Add an undocumented flag --ignore-visibility.

This is mostly useful in the case where you are root, but the directories
in question no longer exist (or were never there to begin with) and you
still want to search in the database, or dump all of it using plocate ''.
Obviously, this needs to drop the sgid flag like --debug already does,
so we do that.

Using this together with -e/--existing doesn't make any sense,
but we don't have any explicit checks for it.

diff --git a/plocate.cpp b/plocate.cpp
index 7182ee892dfa839b5b50794a4e22582500759996..519024e07c5b31d04f96db1cc085e8313bb4c39b 100644 (file)
--- a/plocate.cpp
+++ b/plocate.cpp
@@ -55,6 +55,7 @@ bool patterns_are_regex = false;
 bool use_extended_regex = false;
 bool match_basename = false;
 bool check_existence = false;
+bool ignore_visibility = false;
 int64_t limit_matches = numeric_limits<int64_t>::max();
 int64_t limit_left = numeric_limits<int64_t>::max();
 bool stdout_is_tty = false;
@@ -114,6 +115,9 @@ Corpus::Corpus(int fd, const char *filename_for_errors, IOUringEngine *engine)
                // This too. (We ignore the other max_version 2 fields.)
                hdr.check_visibility = true;
        }
+       if (ignore_visibility) {
+               hdr.check_visibility = false;
+       }
 }
 
 Corpus::~Corpus()
@@ -834,6 +838,7 @@ int main(int argc, char **argv)
 
        constexpr int EXTENDED_REGEX = 1000;
        constexpr int FLUSH_CACHE = 1001;
+       constexpr int IGNORE_VISIBILITY = 1002;
        static const struct option long_options[] = {
                { "help", no_argument, 0, 'h' },
                { "count", no_argument, 0, 'c' },
@@ -852,6 +857,9 @@ int main(int argc, char **argv)
                { "debug", no_argument, 0, 'D' },  // Not documented.
                // Enable to test cold-cache behavior (except for access()). Not documented.
                { "flush-cache", no_argument, 0, FLUSH_CACHE },
+               // Mostly useful to dump out the entire database, even if the given directories
+               // are gone. Disables sgid due to security. Not documented.
+               { "ignore-visibility", no_argument, 0, IGNORE_VISIBILITY },
                { 0, 0, 0, 0 }
        };
 
@@ -917,17 +925,22 @@ int main(int argc, char **argv)
                case 'V':
                        version();
                        break;
+               case IGNORE_VISIBILITY:
+                       ignore_visibility = true;
+                       break;
                default:
                        exit(1);
                }
        }
 
-       if (use_debug || flush_cache) {
+       if (use_debug || flush_cache || ignore_visibility) {
                // Debug information would leak information about which files exist,
                // so drop setgid before we open the file; one would either need to run
                // as root, or use a locally-built file. Doing the same thing for
                // flush_cache is mostly paranoia, in an attempt to prevent random users
                // from making plocate slow for everyone else.
+               // --ignore-visibility is obvious; if we allowed to keep sgid with
+               // that flag on, it would subvert the entire security model.
                if (setgid(getgid()) != 0) {
                        perror("setgid");
                        exit(EXIT_FAILURE);