author | garga <garga@FreeBSD.org> | 2015-07-06 13:01:01 +0000 |
---|---|---|
committer | garga <garga@FreeBSD.org> | 2015-07-06 13:01:01 +0000 |
commit | c49abb198d367256a94da48fed297b82b5a11ad9 (patch) | |
tree | 405345f80080e535bfc241ee0b84241f929bdfc2 /usr.sbin | |
parent | 998834455cb651366ad087f0f5206af8a1b7823f (diff) | |
MFC r285050, r285053, r285059:
When passwd or group information is changed (by pw, vipw, chpass, ...)
a temporary file is created and then a rename() call moves it to the official
file. This operation didn't have any check to make sure the data was written
to disk, and if a power cycle happens the system could end up with a 0-length
passwd or group database.
There is a pfSense bug with more information about it:
https://redmine.pfsense.org/issues/4523
The following changes were made to protect passwd and group operations:
* lib/libutil/gr_util.c:
- Replace mkstemp() by mkostemp() with O_SYNC flag to create temp file
- After rename(), fsync() call on directory for faster result
* lib/libutil/pw_util.c
- Replace mkstemp() by mkostemp() with O_SYNC flag to create temp file
* usr.sbin/pwd_mkdb/pwd_mkdb.c
- Added O_SYNC flag on dbopen() calls
- After rename(), fsync() call on directory for faster result
* lib/libutil/pw_util.3
- pw_lock() returns a file descriptor to master password file on success
Differential Revision: https://reviews.freebsd.org/D2978
Approved by: re (kib), bapt (implicit agreed)
Sponsored by: Netgate
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/pwd_mkdb/pwd_mkdb.c | 25 |
1 files changed, 20 insertions, 5 deletions
diff --git a/usr.sbin/pwd_mkdb/pwd_mkdb.c b/usr.sbin/pwd_mkdb/pwd_mkdb.c
index 0ba68a5..c75804a 100644
--- a/usr.sbin/pwd_mkdb/pwd_mkdb.c
+++ b/usr.sbin/pwd_mkdb/pwd_mkdb.c
@@ -51,6 +51,7 @@ __FBSDID("$FreeBSD$");
 #include <err.h>
 #include <errno.h>
 #include <fcntl.h>
+#include <libgen.h>
 #include <limits.h>
 #include <pwd.h>
 #include <signal.h>
@@ -224,14 +225,14 @@ main(int argc, char *argv[])
 clean = FILE_INSECURE;
 cp(buf2, buf, PERM_INSECURE);
 dp = dbopen(buf,
- O_RDWR|O_EXCL, PERM_INSECURE, DB_HASH, &openinfo);
+ O_RDWR|O_EXCL|O_SYNC, PERM_INSECURE, DB_HASH, &openinfo);
 if (dp == NULL)
 error(buf);
 clean = FILE_SECURE;
 cp(sbuf2, sbuf, PERM_SECURE);
 sdp = dbopen(sbuf,
- O_RDWR|O_EXCL, PERM_SECURE, DB_HASH, &openinfo);
+ O_RDWR|O_EXCL|O_SYNC, PERM_SECURE, DB_HASH, &openinfo);
 if (sdp == NULL)
 error(sbuf);
@@ -288,13 +289,13 @@ main(int argc, char *argv[])
 method = 0;
 } else {
 dp = dbopen(buf,
- O_RDWR|O_CREAT|O_EXCL, PERM_INSECURE, DB_HASH, &openinfo);
+ O_RDWR|O_CREAT|O_EXCL|O_SYNC, PERM_INSECURE, DB_HASH, &openinfo);
 if (dp == NULL)
 error(buf);
 clean = FILE_INSECURE;
 sdp = dbopen(sbuf,
- O_RDWR|O_CREAT|O_EXCL, PERM_SECURE, DB_HASH, &openinfo);
+ O_RDWR|O_CREAT|O_EXCL|O_SYNC, PERM_SECURE, DB_HASH, &openinfo);
 if (sdp == NULL)
 error(sbuf);
 clean = FILE_SECURE;
@@ -714,13 +715,27 @@ void
 mv(char *from, char *to)
 {
 char buf[MAXPATHLEN];
+ char *to_dir;
+ int to_dir_fd = -1;
- if (rename(from, to)) {
+ /*
+ * Make sure file is safe on disk. To improve performance we will call
+ * fsync() to the directory where file lies
+ */
+ if (rename(from, to) != 0 ||
+ (to_dir = dirname(to)) == NULL ||
+ (to_dir_fd = open(to_dir, O_RDONLY|O_DIRECTORY)) == -1 ||
+ fsync(to_dir_fd) != 0) {
 int sverrno = errno;
 (void)snprintf(buf, sizeof(buf), "%s to %s", from, to);
 errno = sverrno;
+ if (to_dir_fd != -1)
+ close(to_dir_fd);
 error(buf);
 }
+
+ if (to_dir_fd != -1)
+ close(to_dir_fd);
 }
 void |
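Review bot: In the hunk at -224, the added `O_SYNC` only covers writes made through the descriptor that dbopen() opens, while the bulk of each file was written just before by `cp(buf2, buf, PERM_INSECURE)` and `cp(sbuf2, sbuf, PERM_SECURE)`. cp() is not part of this diff, so whether the copied bytes reach stable storage before mv() renames the file cannot be confirmed from here; if cp() does not sync, a power loss could still leave a partly written password database in place. An explicit flush before each database is closed, for example `if (fsync(dp->fd(dp)) != 0) error(buf);` and the same for `sdp`, would cover the copied and the updated pages alike. The close calls sit outside this hunk, so the exact placement needs checking against the rest of main().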
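Review bot: In mv(), `errno = sverrno;` is restored before the added `close(to_dir_fd);`, so a failing close() can overwrite the value that error(buf) presumably reports (error() is outside the hunk, but the save/restore around snprintf() suggests it reads errno); close the descriptor first and restore errno as the last statement before `error(buf);`. The same branch is now also taken when rename() has already succeeded and only the directory open() or fsync() failed, yet the message is still built as `"%s to %s"`, which hides which step failed while the new database is already in place. POSIX also allows dirname() to modify its argument, so passing `to` directly risks printing a truncated path in that message on implementations that do; copying `to` into a local `char dirbuf[MAXPATHLEN]` with a checked `snprintf()` before calling `dirname(dirbuf)` avoids that.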