574 Commits

Author SHA1 Message Date
oech3 e62a1ff514 GnuTests (SMACK): bump busybox URL 2026-06-10 14:26:56 +02:00
Sylvestre Ledru 7cfc74e47f chcon: anchor recursive relabel resolution to traversal dirfd (#12566)
---------

Co-authored-by: can1357 <me@can.ac>
2026-06-05 22:58:32 +02:00
Sylvestre Ledru 58040feb5c split: harden output open path against TOCTOU target swaps (#12565)
Co-authored-by: can1357 <me@can.ac>
2026-06-05 18:09:05 +02:00
Sylvestre Ledru 3222b4aa52 util: move touch/head TOCTOU checks into check-toctou.sh 2026-06-05 17:58:26 +02:00
Sylvestre Ledru c004672c5e mkfifo: drop path-based chmod to close TOCTOU race; switch to rustix (#10020) (#12174)
(except on mac)
2026-06-05 15:52:53 +02:00
Sylvestre Ledru 7d27b3baa1 head: add TOCTOU regression tests and fix comment typo (#12637)
Follow-up to the metadata TOCTOU fix (#11972, PR #12439):

- Add a syscall-level regression guard in util/check-safe-traversal.sh:
  under strace, head must read metadata from the open descriptor
  (fstat/statx on the fd) and must not stat the path before opening it.
  Verified this fails on the pre-fix code and passes after.
- Add an integration test asserting that an unreadable file produces an
  error but no "==> name <==" header, matching GNU (the header is only
  printed after a successful open).
- Fix a stray paren in the Windows-branch comment.
2026-06-05 15:21:40 +02:00
Sylvestre Ledru 6d015356dd pwd: ignore non-option arguments, drop getcwd disabling from pwd-long test 2026-06-05 09:44:04 +02:00
Sylvestre Ledru ca0c842e71 touch: drop O_TRUNC on create to close TOCTOU race (#10019) 2026-06-04 16:19:26 +02:00
Sylvestre Ledru b286558423 chown/chgrp/chmod/rm: open recursive descent with O_NOFOLLOW 2026-06-01 14:43:47 +02:00
Sylvestre Ledru 77bb522c0c prepare release 0.9.0 2026-05-28 10:31:37 +02:00
Sylvestre Ledru 54877ac475 uucore/mv: fd-based xattr copy for cross-device moves (#10014)
Add fsxattr::copy_xattrs_fd; mv's EXDEV fallback opens src/dst with
O_NOFOLLOW via safe_copy and copies content + xattrs on the live fds,
pinning both inodes against a concurrent renamer.
2026-05-17 13:03:17 +02:00
Sylvestre Ledru 515d74b995 mv: atomically replace existing dest when moving symlinks cross-device (#10010)
EXDEV fallback now catches AlreadyExists and replaces the destination
via temp-name + fs::rename. Matches GNU mv.
2026-05-17 13:03:17 +02:00
Sylvestre Ledru ef5d752282 cp: open source and dest with O_NOFOLLOW in no-dereference mode (#10017)
In `-P` / no-dereference mode, cp now opens the source file with
`O_NOFOLLOW`, matching GNU cp. This closes a TOCTOU window where an
attacker who can swap the source path between cp's `lstat` check and
the subsequent open could redirect the read through a symlink to a
sensitive file (e.g. /etc/shadow). With `O_NOFOLLOW` the open fails
with `ELOOP` instead.

The same flag is propagated to `safe_copy::create_dest_restrictive`,
so the destination open also refuses to follow a symlink in
no-dereference mode. Without that, an attacker who plants the dest
path as a symlink between the caller's check and the open could
redirect the truncate (and the subsequent write) to any file the
caller has permission to write — the symmetric attack to the source
side. With `nofollow=true` the dest open returns `ELOOP` and the
victim file is left untouched.

`copy_on_write` gains a `nofollow` parameter threaded from
`copy_helper`, set to `!options.dereference(source_in_command_line)`.
In deref mode the flag is false and behavior is unchanged — cp still
follows symlinks, matching GNU.

Extends `util/check-safe-traversal.sh` with a cp -P strace check so
the invariant is locked in: future changes that drop `O_NOFOLLOW`
here will fail the smoke test.
2026-05-06 11:47:38 +02:00
Sylvestre Ledru 681030bca3 cp: create destination with restrictive 0o600 initial mode (#10011)
cp previously created the destination with mode 0o666 masked by umask
(typically 0o644), then later applied the final permissions via
set_permissions. In a shared directory like /tmp this opened an
observable window where another user could open the destination with
the intermediate broad mode before cp narrowed it, leaking file
contents that were intended to stay private.

Create dest with 0o600 initially in every non-symlink code path —
clone, sparse_copy, sparse_copy_without_hole, fs_copy, the stream
path, and the non-Linux fs::copy fallback. The existing
set_permissions call in copy_file applies the real final mode after
the content is written, so user-visible end state is unchanged; only
the intermediate mode is tightened. Matches GNU cp.

Extend `util/check-safe-traversal.sh` with a cp strace check that
asserts the destination openat carries mode 0600 so a future change
that reintroduces 0666 fails the smoke test.
2026-05-06 11:47:38 +02:00
mattsu b195b1de88 chmod: fix TOCTOU race in recursive traversal (#11918)
* chmod: fix TOCTOU race in recursive traversal

Use fchmodat2 (Linux 6.6+) with AT_SYMLINK_NOFOLLOW to prevent an
attacker from replacing a directory entry with a symlink between the
stat and chmod calls. Falls back to fchmodat on older kernels.

- Restrict fchmodat2 (syscall 452) to asm-generic architectures only
  (x86_64, x86, arm, aarch64, riscv)
- Add SAFETY comment on unsafe syscall block per project convention
- Add O_PATH + /proc/self/fd fallback for musl on kernel < 6.6
- Cache ENOSYS result with AtomicBool to skip fchmodat2 on old kernels
- Remove unnecessary nix::Mode round-trip on the fchmodat2 path
- safe_chmod_file() takes explicit SymlinkBehavior parameter
- Always pass NoFollow for regular entries during recursion
- Document residual TOCTOU in symlink branch as intentional for -L
- Add test verifying NoFollow chmod doesn't modify symlink target
- Update check-safe-traversal.sh to recognize fchmodat2
2026-05-05 22:06:06 +02:00
Sylvestre Ledru b2c4e0c125 factor: emit GNU 9.11 'is not a valid positive integer' for stdin input (#12137)
* factor: emit GNU's 'X is not a valid positive integer' wording

GNU's factor.c routes both stdin and command-line input through the same
print_factors() and reports invalid input as
  factor: 'X' is not a valid positive integer
Match that wording exactly so the new GNU 9.11 'nul4' test passes and
the 'cont' test no longer needs the warning/invalid-digit hunk in
tests_factor_factor.pl.patch.

* Add 'cmdline' to spell-checker ignore list
2026-05-04 09:31:59 +02:00
Sylvestre Ledru 9de73ef9be tests: patch GNU numfmt 'neg-arg-not-option' to accept clap-style error (#12123) 2026-05-03 09:56:18 +02:00
karanabe 3057b7d9da rm: fix inaccessible GNU test adaptation (#12127) 2026-05-03 09:53:27 +02:00
karanabe 37ac49ee35 cp: fix fail-perm GNU test adaptation
GNU coreutils 9.11 changed fail-perm.sh to use the EACCES helper
in the expected diagnostics. Match the full diagnostic line so the
existing uutils message adaptation still applies.
2026-05-02 14:34:47 +02:00
oech3 dad3249a58 GnuTests: bump GNU version to 9.11 (#11922) 2026-04-23 08:38:58 +02:00
Daniel Hofstetter 2be465a572 Revert "fix: replace apt with apt-get in scripts"
This reverts commit 6f939edb72.
2026-04-16 07:16:50 +02:00
xtqqczze 6f939edb72 fix: replace apt with apt-get in scripts
fix warning:

```
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
```
2026-04-14 22:56:39 +02:00
oech3 9f50c8b42e tee: fix input with sleep 2026-04-12 16:30:35 +02:00
oech3 d7f969c008 GnuTests: mask an equivalent df test 2026-04-12 14:48:54 +02:00
Sylvestre Ledru 56210f1137 test: add unit tests for compare_size_results.py
Mirrors test_compare_test_results.py: covers human_kb formatting,
load_sizes (date-keyed and flat), compare() including threshold
boundaries on both growth and shrinkage, format_report, and an
end-to-end main() check that the comment file is only written when
something significant is reported.

Wired into code-quality.yml alongside the existing compare_test_results
unit tests.
2026-04-11 16:02:00 +02:00