Adjust rm & du to use safe traversal (openat, unlinkat, etc)

[sylvestre]

I have other for chmod, chown & cp

For now, I am only modifying Linux. It would be too hard to update all of them at once I think.

[sylvestre]

i am pretty sure it is going to regress some GNU tests!

[github-actions]

GNU testsuite comparison:

GNU test failed: tests/du/bind-mount-dir-cycle. tests/du/bind-mount-dir-cycle is passing on 'main'. Maybe you have to rebase?
GNU test failed: tests/du/bind-mount-dir-cycle-v2. tests/du/bind-mount-dir-cycle-v2 is passing on 'main'. Maybe you have to rebase?
GNU test failed: tests/du/deref. tests/du/deref is passing on 'main'. Maybe you have to rebase?
GNU test failed: tests/du/long-sloop. tests/du/long-sloop is passing on 'main'. Maybe you have to rebase?
GNU test failed: tests/du/move-dir-while-traversing. tests/du/move-dir-while-traversing is passing on 'main'. Maybe you have to rebase?
Skip an intermittent issue tests/misc/tee (fails in this run but passes in the 'main' branch)
Congrats! The gnu test tests/du/long-from-unreadable is no longer failing!

[github-actions]

GNU testsuite comparison:

GNU test failed: tests/du/move-dir-while-traversing. tests/du/move-dir-while-traversing is passing on 'main'. Maybe you have to rebase?
Skipping an intermittent issue tests/timeout/timeout (passes in this run but fails in the 'main' branch)

[github-actions]

GNU testsuite comparison:

GNU test failed: tests/du/move-dir-while-traversing. tests/du/move-dir-while-traversing is passing on 'main'. Maybe you have to rebase?
Skip an intermittent issue tests/misc/tee (fails in this run but passes in the 'main' branch)
Congrats! The gnu test tests/du/long-from-unreadable is no longer failing!

[github-actions]

GNU testsuite comparison:

Skip an intermittent issue tests/misc/tee (fails in this run but passes in the 'main' branch)
Skip an intermittent issue tests/misc/usage_vs_getopt (fails in this run but passes in the 'main' branch)
Skipping an intermittent issue tests/timeout/timeout (passes in this run but fails in the 'main' branch)
Congrats! The gnu test tests/du/long-from-unreadable is no longer failing!

[Copilot]

Pull Request Overview

This PR implements safe directory traversal for the rm and du utilities on Linux using openat(), unlinkat(), and related syscalls to avoid TOCTOU (Time-of-Check-Time-of-Use) race conditions. The implementation provides protection against filesystem race attacks by using file descriptors instead of paths for operations.

• Linux-specific safe traversal module added with RAII file descriptor management
• rm updated to use safe traversal for long paths (>1000 characters) to prevent path length issues
• du updated with safe traversal implementation that avoids symlink-related race conditions

Reviewed Changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
util/build-gnu.sh	Skip GNU test that relies on race conditions safe traversal prevents
tests/by-util/test_rm.rs	Add test for recursive removal with long paths using safe traversal
tests/by-util/test_du.rs	Add comprehensive tests for safe traversal edge cases and symlink handling
src/uucore/src/lib/lib.rs	Export safe_traversal module when feature is enabled
src/uucore/src/lib/features/safe_traversal.rs	Core safe traversal implementation with DirFd wrapper
src/uucore/src/lib/features.rs	Declare safe_traversal module
src/uucore/Cargo.toml	Add safe-traversal feature flag
src/uu/rm/src/rm.rs	Implement safe directory removal for long paths on Linux
src/uu/rm/Cargo.toml	Enable safe-traversal feature
src/uu/du/src/du.rs	Implement safe directory traversal with cycle detection
src/uu/du/Cargo.toml	Enable safe-traversal feature

Comments suppressed due to low confidence (1)

src/uucore/src/lib/features/safe_traversal.rs:1

• Using / as a fallback metadata source will provide incorrect file type and size information. This could lead to incorrect behavior when the fake metadata is used for file operations. Consider returning an error instead of providing misleading metadata.

// Safe directory traversal using openat() and related syscalls

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[github-actions]

GNU testsuite comparison:

Skip an intermittent issue tests/misc/tee (fails in this run but passes in the 'main' branch)
Congrats! The gnu test tests/du/long-from-unreadable is no longer failing!

[cakebaker]

Are the tests supposed to pass even without applying any of the changes to the other files?

[sylvestre]

yeah
we should do an strace to verify that openat is called instead of open

[cakebaker]

Done :)

[sylvestre]

i have some intermittent issues with this PR:

  ---- test_du::test_du_soft_link stdout ----
  bin: "/home/sylvestre/dev/debian/coreutils.uutests/target/debug/coreutils"
  symlink: /tmp/.tmpzfGQVo/subdir/links/subwords.txt,/tmp/.tmpzfGQVo/subdir/links/sublink.txt

  thread 'test_du::test_du_soft_link' panicked at tests/uutests/src/lib/util.rs:1191:60:
  called `Result::unwrap()` on an `Err` value: Os { code: 2, kind: NotFound, message: "No such file or directory" }
  note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

  ---- test_du::test_du_one_file_system stdout ----
  bin: "/home/sylvestre/dev/debian/coreutils.uutests/target/debug/coreutils"
  run: /home/sylvestre/dev/debian/coreutils.uutests/target/debug/coreutils du -x subdir/deeper

  thread 'test_du::test_du_one_file_system' panicked at tests/by-util/test_du.rs:818:51:
  Command was expected to succeed. code: 1
  stdout = 
   stderr = du: cannot access 'subdir/deeper': No such file or directory

[github-actions]

GNU testsuite comparison:

Congrats! The gnu test tests/du/long-from-unreadable is no longer failing!

[cakebaker]

Sorry, there is a conflict :|

[github-actions]

GNU testsuite comparison:

Skip an intermittent issue tests/misc/tee (fails in this run but passes in the 'main' branch)
Skip an intermittent issue tests/timeout/timeout (fails in this run but passes in the 'main' branch)
Congrats! The gnu test tests/du/long-from-unreadable is no longer failing!

[github-actions]

GNU testsuite comparison:

Skip an intermittent issue tests/misc/tee (fails in this run but passes in the 'main' branch)
Skip an intermittent issue tests/timeout/timeout (fails in this run but passes in the 'main' branch)
Congrats! The gnu test tests/du/long-from-unreadable is no longer failing!

[github-actions]

GNU testsuite comparison:

Skipping an intermittent issue tests/misc/tee (passes in this run but fails in the 'main' branch)
Skipping an intermittent issue tests/timeout/timeout (passes in this run but fails in the 'main' branch)
Congrats! The gnu test tests/du/long-from-unreadable is no longer failing!

[github-actions]

GNU testsuite comparison:

Skipping an intermittent issue tests/timeout/timeout (passes in this run but fails in the 'main' branch)
Congrats! The gnu test tests/du/long-from-unreadable is no longer failing!

[github-actions]

GNU testsuite comparison:

Congrats! The gnu test tests/du/long-from-unreadable is no longer failing!

[github-actions]

GNU testsuite comparison:

Skip an intermittent issue tests/misc/tee (fails in this run but passes in the 'main' branch)
Skip an intermittent issue tests/timeout/timeout (fails in this run but passes in the 'main' branch)
Skipping an intermittent issue tests/misc/stdbuf (passes in this run but fails in the 'main' branch)
Congrats! The gnu test tests/du/long-from-unreadable is no longer failing!

[cakebaker]

Congrats! The gnu test tests/du/long-from-unreadable is no longer failing!

Great :)