0

I'm having a bunch of processes from different privileges, all running a shared code that open (and create if needed) a file for write using fopen_s with "a+" flag.

However, since no permissions that supplied to this command, and a root process create the file first, than other non-root processes couldn't access this file.

I could use int open(const char *pathname, int flags, mode_t mode); and thus control the file permissions (represented by mode_t) to allow access for everyone, but I need the file descriptor (FILE *) and not fileID. so I can use FILE *fdopen(int fd, const char *mode); in order to make the conversion.

Perhaps there's a more straight forward way to do it ?

Irad K
  • 867
  • 6
  • 20
  • A little nitpicking about terms, a `FILE *` is a C file stream (not to be confused with C++ stream objects), while the integer returned by e.g. `open` is a *descriptor* (in the case of `open` it's a file descriptor). – Some programmer dude Dec 30 '19 at 14:40
  • 1
    As for your problem, `open` followed by `fdopen` is probably the simplest and most straight-forward way, unless you want to bother with [`chmod`](https://pubs.opengroup.org/onlinepubs/9699919799/functions/chmod.html) after opening the file. – Some programmer dude Dec 30 '19 at 14:42
  • Lastly a little more nitpicking: There's no `fopen_s` function in the C, C++ or POSIX standards, it's a Microsoft Visual C++ CRT specific extension. – Some programmer dude Dec 30 '19 at 14:42
  • Hi, I've read about fopen_s here `https://en.cppreference.com/w/c/io/fopen` so I assumed it also support posix. – Irad K Dec 30 '19 at 14:44
  • @Someprogrammerdude There is an `fopen_s()` in the **optional** Annex K of the C11 standard. No significant implementation other than Microsoft's exists, and Microsoft's doesn't fully comply with the C standard anyway. – Andrew Henle Dec 30 '19 at 14:45
  • You could `fopen` with `chmod`, but that won't be atomic. – KamilCuk Dec 30 '19 at 14:49
  • @IradK Read this for some data on the "safer" `*_s()` functions: https://stackoverflow.com/questions/50724726/why-didnt-gcc-implement-s-functions – Andrew Henle Dec 30 '19 at 14:49
  • @KamilCuk, perhaps you can provide simple code block to demonstrate your idea ? – Irad K Dec 30 '19 at 14:51
  • @KamilCuk There is no atomic way to create a file with a guaranteed set of permissions. The mode passed to `open()` is subject to modification via the `umask` setting, and that `umask` setting can be changed between its being set/checked and any subsequent call to `open()`. – Andrew Henle Dec 30 '19 at 15:15

2 Answers2

2

No. The technique you described (open followed by fdopen) is the correct way to achieve what you want to do. As Some programmer dude pointed out, you could call chmod from your program to change the file permissions after it's created, but that's a more roundabout way to do it.

Alexander Ryker
  • 130
  • 12
1

I could use int open(const char *pathname, int flags, mode_t mode); and thus control the file permissions (represented by mode_t)

Not really. Unless you set your process's umask setting. Because the permissions passed to open() are not the permissions the created file is necessarily created with.

Per POSIX open() (bolding mine):

the access permission bits (see <sys/stat.h>) of the file mode shall be set to the value of the argument following the oflag argument taken as type mode_t modified as follows: a bitwise AND is performed on the file-mode bits and the corresponding bits in the complement of the process' file mode creation mask. Thus, all bits in the file mode whose corresponding bit in the file mode creation mask is set are cleared.

So

int fd = open( someFileName, O_CREAT | O_RDWR, 0644 );

is NOT guaranteed to set the file permissions to 0644.

If your file creation mask is set to 0077, then the file will actually be created with permissions set to 0600.

Note that the umask() setting is a process-wide property, and it's not really a good idea to change it much. And if you're trying to write general-purpose code that has no side effects, it's a bad idea to change it at all. For example, changing the umask() setting in a multithreaded process in order to allow wider access to files being created can cause security problems if another thread creates a file at the same time.

The best way to set file permissions to be exactly what you want is to set file permissions to be exactly what you want with fchmod():

FILE *f = fopen(...);
fchmod( fileno( f ), 0644 );

In fact, since the umask() setting is a process-wide property, it's always possible in general that it can be changed by another thread at any time, so setting the permissions explicitly via chmod() or fchmod() is the only guaranteed way to get exactly the permissions specified in all circumstances.

Andrew Henle
  • 32,625
  • 3
  • 24
  • 56
  • in your solution of calling `fchmod` right after `fopen`, should I check if the file was created or simply changing the permissions anyway ? – Irad K Dec 30 '19 at 15:32
  • @IradK You'd need to check for success from `fopen()`, else making the `fileno()` call with a `NULL` parameter would potentially invoke undefined behavior, likely a `SIGSEGV` here. – Andrew Henle Dec 30 '19 at 16:11