cp previously created the destination with mode 0o666 masked by umask
(typically 0o644), then later applied the final permissions via
set_permissions. In a shared directory like /tmp this opened an
observable window where another user could open the destination with
the intermediate broad mode before cp narrowed it, leaking file
contents that were intended to stay private.
Create dest with 0o600 initially in every non-symlink code path —
clone, sparse_copy, sparse_copy_without_hole, fs_copy, the stream
path, and the non-Linux fs::copy fallback. The existing
set_permissions call in copy_file applies the real final mode after
the content is written, so user-visible end state is unchanged; only
the intermediate mode is tightened. Matches GNU cp.
Extend `util/check-safe-traversal.sh` with a cp strace check that
asserts the destination openat carries mode 0600 so a future change
that reintroduces 0666 fails the smoke test.
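The create-private-then-widen pattern from the cp message above, as an added std-only Rust example for Unix; it is not the uutils code. `copy_with_initial_mode` and the temp-file names are hypothetical, and `DEST_INITIAL_MODE` only mirrors the constant name mentioned in the log.

```rust
// Added illustration (std only, Unix); not the uutils implementation.
use std::fs::{self, OpenOptions, Permissions};
use std::io::{self, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// Owner read+write only; the name mirrors the constant in the commit message.
const DEST_INITIAL_MODE: u32 = 0o600;

/// Hypothetical helper: create `dest` with `initial_mode`, write `data`,
/// then apply `final_mode`. Returns (mode while writing, mode at the end).
fn copy_with_initial_mode(
    data: &[u8],
    dest: &Path,
    initial_mode: u32,
    final_mode: u32,
) -> io::Result<(u32, u32)> {
    let mut file = OpenOptions::new()
        .write(true)
        .create_new(true) // assumption for the demo: refuse a pre-existing dest
        .mode(initial_mode) // passed to open(2); the kernel still applies umask
        .open(dest)?;
    file.write_all(data)?;
    // What another user would see if they stat the file at this point.
    let during = file.metadata()?.permissions().mode() & 0o7777;
    // fchmod on the open descriptor; umask does not apply here.
    file.set_permissions(Permissions::from_mode(final_mode))?;
    let after = file.metadata()?.permissions().mode() & 0o7777;
    Ok((during, after))
}

fn main() -> io::Result<()> {
    let dir = std::env::temp_dir();
    // Constructed comparison: the old intermediate mode next to the tightened one.
    for &(label, initial) in &[("old 0o666", 0o666), ("new 0o600", DEST_INITIAL_MODE)] {
        let dest = dir.join(format!("cp-mode-demo-{}-{:o}", std::process::id(), initial));
        let (during, after) = copy_with_initial_mode(b"secret\n", &dest, initial, 0o640)?;
        println!("{}: while writing {:o}, final {:o}", label, during, after);
        fs::remove_file(&dest)?;
    }
    Ok(())
}
```

With a umask of 022 the first row shows 644 while writing, which is the window the message describes; the second row never exposes group or other bits before the final mode is applied.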
* chmod: fix TOCTOU race in recursive traversal
Use fchmodat2 (Linux 6.6+) with AT_SYMLINK_NOFOLLOW to prevent an
attacker from replacing a directory entry with a symlink between the
stat and chmod calls. Falls back to fchmodat on older kernels.
- Restrict fchmodat2 (syscall 452) to asm-generic architectures only
(x86_64, x86, arm, aarch64, riscv)
- Add SAFETY comment on unsafe syscall block per project convention
- Add O_PATH + /proc/self/fd fallback for musl on kernel < 6.6
- Cache ENOSYS result with AtomicBool to skip fchmodat2 on old kernels
- Remove unnecessary nix::Mode round-trip on the fchmodat2 path
- safe_chmod_file() takes explicit SymlinkBehavior parameter
- Always pass NoFollow for regular entries during recursion
- Document residual TOCTOU in symlink branch as intentional for -L
- Add test verifying NoFollow chmod doesn't modify symlink target
- Update check-safe-traversal.sh to recognize fchmodat2
`Mode::from_bits_truncate(DEST_INITIAL_MODE)` failed to build on macOS
because `mode_t` is `u16` there but `u32` on Linux. Compose the mode
from `Mode::RUSR | Mode::WUSR` so the call is portable by construction
and self-documents the intent (read+write owner = 0o600).
* factor: emit GNU's 'X is not a valid positive integer' wording
GNU's factor.c routes both stdin and command-line input through the same
print_factors() and reports invalid input as
factor: 'X' is not a valid positive integer
Match that wording exactly so the new GNU 9.11 'nul4' test passes and
the 'cont' test no longer needs the warning/invalid-digit hunk in
tests_factor_factor.pl.patch.
* Add 'cmdline' to spell-checker ignore list
GNU coreutils 9.11 changed fail-perm.sh to use the EACCES helper
in the expected diagnostics. Match the full diagnostic line so the
existing uutils message adaptation still applies.
* sort: Fix inconsistent sort ordering under i18n-collator with equal sorting keys.
* Test cases for fix #11980
* Simplifying fix for #11980
* Fix clippy lint and rename test files.
* Remove old test files
* Update tests/by-util/test_sort.rs
Co-authored-by: Daniel Hofstetter <daniel.hofstetter@42dh.com>
* Update tests/by-util/test_sort.rs
Co-authored-by: Daniel Hofstetter <daniel.hofstetter@42dh.com>
* Removing redundant test and swapping default order for sort to match sort's ordering.
* Comment for clarification.
---------
Co-authored-by: Daniel Hofstetter <daniel.hofstetter@42dh.com>