[英]Efficient way to make sure file is (X levels)? under a certain directory
I need to make sure a certain file is inside (doesn't matter how many levels) a certain directory. 我需要确保某个文件位于某个目录内(与级别无关)。
To visualize: 可视化:
A/ + file
or 要么
A/ + x/x/x/..../file
It has to be under A, doesn't matter how many levels. 它必须在A以下,无论多少级。
The file path (after the plus sign) is given to the program by the user. 用户将文件路径(加号后)赋予程序。
The thing is that I can't use chroot, because the program also needs to access some folders outside A (lets say B) but users (that are connected via socket interface) should not be able to access them via A/ + ../B/file
事实是我不能使用chroot,因为该程序还需要访问A以外的一些文件夹(比方说B),但是用户(通过套接字接口连接)不能通过
A/ + ../B/file
访问它们A/ + ../B/file
This will be done in an inner inner loop so it has to perform well. 这将在内部内部循环中完成,因此它必须表现良好。 I have thought of counting '/', extracting number of '..', extracting number of '/./' and comparing it >= 1 but it both does not perform well and feels open to bugs since the input is given by the user.
我曾想过要计数'/',提取'..'的数量,提取'/./'的数量并比较> = 1,但由于输入是由用户。
Is there a function that checks this that I don't know of or some other way? 是否有一个功能可以检查我不知道的功能或其他方式?
EDIT: 编辑:
If there is a way that will grant me access to folder B even after I chroot (file handles remain after chroot if I remember right, I need folder version of that), that is also OK. 如果有一种方法即使在我chroot之后也可以授予我对文件夹B的访问权限(如果我没记错的话,文件句柄仍在chroot之后,则需要该文件夹的版本),那也可以。 All I need is to access B , create/read/write files in it after the chroot.
我所需要做的就是访问ch ,然后在chroot之后创建/读取/写入文件B。
EDIT2: EDIT2:
By the way, I know a way to do this using UID and such but I need an alternative. 顺便说一句,我知道一种使用UID之类的方法,但是我需要替代方法。
You can call ftw()
or nftw()
in a recursive function. 您可以在递归函数中调用
ftw()
或nftw()
。
While doing this, you need to make sure that you do not follow symlinks or limit the traversal to them. 在执行此操作时,您需要确保不遵循符号链接或将符号遍历限制为它们。
Initial start may scan the frequently visited folders for memoization until a request is received and while the system is idle. 初始启动可能会扫描频繁访问的文件夹以备忘,直到接收到请求并且系统处于空闲状态为止。 All requests are added to the memoization (hashtable etc.)
所有请求都添加到备忘录中(哈希表等)
I think the easiest way to do this would be to append the user-supplied path string to end of the A directory's path, and then use the POSIX realpath() function to simplify the resulting path string. 我认为最简单的方法是将用户提供的路径字符串附加到A目录路径的末尾,然后使用POSIX realpath()函数简化生成的路径字符串。 (realpath() will iron out any ".." or symlink shenanigans and give you a simple, absolute file-path string)
(realpath()会消除任何“ ..”或symlink的恶作剧,并为您提供一个简单的绝对文件路径字符串)
Then compare that path to the A directory's simplified/absolute path. 然后将该路径与A目录的简化/绝对路径进行比较。 If the file-path string starts with A's path-string (eg strncmp(file_path_str, a_dir_path_str, strlen(a_dir_path_str))==0), then allow access to the file;
如果文件路径字符串以A的路径字符串开头(例如strncmp(file_path_str,a_dir_path_str,strlen(a_dir_path_str))== 0),则允许访问文件; otherwise deny access.
否则,拒绝访问。
Assuming the "user" doesn't have free access to the system, but has sufficient privileges in itself, I'd expect that chroot
is the solution you are looking for. 假设“用户”没有对系统的免费访问权,但本身具有足够的特权,我希望
chroot
是您正在寻找的解决方案。
So, instead of validating the directory structure of the input, simply change the "root" so that it points at "A/" - and then (if need be) remove "A/" from the start of the path, and accept the rest. 因此,无需验证输入的目录结构,只需更改“ root”,使其指向“ A /”-然后(如果需要)从路径的开头删除“ A /”,并接受休息。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.