" and
       "/a/" are not. */
    if (path.empty() || path[0] != '/')
        return false;

    const auto prefixLen = dir.size();
    if (path.compare(0, prefixLen, dir) != 0)
        return false;

    return path.size() >= prefixLen + 2 && path[prefixLen] == '/';
}
bool isDirOrInDir(const Path & path, const Path & dir)
{
    /* Like isInDir(), but `dir' itself also counts. */
    if (path == dir)
        return true;
    return isInDir(path, dir);
}
struct stat lstat(const Path & path)
{
    /* Throwing wrapper around lstat(2): examines the link itself rather
       than its target.  Throws SysError on any failure. */
    struct stat st;
    if (::lstat(path.c_str(), &st) != 0)
        throw SysError("getting status of '%1%'", path);
    return st;
}
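bool pathExists(const Path & path)
{
    /* Whether `path' names anything at all.  The final component is not
       followed, so a dangling symlink still "exists".  ENOENT and
       ENOTDIR are the two "nothing there" answers; any other failure
       (permissions, ELOOP, ENAMETOOLONG, ...) is raised as SysError
       instead of being misreported as absence. */
    struct stat st;
    if (::lstat(path.c_str(), &st) == 0)
        return true;
    if (errno != ENOENT && errno != ENOTDIR)
        /* Quote the path like the sibling messages in this file do. */
        throw SysError("getting status of '%1%'", path);
    return false;
}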
Path readLink(const Path & path)
{
    /* Return the target of the symlink at `path'.  readlink(2) does not
       report truncation, so a result that fills the whole buffer is
       retried with a buffer 1.5x larger until it fits with room to spare.
       Throws Error if `path' is not a symlink, SysError otherwise. */
    checkInterrupt();
    std::vector<char> buf;
    ssize_t capacity = PATH_MAX / 4;
    for (;;) {
        buf.resize(capacity);
        const ssize_t got = readlink(path.c_str(), buf.data(), capacity);
        if (got == -1) {
            if (errno == EINVAL)
                throw Error("'%1%' is not a symlink", path);
            throw SysError("reading symbolic link '%1%'", path);
        }
        if (got < capacity)
            return string(buf.data(), got);
        capacity += capacity / 2;
    }
}
bool isLink(const Path & path)
{
    /* True when `path' itself is a symlink.  Uses the throwing lstat()
       wrapper, so a missing path raises SysError rather than returning
       false. */
    return S_ISLNK(lstat(path).st_mode);
}
DirEntries readDirectory(DIR *dir, const Path & path)
{
    /* Collect the entries of an already-open directory stream, skipping
       "." and "..".  `path' is only used for the error message.  Throws
       SysError if readdir() fails. */
    DirEntries entries;
    entries.reserve(64);

    /* readdir() returns NULL both at end-of-stream and on error, so
       errno is cleared before every call and checked once the loop ends. */
    for (;;) {
        errno = 0;
        struct dirent * ent = readdir(dir);
        if (!ent) break;
        checkInterrupt();

        const string name = ent->d_name;
        if (name == "." || name == "..") continue;

        entries.emplace_back(name, ent->d_ino,
#ifdef HAVE_STRUCT_DIRENT_D_TYPE
            ent->d_type
#else
            DT_UNKNOWN
#endif
            );
    }
    if (errno) throw SysError("reading directory '%1%'", path);

    return entries;
}
DirEntries readDirectory(const Path & path)
{
    /* Open `path' once and delegate to the DIR* overload, which does the
       actual reading.  Throws SysError if the directory cannot be opened. */
    AutoCloseDir stream(opendir(path.c_str()));
    if (!stream)
        throw SysError("opening directory '%1%'", path);
    return readDirectory(stream.get(), path);
}
unsigned char getFileType(const Path & path)
{
    /* Classify `path' (without following a final symlink) as one of the
       dirent DT_* codes.  Only directories, symlinks and regular files
       are distinguished; everything else is DT_UNKNOWN. */
    const mode_t mode = lstat(path).st_mode;
    if (S_ISDIR(mode)) return DT_DIR;
    if (S_ISLNK(mode)) return DT_LNK;
    if (S_ISREG(mode)) return DT_REG;
    return DT_UNKNOWN;
}
string readFile(int fd)
{
    /* Read everything available on `fd' into a string.  The size from
       fstat() is passed along to drainFD() (presumably as a hint for the
       buffer it fills; confirm against drainFD's declaration). */
    struct stat info;
    if (fstat(fd, &info) == -1)
        throw SysError("statting file");
    return drainFD(fd, true, info.st_size);
}
string readFile(const Path & path)
{
    /* Read the whole file at `path'.  O_CLOEXEC keeps the descriptor from
       leaking into any child process forked while it is open.  Throws
       SysError if the file cannot be opened. */
    AutoCloseFD fd = open(path.c_str(), O_RDONLY | O_CLOEXEC);
    if (!fd) throw SysError("opening file '%1%'", path);
    return readFile(fd.get());
}
void readFile(const Path & path, Sink & sink)
{
    /* Open `path' read-only and hand the descriptor to drainFD(), which
       feeds `sink'.  Throws SysError if the file cannot be opened. */
    AutoCloseFD fd = open(path.c_str(), O_RDONLY | O_CLOEXEC);
    if (!fd) throw SysError("opening file '%s'", path);
    drainFD(fd.get(), sink);
}
void writeFile(const Path & path, std::string_view s, mode_t mode)
{
    /* Create-or-truncate `path' and write `s' to it.  `mode' only takes
       effect when the file is created (and is still filtered by the
       umask); an existing file keeps its permissions.  Errors from the
       write get the file name added to their trace before propagating. */
    AutoCloseFD fd = open(path.c_str(), O_WRONLY | O_TRUNC | O_CREAT | O_CLOEXEC, mode);
    if (!fd)
        throw SysError("opening file '%1%'", path);
    try {
        writeFull(fd.get(), s);
    } catch (Error & e) {
        e.addTrace({}, "writing file '%1%'", path);
        throw;
    }
}
void writeFile(const Path & path, Source & source, mode_t mode)
{
    /* Create-or-truncate `path' and stream `source' into it through a
       fixed 64 KiB buffer.  The source signals exhaustion by throwing
       EndOfFile, which ends the copy loop; any other Error gets the file
       name added to its trace before propagating. */
    AutoCloseFD fd = open(path.c_str(), O_WRONLY | O_TRUNC | O_CREAT | O_CLOEXEC, mode);
    if (!fd)
        throw SysError("opening file '%1%'", path);

    std::vector<char> chunk(64 * 1024);

    try {
        for (;;) {
            try {
                const auto got = source.read(chunk.data(), chunk.size());
                writeFull(fd.get(), {chunk.data(), got});
            } catch (EndOfFile &) {
                break;
            }
        }
    } catch (Error & e) {
        e.addTrace({}, "writing file '%1%'", path);
        throw;
    }
}
string readLine(int fd)
{
    /* Read up to (and excluding) the next '\n' from `fd', one byte at a
       time.  EINTR is retried; EOF before a newline raises EndOfFile;
       any other read error raises SysError. */
    string line;
    for (;;) {
        checkInterrupt();
        char ch;
        // FIXME: inefficient
        const ssize_t got = read(fd, &ch, 1);
        if (got == 0)
            throw EndOfFile("unexpected EOF reading a line");
        if (got == -1) {
            if (errno == EINTR) continue;
            throw SysError("reading a line");
        }
        if (ch == '\n') return line;
        line += ch;
    }
}
void writeLine(int fd, string s)
{
    /* Write `s' followed by a newline in a single writeFull() call. */
    writeFull(fd, s + '\n');
}
static void _deletePath(int parentfd, const Path & path, uint64_t & bytesFreed)
|
2003-06-23 14:40:49 +00:00
|
|
|
|
{
|
2004-01-15 20:23:55 +00:00
|
|
|
|
checkInterrupt();
|
|
|
|
|
|
|
|
|
|
string name(baseNameOf(path));
|
|
|
|
|
|
2016-02-24 16:44:12 +00:00
|
|
|
|
struct stat st;
|
Fix long paths permanently breaking GC
Suppose I have a path /nix/store/[hash]-[name]/a/a/a/a/a/[...]/a,
long enough that everything after "/nix/store/" is longer than 4096
(MAX_PATH) bytes.
Nix will happily allow such a path to be inserted into the store,
because it doesn't look at all the nested structure. It just cares
about the /nix/store/[hash]-[name] part. But, when the path is deleted,
we encounter a problem. Nix will move the path to /nix/store/trash, but
then when it's trying to recursively delete the trash directory, it will
at some point try to unlink
/nix/store/trash/[hash]-[name]/a/a/a/a/a/[...]/a. This will fail,
because the path is too long. After this has failed, any store deletion
operation will never work again, because Nix needs to delete the trash
directory before recreating it to move new things to it. (I assume this
is because otherwise a path being deleted could already exist in the
trash, and then moving it would fail.)
This means that if I can trick somebody into just fetching a tarball
containing a path of the right length, they won't be able to delete
store paths or garbage collect ever again, until the offending path is
manually removed from /nix/store/trash. (And even fixing this manually
is quite difficult if you don't understand the issue, because the
absolute path that Nix says it failed to remove is also too long for
rm(1).)
This patch fixes the issue by making Nix's recursive delete operation
use unlinkat(2). This function takes a relative path and a directory
file descriptor. We ensure that the relative path is always just the
name of the directory entry, and therefore its length will never exceed
255 bytes. This means that it will never even come close to MAX_PATH,
and Nix will therefore be able to handle removing arbitrarily deep
directory hierarchies.
Since the directory file descriptor is used for recursion after being
used in readDirectory, I made a variant of readDirectory that takes an
already open directory stream, to avoid the directory being opened
multiple times. As we have seen from this issue, the less we have to
interact with paths, the better, and so it's good to reuse file
descriptors where possible.
I left _deletePath as succeeding even if the parent directory doesn't
exist, even though that feels wrong to me, because without that early
return, the linux-sandbox test failed.
Reported-by: Alyssa Ross <hi@alyssa.is>
Thanks-to: Puck Meerburg <puck@puckipedia.com>
Tested-by: Puck Meerburg <puck@puckipedia.com>
Reviewed-by: Puck Meerburg <puck@puckipedia.com>
2020-04-27 14:15:15 +00:00
if (fstatat(parentfd, name.c_str(), &st, AT_SYMLINK_NOFOLLOW) == -1) {
if (errno == ENOENT) return;
throw SysError("getting status of '%1%'", path);
}
if (!S_ISDIR(st.st_mode) && st.st_nlink == 1)
bytesFreed += st.st_size;
if (S_ISDIR(st.st_mode)) {
/* Make the directory accessible. */
const auto PERM_MASK = S_IRUSR | S_IWUSR | S_IXUSR;
if ((st.st_mode & PERM_MASK) != PERM_MASK) {
if (fchmodat(parentfd, name.c_str(), st.st_mode | PERM_MASK, 0) == -1)
throw SysError("chmod '%1%'", path);
}
int fd = openat(parentfd, path.c_str(), O_RDONLY);
if (fd == -1)
throw SysError("opening directory '%1%'", path);
AutoCloseDir dir(fdopendir(fd));
if (!dir)
throw SysError("opening directory '%1%'", path);
for (auto & i : readDirectory(dir.get(), path))
_deletePath(dirfd(dir.get()), path + "/" + i.name, bytesFreed);
}
int flags = S_ISDIR(st.st_mode) ? AT_REMOVEDIR : 0;
if (unlinkat(parentfd, name.c_str(), flags) == -1) {
if (errno == ENOENT) return;
throw SysError("cannot unlink '%1%'", path);
}
}
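/* Entry point of the recursive delete: open the parent directory of
   `path` and hand its descriptor to the fd-relative overload, so that
   every unlink/rmdir below works on a short name relative to an open
   directory instead of an ever-growing absolute path. `bytesFreed` is
   incremented by the callee for the entries it unlinks. A parent that
   does not exist is treated as "nothing left to delete" and the
   function returns silently. Throws SysError for any other failure to
   open the parent. */
static void _deletePath(const Path & path, uint64_t & bytesFreed)
{
    Path dir = dirOf(path);
    if (dir.empty())
        dir = "/";

    /* O_DIRECTORY: fail right here, naming the parent, if it is not a
       directory (fstatat()/fdopendir() on the fd would fail anyway).
       O_CLOEXEC: the directory descriptor must not leak into any
       child process forked while the deletion is in progress. */
    AutoCloseFD dirfd(open(dir.c_str(), O_RDONLY | O_DIRECTORY | O_CLOEXEC));
    if (!dirfd) {
        if (errno == ENOENT) return;
        /* Report the directory we actually tried to open, not the
           child path, so the message matches the failing syscall. */
        throw SysError("opening directory '%1%'", dir);
    }

    _deletePath(dirfd.get(), path, bytesFreed);
}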
/* Recursively delete `path`, discarding the byte count that the
   two-argument overload reports. */
void deletePath(const Path & path)
{
    uint64_t bytesFreed = 0;
    deletePath(path, bytesFreed);
}
/* Recursively delete `path`. `bytesFreed` is reset to zero before the
   walk starts and on return holds the sum of st_size over the
   non-directory entries with a link count of 1 that were unlinked. */
void deletePath(const Path & path, uint64_t & bytesFreed)
{
    //Activity act(*logger, lvlDebug, format("recursively deleting path '%1%'") % path);
    bytesFreed = uint64_t{0};
    _deletePath(path, bytesFreed);
}
/* Build a candidate temporary name below `tmpRoot` (or $TMPDIR, or
   /tmp when both are empty/unset), canonicalised. The result is
   <root>/<prefix>-<pid>-<counter> when `includePid` is set, else
   <root>/<prefix>-<counter>. `counter` is post-incremented on every
   call so successive calls yield distinct names. The name is
   predictable; createTempDir() relies on mkdir() failing with EEXIST,
   not on secrecy of the name, to avoid clashes. */
static Path tempName(Path tmpRoot, const Path & prefix, bool includePid,
    int & counter)
{
    const Path root = canonPath(
        tmpRoot.empty() ? getEnv("TMPDIR").value_or("/tmp") : tmpRoot, true);
    const int n = counter++;
    if (!includePid)
        return (format("%1%/%2%-%3%") % root % prefix % n).str();
    return (format("%1%/%2%-%3%-%4%") % root % prefix % getpid() % n).str();
}
/* Create a fresh directory <tmpRoot>/<prefix>-[<pid>-]<N> with the
   given `mode` (still subject to the process umask) and return its
   path. Candidate names come from tempName(); uniqueness is provided
   by mkdir() itself — an existing name makes it fail with EEXIST and
   the next counter value is tried. `useGlobalCounter` selects a
   process-wide counter instead of one local to this call. Throws
   SysError for any mkdir() error other than EEXIST. */
Path createTempDir(const Path & tmpRoot, const Path & prefix,
    bool includePid, bool useGlobalCounter, mode_t mode)
{
    static int globalCounter = 0;
    int localCounter = 0;
    int & counter = useGlobalCounter ? globalCounter : localCounter;

    for (;;) {
        checkInterrupt();
        Path tmpDir = tempName(tmpRoot, prefix, includePid, counter);
        if (mkdir(tmpDir.c_str(), mode) != 0) {
            if (errno != EEXIST)
                throw SysError("creating directory '%1%'", tmpDir);
            continue;
        }
#if __FreeBSD__
        /* Explicitly set the group of the directory. This is to
           work around problems caused by BSD's group ownership
           semantics (directories inherit the group of the parent).
           For instance, the group of /tmp on FreeBSD is "wheel", so
           all directories created in /tmp will be owned by "wheel";
           but if the user is not in "wheel", then "tar" will fail to
           unpack archives that have the setgid bit set on
           directories. */
        if (chown(tmpDir.c_str(), (uid_t) -1, getegid()) != 0)
            throw SysError("setting group of directory '%1%'", tmpDir);
#endif
        return tmpDir;
    }
}
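/* Create and open a unique temporary file $TMPDIR/<prefix>.XXXXXX
   (/tmp/... when TMPDIR is unset) via mkstemp(), which creates the
   file exclusively with mode 0600, so the name cannot be hijacked
   between choosing it and opening it. Returns the open descriptor
   together with the final path. Throws SysError if mkstemp() fails. */
std::pair<AutoCloseFD, Path> createTempFile(const Path & prefix)
{
    Path tmpl(getEnv("TMPDIR").value_or("/tmp") + "/" + prefix + ".XXXXXX");
    // FIXME: use O_TMPFILE.
    /* mkstemp() rewrites the XXXXXX suffix in place. Since C++17
       std::string::data() hands out a writable, NUL-terminated
       buffer, so the former cast-away-const of c_str() (undefined
       behaviour) is not needed. */
    AutoCloseFD fd(mkstemp(tmpl.data()));
    if (!fd)
        throw SysError("creating temporary file '%s'", tmpl);
    return {std::move(fd), tmpl};
}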
/* Return the login name of the effective user: the passwd entry for
   geteuid() when there is one, otherwise $USER. Throws Error when
   neither yields a non-empty name. */
std::string getUserName()
{
    std::string name;
    if (auto pw = getpwuid(geteuid()))
        name = pw->pw_name;
    else
        name = getEnv("USER").value_or("");

    if (name.empty())
        throw Error("cannot figure out user name");
    return name;
}
/* Return the current user's home directory. $HOME wins when it is set
   (only its presence is checked, so an empty $HOME is returned as
   is); otherwise the pw_dir of the effective uid's passwd entry is
   used. The value is computed once and cached in a function-local
   static. Throws Error when $HOME is unset and the passwd lookup
   fails or yields an empty pw_dir. */
Path getHome()
{
    static const Path homeDir = []() -> Path {
        if (auto fromEnv = getEnv("HOME"))
            return *fromEnv;

        /* No $HOME: fall back to the passwd database. `scratch` backs
           the strings in `pwbuf`; a too-small buffer shows up as a
           non-zero return code and is reported like any other failure. */
        std::vector<char> scratch(16384);
        struct passwd pwbuf;
        struct passwd * pw = nullptr;
        const int rc = getpwuid_r(geteuid(), &pwbuf, scratch.data(), scratch.size(), &pw);
        if (rc != 0 || !pw || !pw->pw_dir || !pw->pw_dir[0])
            throw Error("cannot determine user's home directory");
        return pw->pw_dir;
    }();
    return homeDir;
}
/* XDG cache directory: $XDG_CACHE_HOME when set, else ~/.cache. The
   home directory is only looked up when the variable is absent. */
Path getCacheDir()
{
    if (auto fromEnv = getEnv("XDG_CACHE_HOME"))
        return *fromEnv;
    return getHome() + "/.cache";
}
/* XDG user configuration directory: $XDG_CONFIG_HOME when set, else
   ~/.config. The home directory is only looked up when the variable
   is absent. */
Path getConfigDir()
{
    if (auto fromEnv = getEnv("XDG_CONFIG_HOME"))
        return *fromEnv;
    return getHome() + "/.config";
}
/* Ordered list of configuration directories: the user's own config
   directory first (see getConfigDir()), followed by the entries of
   $XDG_CONFIG_DIRS split on ':' (none when the variable is unset). */
std::vector<Path> getConfigDirs()
{
    const Path configHome = getConfigDir();
    const string systemDirs = getEnv("XDG_CONFIG_DIRS").value_or("");
    std::vector<Path> dirs = tokenizeString<std::vector<string>>(systemDirs, ":");
    dirs.insert(dirs.begin(), configHome);
    return dirs;
}
/* XDG user data directory: $XDG_DATA_HOME when set, else
   ~/.local/share. The home directory is only looked up when the
   variable is absent. */
Path getDataDir()
{
    if (auto fromEnv = getEnv("XDG_DATA_HOME"))
        return *fromEnv;
    return getHome() + "/.local/share";
}
/* Create `path` and any missing ancestors (like mkdir -p) and return
   the directories this call created, outermost first. Directories are
   made with mode 0777 (minus the umask). A pre-existing `path` is
   accepted when it is a directory or a symlink to one; anything else
   raises Error. Note that any lstat() failure, not only ENOENT, is
   treated as "missing"; the subsequent mkdir() then reports the real
   error. */
Paths createDirs(const Path & path)
{
    Paths created;
    if (path == "/") return created;

    struct stat st;
    const bool missing = lstat(path.c_str(), &st) == -1;
    if (missing) {
        /* Parent first, then this component. EEXIST is tolerated
           because another process may have created it meanwhile. */
        created = createDirs(dirOf(path));
        if (mkdir(path.c_str(), 0777) == -1 && errno != EEXIST)
            throw SysError("creating directory '%1%'", path);
        st = lstat(path);
        created.push_back(path);
    }

    /* Look through a symlink so that a link to a directory passes. */
    if (S_ISLNK(st.st_mode) && stat(path.c_str(), &st) == -1)
        throw SysError("statting symlink '%1%'", path);

    if (!S_ISDIR(st.st_mode)) throw Error("'%1%' is not a directory", path);

    return created;
}
/* Create symlink `link` pointing at `target`. When `mtime` is given,
   the link's own access and modification times are set to it via
   lutimes(), i.e. without following the link. Throws SysError if
   either step fails. */
void createSymlink(const Path & target, const Path & link,
    std::optional<time_t> mtime)
{
    if (symlink(target.c_str(), link.c_str()))
        throw SysError("creating symlink from '%1%' to '%2%'", link, target);

    if (!mtime) return;

    struct timeval stamp;
    stamp.tv_sec = *mtime;
    stamp.tv_usec = 0;
    /* lutimes() takes {atime, mtime}; both get the same value. */
    struct timeval times[2] = { stamp, stamp };
    if (lutimes(link.c_str(), times))
        throw SysError("setting time of symlink '%s'", link);
}
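/* Point `link` at `target`, replacing any existing `link` in one
   step: a temporary symlink is created next to `link` (retrying with
   a new name while the candidate already exists) and then rename()d
   over it, so observers see either the old link or the new one,
   never a missing one. `mtime` is forwarded to createSymlink().
   Throws SysError when creating the temporary link fails for a
   reason other than EEXIST, or when the rename fails; in the latter
   case the temporary link is removed first so it is not left behind. */
void replaceSymlink(const Path & target, const Path & link,
    std::optional<time_t> mtime)
{
    for (unsigned int n = 0; ; n++) {
        Path tmp = canonPath(fmt("%s/.%d_%s", dirOf(link), n, baseNameOf(link)));

        try {
            createSymlink(target, tmp, mtime);
        } catch (SysError & e) {
            if (e.errNo != EEXIST) throw;
            continue;
        }

        if (rename(tmp.c_str(), link.c_str()) != 0) {
            /* Build the error before unlink() so it captures the
               rename() errno; the cleanup itself is best effort. */
            SysError err("renaming '%1%' to '%2%'", tmp, link);
            unlink(tmp.c_str());
            throw err;
        }
        return;
    }
}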
/* Read exactly `count` bytes from `fd` into `buf`, looping over short
   reads. EINTR is retried; any other read() error raises SysError, and
   reaching EOF before `count` bytes arrived raises EndOfFile.
   checkInterrupt() is honoured on every iteration. */
void readFull(int fd, char * buf, size_t count)
{
    for (size_t remaining = count; remaining > 0; ) {
        checkInterrupt();
        const ssize_t got = read(fd, buf, remaining);
        if (got == -1) {
            if (errno == EINTR) continue;
            throw SysError("reading from file");
        }
        if (got == 0) throw EndOfFile("unexpected end-of-file");
        remaining -= got;
        buf += got;
    }
}
/* Write all of `s` to `fd`, looping over partial writes. EINTR (and a
   write() that returns 0) is simply retried; any other error raises
   SysError. With `allowInterrupts` set, checkInterrupt() is called
   before each write() so a pending interrupt can abort the loop. */
void writeFull(int fd, std::string_view s, bool allowInterrupts)
{
    while (!s.empty()) {
        if (allowInterrupts) checkInterrupt();
        const ssize_t written = write(fd, s.data(), s.size());
        if (written > 0) {
            s.remove_prefix(written);
            continue;
        }
        if (written == -1 && errno != EINTR)
            throw SysError("writing to file");
    }
}
/* Read `fd` to exhaustion (or, when `block` is false, until it would
   block) and return the bytes as a string. `reserveSize` pre-sizes
   the collecting buffer. */
string drainFD(int fd, bool block, const size_t reserveSize)
{
    StringSink collected(reserveSize);
    drainFD(fd, collected, block);
    string & out = *collected.s;
    return std::move(out);
}
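/* Copy everything readable from `fd` into `sink`.  With block == true the
   call returns at end-of-file.  With block == false the descriptor is
   temporarily switched to O_NONBLOCK and the call returns as soon as a
   read would block; the original flags are put back on exit, including
   when unwinding.  Throws SysError on read() or fcntl() failures. */
void drainFD(int fd, Sink & sink, bool block)
{
    int savedFlags = 0;

    if (!block) {
        /* Fetch the flags before registering the restore action, so a
           failed F_GETFL is reported instead of its -1 result being
           written back as the "saved" flags by the Finally below. */
        savedFlags = fcntl(fd, F_GETFL);
        if (savedFlags == -1)
            throw SysError("getting file descriptor flags");
    }

    /* NOTE(review): this lambda runs from Finally's destructor; a throw
       here while another exception is already unwinding would terminate
       the process — confirm against finally.hh. */
    Finally restoreFlags([&]() {
        if (!block) {
            if (fcntl(fd, F_SETFL, savedFlags) == -1)
                throw SysError("making file descriptor blocking");
        }
    });

    if (!block) {
        if (fcntl(fd, F_SETFL, savedFlags | O_NONBLOCK) == -1)
            throw SysError("making file descriptor non-blocking");
    }

    std::vector<unsigned char> buf(64 * 1024);
    while (1) {
        checkInterrupt();
        ssize_t rd = read(fd, buf.data(), buf.size());
        if (rd == -1) {
            /* Non-blocking mode: nothing more to read right now. */
            if (!block && (errno == EAGAIN || errno == EWOULDBLOCK))
                break;
            if (errno != EINTR)
                throw SysError("reading from file");
        }
        else if (rd == 0) break;
        else sink({reinterpret_cast<char *>(buf.data()), static_cast<size_t>(rd)});
    }
}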
//////////////////////////////////////////////////////////////////////
/* Guards nothing yet: the destructor is a no-op until reset() arms it. */
AutoDelete::AutoDelete()
    : del{false}
{
}
/* Arm deletion of `p` at destruction.  `recursive` selects deletePath()
   (whole tree) over a plain remove() of the single entry. */
AutoDelete::AutoDelete(const string & p, bool recursive)
    : path(p)
{
    this->recursive = recursive;
    del = true;
}
/* Delete the guarded path unless cancel() was called.  Any error is
   logged via ignoreException() and swallowed: a destructor must not
   throw. */
AutoDelete::~AutoDelete()
{
    try {
        if (!del) return;
        if (recursive) {
            deletePath(path);
            return;
        }
        if (remove(path.c_str()) == -1)
            throw SysError("cannot unlink '%1%'", path);
    } catch (...) {
        ignoreException();
    }
}
/* Disarm: keep the path on disk when this object is destroyed. */
void AutoDelete::cancel()
{
    del = false;
}
/* Re-arm the guard for a new path (the previously guarded path, if any,
   is simply forgotten, not deleted). */
void AutoDelete::reset(const Path & p, bool recursive) {
    this->recursive = recursive;
    path = p;
    del = true;
}
//////////////////////////////////////////////////////////////////////
/* Holds no descriptor; operator bool() yields false. */
AutoCloseFD::AutoCloseFD()
    : fd{-1}
{
}
/* Take ownership of `fd`; -1 means "empty". */
AutoCloseFD::AutoCloseFD(int fd)
    : fd{fd}
{
}
/* Move: steal `that`'s descriptor and leave `that` empty, so only one
   object ever closes it. */
AutoCloseFD::AutoCloseFD(AutoCloseFD && that)
    : fd{that.fd}
{
    that.fd = -1;
}
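/* Move-assign: close the descriptor currently held, then take over
   `that`'s and leave `that` empty.  Self-assignment is a no-op: without
   the guard, `a = std::move(a)` closed the descriptor and then copied
   the freshly written -1 back, losing it. */
AutoCloseFD & AutoCloseFD::operator =(AutoCloseFD && that)
{
    if (this != &that) {
        close();
        fd = that.fd;
        that.fd = -1;
    }
    return *this;
}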
/* Close the owned descriptor.  A failure is logged through
   ignoreException() rather than thrown, since this is a destructor. */
AutoCloseFD::~AutoCloseFD()
{
    try {
        close();
    }
    catch (...) {
        ignoreException();
    }
}
/* Borrow the descriptor without giving up ownership (-1 when empty). */
int AutoCloseFD::get() const
{
    return fd;
}
/* Close the owned descriptor, if any, and mark the object empty.  A
   failing ::close() — which should never happen for a valid descriptor —
   is reported as SysError, and fd is left as it was in that case. */
void AutoCloseFD::close()
{
    if (fd == -1) return;
    if (::close(fd) == -1)
        throw SysError("closing file descriptor %1%", fd);
    fd = -1;
}
/* True while a descriptor is held. */
AutoCloseFD::operator bool() const
{
    return !(fd == -1);
}
/* Give up ownership: return the descriptor (the caller must close it)
   and become empty. */
int AutoCloseFD::release()
{
    const int released = fd;
    fd = -1;
    return released;
}
/* Create a pipe with both ends marked close-on-exec and store them in
   readSide / writeSide.  Throws SysError if the pipe cannot be created. */
void Pipe::create()
{
    int ends[2];
#if HAVE_PIPE2
    /* pipe2() sets O_CLOEXEC atomically, leaving no window in which a
       concurrently forked child could inherit the ends. */
    if (pipe2(ends, O_CLOEXEC) != 0) throw SysError("creating pipe");
#else
    if (pipe(ends) != 0) throw SysError("creating pipe");
    closeOnExec(ends[0]);
    closeOnExec(ends[1]);
#endif
    readSide = ends[0];
    writeSide = ends[1];
}
/* Close both ends (each one is a no-op if already closed). */
void Pipe::close()
{
    readSide.close();
    writeSide.close();
}
//////////////////////////////////////////////////////////////////////
/* Tracks no child yet; `pid` keeps the default its declaration gives it
   (presumably -1, which is what ~Pid() and wait() treat as "none"). */
Pid::Pid()
{
}
/* Adopt an already-forked child; it is killed and reaped on destruction
   unless release()d first. */
Pid::Pid(pid_t pid) : pid(pid)
{
}
/* A Pid that still tracks a child kills and reaps it. */
Pid::~Pid()
{
    if (pid == -1) return;
    kill();
}
/* Adopt a different child.  A previously tracked child with another pid
   is killed and reaped first; the kill signal goes back to SIGKILL. */
void Pid::operator =(pid_t pid)
{
    const bool replacingLiveChild = this->pid != -1 && this->pid != pid;
    if (replacingLiveChild) kill();
    this->pid = pid;
    killSignal = SIGKILL; // reset signal to default
}
/* Implicit conversion to the tracked pid (-1 when none). */
Pid::operator pid_t()
{
    return pid;
}
/* Send killSignal to the tracked child — or to its whole process group
   when setSeparatePG(true) was used — and then reap it.  Returns the
   wait status.  A failing ::kill() is logged rather than thrown, since
   the child may simply be gone already. */
int Pid::kill()
{
    assert(pid != -1);

    debug("killing process %1%", pid);

    /* Send the requested signal to the child. If it has its own
       process group, send the signal to every process in the child
       process group (which hopefully includes *all* its children). */
    const pid_t target = separatePG ? -pid : pid;
    if (::kill(target, killSignal) != 0) {
        bool report = true;
#if __FreeBSD__ || __APPLE__
        /* On BSDs, killing a process group will return EPERM if all
           processes in the group are zombies (or something like
           that). So try to detect and ignore that situation. */
        report = errno != EPERM || ::kill(pid, 0) != 0;
#endif
        if (report)
            logError(SysError("killing process %d", pid).info());
    }

    return wait();
}
/* Block until the tracked child exits, retrying waitpid() on EINTR and
   checking for a user interrupt on each retry.  Returns the raw wait
   status and forgets the pid.  Throws SysError on any other waitpid()
   failure. */
int Pid::wait()
{
    assert(pid != -1);
    for (;;) {
        int status;
        const int reaped = waitpid(pid, &status, 0);
        if (reaped == pid) {
            pid = -1;
            return status;
        }
        if (errno != EINTR)
            throw SysError("cannot get child exit status");
        checkInterrupt();
    }
}
/* Tell kill() to signal the child's process group (-pid) instead of the
   child alone. */
void Pid::setSeparatePG(bool separatePG)
{
    this->separatePG = separatePG;
}
/* Choose the signal kill() sends (SIGKILL unless changed; operator= resets
   it to SIGKILL). */
void Pid::setKillSignal(int signal)
{
    this->killSignal = signal;
}
/* Stop tracking the child: return its pid (the caller now owns reaping
   it) and forget it, so the destructor will not kill it. */
pid_t Pid::release()
{
    const pid_t released = pid;
    pid = -1;
    return released;
}
/* Kill every process running as `uid` by forking a helper that switches
   to that uid and issues kill(-1, SIGKILL) until nothing is left.  uid
   must not be 0.  Throws if the helper cannot be started or fails. */
void killUser(uid_t uid)
{
    debug("killing all processes running under uid '%1%'", uid);

    assert(uid != 0); /* just to be safe... */

    /* The system call kill(-1, sig) sends the signal `sig' to all
       users to which the current process can send signals. So we
       fork a process, switch to uid, and send a mass kill. */

    ProcessOptions options;
    options.allowVfork = false;

    Pid helper = startProcess([&]() {

        if (setuid(uid) == -1)
            throw SysError("setting uid");

        /* One mass-kill attempt: 0 on success, -1 with errno set otherwise. */
        auto massKill = []() -> long {
#ifdef __APPLE__
            /* OSX's kill syscall takes a third parameter that, among
               other things, determines if kill(-1, signo) affects the
               calling process. In the OSX libc, it's set to true,
               which means "follow POSIX", which we don't want here
            */
            return syscall(SYS_kill, -1, SIGKILL, false);
#else
            return kill(-1, SIGKILL);
#endif
        };

        for (;;) {
            if (massKill() == 0) break;
            /* ESRCH: nothing left to signal.  EPERM: POSIX lets
               kill(-1, ...) fail this way when the only candidate left is
               the calling process itself (seen on FreeBSD), so it means
               the same thing here. */
            if (errno == ESRCH || errno == EPERM) break; /* no more processes */
            if (errno != EINTR)
                throw SysError("cannot kill processes for uid '%1%'", uid);
        }

        _exit(0);
    }, options);

    int status = helper.wait();
    if (status != 0)
        throw Error("cannot kill processes for uid '%1%': %2%", uid, statusToString(status));

    /* !!! We should really do some check to make sure that there are
       no processes left running under `uid', but there is no portable
       way to do so (I think). The most reliable way may be `ps -eo
       uid | grep -q $uid'. */
}
//////////////////////////////////////////////////////////////////////
/* Wrapper around vfork to prevent the child process from clobbering
   the caller's stack frame in the parent. */
static pid_t doFork(bool allowVfork, std::function<void()> fun) __attribute__((noinline));
static pid_t doFork(bool allowVfork, std::function<void()> fun)
{
    /* Parent: return the child's pid (or -1 if forking failed).
       Child: run `fun`, which is expected never to return; abort()
       guards against it doing so. */
#ifdef __linux__
    const pid_t child = allowVfork ? vfork() : fork();
#else
    const pid_t child = fork();
#endif
    if (child == 0) {
        fun();
        abort();
    }
    return child;
}
/* Fork (vfork when options.allowVfork) and run `fun` in the child.  An
   exception escaping `fun` is printed to stderr behind
   options.errorPrefix and the child exits with status 1 — through
   exit() when options.runExitHandlers is set, else _exit().  Returns
   the child's pid in the parent; throws SysError if forking fails. */
pid_t startProcess(std::function<void()> fun, const ProcessOptions & options)
{
    auto childMain = [&]() {
        /* Skipped when vfork may be in use. */
        if (!options.allowVfork)
            logger = makeSimpleLogger();
        try {
#if __linux__
            /* Have the kernel SIGKILL this child if the parent dies. */
            if (options.dieWithParent && prctl(PR_SET_PDEATHSIG, SIGKILL) == -1)
                throw SysError("setting death signal");
#endif
            restoreAffinity();
            fun();
        } catch (std::exception & e) {
            try {
                std::cerr << options.errorPrefix << e.what() << "\n";
            } catch (...) { }
        } catch (...) { }
        options.runExitHandlers ? exit(1) : _exit(1);
    };

    const pid_t child = doFork(options.allowVfork, childMain);
    if (child == -1) throw SysError("unable to fork");
    return child;
}
/* Build a null-terminated, argv-style array of pointers into `ss`.  The
   pointers alias the strings in `ss`, so `ss` must outlive the result
   and not be modified while it is in use. */
std::vector<char *> stringsToCharPtrs(const Strings & ss)
{
    std::vector<char *> argv;
    argv.reserve(ss.size() + 1);
    for (const auto & s : ss)
        argv.push_back(const_cast<char *>(s.c_str()));
    argv.push_back(nullptr);
    return argv;
}
// Output = "standard out" output stream
/* Run `program` with `args` (optionally feeding `input` on stdin) and
   return its stdout.  Throws ExecError unless the program exits with 0. */
string runProgram(Path program, bool searchPath, const Strings & args,
    const std::optional<std::string> & input)
{
    RunOptions opts(program, args);
    // With searchPath, `program` may be a name looked up along PATH
    // rather than an explicit pathname.
    opts.searchPath = searchPath;
    opts.input = input;

    auto [status, output] = runProgram(opts);

    if (!statusOk(status))
        throw ExecError(status, fmt("program '%1%' %2%", program, statusToString(status)));

    return output;
}
// Output = error code + "standard out" output stream
/* Like runProgram2(), but captures stdout and reports a non-zero exit
   status through the returned pair instead of throwing ExecError. */
std::pair<int, std::string> runProgram(const RunOptions & options_)
{
    RunOptions options(options_);
    StringSink stdoutSink;
    options.standardOut = &stdoutSink;

    int status = 0;
    try {
        runProgram2(options);
    }
    catch (ExecError & e) {
        status = e.status;
    }

    return {status, std::move(*stdoutSink.s)};
}
/* Run options.program with options.args.  stdin is fed from
   options.input or options.standardIn (at most one of them) and stdout
   is streamed into options.standardOut when set; stderr can be merged
   into stdout.  Before exec the child may get a replaced environment,
   a new cwd and a dropped gid/uid, as configured.  Throws ExecError
   when the child does not exit with status 0 and SysError for local
   failures. */
void runProgram2(const RunOptions & options)
{
    checkInterrupt();

    /* Only one source of stdin data can be wired up. */
    assert(!(options.standardIn && options.input));

    std::unique_ptr<Source> source_;
    Source * source = options.standardIn;

    if (options.input) {
        source_ = std::make_unique<StringSource>(*options.input);
        source = source_.get();
    }

    /* Create a pipe.  Both ends are close-on-exec (see Pipe::create), so
       the child's copies disappear at exec and EOF on the child's
       stdin/stdout is controlled solely by the parent closing its ends. */
    Pipe out, in;
    if (options.standardOut) out.create();
    if (source) in.create();

    ProcessOptions processOptions;
    // vfork implies that the environment of the main process and the fork will
    // be shared (technically this is undefined, but in practice that's the
    // case), so we can't use it if we alter the environment
    if (options.environment)
        processOptions.allowVfork = false;

    /* Fork. */
    Pid pid = startProcess([&]() {
        if (options.environment)
            replaceEnv(*options.environment);
        if (options.standardOut && dup2(out.writeSide.get(), STDOUT_FILENO) == -1)
            throw SysError("dupping stdout");
        if (options.mergeStderrToStdout)
            if (dup2(STDOUT_FILENO, STDERR_FILENO) == -1)
                throw SysError("cannot dup stdout into stderr");
        if (source && dup2(in.readSide.get(), STDIN_FILENO) == -1)
            throw SysError("dupping stdin");

        if (options.chdir && chdir((*options.chdir).c_str()) == -1)
            throw SysError("chdir failed");
        /* Privilege drop: gid first and supplementary groups cleared
           while the process still has the privilege to do so, uid last. */
        if (options.gid && setgid(*options.gid) == -1)
            throw SysError("setgid failed");
        /* Drop all other groups if we're setgid. */
        if (options.gid && setgroups(0, 0) == -1)
            throw SysError("setgroups failed");
        if (options.uid && setuid(*options.uid) == -1)
            throw SysError("setuid failed");

        Strings args_(options.args);
        args_.push_front(options.program);

        restoreProcessContext();

        // With searchPath, `program` may be a name looked up along the PATH
        // variable rather than an explicit pathname.
        if (options.searchPath)
            execvp(options.program.c_str(), stringsToCharPtrs(args_).data());
        else
            execv(options.program.c_str(), stringsToCharPtrs(args_).data());

        /* Only reached when exec failed. */
        throw SysError("executing '%1%'", options.program);
    }, processOptions);

    /* The parent keeps only the read end of the stdout pipe, so that
       EOF is seen once the child has exited. */
    out.writeSide.close();

    std::thread writerThread;

    /* Carries the outcome of the writer thread (including any exception)
       back to this thread; see the get() below. */
    std::promise<void> promise;

    /* Joins the writer thread on every exit path, including unwinding. */
    Finally doJoin([&]() {
        if (writerThread.joinable())
            writerThread.join();
    });


    if (source) {
        in.readSide.close();
        /* Feeding stdin from its own thread lets the parent drain stdout
           concurrently; a single thread doing both could deadlock on
           full pipes. */
        writerThread = std::thread([&]() {
            try {
                std::vector<char> buf(8 * 1024);
                while (true) {
                    size_t n;
                    try {
                        n = source->read(buf.data(), buf.size());
                    } catch (EndOfFile &) {
                        break;
                    }
                    writeFull(in.writeSide.get(), {buf.data(), n});
                }
                promise.set_value();
            } catch (...) {
                promise.set_exception(std::current_exception());
            }
            /* Closing the write end signals EOF to the child's stdin. */
            in.writeSide.close();
        });
    }

    if (options.standardOut)
        drainFD(out.readSide.get(), *options.standardOut);

    /* Wait for the child to finish. */
    int status = pid.wait();

    /* Wait for the writer thread to finish.  An exception raised in it
       (e.g. a failed write) is rethrown here. */
    if (source) promise.get_future().get();

    if (status)
        throw ExecError(status, fmt("program '%1%' %2%", options.program, statusToString(status)));
}
/* Close every file descriptor except those in `exceptions`.  On Linux
   the set of open descriptors is read from /proc/self/fd; elsewhere, or
   if that fails with a SysError, every descriptor number below
   sysconf(_SC_OPEN_MAX) is closed blindly, ignoring errors. */
void closeMostFDs(const set<int> & exceptions)
{
#if __linux__
    try {
        for (const auto & entry : readDirectory("/proc/self/fd")) {
            const int fd = std::stoi(entry.name);
            if (exceptions.count(fd)) continue;
            debug("closing leaked FD %d", fd);
            close(fd);
        }
        return;
    } catch (SysError &) {
        /* /proc unavailable: fall through to the brute-force sweep. */
    }
#endif

    const int maxFD = sysconf(_SC_OPEN_MAX);
    for (int fd = 0; fd < maxFD; ++fd)
        if (!exceptions.count(fd))
            close(fd); /* ignore result */
}
/* Set FD_CLOEXEC on `fd` so it is not inherited across exec().  Throws
   SysError if the flags cannot be read or written. */
void closeOnExec(int fd)
{
    const int flags = fcntl(fd, F_GETFD, 0);
    if (flags == -1)
        throw SysError("setting close-on-exec flag");
    if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1)
        throw SysError("setting close-on-exec flag");
}
//////////////////////////////////////////////////////////////////////
/* Set (elsewhere, e.g. by a signal handler) when the user asks to stop;
   presumably polled by checkInterrupt() in util.hh, which ends up in
   _interrupted() below. */
bool _isInterrupted = false;

/* Per-thread: true once Interrupted has been thrown on this thread (or
   setInterruptThrown() was called), so it is not thrown a second time. */
static thread_local bool interruptThrown = false;

/* Optional per-thread hook for the interrupt check; its use is not in
   this part of the file. */
thread_local std::function<bool()> interruptCheck;
/* Mark this thread as already interrupted, so _interrupted() stays silent
   from now on. */
void setInterruptThrown()
{
    interruptThrown = true;
}
/* Called once _isInterrupted has been noticed: throw Interrupted, at most
   once per thread, and never while an exception is already in flight. */
void _interrupted()
{
    /* Block user interrupts while an exception is being handled.
       Throwing an exception while another exception is being handled
       kills the program! */
    const bool alreadyThrown = interruptThrown;
    const bool unwinding = std::uncaught_exceptions() != 0;
    if (alreadyThrown || unwinding) return;
    interruptThrown = true;
    throw Interrupted("interrupted by the user");
}
//////////////////////////////////////////////////////////////////////
/* Split `s` at runs of characters from `separators`, dropping empty
   tokens, and collect the pieces into a C (inserted at its end, so a
   set dedupes while a list or vector keeps order). */
template<class C> C tokenizeString(std::string_view s, const string & separators)
{
    C tokens;
    auto start = s.find_first_not_of(separators, 0);
    while (start != string::npos) {
        auto stop = s.find_first_of(separators, start + 1);
        if (stop == string::npos) stop = s.size();
        tokens.insert(tokens.end(), string(s, start, stop - start));
        start = s.find_first_not_of(separators, stop);
    }
    return tokens;
}
/* Explicit instantiations for the container types callers use (the
   template body lives in this file only). */
template Strings tokenizeString(std::string_view s, const string & separators);
template StringSet tokenizeString(std::string_view s, const string & separators);
template vector<string> tokenizeString(std::string_view s, const string & separators);
/* Strip trailing whitespace (space, newline, carriage return, tab). */
string chomp(std::string_view s)
{
    const auto lastKept = s.find_last_not_of(" \n\r\t");
    if (lastKept == string::npos) return "";
    return string(s, 0, lastKept + 1);
}
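/* Strip leading and trailing characters from `whitespace`.  Returns ""
   when `s` consists of such characters only. */
std::string trim(const std::string & s, const std::string & whitespace)
{
    const auto first = s.find_first_not_of(whitespace);
    if (first == std::string::npos) return "";
    /* A non-whitespace character exists, so find_last_not_of cannot fail
       here; the `j == npos` branch the old code guarded was unreachable. */
    const auto last = s.find_last_not_of(whitespace);
    return s.substr(first, last - first + 1);
}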
/* Return `s` with every non-overlapping occurrence of `from` replaced by
   `to`, scanning left to right and resuming after each insertion.  An
   empty `from` matches nothing. */
string replaceStrings(std::string_view s,
    const std::string & from, const std::string & to)
{
    string result(s);
    if (from.empty()) return result;
    for (size_t at = result.find(from); at != std::string::npos; at = result.find(from, at + to.size()))
        result.replace(at, from.size(), to);
    return result;
}
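/* Apply every (from -> to) pair in `rewrites` to `_s`, in map order,
   replacing all occurrences of each key left to right.  Pairs whose key
   equals their value, and empty keys, are skipped. */
std::string rewriteStrings(const std::string & _s, const StringMap & rewrites)
{
    auto s = _s;
    for (auto & i : rewrites) {
        if (i.first == i.second) continue;
        /* find("") matches at every position and would never advance. */
        if (i.first.empty()) continue;
        size_t j = 0;
        while ((j = s.find(i.first, j)) != std::string::npos) {
            s.replace(j, i.first.size(), i.second);
            /* Resume after the inserted text.  Re-scanning from j (the old
               behaviour) looped forever whenever a value contained its own
               key; this also matches what replaceStrings() above does. */
            j += i.second.size();
        }
    }
    return s;
}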
/* Human-readable description of a wait() status: "succeeded", the exit
   code, the terminating signal (with its name when strsignal() is
   available), or "died abnormally". */
string statusToString(int status)
{
    if (WIFEXITED(status)) {
        const int code = WEXITSTATUS(status);
        if (code == 0) return "succeeded";
        return (format("failed with exit code %1%") % code).str();
    }

    if (WIFSIGNALED(status)) {
        int sig = WTERMSIG(status);
#if HAVE_STRSIGNAL
        const char * description = strsignal(sig);
        return (format("failed due to signal %1% (%2%)") % sig % description).str();
#else
        return (format("failed due to signal %1%") % sig).str();
#endif
    }

    return "died abnormally";
}
/* True iff a wait() status means a normal exit with code 0. */
bool statusOk(int status)
{
    if (!WIFEXITED(status)) return false;
    return WEXITSTATUS(status) == 0;
}
/* True iff `s` starts with `prefix`; an empty prefix always matches. */
bool hasPrefix(std::string_view s, std::string_view prefix)
{
    if (s.size() < prefix.size()) return false;
    return s.substr(0, prefix.size()) == prefix;
}
/* True iff `s` ends with `suffix`; an empty suffix always matches. */
bool hasSuffix(std::string_view s, std::string_view suffix)
{
    const auto n = suffix.size();
    if (n > s.size()) return false;
    return s.compare(s.size() - n, n, suffix) == 0;
}
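/* Lower-case every byte of `s` with std::tolower.  Each byte is passed as
   unsigned char: with a plain (signed) char, bytes >= 0x80 turn into
   negative ints, for which tolower() is not defined. */
std::string toLower(const std::string & s)
{
    std::string r(s);
    for (auto & c : r)
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return r;
}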
/* Quote `s` for a POSIX shell: wrap it in single quotes and turn each
   embedded ' into '\'' (close quote, escaped quote, reopen quote).  The
   result is safe to splice into a command line as one word. */
std::string shellEscape(const std::string & s)
{
    std::string quoted;
    quoted.reserve(s.size() + 2);
    quoted += '\'';
    for (char c : s) {
        if (c == '\'')
            quoted += "'\\''";
        else
            quoted += c;
    }
    quoted += '\'';
    return quoted;
}
/* For use inside a catch block: log the exception currently being
   handled as "error (ignored)" and swallow it.  Only std::exception and
   its subclasses are caught; anything else propagates out again. */
void ignoreException()
{
    try {
        throw;
    }
    catch (std::exception & e) {
        printError("error (ignored): %1%", e.what());
    }
}
/* Whether to emit ANSI colour codes on stderr: only for a terminal, only
   when TERM is set to something other than "dumb", and never when the
   NO_COLOR environment variable is present. */
bool shouldANSI()
{
    if (!isatty(STDERR_FILENO)) return false;
    if (getEnv("TERM").value_or("dumb") == "dumb") return false;
    return !getEnv("NO_COLOR").has_value();
}
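/* Number of continuation bytes a UTF-8 lead byte announces: 1, 2 or 3 for
   the 0xC0 / 0xE0 / 0xF0 lead patterns, else 0 (ASCII, a stray
   continuation byte or an invalid lead — all copied as a single byte). */
static size_t utf8ContinuationBytes(unsigned char lead)
{
    if ((lead & 0xe0) == 0xc0) return 1;
    if ((lead & 0xf0) == 0xe0) return 2;
    if ((lead & 0xf8) == 0xf0) return 3;
    return 0;
}

/* Copy `s` while dropping ANSI escape sequences, expanding tabs to
   8-column stops and cutting the result at `width` display columns (one
   column per UTF-8 character; escapes and carriage returns count zero).
   SGR sequences (CSI ... 'm', i.e. colour/attribute changes) are kept
   unless filterAll is set; carriage returns are dropped. */
std::string filterANSIEscapes(const std::string & s, bool filterAll, unsigned int width)
{
    std::string t;
    size_t w = 0;
    auto i = s.begin();

    while (w < static_cast<size_t>(width) && i != s.end()) {

        if (*i == '\033') {
            std::string e;
            e += *i++;
            char last = 0;

            if (i != s.end() && *i == '[') {
                e += *i++;
                // eat parameter bytes
                while (i != s.end() && *i >= 0x30 && *i <= 0x3f) e += *i++;
                // eat intermediate bytes
                while (i != s.end() && *i >= 0x20 && *i <= 0x2f) e += *i++;
                // eat final byte
                if (i != s.end() && *i >= 0x40 && *i <= 0x7e) e += last = *i++;
            } else {
                // two-byte escape: ESC followed by one byte in 0x40..0x5f
                if (i != s.end() && *i >= 0x40 && *i <= 0x5f) e += *i++;
            }

            // Only complete SGR sequences survive, and only when not
            // filtering everything.
            if (!filterAll && last == 'm')
                t += e;
        }

        else if (*i == '\t') {
            i++; t += ' '; w++;
            while (w < static_cast<size_t>(width) && w % 8) {
                t += ' '; w++;
            }
        }

        else if (*i == '\r')
            // do nothing for now
            i++;

        else {
            w++;
            // Copy one UTF-8 character: the lead byte plus as many of the
            // announced continuation bytes as are actually present.
            size_t remaining = utf8ContinuationBytes(static_cast<unsigned char>(*i));
            t += *i++;
            while (remaining > 0 && i != s.end() && (static_cast<unsigned char>(*i) & 0xc0) == 0x80) {
                t += *i++;
                remaining--;
            }
        }
    }

    return t;
}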
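/* The standard base64 alphabet (RFC 4648), indexed by 6-bit value;
   shared by base64Encode() and base64Decode(). */
static const char base64Chars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";


/* Encode 's' as standard base64: the base64Chars alphabet, '='
   padding to a multiple of four characters, no line breaks. */
std::string base64Encode(std::string_view s)
{
    std::string res;
    res.reserve((s.size() + 2) / 3 * 4);

    /* Bit accumulator: only the low 'nbits' bits are pending output.
       It is unsigned so that the stale high bits shifted out at the top
       are discarded by well-defined wrap-around; with a signed int the
       left shift overflows after a few input bytes. */
    unsigned int data = 0;
    int nbits = 0;

    for (char c : s) {
        data = data << 8 | (unsigned char) c;
        nbits += 8;
        while (nbits >= 6) {
            nbits -= 6;
            res.push_back(base64Chars[data >> nbits & 0x3f]);
        }
    }

    /* Flush the remaining 2 or 4 bits, left-aligned in a 6-bit group. */
    if (nbits) res.push_back(base64Chars[data << (6 - nbits) & 0x3f]);
    while (res.size() % 4) res.push_back('=');

    return res;
}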
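/* Decode standard base64 (the base64Chars alphabet).  A '=' ends the
   input, newlines are skipped, and any other byte outside the alphabet
   raises Error.  Bits left over after the last whole byte are
   discarded. */
std::string base64Decode(std::string_view s)
{
    /* Sentinel of the same type as the table entries: comparing a char
       holding 0xff against the int -1 is only true where char is
       signed, so the sentinel must be a char too. */
    static constexpr char npos = -1;

    /* Reverse lookup table: byte -> 6-bit value, or npos. */
    struct DecodeTable
    {
        char entries[256];
        DecodeTable()
        {
            memset(entries, npos, sizeof(entries));
            for (int i = 0; i < 64; i++)
                entries[(unsigned char) base64Chars[i]] = i;
        }
    };
    /* Built on first use only; initialisation of a function-local
       static is thread-safe in C++11 and later. */
    static const DecodeTable decode;

    std::string res;
    unsigned int d = 0, bits = 0;

    for (char c : s) {
        if (c == '=') break;
        if (c == '\n') continue;

        char digit = decode.entries[(unsigned char) c];
        if (digit == npos)
            throw Error("invalid character in Base64 string: '%c'", c);

        /* Accumulate 6 bits; emit a byte whenever at least 8 are pending. */
        bits += 6;
        d = d << 6 | digit;
        if (bits >= 8) {
            res.push_back(d >> (bits - 8) & 0xff);
            bits -= 8;
        }
    }

    return res;
}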
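/* Remove the common leading indentation (spaces only) from every line
   of 's'.  Lines that are empty or consist solely of spaces do not take
   part in determining that indentation and keep whatever exceeds it.
   Every line of the result, including the last one, ends in '\n'. */
std::string stripIndentation(std::string_view s)
{
    /* Upper bound on the indentation that is stripped; it stays in
       effect when no non-blank line is present at all. */
    size_t minIndent = 10000;
    size_t curIndent = 0;
    bool atStartOfLine = true;

    for (auto & c : s) {
        if (atStartOfLine && c == ' ')
            curIndent++;
        else if (c == '\n') {
            /* A blank (all-space) line says nothing about the common
               indentation, so it is deliberately ignored here: letting
               it raise minIndent would make the following pass drop
               the text of properly indented lines. */
            curIndent = 0;
            atStartOfLine = true;
        } else if (atStartOfLine) {
            minIndent = std::min(minIndent, curIndent);
            atStartOfLine = false;
        }
    }

    std::string res;

    size_t pos = 0;
    while (pos < s.size()) {
        auto eol = s.find('\n', pos);
        if (eol == s.npos) eol = s.size();
        /* Lines shorter than the indentation (blank lines) become empty. */
        if (eol - pos > minIndent)
            res.append(s.substr(pos + minIndent, eol - pos - minIndent));
        res.push_back('\n');
        pos = eol + 1;
    }

    return res;
}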
//////////////////////////////////////////////////////////////////////
/* Last terminal size recorded by updateWindowSize(), as (rows, columns);
   stays (0, 0) until a TIOCGWINSZ query on stderr has succeeded. */
static Sync<std::pair<unsigned short, unsigned short>> windowSize{{0, 0}};
/* Refresh 'windowSize' from the terminal attached to stderr; leaves it
   untouched when the ioctl fails (e.g. when stderr is not a terminal). */
static void updateWindowSize()
{
    struct winsize ws;
    if (ioctl(STDERR_FILENO, TIOCGWINSZ, &ws) != 0)
        return;
    auto size(windowSize.lock());
    size->first = ws.ws_row;
    size->second = ws.ws_col;
}
/* Return the most recently recorded terminal size as (rows, columns). */
std::pair<unsigned short, unsigned short> getWindowSize()
{
    auto size(windowSize.lock());
    return *size;
}
/* Callbacks run by triggerInterrupt().  Entries are appended by
   createInterruptCallback() and erased when the InterruptCallback it
   returned is destroyed; the Sync wrapper serialises all access. */
static Sync<std::list<std::function<void()>>> _interruptCallbacks;
/* Body of the thread started by startSignalHandlerThread(): waits in
   sigwait() on 'set' forever and dispatches each delivered signal. */
static void signalHandlerThread(sigset_t set)
{
    for (;;) {
        int sig = 0;
        sigwait(&set, &sig);

        switch (sig) {
        case SIGINT:
        case SIGTERM:
        case SIGHUP:
            triggerInterrupt();
            break;
        case SIGWINCH:
            updateWindowSize();
            break;
        default:
            /* The set built by startSignalHandlerThread() also holds
               SIGPIPE; it is consumed here and otherwise ignored. */
            break;
        }
    }
}
/* Mark the process as interrupted and run every registered interrupt
   callback.  An exception escaping a callback is handed to
   ignoreException() and does not stop the remaining callbacks.
   NOTE(review): the callbacks run with the _interruptCallbacks lock
   held, so a callback that creates or destroys an InterruptCallback
   would re-acquire that lock -- confirm Sync is non-recursive before
   relying on such a callback. */
void triggerInterrupt()
{
    _isInterrupted = true;

    auto callbacks(_interruptCallbacks.lock());
    for (auto & callback : *callbacks) {
        try {
            callback();
        } catch (...) {
            ignoreException();
        }
    }
}
/* Signal mask of the process as it was before startSignalHandlerThread()
   blocked the handled signals; restoreSignals() reinstates it. */
static sigset_t savedSignalMask;
/* Block SIGINT, SIGTERM, SIGHUP, SIGPIPE and SIGWINCH in the calling
   thread (threads created afterwards inherit that mask) and start a
   detached thread that receives them through sigwait().  The mask in
   force beforehand is kept in savedSignalMask for restoreSignals().
   Also takes an initial terminal-size reading. */
void startSignalHandlerThread()
{
    updateWindowSize();

    if (sigprocmask(SIG_BLOCK, nullptr, &savedSignalMask) != 0)
        throw SysError("querying signal mask");

    sigset_t set;
    sigemptyset(&set);
    for (int sig : {SIGINT, SIGTERM, SIGHUP, SIGPIPE, SIGWINCH})
        sigaddset(&set, sig);

    if (pthread_sigmask(SIG_BLOCK, &set, nullptr) != 0)
        throw SysError("blocking signals");

    std::thread(signalHandlerThread, set).detach();
}
/* Reinstate the signal mask saved by startSignalHandlerThread(). */
static void restoreSignals()
{
    int rc = sigprocmask(SIG_SETMASK, &savedSignalMask, nullptr);
    if (rc != 0)
        throw SysError("restoring signals");
}
#if __linux__
/* Soft RLIMIT_STACK value before setStackSize() raised it, consulted by
   restoreProcessContext(); 0 is treated as "nothing was changed". */
rlim_t savedStackSize = 0;
#endif
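/* Raise the soft stack limit of the process to 'stackSize' bytes when
   it is currently lower (Linux only; a no-op elsewhere).  The request
   is capped at the hard limit, because setrlimit() rejects anything
   above it and would otherwise leave the limit unchanged.  The previous
   value is remembered in savedStackSize so that restoreProcessContext()
   can undo the change. */
void setStackSize(size_t stackSize)
{
    #if __linux__
    struct rlimit limit;
    if (getrlimit(RLIMIT_STACK, &limit) != 0 || limit.rlim_cur >= stackSize)
        return;

    rlim_t wanted = std::min(static_cast<rlim_t>(stackSize), limit.rlim_max);
    if (wanted <= limit.rlim_cur)
        return; // already at the hard limit; nothing can be raised

    rlim_t previous = limit.rlim_cur;
    limit.rlim_cur = wanted;
    /* Record the old value only when the change took effect, so the
       restore step does not "restore" a limit that was never changed. */
    if (setrlimit(RLIMIT_STACK, &limit) == 0)
        savedStackSize = previous;
    #endif
}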
/* Undo the process-wide adjustments made earlier in this process: the
   blocked signal mask, the CPU affinity and, on Linux, the soft stack
   limit raised by setStackSize().  Typically called in a freshly forked
   child (see commonChildInit()). */
void restoreProcessContext()
{
    restoreSignals();
    restoreAffinity();

    #if __linux__
    if (savedStackSize == 0)
        return;
    struct rlimit limit;
    if (getrlimit(RLIMIT_STACK, &limit) != 0)
        return;
    limit.rlim_cur = savedStackSize;
    setrlimit(RLIMIT_STACK, &limit);
    #endif
}
/* Concrete InterruptCallback handed out by createInterruptCallback():
   remembers where its callback sits in _interruptCallbacks and erases
   it on destruction, so the registration lives exactly as long as the
   object returned to the caller. */
struct InterruptCallbackImpl : InterruptCallback
{
    /* Position of this callback in *_interruptCallbacks; std::list
       iterators remain valid while other elements come and go. */
    std::list<std::function<void()>>::iterator it;

    ~InterruptCallbackImpl() override
    {
        auto callbacks(_interruptCallbacks.lock());
        callbacks->erase(it);
    }
};
/* Register 'callback' to be run by triggerInterrupt().  It stays
   registered until the returned object is destroyed. */
std::unique_ptr<InterruptCallback> createInterruptCallback(std::function<void()> callback)
{
    auto callbacks(_interruptCallbacks.lock());
    callbacks->push_back(callback);

    /* The freshly appended element is the last one in the list. */
    auto pos = callbacks->end();
    --pos;

    auto impl = std::make_unique<InterruptCallbackImpl>();
    impl->it = pos;
    return std::unique_ptr<InterruptCallback>(std::move(impl));
}
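/* Create a listening Unix domain stream socket bound to 'path' with
   permission bits 'mode'.  Any existing filesystem entry at 'path' is
   removed first so that a stale socket from a previous run does not
   block binding.  Between bind() and chmod() the socket briefly exists
   with the mode derived from the process umask rather than 'mode';
   callers that need a stricter mode from the start must arrange the
   umask or the parent directory's permissions accordingly.  Throws
   Error if 'path' does not fit in sockaddr_un and SysError on any
   system-call failure. */
AutoCloseFD createUnixDomainSocket(const Path & path, mode_t mode)
{
    AutoCloseFD fdSocket = socket(PF_UNIX, SOCK_STREAM
        #ifdef SOCK_CLOEXEC
        | SOCK_CLOEXEC
        #endif
        , 0);
    if (!fdSocket)
        throw SysError("cannot create Unix domain socket");

    /* Redundant where SOCK_CLOEXEC was honoured, but covers platforms
       without it. */
    closeOnExec(fdSocket.get());

    /* Zero the whole address so no uninitialised padding reaches bind(). */
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    if (path.size() + 1 >= sizeof(addr.sun_path))
        throw Error("socket path '%1%' is too long", path);
    memcpy(addr.sun_path, path.c_str(), path.size() + 1); // including the NUL

    /* Remove a stale entry.  A missing one is fine; any other failure
       would only resurface as a less informative EADDRINUSE from bind(). */
    if (unlink(path.c_str()) == -1 && errno != ENOENT)
        throw SysError("removing stale socket '%1%'", path);

    if (bind(fdSocket.get(), reinterpret_cast<struct sockaddr *>(&addr), sizeof(addr)) == -1)
        throw SysError("cannot bind to socket '%1%'", path);

    if (chmod(path.c_str(), mode) == -1)
        throw SysError("changing permissions on '%1%'", path);

    if (listen(fdSocket.get(), 5) == -1)
        throw SysError("cannot listen on socket '%1%'", path);

    return fdSocket;
}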
/* Format a byte count as MiB with two decimals, e.g. "1.50 MiB". */
string showBytes(uint64_t bytes)
{
    const double mib = 1024.0 * 1024.0;
    return fmt("%.2f MiB", bytes / mib);
}
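// FIXME: move to libstore/build
/* Standard set-up for a freshly forked child: undo the parent's
   process-wide adjustments, detach from the controlling terminal, send
   stderr and stdout to the write side of 'logPipe' and read stdin from
   /dev/null.  Throws SysError on any failure. */
void commonChildInit(Pipe & logPipe)
{
    const static std::string pathNullDevice = "/dev/null";
    restoreProcessContext();

    /* Put the child in a separate session (and thus a separate
       process group) so that it has no controlling terminal (meaning
       that e.g. ssh cannot open /dev/tty) and it doesn't receive
       terminal signals. */
    if (setsid() == -1)
        throw SysError("creating a new session");

    /* Dup the write side of the logger pipe into stderr. */
    if (dup2(logPipe.writeSide.get(), STDERR_FILENO) == -1)
        throw SysError("cannot pipe standard error into log file");

    /* Dup stderr to stdout. */
    if (dup2(STDERR_FILENO, STDOUT_FILENO) == -1)
        throw SysError("cannot dup stderr into stdout");

    /* Reroute stdin to /dev/null. */
    int fdDevNull = open(pathNullDevice.c_str(), O_RDWR);
    if (fdDevNull == -1)
        throw SysError("cannot open '%1%'", pathNullDevice);
    /* If descriptor 0 was closed, open() may have returned 0 itself: the
       descriptor then already is stdin and must not be closed below. */
    if (fdDevNull != STDIN_FILENO) {
        int rc = dup2(fdDevNull, STDIN_FILENO);
        int savedErrno = errno;
        close(fdDevNull); // release the temporary descriptor on both paths
        if (rc == -1) {
            errno = savedErrno; // report dup2's failure, not close()'s
            throw SysError("cannot dup null device into stdin");
        }
    }
}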
}