HyperSupers/spip_nursit
4
0
Fork 0
Code Issues Pull requests Releases Activity
spip_nursit/ecrire/inc/nfslock.php

326 lines
12 KiB
PHP
Raw Permalink Normal View History

First commit
2023-06-01 15:30:12 +00:00
<?php
/**
* Gestion des verrous NFS
*
* @package SPIP\Core\NFS
**/
if (!defined('_ECRIRE_INC_VERSION')) {
return;
}
include_spip('inc/acces');
define('_DEFAULT_LOCKTIME', 60);
define('_NAME_LOCK', 'spip_nfs_lock');
/**
* Crée un verrou pour NFS
*
* (Excerpts from Chuck's notes:
* this becomes complex, due to our dear friend, the NFS mounted mail spool.
* the netbsd code didn't do this properly, as far as I could tell.
*
* - you can't trust exclusive creating opens over NFS, the protocol
* just doesn't support it. so to do a lock you have to create
* a tmp file and then try and hard link it to your lock file.
* - to detect a stale lock file you have to see how old it is, but
* you can't use time(0) because that is the time on the local system
* and the file gets the times of the NFS server. when is a lock
* file stale? people seem to like 120 or 300 seconds.)
*
* NB: It is _critical_ that nfslock()ed files be unlocked by nfsunlock().
* Simply unlinking the lock file is a good way to trash someone else's lock
* file. All it takes is for the process doing the unlink to get hung for
* a few minutes when it doesn't expect it. Meanwhile, its lock expires and
* a second process forces the lock and creates its own. Then the first
* process comes along and kills the second process' lock while it's still
* valid.
*
* Security considerations:
* If we're root, be very careful to see that the temp file we opened is
* what we think it is. The problem is that we could lose a race with
* someone who takes our tmp file and replaces it with, say, a hard
* link to /etc/passwd. Then, if the first lock attempt fails, we'll
* write a char to the file (see 4. below); this would truncate the
* passwd file. So we make sure that the link count is 1. We don't really
* care about any other screwing around since we don't write anything
* sensitive to the lock file, nor do we change its owner or mode. If
* someone beats us on a race and replaces our temp file with anything
* else, it's no big deal- the file may get truncated, but there's no
* possible security breach. ...Actually the possibility of the race
* ever happening, given the random name of the file, is virtually nil.
*
* args: path = path to directory of lock file (/net/u/1/a/alexis/.mailspool)
* namelock = file name of lock file (alexis.lock)
* max_age = age of lockfile, in seconds, after which the lock is stale.
* stale locks are always broken. Defaults to DEFAULT_LOCKTIME
* if zero. Panix mail locks go stale at 300 seconds, the default.
* notify = 1 if we should tell stdout that we're sleeping on a lock
*
* Returns the time that the lock was created on the other system. This is
* important for nfsunlock(). If the lock already exists, returns NFSL_LOCKED.
* If there is some other failure, return NFSL_SYSF. If NFSL_LOCKED is
* returned, errno is also set to EEXIST. If we're root and the link count
* on the tmp file is wrong, return NFSL_SECV.
*
* Mods of 7/13/95: Change a bit of code to re-stat the lockfile after
* closing it. This is to work around a bug in SunOS that appears to to affect
* some SunOS 4.1.3 machines (but not all). The bug is that close() updates
* the stat st_ctime field for that file. So use lstat on fullpath instead
* of fstat on tmpfd. This alteration applies to both nfslock and nfslock1.
*
* Mod of 5/4/95: Change printf's to fprintf(stderr... in nfslock and nfslock1.
*
* Mods of 4/29/95: Fix freeing memory before use if a stat fails. Remove
* code that forbids running as root; instead, if root, check link count on
* tmp file after opening it.
*
* Mods of 4/27/95: Return the create time instead of the lockfile's fd, which
* is useless. Added new routines nfsunlock(), nfslock_test(), nfslock_renew().
*
* Mods of 1/8/95: Eliminate some security checks since this code never
* runs as root. In particular, we completely eliminate the safeopen
* routine. But add one check: if we _are_ root, fail immediately.
*
* Change arguments: take a path and a filename. Don't assume a global or
* macro pointing to a mailspool.
*
* Add notify argument; if 1, tell user when we're waiting for a lock.
*
* Add max_age argument and DEFAULT_LOCKTIME.
*
* Change comments drastically.
*
* @author Chuck Cranor <chuck@maria.wustl.edu> (original author)
* @author Alexis Rosen <alexis@panix.com> (rewritter)
* @author Cedric Morin <cedric@yterium.com> (rewritter for php&SPIP)
*
* @param string $fichier Chemin du fichier
* @param int $max_age Age maximum du verrou
* @return int|bool Timestamp du verrou, false si erreur
*/
function spip_nfslock($fichier, $max_age = 0) {
$tries = 0;
if (!$max_age) {
$max_age = _DEFAULT_LOCKTIME;
}
$lock_file = _DIR_TMP . _NAME_LOCK . '-' . substr(md5($fichier), 0, 8);
/*
* 1. create a tmp file with a psuedo random file name. we also make
* tpath which is a buffer to store the full pathname of the tmp file.
*/
$id = creer_uniqid();
$tpath = _DIR_TMP . "slock.$id";
$tmpfd = @fopen($tpath, 'w'); // hum, le 'x' necessite php4,3,2 ...
if (!$tmpfd) { /* open failed */
@fclose($tmpfd);
spip_unlink($tpath);
return false; //NFSL_SYSF
}
/*
* 2. make fullpath, a buffer for the full pathname of the lock file.
* then start looping trying to lock it
*/
while ($tries < 10) {
/*
* 3. link tmp file to lock file. if it goes, we win and we clean
* up and return the st_ctime of the lock file.
*/
if (link($tpath, $lock_file) == 1) {
spip_unlink($tpath); /* got it! */
@fclose($tmpfd);
if (($our_tmp = lstat($lock_file)) == false) { /* stat failed... shouldn't happen */
spip_unlink($lock_file);
return false; // (NFSL_SYSF);
}
return ($our_tmp['ctime']);
}
/*
* 4. the lock failed. check for a stale lock file, being mindful
* of NFS and the fact the time is set from the NFS server. we
* do a write on the tmp file to update its time to the server's
* idea of "now."
*/
$old_stat = lstat($lock_file);
if (@fputs($tmpfd, 'zz', 2) != 2 || !$our_tmp = fstat($tmpfd)) {
break;
} /* something bogus is going on */
if ($old_stat != false && (($old_stat['ctime'] + $max_age) < $our_tmp['ctime'])) {
spip_unlink($lock_file); /* break the stale lock */
$tries++;
/* It is CRITICAL that we sleep after breaking
* the lock. Otherwise, we could race with
* another process and unlink it's newly-
* created file.
*/
sleep(1 + rand(0, 4));
continue;
}
/*
* 5. try again
*/
$tries++;
sleep(1 + rand(0, 4));
}
/*
* 6. give up, failure.
*/
spip_unlink($tpath);
@fclose($tmpfd);
return false; //(NFSL_LOCKED);
}
/**
* Unlock an nfslock()ed file
*
* This can get tricky because the lock may have expired (perhaps even
* during a process that should be "atomic"). We have to make sure we don't
* unlock some other process' lock, and return a panic code if we think our
* lock file has been broken illegally. What's done in reaction to that panic
* (of anything) is up to the caller. See the comments on nfslock()!
*
* args: path = path to directory of lock file (/net/u/1/a/alexis/.mailspool)
* namelock = file name of lock file (alexis.lock)
* max_age = age of lockfile, in seconds, after which the lock is stale.
* stale locks are always broken. Defaults to DEFAULT_LOCKTIME
* if zero. Panix mail locks go stale at 300 seconds, the default.
* birth = time the lock was created (as returned by nfslock()).
*
* Returns NFSL_OK if successful, NFSL_LOST if the lock has been lost
* legitimately (because more than max_age has passed since the lock was
* created), and NFSL_STOLEN if it's been tampered with illegally (i.e.
* while this program is within the expiry period). Returns NFSL_SYSF if
* another system failure prevents it from even trying to unlock the file.
*
* Note that for many programs, a return code of NFSL_LOST or NFSL_STOLEN is
* equally disastrous; a NFSL_STOLEN means that some other program may have
* trashed your file, but a NFSL_LOST may mean that _you_ have trashed someone
* else's file (if in fact you wrote the file that you locked after you lost
* the lock) or that you read inconsistent information.
*
* In practice, a return code of NFSL_LOST or NFSL_STOLEN will virtually never
* happen unless someone is violating the locking protocol.
*
* @author Alexis Rosen <alexis@panix.com>
* @see spip_nfslock()
*
* @param string $fichier Chemin du fichier
* @param bool $birth Timestamp de l'heure de création du verrou
* @param int $max_age Age maximum du verrou
* @param bool $test Mode de test
* return bool true si déverrouillé, false sinon
*/
function spip_nfsunlock($fichier, $birth, $max_age = 0, $test = false) {
$id = creer_uniqid();
if (!$max_age) {
$max_age = _DEFAULT_LOCKTIME;
}
/*
* 1. Build a temp file and stat that to get an idea of what the server
* thinks the current time is (our_tmp.st_ctime)..
*/
$tpath = _DIR_TMP . "stime.$id";
$tmpfd = @fopen($tpath, 'w');
if ((!$tmpfd)
or (@fputs($tmpfd, 'zz', 2) != 2)
or !($our_tmp = fstat($tmpfd))
) {
/* The open failed, or we can't write the file, or we can't stat it */
@fclose($tmpfd);
spip_unlink($tpath);
return false; //(NFSL_SYSF);
}
@fclose($tmpfd); /* We don't need this once we have our_tmp.st_ctime. */
spip_unlink($tpath);
/*
* 2. make fullpath, a buffer for the full pathname of the lock file
*/
$lock_file = _DIR_TMP . _NAME_LOCK . '-' . substr(md5($fichier), 0, 8);
/*
* 3. If the ctime hasn't been modified, unlink the file and return. If the
* lock has expired, sleep the usual random interval before returning.
* If we didn't sleep, there could be a race if the caller immediately
* tries to relock the file.
*/
if (($old_stat = @lstat($lock_file)) /* stat succeeds so file is there */
&& ($old_stat['ctime'] == $birth)
) { /* hasn't been modified since birth */
if (!$test) {
spip_unlink($lock_file);
} /* so the lock is ours to remove */
if ($our_tmp['ctime'] >= $birth + $max_age) { /* the lock has expired */
if (!$test) {
return false;
} //(NFSL_LOST);
sleep(1 + (random(0, 4))); /* so sleep a bit */
}
return true;//(NFSL_OK); /* success */
}
/*
* 4. Either ctime has been modified, or the entire lock file is missing.
* If the lock should still be ours, based on the ctime of the temp
* file, return with NFSL_STOLEN. If not, then our lock is expired and
* someone else has grabbed the file, so return NFSL_LOST.
*/
if ($our_tmp['ctime'] < $birth + $max_age) { /* lock was stolen */
return false;
} //(NFSL_STOLEN);
return false; //(NFSL_LOST); /* The lock must have expired first. */
}
/**
* Test a lock to see if it's still valid.
*
* Args, return codes, and behavior are identical to nfsunlock except
* that nfslock_test doesn't remove the lock. NFSL_OK means the lock is
* good, NFLS_LOST and NFSL_STOLEN means it's bad, and NFSL_SYSF means
* we couldn't tell due to system failure.
*
* The source for this routine is almost identical to nfsunlock(), but it's
* coded separately to make things as clear as possible.
*
* @author Alexis Rosen <alexis@panix.com>
* @see spip_nfsunlock() about lost and stolen locks.
*
* @param string $fichier Chemin du fichier
* @param bool $birth Timestamp de l'heure de création du verrou
* @param int $max_age Age maximum du verrou
* return bool true si déverrouillé, false sinon
*/
function spip_nfslock_test($fichier, $birth, $max_age = 0) {
return spip_nfsunlock($fichier, $birth, $max_age, true);
}
Copy permalink