1 /* $OpenBSD: receiver.c,v 1.29 2021/08/29 13:43:46 claudio Exp $ */ 2 3 /* 4 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> 5 * Copyright (c) 2019 Florian Obser <florian@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 #include <sys/mman.h> 20 #include <sys/stat.h> 21 22 #include <assert.h> 23 #include <err.h> 24 #include <errno.h> 25 #include <fcntl.h> 26 #include <inttypes.h> 27 #include <math.h> 28 #include <poll.h> 29 #include <stdio.h> 30 #include <stdlib.h> 31 #include <string.h> 32 #include <time.h> 33 #include <unistd.h> 34 35 #include "extern.h" 36 37 enum pfdt { 38 PFD_SENDER_IN = 0, /* input from the sender */ 39 PFD_UPLOADER_IN, /* uploader input from a local file */ 40 PFD_DOWNLOADER_IN, /* downloader input from a local file */ 41 PFD_SENDER_OUT, /* output to the sender */ 42 PFD__MAX 43 }; 44 45 int 46 rsync_set_metadata(struct sess *sess, int newfile, 47 int fd, const struct flist *f, const char *path) 48 { 49 uid_t uid = (uid_t)-1; 50 gid_t gid = (gid_t)-1; 51 mode_t mode; 52 struct timespec ts[2]; 53 54 /* Conditionally adjust file modification time. */ 55 56 if (sess->opts->preserve_times) { 57 ts[0].tv_nsec = UTIME_NOW; 58 ts[1].tv_sec = f->st.mtime; 59 ts[1].tv_nsec = 0; 60 if (futimens(fd, ts) == -1) { 61 ERR("%s: futimens", path); 62 return 0; 63 } 64 LOG4("%s: updated date", f->path); 65 } 66 67 /* 68 * Conditionally adjust identifiers. 69 * If we have an EPERM, report it but continue on: this just 70 * means that we're mapping into an unknown (or disallowed) 71 * group identifier. 72 */ 73 if (getuid() == 0 && sess->opts->preserve_uids) 74 uid = f->st.uid; 75 if (sess->opts->preserve_gids) 76 gid = f->st.gid; 77 78 mode = f->st.mode; 79 if (uid != (uid_t)-1 || gid != (gid_t)-1) { 80 if (fchown(fd, uid, gid) == -1) { 81 if (errno != EPERM) { 82 ERR("%s: fchown", path); 83 return 0; 84 } 85 if (getuid() == 0) 86 WARNX("%s: identity unknown or not available " 87 "to user.group: %u.%u", f->path, uid, gid); 88 } else 89 LOG4("%s: updated uid and/or gid", f->path); 90 mode &= ~(S_ISTXT | S_ISUID | S_ISGID); 91 } 92 93 /* Conditionally adjust file permissions. */ 94 95 if (newfile || sess->opts->preserve_perms) { 96 if (fchmod(fd, mode) == -1) { 97 ERR("%s: fchmod", path); 98 return 0; 99 } 100 LOG4("%s: updated permissions", f->path); 101 } 102 103 return 1; 104 } 105 106 int 107 rsync_set_metadata_at(struct sess *sess, int newfile, int rootfd, 108 const struct flist *f, const char *path) 109 { 110 uid_t uid = (uid_t)-1; 111 gid_t gid = (gid_t)-1; 112 mode_t mode; 113 struct timespec ts[2]; 114 115 /* Conditionally adjust file modification time. */ 116 117 if (sess->opts->preserve_times) { 118 ts[0].tv_nsec = UTIME_NOW; 119 ts[1].tv_sec = f->st.mtime; 120 ts[1].tv_nsec = 0; 121 if (utimensat(rootfd, path, ts, AT_SYMLINK_NOFOLLOW) == -1) { 122 ERR("%s: utimensat", path); 123 return 0; 124 } 125 LOG4("%s: updated date", f->path); 126 } 127 128 /* 129 * Conditionally adjust identifiers. 130 * If we have an EPERM, report it but continue on: this just 131 * means that we're mapping into an unknown (or disallowed) 132 * group identifier. 133 */ 134 if (getuid() == 0 && sess->opts->preserve_uids) 135 uid = f->st.uid; 136 if (sess->opts->preserve_gids) 137 gid = f->st.gid; 138 139 mode = f->st.mode; 140 if (uid != (uid_t)-1 || gid != (gid_t)-1) { 141 if (fchownat(rootfd, path, uid, gid, AT_SYMLINK_NOFOLLOW) == -1) { 142 if (errno != EPERM) { 143 ERR("%s: fchownat", path); 144 return 0; 145 } 146 if (getuid() == 0) 147 WARNX("%s: identity unknown or not available " 148 "to user.group: %u.%u", f->path, uid, gid); 149 } else 150 LOG4("%s: updated uid and/or gid", f->path); 151 mode &= ~(S_ISTXT | S_ISUID | S_ISGID); 152 } 153 154 /* Conditionally adjust file permissions. */ 155 156 if (newfile || sess->opts->preserve_perms) { 157 if (fchmodat(rootfd, path, mode, AT_SYMLINK_NOFOLLOW) == -1) { 158 ERR("%s: fchmodat", path); 159 return 0; 160 } 161 LOG4("%s: updated permissions", f->path); 162 } 163 164 return 1; 165 } 166 167 /* 168 * Pledges: unveil, unix, rpath, cpath, wpath, stdio, fattr, chown. 169 * Pledges (dry-run): -unix, -cpath, -wpath, -fattr, -chown. 170 */ 171 int 172 rsync_receiver(struct sess *sess, int fdin, int fdout, const char *root) 173 { 174 struct flist *fl = NULL, *dfl = NULL; 175 size_t i, flsz = 0, dflsz = 0; 176 char *tofree; 177 int rc = 0, dfd = -1, phase = 0, c; 178 int32_t ioerror; 179 struct pollfd pfd[PFD__MAX]; 180 struct download *dl = NULL; 181 struct upload *ul = NULL; 182 mode_t oumask; 183 184 if (pledge("stdio unix rpath wpath cpath dpath fattr chown getpw unveil", NULL) == -1) 185 err(ERR_IPC, "pledge"); 186 187 /* Client sends exclusions. */ 188 if (!sess->opts->server) 189 send_rules(sess, fdout); 190 191 /* Server receives exclusions if delete is on. */ 192 if (sess->opts->server && sess->opts->del) 193 recv_rules(sess, fdin); 194 195 /* 196 * Start by receiving the file list and our mystery number. 197 * These we're going to be touching on our local system. 198 */ 199 200 if (!flist_recv(sess, fdin, &fl, &flsz)) { 201 ERRX1("flist_recv"); 202 goto out; 203 } 204 205 /* The IO error is sent after the file list. */ 206 207 if (!io_read_int(sess, fdin, &ioerror)) { 208 ERRX1("io_read_int"); 209 goto out; 210 } else if (ioerror != 0) { 211 ERRX1("io_error is non-zero"); 212 goto out; 213 } 214 215 if (flsz == 0 && !sess->opts->server) { 216 WARNX("receiver has empty file list: exiting"); 217 rc = 1; 218 goto out; 219 } else if (!sess->opts->server) 220 LOG1("Transfer starting: %zu files", flsz); 221 222 LOG2("%s: receiver destination", root); 223 224 /* 225 * Create the path for our destination directory, if we're not 226 * in dry-run mode (which would otherwise crash w/the pledge). 227 * This uses our current umask: we might set the permissions on 228 * this directory in post_dir(). 229 */ 230 231 if (!sess->opts->dry_run) { 232 if ((tofree = strdup(root)) == NULL) 233 err(ERR_NOMEM, NULL); 234 if (mkpath(tofree) < 0) 235 err(ERR_FILE_IO, "%s: mkpath", tofree); 236 free(tofree); 237 } 238 239 /* 240 * Disable umask() so we can set permissions fully. 241 * Then open the directory iff we're not in dry_run. 242 */ 243 244 oumask = umask(0); 245 246 if (!sess->opts->dry_run) { 247 dfd = open(root, O_RDONLY | O_DIRECTORY, 0); 248 if (dfd == -1) 249 err(ERR_FILE_IO, "%s: open", root); 250 } 251 252 /* 253 * Begin by conditionally getting all files we have currently 254 * available in our destination. 255 */ 256 257 if (sess->opts->del && 258 sess->opts->recursive && 259 !flist_gen_dels(sess, root, &dfl, &dflsz, fl, flsz)) { 260 ERRX1("flist_gen_local"); 261 goto out; 262 } 263 264 /* 265 * Make our entire view of the file-system be limited to what's 266 * in the root directory. 267 * This prevents us from accidentally (or "under the influence") 268 * writing into other parts of the file-system. 269 */ 270 271 if (unveil(root, "rwc") == -1) 272 err(ERR_IPC, "%s: unveil", root); 273 if (unveil(NULL, NULL) == -1) 274 err(ERR_IPC, "unveil"); 275 276 /* If we have a local set, go for the deletion. */ 277 278 if (!flist_del(sess, dfd, dfl, dflsz)) { 279 ERRX1("flist_del"); 280 goto out; 281 } 282 283 /* Initialise poll events to listen from the sender. */ 284 285 pfd[PFD_SENDER_IN].fd = fdin; 286 pfd[PFD_UPLOADER_IN].fd = -1; 287 pfd[PFD_DOWNLOADER_IN].fd = -1; 288 pfd[PFD_SENDER_OUT].fd = fdout; 289 290 pfd[PFD_SENDER_IN].events = POLLIN; 291 pfd[PFD_UPLOADER_IN].events = POLLIN; 292 pfd[PFD_DOWNLOADER_IN].events = POLLIN; 293 pfd[PFD_SENDER_OUT].events = POLLOUT; 294 295 ul = upload_alloc(root, dfd, fdout, CSUM_LENGTH_PHASE1, fl, flsz, 296 oumask); 297 298 if (ul == NULL) { 299 ERRX1("upload_alloc"); 300 goto out; 301 } 302 303 dl = download_alloc(sess, fdin, fl, flsz, dfd); 304 if (dl == NULL) { 305 ERRX1("download_alloc"); 306 goto out; 307 } 308 309 LOG2("%s: ready for phase 1 data", root); 310 311 for (;;) { 312 if ((c = poll(pfd, PFD__MAX, poll_timeout)) == -1) { 313 ERR("poll"); 314 goto out; 315 } else if (c == 0) { 316 ERRX("poll: timeout"); 317 goto out; 318 } 319 320 for (i = 0; i < PFD__MAX; i++) 321 if (pfd[i].revents & (POLLERR|POLLNVAL)) { 322 ERRX("poll: bad fd"); 323 goto out; 324 } else if (pfd[i].revents & POLLHUP) { 325 ERRX("poll: hangup"); 326 goto out; 327 } 328 329 /* 330 * If we have a read event and we're multiplexing, we 331 * might just have error messages in the pipe. 332 * It's important to flush these out so that we don't 333 * clog the pipe. 334 * Unset our polling status if there's nothing that 335 * remains in the pipe. 336 */ 337 338 if (sess->mplex_reads && 339 (pfd[PFD_SENDER_IN].revents & POLLIN)) { 340 if (!io_read_flush(sess, fdin)) { 341 ERRX1("io_read_flush"); 342 goto out; 343 } else if (sess->mplex_read_remain == 0) 344 pfd[PFD_SENDER_IN].revents &= ~POLLIN; 345 } 346 347 348 /* 349 * We run the uploader if we have files left to examine 350 * (i < flsz) or if we have a file that we've opened and 351 * is read to mmap. 352 */ 353 354 if ((pfd[PFD_UPLOADER_IN].revents & POLLIN) || 355 (pfd[PFD_SENDER_OUT].revents & POLLOUT)) { 356 c = rsync_uploader(ul, 357 &pfd[PFD_UPLOADER_IN].fd, 358 sess, &pfd[PFD_SENDER_OUT].fd); 359 if (c < 0) { 360 ERRX1("rsync_uploader"); 361 goto out; 362 } 363 } 364 365 /* 366 * We need to run the downloader when we either have 367 * read events from the sender or an asynchronous local 368 * open is ready. 369 * XXX: we don't disable PFD_SENDER_IN like with the 370 * uploader because we might stop getting error 371 * messages, which will otherwise clog up the pipes. 372 */ 373 374 if ((pfd[PFD_SENDER_IN].revents & POLLIN) || 375 (pfd[PFD_DOWNLOADER_IN].revents & POLLIN)) { 376 c = rsync_downloader(dl, sess, 377 &pfd[PFD_DOWNLOADER_IN].fd); 378 if (c < 0) { 379 ERRX1("rsync_downloader"); 380 goto out; 381 } else if (c == 0) { 382 assert(phase == 0); 383 phase++; 384 LOG2("%s: receiver ready for phase 2 data", root); 385 break; 386 } 387 388 /* 389 * FIXME: if we have any errors during the 390 * download, most notably files getting out of 391 * sync between the send and the receiver, then 392 * here we should bump our checksum length and 393 * go into the second phase. 394 */ 395 } 396 } 397 398 /* Properly close us out by progressing through the phases. */ 399 400 if (phase == 1) { 401 if (!io_write_int(sess, fdout, -1)) { 402 ERRX1("io_write_int"); 403 goto out; 404 } 405 if (!io_read_int(sess, fdin, &ioerror)) { 406 ERRX1("io_read_int"); 407 goto out; 408 } 409 if (ioerror != -1) { 410 ERRX("expected phase ack"); 411 goto out; 412 } 413 } 414 415 /* 416 * Now all of our transfers are complete, so we can fix up our 417 * directory permissions. 418 */ 419 420 if (!rsync_uploader_tail(ul, sess)) { 421 ERRX1("rsync_uploader_tail"); 422 goto out; 423 } 424 425 /* Process server statistics and say good-bye. */ 426 427 if (!sess_stats_recv(sess, fdin)) { 428 ERRX1("sess_stats_recv"); 429 goto out; 430 } 431 if (!io_write_int(sess, fdout, -1)) { 432 ERRX1("io_write_int"); 433 goto out; 434 } 435 436 LOG2("receiver finished updating"); 437 rc = 1; 438 out: 439 if (dfd != -1) 440 close(dfd); 441 upload_free(ul); 442 download_free(dl); 443 flist_free(fl, flsz); 444 flist_free(dfl, dflsz); 445 return rc; 446 } 447