all: revert permissions

2024-11-25 18:01:47 +03:00 · 2024-11-25 18:01:47 +03:00 · b75ed7d4d3
parent 9789e5b0fe
commit b75ed7d4d3
18 changed files with 28 additions and 661 deletions
--- a/internal/aghos/permission.go
+++ b/internal/aghos/permission.go
@ -1,50 +0,0 @@
-package aghos
-
-import (
-	"io/fs"
-	"os"
-)
-
-// TODO(e.burkov):  Add platform-independent tests.
-
-// Chmod is an extension for [os.Chmod] that properly handles Windows access
-// rights.
-func Chmod(name string, perm fs.FileMode) (err error) {
-	return chmod(name, perm)
-}
-
-// Mkdir is an extension for [os.Mkdir] that properly handles Windows access
-// rights.
-func Mkdir(name string, perm fs.FileMode) (err error) {
-	return mkdir(name, perm)
-}
-
-// MkdirAll is an extension for [os.MkdirAll] that properly handles Windows
-// access rights.
-func MkdirAll(path string, perm fs.FileMode) (err error) {
-	return mkdirAll(path, perm)
-}
-
-// WriteFile is an extension for [os.WriteFile] that properly handles Windows
-// access rights.
-func WriteFile(filename string, data []byte, perm fs.FileMode) (err error) {
-	return writeFile(filename, data, perm)
-}
-
-// OpenFile is an extension for [os.OpenFile] that properly handles Windows
-// access rights.
-func OpenFile(name string, flag int, perm fs.FileMode) (file *os.File, err error) {
-	return openFile(name, flag, perm)
-}
-
-// Stat is an extension for [os.Stat] that properly handles Windows access
-// rights.
-//
-// Note that on Windows the "other" permission bits combines the access rights
-// of any trustee that is neither the owner nor the owning group for the file.
-//
-// TODO(e.burkov):  Inspect the behavior for the World (everyone) well-known
-// SID and, perhaps, use it.
-func Stat(name string) (fi fs.FileInfo, err error) {
-	return stat(name)
-}
--- a/internal/aghos/permission_unix.go
+++ b/internal/aghos/permission_unix.go
@ -1,42 +0,0 @@
-//go:build unix
-
-package aghos
-
-import (
-	"io/fs"
-	"os"
-
-	"github.com/google/renameio/v2/maybe"
-)
-
-// chmod is a Unix implementation of [Chmod].
-func chmod(name string, perm fs.FileMode) (err error) {
-	return os.Chmod(name, perm)
-}
-
-// mkdir is a Unix implementation of [Mkdir].
-func mkdir(name string, perm fs.FileMode) (err error) {
-	return os.Mkdir(name, perm)
-}
-
-// mkdirAll is a Unix implementation of [MkdirAll].
-func mkdirAll(path string, perm fs.FileMode) (err error) {
-	return os.MkdirAll(path, perm)
-}
-
-// writeFile is a Unix implementation of [WriteFile].
-func writeFile(filename string, data []byte, perm fs.FileMode) (err error) {
-	return maybe.WriteFile(filename, data, perm)
-}
-
-// openFile is a Unix implementation of [OpenFile].
-func openFile(name string, flag int, perm fs.FileMode) (file *os.File, err error) {
-	// #nosec G304 -- This function simply wraps the [os.OpenFile] function, so
-	// the security concerns should be addressed to the [OpenFile] calls.
-	return os.OpenFile(name, flag, perm)
-}
-
-// stat is a Unix implementation of [Stat].
-func stat(name string) (fi os.FileInfo, err error) {
-	return os.Stat(name)
-}
--- a/internal/aghos/permission_windows.go
+++ b/internal/aghos/permission_windows.go
@ -1,392 +0,0 @@
-//go:build windows
-
-package aghos
-
-import (
-	"fmt"
-	"io/fs"
-	"os"
-	"path/filepath"
-	"unsafe"
-
-	"github.com/AdguardTeam/golibs/errors"
-	"golang.org/x/sys/windows"
-)
-
-// fileInfo is a Windows implementation of [fs.FileInfo], that contains the
-// filemode converted from the security descriptor.
-type fileInfo struct {
-	// fs.FileInfo is embedded to provide the default implementations and data
-	// successfully retrieved by [os.Stat].
-	fs.FileInfo
-
-	// mode is the file mode converted from the security descriptor.
-	mode fs.FileMode
-}
-
-// type check
-var _ fs.FileInfo = (*fileInfo)(nil)
-
-// Mode implements [fs.FileInfo.Mode] for [*fileInfo].
-func (fi *fileInfo) Mode() (mode fs.FileMode) { return fi.mode }
-
-// stat is a Windows implementation of [Stat].
-func stat(name string) (fi os.FileInfo, err error) {
-	absName, err := filepath.Abs(name)
-	if err != nil {
-		return nil, fmt.Errorf("computing absolute path: %w", err)
-	}
-
-	fi, err = os.Stat(absName)
-	if err != nil {
-		// Don't wrap the error, since it's informative enough as is.
-		return nil, err
-	}
-
-	dacl, owner, group, err := retrieveDACL(absName)
-	if err != nil {
-		// Don't wrap the error, since it's informative enough as is.
-		return nil, err
-	}
-
-	var ownerMask, groupMask, otherMask windows.ACCESS_MASK
-	for i := range uint32(dacl.AceCount) {
-		var ace *windows.ACCESS_ALLOWED_ACE
-		err = windows.GetAce(dacl, i, &ace)
-		if err != nil {
-			return nil, fmt.Errorf("getting access control entry at index %d: %w", i, err)
-		}
-
-		entrySid := (*windows.SID)(unsafe.Pointer(&ace.SidStart))
-		switch {
-		case entrySid.Equals(owner):
-			ownerMask |= ace.Mask
-		case entrySid.Equals(group):
-			groupMask |= ace.Mask
-		default:
-			otherMask |= ace.Mask
-		}
-	}
-
-	mode := fi.Mode()
-	perm := masksToPerm(ownerMask, groupMask, otherMask, mode.IsDir())
-
-	return &fileInfo{
-		FileInfo: fi,
-		// Use the file mode from the security descriptor, but use the
-		// calculated permission bits.
-		mode: perm | mode&^fs.FileMode(0o777),
-	}, nil
-}
-
-// retrieveDACL retrieves the discretionary access control list, owner, and
-// group from the security descriptor of the file with the specified absolute
-// name.
-func retrieveDACL(absName string) (dacl *windows.ACL, owner, group *windows.SID, err error) {
-	// desiredSecInfo defines the parts of a security descriptor to retrieve.
-	const desiredSecInfo windows.SECURITY_INFORMATION = windows.OWNER_SECURITY_INFORMATION |
-		windows.GROUP_SECURITY_INFORMATION |
-		windows.DACL_SECURITY_INFORMATION |
-		windows.PROTECTED_DACL_SECURITY_INFORMATION |
-		windows.UNPROTECTED_DACL_SECURITY_INFORMATION
-
-	sd, err := windows.GetNamedSecurityInfo(absName, windows.SE_FILE_OBJECT, desiredSecInfo)
-	if err != nil {
-		return nil, nil, nil, fmt.Errorf("getting security descriptor: %w", err)
-	}
-
-	dacl, _, err = sd.DACL()
-	if err != nil {
-		return nil, nil, nil, fmt.Errorf("getting discretionary access control list: %w", err)
-	}
-
-	owner, _, err = sd.Owner()
-	if err != nil {
-		return nil, nil, nil, fmt.Errorf("getting owner sid: %w", err)
-	}
-
-	group, _, err = sd.Group()
-	if err != nil {
-		return nil, nil, nil, fmt.Errorf("getting group sid: %w", err)
-	}
-
-	return dacl, owner, group, nil
-}
-
-// chmod is a Windows implementation of [Chmod].
-func chmod(name string, perm fs.FileMode) (err error) {
-	fi, err := os.Stat(name)
-	if err != nil {
-		return fmt.Errorf("getting file info: %w", err)
-	}
-
-	entries := make([]windows.EXPLICIT_ACCESS, 0, 3)
-	creatorMask, groupMask, worldMask := permToMasks(perm, fi.IsDir())
-
-	sidMasks := []struct {
-		Key   windows.WELL_KNOWN_SID_TYPE
-		Value windows.ACCESS_MASK
-	}{{
-		Key:   windows.WinCreatorOwnerSid,
-		Value: creatorMask,
-	}, {
-		Key:   windows.WinCreatorGroupSid,
-		Value: groupMask,
-	}, {
-		Key:   windows.WinWorldSid,
-		Value: worldMask,
-	}}
-
-	var errs []error
-	for _, sidMask := range sidMasks {
-		if sidMask.Value == 0 {
-			continue
-		}
-
-		var trustee windows.TRUSTEE
-		trustee, err = newWellKnownTrustee(sidMask.Key)
-		if err != nil {
-			errs = append(errs, err)
-
-			continue
-		}
-
-		entries = append(entries, windows.EXPLICIT_ACCESS{
-			AccessPermissions: sidMask.Value,
-			AccessMode:        windows.GRANT_ACCESS,
-			Inheritance:       windows.NO_INHERITANCE,
-			Trustee:           trustee,
-		})
-	}
-
-	if err = errors.Join(errs...); err != nil {
-		return fmt.Errorf("creating access control entries: %w", err)
-	}
-
-	acl, err := windows.ACLFromEntries(entries, nil)
-	if err != nil {
-		return fmt.Errorf("creating access control list: %w", err)
-	}
-
-	// secInfo defines the parts of a security descriptor to set.
-	const secInfo windows.SECURITY_INFORMATION = windows.DACL_SECURITY_INFORMATION |
-		windows.PROTECTED_DACL_SECURITY_INFORMATION
-
-	err = windows.SetNamedSecurityInfo(name, windows.SE_FILE_OBJECT, secInfo, nil, nil, acl, nil)
-	if err != nil {
-		return fmt.Errorf("setting security descriptor: %w", err)
-	}
-
-	return nil
-}
-
-// mkdir is a Windows implementation of [Mkdir].
-//
-// TODO(e.burkov):  Consider using [windows.CreateDirectory] instead of
-// [os.Mkdir] to reduce the number of syscalls.
-func mkdir(name string, perm os.FileMode) (err error) {
-	name, err = filepath.Abs(name)
-	if err != nil {
-		return fmt.Errorf("computing absolute path: %w", err)
-	}
-
-	err = os.Mkdir(name, perm)
-	if err != nil {
-		return fmt.Errorf("creating directory: %w", err)
-	}
-
-	defer func() {
-		if err != nil {
-			err = errors.WithDeferred(err, os.Remove(name))
-		}
-	}()
-
-	return chmod(name, perm)
-}
-
-// mkdirAll is a Windows implementation of [MkdirAll].
-func mkdirAll(path string, perm os.FileMode) (err error) {
-	parent, _ := filepath.Split(path)
-
-	if parent != "" {
-		err = os.MkdirAll(parent, perm)
-		if err != nil && !errors.Is(err, os.ErrExist) {
-			return fmt.Errorf("creating parent directories: %w", err)
-		}
-	}
-
-	err = mkdir(path, perm)
-	if errors.Is(err, os.ErrExist) {
-		return nil
-	}
-
-	return err
-}
-
-// writeFile is a Windows implementation of [WriteFile].
-func writeFile(filename string, data []byte, perm os.FileMode) (err error) {
-	file, err := openFile(filename, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, perm)
-	if err != nil {
-		return fmt.Errorf("opening file: %w", err)
-	}
-	defer func() { err = errors.WithDeferred(err, file.Close()) }()
-
-	_, err = file.Write(data)
-	if err != nil {
-		return fmt.Errorf("writing data: %w", err)
-	}
-
-	return nil
-}
-
-// openFile is a Windows implementation of [OpenFile].
-func openFile(name string, flag int, perm os.FileMode) (file *os.File, err error) {
-	// Only change permissions if the file not yet exists, but should be
-	// created.
-	if flag&os.O_CREATE == 0 {
-		return os.OpenFile(name, flag, perm)
-	}
-
-	_, err = stat(name)
-	if err != nil {
-		if errors.Is(err, os.ErrNotExist) {
-			defer func() { err = errors.WithDeferred(err, chmod(name, perm)) }()
-		} else {
-			return nil, fmt.Errorf("getting file info: %w", err)
-		}
-	}
-
-	return os.OpenFile(name, flag, perm)
-}
-
-// newWellKnownTrustee returns a trustee for a well-known SID.
-func newWellKnownTrustee(stype windows.WELL_KNOWN_SID_TYPE) (t windows.TRUSTEE, err error) {
-	sid, err := windows.CreateWellKnownSid(stype)
-	if err != nil {
-		return windows.TRUSTEE{}, fmt.Errorf("creating sid for type %d: %w", stype, err)
-	}
-
-	return windows.TRUSTEE{
-		TrusteeForm:  windows.TRUSTEE_IS_SID,
-		TrusteeValue: windows.TrusteeValueFromSID(sid),
-	}, nil
-}
-
-// UNIX file mode permission bits.
-const (
-	permRead    = 0b100
-	permWrite   = 0b010
-	permExecute = 0b001
-)
-
-// Windows access masks for appropriate UNIX file mode permission bits and
-// file types.
-const (
-	fileReadRights windows.ACCESS_MASK = windows.READ_CONTROL |
-		windows.FILE_READ_DATA |
-		windows.FILE_READ_ATTRIBUTES |
-		windows.FILE_READ_EA |
-		windows.SYNCHRONIZE |
-		windows.ACCESS_SYSTEM_SECURITY
-
-	fileWriteRights windows.ACCESS_MASK = windows.WRITE_DAC |
-		windows.WRITE_OWNER |
-		windows.FILE_WRITE_DATA |
-		windows.FILE_WRITE_ATTRIBUTES |
-		windows.FILE_WRITE_EA |
-		windows.DELETE |
-		windows.FILE_APPEND_DATA |
-		windows.SYNCHRONIZE |
-		windows.ACCESS_SYSTEM_SECURITY
-
-	fileExecuteRights windows.ACCESS_MASK = windows.FILE_EXECUTE
-
-	dirReadRights windows.ACCESS_MASK = windows.READ_CONTROL |
-		windows.FILE_LIST_DIRECTORY |
-		windows.FILE_READ_EA |
-		windows.FILE_READ_ATTRIBUTES<<1 |
-		windows.SYNCHRONIZE |
-		windows.ACCESS_SYSTEM_SECURITY
-
-	dirWriteRights windows.ACCESS_MASK = windows.WRITE_DAC |
-		windows.WRITE_OWNER |
-		windows.DELETE |
-		windows.FILE_WRITE_DATA |
-		windows.FILE_APPEND_DATA |
-		windows.FILE_WRITE_EA |
-		windows.FILE_WRITE_ATTRIBUTES<<1 |
-		windows.SYNCHRONIZE |
-		windows.ACCESS_SYSTEM_SECURITY
-
-	dirExecuteRights windows.ACCESS_MASK = windows.FILE_TRAVERSE
-)
-
-// permToMasks converts a UNIX file mode permissions to the corresponding
-// Windows access masks.  The [isDir] argument is used to set specific access
-// bits for directories.
-func permToMasks(fm os.FileMode, isDir bool) (owner, group, world windows.ACCESS_MASK) {
-	mask := fm.Perm()
-
-	owner = permToMask(byte((mask>>6)&0b111), isDir)
-	group = permToMask(byte((mask>>3)&0b111), isDir)
-	world = permToMask(byte(mask&0b111), isDir)
-
-	return owner, group, world
-}
-
-// permToMask converts a UNIX file mode permission bits within p byte to the
-// corresponding Windows access mask.  The [isDir] argument is used to set
-// specific access bits for directories.
-func permToMask(p byte, isDir bool) (mask windows.ACCESS_MASK) {
-	readRights, writeRights, executeRights := fileReadRights, fileWriteRights, fileExecuteRights
-	if isDir {
-		readRights, writeRights, executeRights = dirReadRights, dirWriteRights, dirExecuteRights
-	}
-
-	if p&permRead != 0 {
-		mask |= readRights
-	}
-	if p&permWrite != 0 {
-		mask |= writeRights
-	}
-	if p&permExecute != 0 {
-		mask |= executeRights
-	}
-
-	return mask
-}
-
-// masksToPerm converts Windows access masks to the corresponding UNIX file
-// mode permission bits.
-func masksToPerm(u, g, o windows.ACCESS_MASK, isDir bool) (perm fs.FileMode) {
-	perm |= fs.FileMode(maskToPerm(u, isDir)) << 6
-	perm |= fs.FileMode(maskToPerm(g, isDir)) << 3
-	perm |= fs.FileMode(maskToPerm(o, isDir))
-
-	return perm
-}
-
-// maskToPerm converts a Windows access mask to the corresponding UNIX file
-// mode permission bits.
-func maskToPerm(mask windows.ACCESS_MASK, isDir bool) (perm byte) {
-	readMask, writeMask, executeMask := fileReadRights, fileWriteRights, fileExecuteRights
-	if isDir {
-		readMask, writeMask, executeMask = dirReadRights, dirWriteRights, dirExecuteRights
-	}
-
-	// Remove common bits to avoid false positive detection of unset rights.
-	readMask ^= windows.SYNCHRONIZE | windows.ACCESS_SYSTEM_SECURITY
-	writeMask ^= windows.SYNCHRONIZE | windows.ACCESS_SYSTEM_SECURITY
-
-	if mask&readMask != 0 {
-		perm |= permRead
-	}
-	if mask&writeMask != 0 {
-		perm |= permWrite
-	}
-	if mask&executeMask != 0 {
-		perm |= permExecute
-	}
-
-	return perm
-}
--- a/internal/aghos/permission_windows_internal_test.go
+++ b/internal/aghos/permission_windows_internal_test.go
@ -1,135 +0,0 @@
-//go:build windows
-
-package aghos
-
-import (
-	"io/fs"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"golang.org/x/sys/windows"
-)
-
-func TestPermToMasks(t *testing.T) {
-	t.Parallel()
-
-	testCases := []struct {
-		name      string
-		perm      fs.FileMode
-		wantUser  windows.ACCESS_MASK
-		wantGroup windows.ACCESS_MASK
-		wantOther windows.ACCESS_MASK
-		isDir     bool
-	}{{
-		name:      "all",
-		perm:      0b111_111_111,
-		wantUser:  fileReadRights | fileWriteRights | fileExecuteRights,
-		wantGroup: fileReadRights | fileWriteRights | fileExecuteRights,
-		wantOther: fileReadRights | fileWriteRights | fileExecuteRights,
-		isDir:     false,
-	}, {
-		name:      "user_write",
-		perm:      0b010_000_000,
-		wantUser:  fileWriteRights,
-		wantGroup: 0,
-		wantOther: 0,
-		isDir:     false,
-	}, {
-		name:      "group_read",
-		perm:      0b000_100_000,
-		wantUser:  0,
-		wantGroup: fileReadRights,
-		wantOther: 0,
-		isDir:     false,
-	}, {
-		name:      "all_dir",
-		perm:      0b111_111_111,
-		wantUser:  dirReadRights | dirWriteRights | dirExecuteRights,
-		wantGroup: dirReadRights | dirWriteRights | dirExecuteRights,
-		wantOther: dirReadRights | dirWriteRights | dirExecuteRights,
-		isDir:     true,
-	}, {
-		name:      "user_write_dir",
-		perm:      0b010_000_000,
-		wantUser:  dirWriteRights,
-		wantGroup: 0,
-		wantOther: 0,
-		isDir:     true,
-	}}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			user, group, other := permToMasks(tc.perm, tc.isDir)
-			assert.Equal(t, tc.wantUser, user)
-			assert.Equal(t, tc.wantGroup, group)
-			assert.Equal(t, tc.wantOther, other)
-		})
-	}
-}
-
-func TestMasksToPerm(t *testing.T) {
-	t.Parallel()
-
-	testCases := []struct {
-		name     string
-		user     windows.ACCESS_MASK
-		group    windows.ACCESS_MASK
-		other    windows.ACCESS_MASK
-		wantPerm fs.FileMode
-		isDir    bool
-	}{{
-		name:     "all",
-		user:     fileReadRights | fileWriteRights | fileExecuteRights,
-		group:    fileReadRights | fileWriteRights | fileExecuteRights,
-		other:    fileReadRights | fileWriteRights | fileExecuteRights,
-		wantPerm: 0b111_111_111,
-		isDir:    false,
-	}, {
-		name:     "user_write",
-		user:     fileWriteRights,
-		group:    0,
-		other:    0,
-		wantPerm: 0b010_000_000,
-		isDir:    false,
-	}, {
-		name:     "group_read",
-		user:     0,
-		group:    fileReadRights,
-		other:    0,
-		wantPerm: 0b000_100_000,
-		isDir:    false,
-	}, {
-		name:     "no_access",
-		user:     0,
-		group:    0,
-		other:    0,
-		wantPerm: 0,
-		isDir:    false,
-	}, {
-		name:     "all_dir",
-		user:     dirReadRights | dirWriteRights | dirExecuteRights,
-		group:    dirReadRights | dirWriteRights | dirExecuteRights,
-		other:    dirReadRights | dirWriteRights | dirExecuteRights,
-		wantPerm: 0b111_111_111,
-		isDir:    true,
-	}, {
-		name:     "user_write_dir",
-		user:     dirWriteRights,
-		group:    0,
-		other:    0,
-		wantPerm: 0b010_000_000,
-		isDir:    true,
-	}}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			// Don't call [fs.FileMode.Perm] since the result is expected to
-			// contain only the permission bits.
-			assert.Equal(t, tc.wantPerm, masksToPerm(tc.user, tc.group, tc.other, tc.isDir))
-		})
-	}
-}
--- a/internal/aghrenameio/renameio_windows.go
+++ b/internal/aghrenameio/renameio_windows.go
@ -8,7 +8,6 @@ import (
 	"os"
 	"path/filepath"

-	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
 	"github.com/AdguardTeam/golibs/errors"
 )

@ -63,7 +62,7 @@ func newPendingFile(filePath string, mode fs.FileMode) (f PendingFile, err error
 		return nil, fmt.Errorf("opening pending file: %w", err)
 	}

-	err = aghos.Chmod(file.Name(), mode)
+	err = os.Chmod(file.Name(), mode)
 	if err != nil {
 		return nil, fmt.Errorf("preparing pending file: %w", err)
 	}
--- a/internal/filtering/filtering.go
+++ b/internal/filtering/filtering.go
@ -1057,7 +1057,7 @@ func New(c *Config, blockFilters []Filter) (d *DNSFilter, err error) {
 		}
 	}

-	err = aghos.MkdirAll(filepath.Join(d.conf.DataDir, filterDir), aghos.DefaultPermDir)
+	err = os.MkdirAll(filepath.Join(d.conf.DataDir, filterDir), aghos.DefaultPermDir)
 	if err != nil {
 		d.Close()

--- a/internal/filtering/http.go
+++ b/internal/filtering/http.go
@ -13,7 +13,6 @@ import (
 	"time"

 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
-	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering/rulelist"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
@ -27,7 +26,7 @@ func (d *DNSFilter) validateFilterURL(urlStr string) (err error) {

 	if filepath.IsAbs(urlStr) {
 		urlStr = filepath.Clean(urlStr)
-		_, err = aghos.Stat(urlStr)
+		_, err = os.Stat(urlStr)
 		if err != nil {
 			// Don't wrap the error since it's informative enough as is.
 			return err
--- a/internal/home/auth.go
+++ b/internal/home/auth.go
@ -91,10 +91,7 @@ func InitAuth(
 	}
 	var err error

-	opts := *bbolt.DefaultOptions
-	opts.OpenFile = aghos.OpenFile
-
-	a.db, err = bbolt.Open(dbFilename, aghos.DefaultPermFile, &opts)
+	a.db, err = bbolt.Open(dbFilename, aghos.DefaultPermFile, nil)
 	if err != nil {
 		log.Error("auth: open DB: %s: %s", dbFilename, err)
 		if err.Error() == "invalid argument" {
--- a/internal/home/config.go
+++ b/internal/home/config.go
@ -714,7 +714,7 @@ func (c *configuration) write() (err error) {
 		return fmt.Errorf("generating config file: %w", err)
 	}

-	err = aghos.WriteFile(confPath, buf.Bytes(), aghos.DefaultPermFile)
+	err = maybe.WriteFile(confPath, buf.Bytes(), aghos.DefaultPermFile)
 	if err != nil {
 		return fmt.Errorf("writing config file: %w", err)
 	}
--- a/internal/home/home.go
+++ b/internal/home/home.go
@ -645,7 +645,7 @@ func run(opts options, clientBuildFS fs.FS, done chan struct{}) {
 	}

 	dataDir := Context.getDataDir()
-	err = aghos.MkdirAll(dataDir, aghos.DefaultPermDir)
+	err = os.MkdirAll(dataDir, aghos.DefaultPermDir)
 	fatalOnError(errors.Annotate(err, "creating DNS data dir at %s: %w", dataDir))

 	GLMode = opts.glinetMode
--- a/internal/next/cmd/signal.go
+++ b/internal/next/cmd/signal.go
@ -8,12 +8,12 @@ import (
 	"strconv"
 	"time"

-	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
 	"github.com/AdguardTeam/AdGuardHome/internal/next/configmgr"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/logutil/slogutil"
 	"github.com/AdguardTeam/golibs/osutil"
 	"github.com/AdguardTeam/golibs/service"
+	"github.com/google/renameio/v2/maybe"
 )

 // signalHandler processes incoming signals and shuts services down.
@ -84,7 +84,7 @@ func (h *signalHandler) writePID(ctx context.Context) {
 	data := strconv.AppendInt(nil, int64(pid), 10)
 	data = append(data, '\n')

-	err := aghos.WriteFile(h.pidFile, data, 0o644)
+	err := maybe.WriteFile(h.pidFile, data, 0o644)
 	if err != nil {
 		h.logger.ErrorContext(ctx, "writing pidfile", slogutil.KeyError, err)

--- a/internal/next/configmgr/configmgr.go
+++ b/internal/next/configmgr/configmgr.go
@ -22,6 +22,7 @@ import (
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/logutil/slogutil"
 	"github.com/AdguardTeam/golibs/timeutil"
+	"github.com/google/renameio/v2/maybe"
 	"gopkg.in/yaml.v3"
 )

@ -203,7 +204,7 @@ func (m *Manager) write(ctx context.Context) (err error) {
 		return fmt.Errorf("encoding: %w", err)
 	}

-	err = aghos.WriteFile(m.fileName, b, aghos.DefaultPermFile)
+	err = maybe.WriteFile(m.fileName, b, aghos.DefaultPermFile)
 	if err != nil {
 		return fmt.Errorf("writing: %w", err)
 	}
--- a/internal/permcheck/migrate.go
+++ b/internal/permcheck/migrate.go
@ -14,7 +14,7 @@ import (
 //
 // TODO(a.garipov):  Consider ways to detect this better.
 func NeedsMigration(confFilePath string) (ok bool) {
-	s, err := aghos.Stat(confFilePath)
+	s, err := os.Stat(confFilePath)
 	if err != nil {
 		if errors.Is(err, os.ErrNotExist) {
 			// Likely a first run.  Don't check.
@ -70,7 +70,7 @@ func chmodFile(filePath string) {
 // chmodPath changes the permissions of a single filesystem entity.  The results
 // are logged at the appropriate level.
 func chmodPath(entPath, fileType string, fm fs.FileMode) {
-	err := aghos.Chmod(entPath, fm)
+	err := os.Chmod(entPath, fm)
 	if err == nil {
 		log.Info("permcheck: changed permissions for %s %q", fileType, entPath)

--- a/internal/permcheck/permcheck.go
+++ b/internal/permcheck/permcheck.go
@ -60,7 +60,7 @@ func checkFile(filePath string) {
 // checkPath checks the permissions of a single filesystem entity.  The results
 // are logged at the appropriate level.
 func checkPath(entPath, fileType string, want fs.FileMode) {
-	s, err := aghos.Stat(entPath)
+	s, err := os.Stat(entPath)
 	if err != nil {
 		logFunc := log.Error
 		if errors.Is(err, os.ErrNotExist) {
--- a/internal/querylog/qlogfile.go
+++ b/internal/querylog/qlogfile.go
@ -59,7 +59,6 @@ type qLogFile struct {

 // newQLogFile initializes a new instance of the qLogFile.
 func newQLogFile(path string) (qf *qLogFile, err error) {
-	// Don't use [aghos.OpenFile] here, because the file is expected to exist.
 	f, err := os.OpenFile(path, os.O_RDONLY, aghos.DefaultPermFile)
 	if err != nil {
 		return nil, err
--- a/internal/querylog/querylogfile.go
+++ b/internal/querylog/querylogfile.go
@ -83,7 +83,7 @@ func (l *queryLog) flushToFile(ctx context.Context, b *bytes.Buffer) (err error)

 	filename := l.logFile

-	f, err := aghos.OpenFile(filename, os.O_WRONLY|os.O_CREATE|os.O_APPEND, aghos.DefaultPermFile)
+	f, err := os.OpenFile(filename, os.O_WRONLY|os.O_CREATE|os.O_APPEND, aghos.DefaultPermFile)
 	if err != nil {
 		return fmt.Errorf("creating file %q: %w", filename, err)
 	}
--- a/internal/stats/stats.go
+++ b/internal/stats/stats.go
@ -385,12 +385,7 @@ func (s *StatsCtx) openDB() (err error) {

 	var db *bbolt.DB

-	opts := *bbolt.DefaultOptions
-	// Use the custom OpenFile function to properly handle access rights on
-	// Windows.
-	opts.OpenFile = aghos.OpenFile
-
-	db, err = bbolt.Open(s.filename, aghos.DefaultPermFile, &opts)
+	db, err = bbolt.Open(s.filename, aghos.DefaultPermFile, nil)
 	if err != nil {
 		if err.Error() == "invalid argument" {
 			const lines = `AdGuard Home cannot be initialized due to an incompatible file system.
--- a/internal/updater/updater.go
+++ b/internal/updater/updater.go
@ -270,7 +270,7 @@ func (u *Updater) check() (err error) {
 // ignores the configuration file if firstRun is true.
 func (u *Updater) backup(firstRun bool) (err error) {
 	log.Debug("updater: backing up current configuration")
-	_ = aghos.Mkdir(u.backupDir, aghos.DefaultPermDir)
+	_ = os.Mkdir(u.backupDir, aghos.DefaultPermDir)
 	if !firstRun {
 		err = copyFile(u.confName, filepath.Join(u.backupDir, "AdGuardHome.yaml"), aghos.DefaultPermFile)
 		if err != nil {
@ -344,10 +344,10 @@ func (u *Updater) downloadPackageFile() (err error) {
 		return fmt.Errorf("io.ReadAll() failed: %w", err)
 	}

-	_ = aghos.Mkdir(u.updateDir, aghos.DefaultPermDir)
+	_ = os.Mkdir(u.updateDir, aghos.DefaultPermDir)

 	log.Debug("updater: saving package to file")
-	err = aghos.WriteFile(u.packageName, body, aghos.DefaultPermFile)
+	err = os.WriteFile(u.packageName, body, aghos.DefaultPermFile)
 	if err != nil {
 		return fmt.Errorf("writing package file: %w", err)
 	}
@ -360,7 +360,7 @@ func tarGzFileUnpackOne(outDir string, tr *tar.Reader, hdr *tar.Header) (name st
 		return "", nil
 	}

-	outputName := filepath.Join(outDir, name)
+	outName := filepath.Join(outDir, name)

 	if hdr.Typeflag == tar.TypeDir {
 		if name == "AdGuardHome" {
@ -372,12 +372,12 @@ func tarGzFileUnpackOne(outDir string, tr *tar.Reader, hdr *tar.Header) (name st
 			return "", nil
 		}

-		err = aghos.Mkdir(outputName, os.FileMode(hdr.Mode&0o755))
+		err = os.Mkdir(outName, os.FileMode(hdr.Mode&0o755))
 		if err != nil && !errors.Is(err, os.ErrExist) {
-			return "", fmt.Errorf("creating directory %q: %w", outputName, err)
+			return "", fmt.Errorf("creating directory %q: %w", outName, err)
 		}

-		log.Debug("updater: created directory %q", outputName)
+		log.Debug("updater: created directory %q", outName)

 		return "", nil
 	}
@ -389,13 +389,9 @@ func tarGzFileUnpackOne(outDir string, tr *tar.Reader, hdr *tar.Header) (name st
 	}

 	var wc io.WriteCloser
-	wc, err = aghos.OpenFile(
-		outputName,
-		os.O_WRONLY|os.O_CREATE|os.O_TRUNC,
-		os.FileMode(hdr.Mode&0o755),
-	)
+	wc, err = os.OpenFile(outName, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, os.FileMode(hdr.Mode)&0o755)
 	if err != nil {
-		return "", fmt.Errorf("os.OpenFile(%s): %w", outputName, err)
+		return "", fmt.Errorf("os.OpenFile(%s): %w", outName, err)
 	}
 	defer func() { err = errors.WithDeferred(err, wc.Close()) }()

@ -404,7 +400,7 @@ func tarGzFileUnpackOne(outDir string, tr *tar.Reader, hdr *tar.Header) (name st
 		return "", fmt.Errorf("io.Copy(): %w", err)
 	}

-	log.Debug("updater: created file %q", outputName)
+	log.Debug("updater: created file %q", outName)

 	return name, nil
 }
@ -474,7 +470,7 @@ func zipFileUnpackOne(outDir string, zf *zip.File) (name string, err error) {
 			return "", nil
 		}

-		err = aghos.Mkdir(outputName, fi.Mode())
+		err = os.Mkdir(outputName, fi.Mode())
 		if err != nil && !errors.Is(err, os.ErrExist) {
 			return "", fmt.Errorf("creating directory %q: %w", outputName, err)
 		}
@ -485,7 +481,7 @@ func zipFileUnpackOne(outDir string, zf *zip.File) (name string, err error) {
 	}

 	var wc io.WriteCloser
-	wc, err = aghos.OpenFile(outputName, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, fi.Mode())
+	wc, err = os.OpenFile(outputName, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, fi.Mode())
 	if err != nil {
 		return "", fmt.Errorf("os.OpenFile(): %w", err)
 	}
@ -535,7 +531,7 @@ func copyFile(src, dst string, perm fs.FileMode) (err error) {
 		return err
 	}

-	err = aghos.WriteFile(dst, d, perm)
+	err = os.WriteFile(dst, d, perm)
 	if err != nil {
 		// Don't wrap the error, since it's informative enough as is.
 		return err