GNU `cp -p` preserves mode, ownership, and timestamps. xattrs are
NOT preserved unless the user asks for them via `--preserve=xattr`
or `-a`. uutils's `Attributes::DEFAULT` had xattr set to
`Preserve::Yes { required: true }`, which (1) diverges from GNU and
breaks scripts that expect the stock behavior, (2) leaks security
xattrs like file capabilities and SELinux labels into copies when
run as root, and (3) fails hard on destinations that don't support
xattrs.
Remove the xattr override in `Attributes::DEFAULT` so it inherits
`Preserve::No` from `Attributes::NONE`. `Attributes::ALL` (used by
`-a` and `--preserve=all`) still sets xattr to Yes, and
`--preserve=xattr` still works as before.
In `-P` / no-dereference mode, cp now opens the source file with
`O_NOFOLLOW`, matching GNU cp. This closes a TOCTOU window where an
attacker who can swap the source path between cp's `lstat` check and
the subsequent open could redirect the read through a symlink to a
sensitive file (e.g. /etc/shadow). With `O_NOFOLLOW` the open fails
with `ELOOP` instead.
The same flag is propagated to `safe_copy::create_dest_restrictive`,
so the destination open also refuses to follow a symlink in
no-dereference mode. Without that, an attacker who plants the dest
path as a symlink between the caller's check and the open could
redirect the truncate (and the subsequent write) to any file the
caller has permission to write — the symmetric attack to the source
side. With `nofollow=true` the dest open returns `ELOOP` and the
victim file is left untouched.
`copy_on_write` gains a `nofollow` parameter threaded from
`copy_helper`, set to `!options.dereference(source_in_command_line)`.
In deref mode the flag is false and behavior is unchanged — cp still
follows symlinks, matching GNU.
Extends `util/check-safe-traversal.sh` with a cp -P strace check so
the invariant is locked in: future changes that drop `O_NOFOLLOW`
here will fail the smoke test.
cp previously created the destination with mode 0o666 masked by umask
(typically 0o644), then later applied the final permissions via
set_permissions. In a shared directory like /tmp this opened an
observable window where another user could open the destination with
the intermediate broad mode before cp narrowed it, leaking file
contents that were intended to stay private.
Create dest with 0o600 initially in every non-symlink code path —
clone, sparse_copy, sparse_copy_without_hole, fs_copy, the stream
path, and the non-Linux fs::copy fallback. The existing
set_permissions call in copy_file applies the real final mode after
the content is written, so user-visible end state is unchanged; only
the intermediate mode is tightened. Matches GNU cp.
Extend `util/check-safe-traversal.sh` with a cp strace check that
asserts the destination openat carries mode 0600 so a future change
that reintroduces 0666 fails the smoke test.
* chmod: fix TOCTOU race in recursive traversal
Use fchmodat2 (Linux 6.6+) with AT_SYMLINK_NOFOLLOW to prevent an
attacker from replacing a directory entry with a symlink between the
stat and chmod calls. Falls back to fchmodat on older kernels.
- Restrict fchmodat2 (syscall 452) to asm-generic architectures only
(x86_64, x86, arm, aarch64, riscv)
- Add SAFETY comment on unsafe syscall block per project convention
- Add O_PATH + /proc/self/fd fallback for musl on kernel < 6.6
- Cache ENOSYS result with AtomicBool to skip fchmodat2 on old kernels
- Remove unnecessary nix::Mode round-trip on the fchmodat2 path
- safe_chmod_file() takes explicit SymlinkBehavior parameter
- Always pass NoFollow for regular entries during recursion
- Document residual TOCTOU in symlink branch as intentional for -L
- Add test verifying NoFollow chmod doesn't modify symlink target
- Update check-safe-traversal.sh to recognize fchmodat2
`Mode::from_bits_truncate(DEST_INITIAL_MODE)` failed to build on macOS
because `mode_t` is `u16` there but `u32` on Linux. Compose the mode
from `Mode::RUSR | Mode::WUSR` so the call is portable by construction
and self-documents the intent (read+write owner = 0o600).
* factor: emit GNU's 'X is not a valid positive integer' wording
GNU's factor.c routes both stdin and command-line input through the same
print_factors() and reports invalid input as
factor: 'X' is not a valid positive integer
Match that wording exactly so the new GNU 9.11 'nul4' test passes and
the 'cont' test no longer needs the warning/invalid-digit hunk in
tests_factor_factor.pl.patch.
* Add 'cmdline' to spell-checker ignore list
GNU coreutils 9.11 changed fail-perm.sh to use the EACCES helper
in the expected diagnostics. Match the full diagnostic line so the
existing uutils message adaptation still applies.
* sort: Fix inconsistent sort orderg under i18n-collator with equal sorting keys.
* Test cases for fix#11980
* Simplyfing fix for #11980
* Fix clippy lint and rename test files.
* Remove old test files
* Update tests/by-util/test_sort.rs
Co-authored-by: Daniel Hofstetter <daniel.hofstetter@42dh.com>
* Update tests/by-util/test_sort.rs
Co-authored-by: Daniel Hofstetter <daniel.hofstetter@42dh.com>
* Removing redundant test and swapping default order for sort to match sort's ordering.
* Comment for clarification.
---------
Co-authored-by: Daniel Hofstetter <daniel.hofstetter@42dh.com>
Sylvestre Ledru