Skip to content

chmod:fix safe traversal/access #9554

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
sylvestre merged 15 commits into from
Dec 5, 2025
Merged

chmod:fix safe traversal/access #9554

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
f56412c
feat(chmod): use dirfd for recursive subdirectory traversal
mattsu2020 Dec 3, 2025
2ab13b5
test(chmod): add spell-check ignore for dirfd, subdirs, openat, FDCWD
mattsu2020 Dec 3, 2025
232ad27
test(chmod): enforce strace requirement in recursive test, fail fast …
mattsu2020 Dec 5, 2025
3335055
ci: install strace in Ubuntu CI jobs for debugging system calls
mattsu2020 Dec 5, 2025
41cc13e
ci: Add strace installation to Ubuntu-based CI workflows
mattsu2020 Dec 5, 2025
ce63d1d
chore(build): install strace and prevent apt prompts in Cross.toml pr…
mattsu2020 Dec 5, 2025
d0cda8d
feat(build): support Alpine-based cross images in pre-build
mattsu2020 Dec 5, 2025
266cdd8
refactor(build): improve pre-build script readability by using multi-…
mattsu2020 Dec 5, 2025
1e1d982
feat(ci): install strace in WSL2 GitHub Actions workflow
mattsu2020 Dec 5, 2025
91246f6
ci(wsl2): install strace as root with non-interactive apt-get
mattsu2020 Dec 5, 2025
57520c0
ci: Move strace installation to user shell and update spell ignore
mattsu2020 Dec 5, 2025
09dae13
chore: ci: remove unused strace installation from CI workflows
mattsu2020 Dec 5, 2025
4ce6cd1
ci: add strace installation and fix spell-checker comments in CI files
mattsu2020 Dec 5, 2025
6ce14f1
test: add regression guard for recursive chmod dirfd-relative traversal
mattsu2020 Dec 5, 2025
d950e93
Merge branch 'main' into chmod_fix
mattsu2020 Dec 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 17 additions & 2 deletions src/uu/chmod/src/chmod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -522,9 +522,24 @@ impl Chmoder {
.safe_chmod_file(&entry_path, dir_fd, &entry_name, meta.mode() & 0o7777)
.and(r);

// Recurse into subdirectories
// Recurse into subdirectories using the existing directory fd
if meta.is_dir() {
r = self.walk_dir_with_context(&entry_path, false).and(r);
match dir_fd.open_subdir(&entry_name) {
Ok(child_dir_fd) => {
r = self.safe_traverse_dir(&child_dir_fd, &entry_path).and(r);
}
Err(err) => {
let error = if err.kind() == std::io::ErrorKind::PermissionDenied {
ChmodError::PermissionDenied(
entry_path.to_string_lossy().to_string(),
)
.into()
} else {
err.into()
};
r = r.and(Err(error));
}
}
}
}
}
Expand Down
41 changes: 41 additions & 0 deletions tests/by-util/test_chmod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
//
// For the full copyright and license information, please view the LICENSE
// file that was distributed with this source code.
// spell-checker:ignore (words) dirfd subdirs openat FDCWD

use std::fs::{OpenOptions, Permissions, metadata, set_permissions};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
Expand Down Expand Up @@ -1280,6 +1281,46 @@ fn test_chmod_non_utf8_paths() {
);
}

#[cfg(all(target_os = "linux", feature = "chmod"))]
#[test]
fn test_chmod_recursive_uses_dirfd_for_subdirs() {
use std::process::Command;
use uutests::get_tests_binary;

// Skip test if strace is not available
if Command::new("strace").arg("-V").output().is_err() {
eprintln!("strace not found; skipping test_chmod_recursive_uses_dirfd_for_subdirs");
return;
}

let (at, _ucmd) = at_and_ucmd!();
at.mkdir("x");
at.mkdir("x/y");
at.mkdir("x/y/z");

let log_path = at.plus_as_string("strace.log");

let status = Command::new("strace")
Copy link
Contributor

@sylvestre sylvestre Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/uutils/coreutils/blob/main/util/check-safe-traversal.sh isn't better ?

Copy link
Contributor Author

@mattsu2020 mattsu2020 Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Whether to guarantee the detailed condition of “safely traversing while holding directory FD”
Otherwise, using scripts is not a problem.

Copy link
Contributor

@sylvestre sylvestre Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the issue with the current test is that we aren't never certain that it will fail :)
as it is skipped easily


    // Skip test if strace is not available
    if Command::new("strace").arg("-V").output().is_err() {
        eprintln!("strace not found; skipping test_chmod_recursive_uses_dirfd_for_subdirs");
        return;
    }

.arg("-e")
.arg("openat")
.arg("-o")
.arg(&log_path)
.arg(get_tests_binary!())
.args(["chmod", "-R", "+x", "x"])
.current_dir(&at.subdir)
.status()
.expect("failed to run strace");
assert!(status.success(), "strace run failed");

let log = at.read("strace.log");

// Regression guard: ensure recursion uses dirfd-relative openat instead of AT_FDCWD with a multi-component path
assert!(
!log.contains("openat(AT_FDCWD, \"x/y"),
"chmod recursed using AT_FDCWD with a multi-component path; expected dirfd-relative openat"
);
}

#[test]
fn test_chmod_colored_output() {
// Test colored help message
Expand Down
Loading