Mercurial > hg > octave-lojdl > gnulib-hg
changeset 12040:e8108d5c7ca7
unlink: new module, for Solaris 9 bug
unlink("file/") mistakenly succeeded. This patch favors, but
does not enforce, GNU semantics that unlink("link-to-dir/")
flat-out fails rather than attempting to unlink "dir".
* modules/unlink: New file.
* lib/unlink.c: Likewise.
* m4/unlink.m4 (gl_FUNC_UNLINK): Likewise.
* m4/unistd_h.m4 (gl_UNISTD_H_DEFAULTS): Add witnesses.
* modules/unistd (Makefile.am): Use them.
* lib/unistd.in.h (stat): Declare replacement.
* MODULES.html.sh (systems lacking POSIX:2008): Mention module.
* doc/posix-functions/unlink.texi (unlink): Likewise.
* modules/unlink-tests: New test.
* tests/test-unlink.c: Likewise.
Signed-off-by: Eric Blake <ebb9@byu.net>
author | Eric Blake <ebb9@byu.net> |
---|---|
date | Wed, 16 Sep 2009 17:13:20 -0600 |
parents | eacd308b94de |
children | 73e9ab6e2c90 |
files | ChangeLog MODULES.html.sh doc/posix-functions/unlink.texi lib/unistd.in.h lib/unlink.c m4/unistd_h.m4 m4/unlink.m4 modules/unistd modules/unlink modules/unlink-tests tests/test-unlink.c |
diffstat | 11 files changed, 307 insertions(+), 2 deletions(-) [+] |
line wrap: on
line diff
--- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,17 @@ 2009-09-19 Eric Blake <ebb9@byu.net> + unlink: new module, for Solaris 9 bug + * modules/unlink: New file. + * lib/unlink.c: Likewise. + * m4/unlink.m4 (gl_FUNC_UNLINK): Likewise. + * m4/unistd_h.m4 (gl_UNISTD_H_DEFAULTS): Add witnesses. + * modules/unistd (Makefile.am): Use them. + * lib/unistd.in.h (stat): Declare replacement. + * MODULES.html.sh (systems lacking POSIX:2008): Mention module. + * doc/posix-functions/unlink.texi (unlink): Likewise. + * modules/unlink-tests: New test. + * tests/test-unlink.c: Likewise. + lstat: fix Solaris 9 bug * lib/lstat.c (lstat): Also check for trailing slash on non-symlink, non-directories. Use stat module to simplify logic.
--- a/MODULES.html.sh +++ b/MODULES.html.sh @@ -2359,6 +2359,7 @@ func_module sys_wait func_module tsearch func_module unistd + func_module unlink func_module utime func_module vasnprintf-posix func_module vasprintf-posix
--- a/doc/posix-functions/unlink.texi +++ b/doc/posix-functions/unlink.texi @@ -4,15 +4,28 @@ POSIX specification: @url{http://www.opengroup.org/onlinepubs/9699919799/functions/unlink.html} -Gnulib module: --- +Gnulib module: unlink Portability problems fixed by Gnulib: @itemize +@item +Some systems mistakenly succeed on @code{unlink("file/")}: +Solaris 9. @end itemize Portability problems not fixed by Gnulib: @itemize @item +Some systems allow a superuser to unlink directories, even though this +can cause file system corruption. The error given if a process is not +permitted to unlink directories varies across implementations; it is +not always the POSIX value of @code{EPERM}. Meanwhile, if a process +has the ability to unlink directories, POSIX requires that +@code{unlink("symlink-to-dir/")} remove @file{dir} and leave +@file{symlink-to-dir} dangling; this behavior is counter-intuitive. +The gnulib module unlinkdir can help determine whether code must be +cautious of unlinking directories. +@item Removing an open file is non-portable: On Unix this allows the programs that have the file already open to continue working with it; the file's storage is only freed when the no process has the file open any more. On Windows,
--- a/lib/unistd.in.h +++ b/lib/unistd.in.h @@ -164,6 +164,21 @@ #endif +#if @GNULIB_UNLINK@ +# if @REPLACE_UNLINK@ +# undef unlink +# define unlink rpl_unlink +extern int unlink (char const *file); +# endif +#elif defined GNULIB_POSIXCHECK +# undef unlink +# define unlink(n) \ + (GL_LINK_WARNING ("unlink is not portable - " \ + "use gnulib module unlink for portability"), \ + unlink (n)) +#endif + + #if @GNULIB_UNLINKAT@ # if !@HAVE_UNLINKAT@ extern int unlinkat (int fd, char const *file, int flag);
new file mode 100644 --- /dev/null +++ b/lib/unlink.c @@ -0,0 +1,85 @@ +/* Work around unlink bugs. + + Copyright (C) 2009 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +#include <config.h> + +#include <unistd.h> + +#include <errno.h> +#include <stdlib.h> +#include <string.h> +#include <sys/stat.h> + +#undef unlink + +/* Remove file NAME. + Return 0 if successful, -1 if not. */ + +int +rpl_unlink (char const *name) +{ + /* Work around Solaris 9 bug where unlink("file/") succeeds. */ + size_t len = strlen (name); + int result = 0; + if (len && ISSLASH (name[len - 1])) + { + /* We can't unlink(2) something if it doesn't exist. If it does + exist, then it resolved to a directory, due to the trailing + slash, and POSIX requires that the unlink attempt to remove + that directory (which would leave the symlink dangling). + Unfortunately, Solaris 9 is one of the platforms where the + root user can unlink directories, and we don't want to + cripple this behavior on real directories, even if it is + seldom needed (at any rate, it's nicer to let coreutils' + unlink(1) give the correct errno for non-root users). But we + don't know whether name was an actual directory, or a symlink + to a directory; and due to the bug of ignoring trailing + slash, Solaris 9 would end up successfully unlinking the + symlink instead of the directory. Technically, we could use + realpath to find the canonical directory name to attempt + deletion on. But that is a lot of work for a corner case; so + we instead just use an lstat on the shortened name, and + reject symlinks with trailing slashes. The root user of + unlink(1) will just have to live with the rule that they + can't delete a directory via a symlink. */ + struct stat st; + result = lstat (name, &st); + if (result == 0) + { + /* Trailing NUL will overwrite the trailing slash. */ + char *short_name = malloc (len); + if (!short_name) + { + errno = EPERM; + return -1; + } + memcpy (short_name, name, len); + while (len && ISSLASH (short_name[len - 1])) + short_name[--len] = '\0'; + if (len && (lstat (short_name, &st) || S_ISLNK (st.st_mode))) + { + free (short_name); + errno = EPERM; + return -1; + } + free (short_name); + } + } + if (!result) + result = unlink (name); + return result; +}
--- a/m4/unistd_h.m4 +++ b/m4/unistd_h.m4 @@ -1,4 +1,4 @@ -# unistd_h.m4 serial 27 +# unistd_h.m4 serial 28 dnl Copyright (C) 2006-2009 Free Software Foundation, Inc. dnl This file is free software; the Free Software Foundation dnl gives unlimited permission to copy and/or distribute it, @@ -61,6 +61,7 @@ GNULIB_SYMLINKAT=0; AC_SUBST([GNULIB_SYMLINKAT]) GNULIB_UNISTD_H_GETOPT=0; AC_SUBST([GNULIB_UNISTD_H_GETOPT]) GNULIB_UNISTD_H_SIGPIPE=0; AC_SUBST([GNULIB_UNISTD_H_SIGPIPE]) + GNULIB_UNLINK=0; AC_SUBST([GNULIB_UNLINK]) GNULIB_UNLINKAT=0; AC_SUBST([GNULIB_UNLINKAT]) GNULIB_WRITE=0; AC_SUBST([GNULIB_WRITE]) dnl Assume proper GNU behavior unless another module says otherwise. @@ -99,6 +100,7 @@ REPLACE_LINK=0; AC_SUBST([REPLACE_LINK]) REPLACE_LSEEK=0; AC_SUBST([REPLACE_LSEEK]) REPLACE_RMDIR=0; AC_SUBST([REPLACE_RMDIR]) + REPLACE_UNLINK=0; AC_SUBST([REPLACE_UNLINK]) REPLACE_WRITE=0; AC_SUBST([REPLACE_WRITE]) UNISTD_H_HAVE_WINSOCK2_H=0; AC_SUBST([UNISTD_H_HAVE_WINSOCK2_H]) UNISTD_H_HAVE_WINSOCK2_H_AND_USE_SOCKETS=0;
new file mode 100644 --- /dev/null +++ b/m4/unlink.m4 @@ -0,0 +1,27 @@ +# unlink.m4 serial 1 +dnl Copyright (C) 2009 Free Software Foundation, Inc. +dnl This file is free software; the Free Software Foundation +dnl gives unlimited permission to copy and/or distribute it, +dnl with or without modifications, as long as this notice is preserved. + +AC_DEFUN([gl_FUNC_UNLINK], +[ + AC_REQUIRE([gl_AC_DOS]) + AC_REQUIRE([gl_UNISTD_H_DEFAULTS]) + dnl Detect Solaris 9 bug. + AC_CACHE_CHECK([whether unlink honors trailing slashes], + [gl_cv_func_unlink_works], + [touch conftest.file + AC_RUN_IFELSE( + [AC_LANG_PROGRAM( + [[#include <stdio.h> + #include <errno.h> +]], [[return !unlink ("conftest.file/") || errno != ENOTDIR;]])], + [gl_cv_func_unlink_works=yes], [gl_cv_func_unlink_works=no], + [gl_cv_func_unlink_works="guessing no"]) + rm -f conftest.file]) + if test x"$gl_cv_func_unlink_works" != xyes; then + REPLACE_UNLINK=1 + AC_LIBOBJ([unlink]) + fi +])
--- a/modules/unistd +++ b/modules/unistd @@ -54,6 +54,7 @@ -e 's|@''GNULIB_SYMLINKAT''@|$(GNULIB_SYMLINKAT)|g' \ -e 's|@''GNULIB_UNISTD_H_GETOPT''@|$(GNULIB_UNISTD_H_GETOPT)|g' \ -e 's|@''GNULIB_UNISTD_H_SIGPIPE''@|$(GNULIB_UNISTD_H_SIGPIPE)|g' \ + -e 's|@''GNULIB_UNLINK''@|$(GNULIB_UNLINK)|g' \ -e 's|@''GNULIB_UNLINKAT''@|$(GNULIB_UNLINKAT)|g' \ -e 's|@''GNULIB_WRITE''@|$(GNULIB_WRITE)|g' \ -e 's|@''HAVE_DUP2''@|$(HAVE_DUP2)|g' \ @@ -91,6 +92,7 @@ -e 's|@''REPLACE_LINK''@|$(REPLACE_LINK)|g' \ -e 's|@''REPLACE_LSEEK''@|$(REPLACE_LSEEK)|g' \ -e 's|@''REPLACE_RMDIR''@|$(REPLACE_RMDIR)|g' \ + -e 's|@''REPLACE_UNLINK''@|$(REPLACE_UNLINK)|g' \ -e 's|@''REPLACE_WRITE''@|$(REPLACE_WRITE)|g' \ -e 's|@''UNISTD_H_HAVE_WINSOCK2_H''@|$(UNISTD_H_HAVE_WINSOCK2_H)|g' \ -e 's|@''UNISTD_H_HAVE_WINSOCK2_H_AND_USE_SOCKETS''@|$(UNISTD_H_HAVE_WINSOCK2_H_AND_USE_SOCKETS)|g' \
new file mode 100644 --- /dev/null +++ b/modules/unlink @@ -0,0 +1,26 @@ +Description: +unlink(): remove a file. + +Files: +lib/unlink.c +m4/dos.m4 +m4/unlink.m4 + +Depends-on: +lstat +unistd + +configure.ac: +gl_FUNC_UNLINK +gl_UNISTD_MODULE_INDICATOR([unlink]) + +Makefile.am: + +Include: +<unistd.h> + +License: +LGPL + +Maintainer: +Eric Blake
new file mode 100644 --- /dev/null +++ b/modules/unlink-tests @@ -0,0 +1,12 @@ +Files: +tests/test-unlink.c + +Depends-on: +unlinkdir + +configure.ac: +AC_CHECK_FUNCS_ONCE([symlink]) + +Makefile.am: +TESTS += test-unlink +check_PROGRAMS += test-unlink
new file mode 100644 --- /dev/null +++ b/tests/test-unlink.c @@ -0,0 +1,110 @@ +/* Tests of unlink. + Copyright (C) 2009 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +/* Written by Eric Blake <ebb9@byu.net>, 2009. */ + +#include <config.h> + +#include <unistd.h> + +#include <fcntl.h> +#include <errno.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/stat.h> + +#include "unlinkdir.h" + +#if !HAVE_SYMLINK +# define symlink(a,b) (-1) +#endif + +#define ASSERT(expr) \ + do \ + { \ + if (!(expr)) \ + { \ + fprintf (stderr, "%s:%d: assertion failed\n", __FILE__, __LINE__); \ + fflush (stderr); \ + abort (); \ + } \ + } \ + while (0) + +#define BASE "test-unlink.t" + +int +main () +{ + /* Remove any leftovers from a previous partial run. */ + ASSERT (system ("rm -rf " BASE "*") == 0); + + /* Setup. */ + ASSERT (mkdir (BASE "dir", 0700) == 0); + ASSERT (close (creat (BASE "dir/file", 0600)) == 0); + + /* Basic error conditions. */ + errno = 0; + ASSERT (unlink ("") == -1); + ASSERT (errno == ENOENT); + errno = 0; + ASSERT (unlink (BASE "nosuch") == -1); + ASSERT (errno == ENOENT); + errno = 0; + ASSERT (unlink (BASE "nosuch/") == -1); + ASSERT (errno == ENOENT); + /* Resulting errno after directories is rather varied across + implementations (EPERM, EINVAL, EACCES, EBUSY, EISDIR, ENOTSUP); + however, we must be careful to not attempt unlink on a directory + unless we know it must fail. */ + if (cannot_unlink_dir ()) + { + ASSERT (unlink (".") == -1); + ASSERT (unlink ("..") == -1); + ASSERT (unlink ("/") == -1); + ASSERT (unlink (BASE "dir") == -1); + ASSERT (mkdir (BASE "dir1", 0700) == 0); + ASSERT (unlink (BASE "dir1") == -1); + ASSERT (rmdir (BASE "dir1") == 0); + } + errno = 0; + ASSERT (unlink (BASE "dir/file/") == -1); + ASSERT (errno == ENOTDIR); + + /* Test symlink behavior. Specifying trailing slash will attempt + unlink of a directory, so only attempt it if we know it must + fail. */ + if (symlink (BASE "dir", BASE "link") != 0) + { + ASSERT (unlink (BASE "dir/file") == 0); + ASSERT (rmdir (BASE "dir") == 0); + fputs ("skipping test: symlinks not supported on this filesystem\n", + stderr); + return 77; + } + if (cannot_unlink_dir ()) + ASSERT (unlink (BASE "link/") == -1); + ASSERT (unlink (BASE "link") == 0); + ASSERT (symlink (BASE "dir/file", BASE "link") == 0); + /* Order here proves unlink of a symlink does not follow through to + the file. */ + ASSERT (unlink (BASE "link") == 0); + ASSERT (unlink (BASE "dir/file") == 0); + ASSERT (rmdir (BASE "dir") == 0); + + return 0; +}