Changeset 42712 in vbox for trunk

Timestamp:

Aug 9, 2012 2:36:02 PM (12 years ago)

Author:

vboxsync

Message:

Runtime: add RTFileCreateTemp, RTFileCreateTempSecure and RTDirCreateTempSecure (the last two are not yet implemented).

Location:

trunk

Files:

• include/iprt/dir.h (modified) (1 diff)
• include/iprt/file.h (modified) (1 diff)
• include/iprt/mangling.h (modified) (2 diffs)
• src/VBox/Runtime/generic/createtemp-generic.cpp (modified) (4 diffs)
• src/VBox/Runtime/testcase/tstRTTemp.cpp (modified) (5 diffs)

trunk/include/iprt/dir.h

@@ -98 +98 @@
  */
 RTDECL(int) RTDirCreateTemp(char *pszTemplate, RTFMODE fMode);
+
+/**
+ * Secure version of @a RTDirCreateTemp with a fixed mode of 0700.
+ *
+ * This function behaves in the same way as @a RTDirCreateTemp with two
+ * additional points.  Firstly the mode is fixed to 0700.  Secondly it will
+ * fail if it is not possible to perform the operation securely.  Possible
+ * reasons include that the directory could be removed by another unprivileged
+ * user before it is used (e.g. if is created in a non-sticky /tmp directory)
+ * or that the path contains symbolic links which another unprivileged user
+ * could manipulate; however the exact criteria will be specified on a
+ * platform-by-platform basis as platform support is added.
+ * @see RTPathIsSecure for the current list of criteria.
+ * @returns iprt status code.
+ * @returns VERR_NOT_SUPPORTED if the interface can not be supported on the
+ *                             current platform at this time.
+ * @returns VERR_INSECURE      if the directory could not be created securely.
+ * @param   pszTemplate        The directory name template on input. The
+ *                             actual directory name on success. Empty string
+ *                             on failure.
+ */
+RTDECL(int) RTDirCreateTempSecure(char *pszTemplate);
 
 /**

trunk/include/iprt/file.h

@@ -587 +587 @@
 
 
+/**
+ * Creates a new file with a unique name using the given template.
+ *
+ * One or more trailing X'es in the template will be replaced by random alpha
+ * numeric characters until a RTFileOpen with RTFILE_O_CREATE succeeds or we
+ * run out of patience.
+ * For instance:
+ *          "/tmp/myprog-XXXXXX"
+ *
+ * As an alternative to trailing X'es, it is possible to put 3 or more X'es
+ * somewhere inside the file name. In the following string only the last
+ * bunch of X'es will be modified:
+ *          "/tmp/myprog-XXX-XXX.tmp"
+ *
+ * @returns iprt status code.
+ * @param   pszTemplate     The file name template on input. The actual file
+ *                          name on success. Empty string on failure.
+ * @param   fMode           The mode to create the file with.  Use 0600 unless
+ *                          you have reason not to.
+ */
+RTDECL(int) RTFileCreateTemp(char *pszTemplate, RTFMODE fMode);
+
+/**
+ * Secure version of @a RTFileCreateTemp with a fixed mode of 0600.
+ *
+ * This function behaves in the same way as @a RTFileCreateTemp with two
+ * additional points.  Firstly the mode is fixed to 0600.  Secondly it will
+ * fail if it is not possible to perform the operation securely.  Possible
+ * reasons include that the file could be removed by another unprivileged
+ * user before it is used (e.g. if is created in a non-sticky /tmp directory)
+ * or that the path contains symbolic links which another unprivileged user
+ * could manipulate; however the exact criteria will be specified on a
+ * platform-by-platform basis as platform support is added.
+ * @see RTPathIsSecure for the current list of criteria.
+ * @returns iprt status code.
+ * @returns VERR_NOT_SUPPORTED if the interface can not be supported on the
+ *                             current platform at this time.
+ * @returns VERR_INSECURE      if the file could not be created securely.
+ * @param   pszTemplate        The file name template on input. The actual
+ *                             file name on success. Empty string on failure.
+ */
+RTDECL(int) RTFileCreateTempSecure(char *pszTemplate);
+
+
 /** @page   pg_rt_filelock      RT File locking API description
  *

trunk/include/iprt/mangling.h

@@ -390 +390 @@
 # define RTDirCreateFullPath                            RT_MANGLER(RTDirCreateFullPath)
 # define RTDirCreateTemp                                RT_MANGLER(RTDirCreateTemp)
+# define RTDirCreateTempSecure                          RT_MANGLER(RTDirCreateTempSecure)
 # define RTDirCreateUniqueNumbered                      RT_MANGLER(RTDirCreateUniqueNumbered)
 # define RTDirExists                                    RT_MANGLER(RTDirExists)
@@ -478 +479 @@
 # define RTFileCopyByHandlesEx                          RT_MANGLER(RTFileCopyByHandlesEx)
 # define RTFileCopyEx                                   RT_MANGLER(RTFileCopyEx)
+# define RTFileCreateTemp                               RT_MANGLER(RTFileCreateTemp)
+# define RTFileCreateTempSecure                         RT_MANGLER(RTFileCreateTempSecure)
 # define RTFileDelete                                   RT_MANGLER(RTFileDelete)
 # define RTFileExists                                   RT_MANGLER(RTFileExists)

trunk/src/VBox/Runtime/generic/createtemp-generic.cpp

@@ -1 +1 @@
 /* $Id$ */
 /** @file
- * IPRT - RTDirCreateTemp, generic implementation.
+ * IPRT - temporary file and directory creation, generic implementation.
  */
 
 /*
- * Copyright (C) 2009 Oracle Corporation
+ * Copyright (C) 2009-2012 Oracle Corporation
  *
  * This file is part of VirtualBox Open Source Edition (OSE), as
@@ -34 +34 @@
 #include <iprt/assert.h>
 #include <iprt/err.h>
+#include <iprt/file.h>
 #include <iprt/path.h>
 #include <iprt/rand.h>
@@ -108 +109 @@
 RTDECL(int) RTDirCreateTemp(char *pszTemplate, RTFMODE fMode)
 {
-    char       *pszX = NULL;  /* Initialise to make gcc happy. */
+    char       *pszX = NULL;
     unsigned    cXes = 0;
     int rc = rtCreateTempValidateTemplate(pszTemplate, &pszX, &cXes);
@@ -139 +140 @@
 RT_EXPORT_SYMBOL(RTDirCreateTemp);
 
+
+/** @todo Test case for this once it is implemented. */
+RTDECL(int) RTDirCreateTempSecure(char *pszTemplate)
+{
+    size_t cchDir;
+    char chOld;
+    int rc;
+    /* bool fSafe; */
+
+    /* Temporarily convert pszTemplate to a path. */
+    RTPathParse(pszTemplate, &cchDir, NULL, NULL);
+    chOld = pszTemplate[cchDir];
+    pszTemplate[cchDir] = '\0';
+    /** @todo Implement this. */
+    rc = /* RTPathIsSecure(pszTemplate, &fSafe) */ VERR_NOT_SUPPORTED;
+    pszTemplate[cchDir] = chOld;
+    if (RT_SUCCESS(rc) /* && fSafe */)
+        return RTDirCreateTemp(pszTemplate, 0700);
+    else
+    {
+        *pszTemplate = '\0';
+        /** @todo Replace VERR_PERMISSION_DENIED.  VERR_INSECURE? */
+        return RT_FAILURE(rc) ? rc : VERR_PERMISSION_DENIED;
+    }
+}
+RT_EXPORT_SYMBOL(RTDirCreateTempSecure);
+
+
+RTDECL(int) RTFileCreateTemp(char *pszTemplate, RTFMODE fMode)
+{
+    char       *pszX = NULL;
+    unsigned    cXes = 0;
+    RTFILE      hFile;
+    int rc = rtCreateTempValidateTemplate(pszTemplate, &pszX, &cXes);
+    if (RT_FAILURE(rc))
+    {
+        *pszTemplate = '\0';
+        return rc;
+    }
+    /*
+     * Try ten thousand times.
+     */
+    int i = 10000;
+    while (i-- > 0)
+    {
+        uint64_t fOpen =   RTFILE_O_WRITE | RTFILE_O_DENY_ALL
+                         | RTFILE_O_CREATE | RTFILE_O_NOT_CONTENT_INDEXED
+                         | fMode << RTFILE_O_CREATE_MODE_SHIFT;
+        rtCreateTempFillTemplate(pszX, cXes);
+        rc = RTFileOpen(&hFile, pszTemplate, fOpen);
+        if (RT_SUCCESS(rc))
+        {
+            RTFileClose(hFile);
+            return rc;
+        }
+        /** @todo Anything else to consider? */
+        if (rc != VERR_ALREADY_EXISTS)
+        {
+            *pszTemplate = '\0';
+            return rc;
+        }
+    }
+
+    /* we've given up. */
+    *pszTemplate = '\0';
+    return VERR_ALREADY_EXISTS;
+}
+RT_EXPORT_SYMBOL(RTFileCreateTemp);
+
+
+/** @todo Test case for this once it is implemented. */
+RTDECL(int) RTFileCreateTempSecure(char *pszTemplate)
+{
+    size_t cchDir;
+    char chOld;
+    int rc;
+    /* bool fSafe; */
+
+    /* Temporarily convert pszTemplate to a path. */
+    RTPathParse(pszTemplate, &cchDir, NULL, NULL);
+    chOld = pszTemplate[cchDir];
+    pszTemplate[cchDir] = '\0';
+    /** @todo Implement this. */
+    rc = /* RTPathIsSecure(pszTemplate, &fSafe) */ VERR_NOT_SUPPORTED;
+    pszTemplate[cchDir] = chOld;
+    if (RT_SUCCESS(rc) /* && fSafe */)
+        return RTFileCreateTemp(pszTemplate, 0600);
+    else
+    {
+        *pszTemplate = '\0';
+        /** @todo Replace VERR_PERMISSION_DENIED.  VERR_INSECURE? */
+        return RT_FAILURE(rc) ? rc : VERR_PERMISSION_DENIED;
+    }
+}
+RT_EXPORT_SYMBOL(RTFileCreateTempSecure);

trunk/src/VBox/Runtime/testcase/tstRTTemp.cpp

@@ -48 +48 @@
 
 
-static void tstDirCreateTemp(const char *pszSubTest, const char *pszTemplate, unsigned cTimes, bool fSkipXCheck)
+static void tstObjectCreateTemp(const char *pszSubTest, const char *pszTemplate, bool fFile, RTFMODE fMode, unsigned cTimes, bool fSkipXCheck)
 {
     RTTestISub(pszSubTest);
+    const char *pcszAPI = fFile ? "RTFileCreateTemp" : "RTDirCreateTemp";
 
     /* Allocate the result array. */
@@ -62 +63 @@
         int rc;
         char szName[RTPATH_MAX];
+        RTFMODE fModeFinal;
         RTTESTI_CHECK_RC(rc = RTPathAppend(strcpy(szName, g_szTempPath), sizeof(szName), pszTemplate), VINF_SUCCESS);
         if (RT_FAILURE(rc))
@@ -70 +72 @@
             break;
 
-        rc = RTDirCreateTemp(papszNames[i], 0700);
+        rc =   fFile
+             ? RTFileCreateTemp(papszNames[i], fMode)
+             : RTDirCreateTemp(papszNames[i], fMode);
         if (rc != VINF_SUCCESS)
         {
-            RTTestIFailed("RTDirCreateTemp(%s) call #%u -> %Rrc\n", szName, i, rc);
+            RTTestIFailed("%s(%s, %#o) call #%u -> %Rrc\n", pcszAPI, szName, (int)fMode, i, rc);
             RTStrFree(papszNames[i]);
             papszNames[i] = NULL;
             break;
         }
-        RTTestIPrintf(RTTESTLVL_DEBUG, "%s\n", papszNames[i]);
-        RTTESTI_CHECK_MSG(strlen(szName) == strlen(papszNames[i]), ("szName   %s\nReturned %s\n", szName, papszNames[i]));
+        RTTESTI_CHECK_RC_OK(rc = RTPathGetMode(papszNames[i], &fModeFinal));
+        if (RT_SUCCESS(rc))
+        {
+            fModeFinal &= (RTFS_UNIX_IRWXU | RTFS_UNIX_IRWXO);
+            RTTESTI_CHECK_MSG((fModeFinal & ~fMode) == 0,
+                              ("%s: szName   %s\nfModeFinal ~= %#o, expected %#o\n",
+                               pcszAPI, szName, fModeFinal, (int)fMode));
+        }
+        RTTestIPrintf(RTTESTLVL_DEBUG, "%s: %s\n", pcszAPI, papszNames[i]);
+        RTTESTI_CHECK_MSG(strlen(szName) == strlen(papszNames[i]), ("%s: szName   %s\nReturned %s\n", pcszAPI, szName, papszNames[i]));
         if (!fSkipXCheck)
-            RTTESTI_CHECK_MSG(strchr(RTPathFilename(papszNames[i]), 'X') == NULL, ("szName   %s\nReturned %s\n", szName, papszNames[i]));
+            RTTESTI_CHECK_MSG(strchr(RTPathFilename(papszNames[i]), 'X') == NULL, ("%s: szName   %s\nReturned %s\n", pcszAPI, szName, papszNames[i]));
     }
 
@@ -87 +99 @@
     while (i-- > 0)
     {
-        RTTESTI_CHECK_RC(RTDirRemove(papszNames[i]), VINF_SUCCESS);
+        if (fFile)
+            RTTESTI_CHECK_RC(RTFileDelete(papszNames[i]), VINF_SUCCESS);
+        else
+            RTTESTI_CHECK_RC(RTDirRemove(papszNames[i]), VINF_SUCCESS);
         RTStrFree(papszNames[i]);
     }
     RTMemTmpFree(papszNames);
+}
+
+
+static void tstFileCreateTemp(const char *pszSubTest, const char *pszTemplate, RTFMODE fMode, unsigned cTimes, bool fSkipXCheck)
+{
+    tstObjectCreateTemp(pszSubTest, pszTemplate, true /* fFile */, fMode,
+                        cTimes, fSkipXCheck);
+}
+
+
+static void tstDirCreateTemp(const char *pszSubTest, const char *pszTemplate, RTFMODE fMode, unsigned cTimes, bool fSkipXCheck)
+{
+    tstObjectCreateTemp(pszSubTest, pszTemplate, false /* fFile */, fMode,
+                        cTimes, fSkipXCheck);
+}
+
+
+static void tstBothCreateTemp(const char *pszSubTest, const char *pszTemplate, RTFMODE fMode, unsigned cTimes, bool fSkipXCheck)
+{
+    char pszSubTestLong[128];
+    
+    RTStrPrintf(pszSubTestLong, sizeof(pszSubTestLong), "RTFileCreateTemp %s",
+                pszSubTest);
+    tstFileCreateTemp(pszSubTestLong, pszTemplate, fMode, cTimes,
+                      fSkipXCheck);
+    RTStrPrintf(pszSubTestLong, sizeof(pszSubTestLong), "RTDirCreateTemp %s",
+                pszSubTest);
+    tstDirCreateTemp(pszSubTestLong, pszTemplate, fMode, cTimes, fSkipXCheck);
 }
 
@@ -110 +153 @@
 
     /*
-     * Create N temporary directories using RTDirCreateTemp.
+     * Create N temporary files and directories using RT(File|Dir)CreateTemp.
      */
-    tstDirCreateTemp("RTDirCreateTemp #1 (standard)",   "rtRTTemp-XXXXXX",              128, false /*fSkipXCheck*/);
-    tstDirCreateTemp("RTDirCreateTemp #2 (long)",       "rtRTTemp-XXXXXXXXXXXXXXXXX",   128, false /*fSkipXCheck*/);
-    tstDirCreateTemp("RTDirCreateTemp #3 (short)",      "rtRTTemp-XX",                  128, false /*fSkipXCheck*/);
-    tstDirCreateTemp("RTDirCreateTemp #4 (very short)", "rtRTTemp-X",                 26+10, false /*fSkipXCheck*/);
-    tstDirCreateTemp("RTDirCreateTemp #5 (in-name)",    "rtRTTemp-XXXt",                  2, false /*fSkipXCheck*/);
-    tstDirCreateTemp("RTDirCreateTemp #6 (in-name)",    "XXX-rtRTTemp",                   2, false /*fSkipXCheck*/);
-    tstDirCreateTemp("RTDirCreateTemp #7 (in-name)",    "rtRTTemp-XXXXXXXXX.tmp",       128, false /*fSkipXCheck*/);
-    tstDirCreateTemp("RTDirCreateTemp #8 (in-name)",    "rtRTTemp-XXXXXXX-X.tmp",       128, true /*fSkipXCheck*/);
-    tstDirCreateTemp("RTDirCreateTemp #9 (in-name)",    "rtRTTemp-XXXXXX-XX.tmp",       128, true /*fSkipXCheck*/);
+    tstBothCreateTemp("#1 (standard)",   "rtRTTemp-XXXXXX",              0700, 128, false /*fSkipXCheck*/);
+    tstBothCreateTemp("#2 (long)",       "rtRTTemp-XXXXXXXXXXXXXXXXX",   0700, 128, false /*fSkipXCheck*/);
+    tstBothCreateTemp("#3 (short)",      "rtRTTemp-XX",                  0777, 128, false /*fSkipXCheck*/);
+    tstBothCreateTemp("#4 (very short)", "rtRTTemp-X",                 0100, 26+10, false /*fSkipXCheck*/);
+    tstBothCreateTemp("#5 (in-name)",    "rtRTTemp-XXXt",                  0301, 2, false /*fSkipXCheck*/);
+    tstBothCreateTemp("#6 (in-name)",    "XXX-rtRTTemp",                   0355, 2, false /*fSkipXCheck*/);
+    tstBothCreateTemp("#7 (in-name)",    "rtRTTemp-XXXXXXXXX.tmp",       0755, 128, false /*fSkipXCheck*/);
+    tstBothCreateTemp("#8 (in-name)",    "rtRTTemp-XXXXXXX-X.tmp",       0700, 128, true /*fSkipXCheck*/);
+    tstBothCreateTemp("#9 (in-name)",    "rtRTTemp-XXXXXX-XX.tmp",       0700, 128, true /*fSkipXCheck*/);
 
     /*