From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 6114461682 for ; Tue, 18 Aug 2020 13:53:07 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 4F49812F80 for ; Tue, 18 Aug 2020 13:53:07 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [212.186.127.180]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id EF6DE12F70 for ; Tue, 18 Aug 2020 13:53:05 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id B40434466E for ; Tue, 18 Aug 2020 13:53:05 +0200 (CEST) From: Mira Limbeck To: pbs-devel@lists.proxmox.com Date: Tue, 18 Aug 2020 13:52:58 +0200 Message-Id: <20200818115259.12558-1-m.limbeck@proxmox.com> X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.106 Adjusted score from AWL reputation of 
From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods NO_DNS_FOR_FROM 0.379 Envelope sender has no MX or A DNS records RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [fs.rs] Subject: [pbs-devel] [PATCH v5 proxmox] Add tempfile() helper function X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Aug 2020 11:53:07 -0000 The tempfile() helper function tries to create a temporary file in /tmp with the O_TMPFILE option. If that fails with EISDIR (kernel without O_TMPFILE support) it falls back to using mkstemp(). This happens in /tmp/proxmox-<uid> (uid = effective uid of the caller) which is either created with mode 0700, or if it already exists, checked for the right owner and permissions. As O_TMPFILE was introduced in kernel 3.11 this fallback can help with CentOS 7 and its 3.10 kernel as well as with WSL (Windows Subsystem for Linux). 
Signed-off-by: Mira Limbeck --- v5: - switched from AtomicBool to static mut bool - split O_TMPFILE and mkstemp code paths into separate functions - improved error handling - removed eprintln!() - fixed fd leak v4: - changed directory from proxmox-backup- to proxmox- - added check for owner and permissions v3: - O_TMPFILE support is tested on first run of tempfile() - EISDIR is handled specifically to test for O_TMPFILE support - AtomicBool is used as it provides a safe interface, but 'static mut' could also be used - mkstemp() now creates the tempfile in a subdirectory called proxmox-backup- proxmox/src/tools/fs.rs | 85 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 83 insertions(+), 2 deletions(-)
diff --git a/proxmox/src/tools/fs.rs b/proxmox/src/tools/fs.rs
index b1a95b5..3e9ef1e 100644
--- a/proxmox/src/tools/fs.rs
+++ b/proxmox/src/tools/fs.rs
@@ -1,17 +1,19 @@
 //! File related utilities such as `replace_file`.
 
 use std::ffi::CStr;
-use std::fs::{File, OpenOptions};
+use std::fs::{DirBuilder, File, OpenOptions};
 use std::io::{self, BufRead, BufReader, Write};
+use std::os::unix::fs::{DirBuilderExt, MetadataExt, OpenOptionsExt, PermissionsExt};
 use std::os::unix::io::{AsRawFd, FromRawFd, RawFd};
 use std::path::Path;
 use std::time::Duration;
 
 use anyhow::{bail, format_err, Error};
+use lazy_static::lazy_static;
 use nix::errno::Errno;
 use nix::fcntl::OFlag;
 use nix::sys::stat;
-use nix::unistd::{self, Gid, Uid};
+use nix::unistd::{self, geteuid, mkstemp, unlink, Gid, Uid};
 use serde_json::Value;
 
 use crate::sys::error::SysResult;
@@ -518,3 +520,82 @@ pub fn open_file_locked>(path: P, timeout: Duration) -> Result
 bail!("Unable to acquire lock {:?} - {}", path, err),
 }
 }
+
+// Only ever set to 'false' if O_TMPFILE is not supported. As we never set it to 'true' again
+// once it is set to 'false', the eventual consistency provided by a static mut bool (x86) is
+// enough. Worst-case: multiple threads will try O_TMPFILE first before switching to mkstemp().
+static mut O_TMPFILE_SUPPORT: bool = true;
+lazy_static! {
+ static ref MKSTEMP_PATH: String = {
+ let uid = geteuid();
+ format!("/tmp/proxmox-{}", uid)
+ };
+ static ref MKSTEMP_FILE: String = format!("{}/tmpfile_XXXXXX", MKSTEMP_PATH.as_str());
+}
+
+/// Create a new tempfile by using O_TMPFILE with a fallback to mkstemp() if it fails
+/// (e.g. not supported).
+pub fn tempfile() -> Result {
+ if unsafe { O_TMPFILE_SUPPORT } {
+ create_tempfile_otmpfile()
+ } else {
+ create_tempfile_mkstemp()
+ }
+ .map_err(|err| format_err!("create tempfile failed: {}", err))
+}
+
+fn create_tempfile_otmpfile() -> Result {
+ match std::fs::OpenOptions::new()
+ .write(true)
+ .read(true)
+ .custom_flags(libc::O_TMPFILE)
+ .open("/tmp")
+ {
+ Ok(file) => Ok(file),
+ Err(ref err) if err.raw_os_error() == Some(libc::EISDIR) => {
+ unsafe {
+ O_TMPFILE_SUPPORT = false;
+ }
+ create_tempfile_mkstemp()
+ }
+ Err(err) => Err(err.into()),
+ }
+}
+
+fn create_tempfile_mkstemp() -> Result {
+ if let Err(err) = DirBuilder::new().mode(0o700).create(MKSTEMP_PATH.as_str()) {
+ if err.kind() != std::io::ErrorKind::AlreadyExists {
+ bail!(
+ "create directory '{}' failed: '{}'",
+ MKSTEMP_PATH.as_str(),
+ err
+ );
+ } else {
+ // check owner
+ let metadata = std::fs::metadata(MKSTEMP_PATH.as_str())?;
+ if metadata.uid() != geteuid().as_raw() {
+ bail!(
+ "directory '{}' has wrong owner: {}",
+ MKSTEMP_PATH.as_str(),
+ metadata.uid()
+ );
+ }
+
+ // check permissions
+ let perm = metadata.permissions();
+ if (perm.mode() & 0o077) != 0 {
+ bail!(
+ "directory '{}' has 
invalid permissions: {:o}",
+ MKSTEMP_PATH.as_str(),
+ perm.mode() & 0o777
+ );
+ }
+ }
+ }
+
+ let (fd, path) =
+ mkstemp(MKSTEMP_FILE.as_str()).map_err(|err| format_err!("mkstemp() failed: {}", err))?;
+ let file = unsafe { File::from_raw_fd(fd) };
+ unlink(path.as_path()).map_err(|err| format_err!("unlink() failed: {}", err))?;
+ Ok(file)
+}
-- 2.20.1
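Review bot: The owner/permission check in `create_tempfile_mkstemp` uses `std::fs::metadata`, which follows symlinks, so a pre-existing `/tmp/proxmox-<uid>` planted as a symlink to any 0700 directory owned by the same uid passes both checks and `mkstemp()` then creates (and unlinks) the temp file inside that target; the code also never verifies that the path is a directory at all. Use `std::fs::symlink_metadata` and reject anything that is not a directory — the kernel's `protected_symlinks` sysctl likely blocks this on most current systems, but a helper that exists specifically for older kernels should not rely on it. Separately, `O_TMPFILE_SUPPORT` as a `static mut` that `tempfile()` reads and `create_tempfile_otmpfile()` writes from arbitrary threads without synchronization is a data race, which is undefined behaviour under Rust's memory model regardless of what x86 guarantees; an `AtomicBool` with `Ordering::Relaxed` (from `std::sync::atomic`) compiles to the same plain load/store and removes both the UB and the two `unsafe` blocks. Finally, the fallback only triggers on `EISDIR` (kernel without `O_TMPFILE`), but per open(2) a kernel that knows the flag on a filesystem that does not support it returns `EOPNOTSUPP`, so that case currently fails the call instead of falling back to `mkstemp()`.
```rust
static O_TMPFILE_SUPPORT: AtomicBool = AtomicBool::new(true);
// … unchanged: lazy_static MKSTEMP_PATH / MKSTEMP_FILE …

// in tempfile():
    if O_TMPFILE_SUPPORT.load(Ordering::Relaxed) {
// … unchanged: rest of tempfile() …

// in create_tempfile_otmpfile(), replacing the EISDIR arm:
        Err(ref err)
            if matches!(
                err.raw_os_error(),
                Some(libc::EISDIR) | Some(libc::EOPNOTSUPP)
            ) =>
        {
            O_TMPFILE_SUPPORT.store(false, Ordering::Relaxed);
            create_tempfile_mkstemp()
        }
// … unchanged: other match arms …

// in create_tempfile_mkstemp(), replacing the `std::fs::metadata` line:
            // lstat, not stat: a symlink planted in /tmp must not pass the checks below
            let metadata = std::fs::symlink_metadata(MKSTEMP_PATH.as_str())?;
            if !metadata.is_dir() {
                bail!("'{}' is not a directory", MKSTEMP_PATH.as_str());
            }
// … unchanged: owner and permission checks, mkstemp() + unlink() …
```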