[Bug 2111815] Re: [MIR] rust-coreutils
Julian Andres Klode
2111815 at bugs.launchpad.net
Wed Jul 23 18:24:24 UTC 2025
The tree walking also affects ls:
$ mkdir -p a/b/c
$ strace ls -lhR a
[...]
openat(AT_FDCWD, "./a", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0775, st_size=60, ...}) = 0
newfstatat(AT_FDCWD, "./a", {st_mode=S_IFDIR|0775, st_size=60, ...}, AT_SYMLINK_NOFOLLOW) = 0
getdents64(4, 0x5f4fbf019e70 /* 3 entries */, 32768) = 72
getdents64(4, 0x5f4fbf019e70 /* 0 entries */, 32768) = 0
statx(4, "b", AT_STATX_SYNC_AS_STAT|AT_SYMLINK_NOFOLLOW, STATX_ALL, {stx_mask=STATX_ALL|STATX_MNT_ID, stx_attributes=0, stx_mode=S_IFDIR|0775, stx_size=60, ...}) = 0
listxattr("b", 0x1, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "./a/b", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5
fstat(5, {st_mode=S_IFDIR|0775, st_size=60, ...}) = 0
newfstatat(AT_FDCWD, "./a/b", {st_mode=S_IFDIR|0775, st_size=60, ...}, AT_SYMLINK_NOFOLLOW) = 0
getdents64(5, 0x5f4fbf021eb0 /* 3 entries */, 32768) = 72
getdents64(5, 0x5f4fbf021eb0 /* 0 entries */, 32768) = 0
statx(5, "c", AT_STATX_SYNC_AS_STAT|AT_SYMLINK_NOFOLLOW, STATX_ALL, {stx_mask=STATX_ALL|STATX_MNT_ID, stx_attributes=0, stx_mode=S_IFDIR|0775, stx_size=40, ...}) = 0
listxattr("c", 0x1, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "./a/b/c", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 6
fstat(6, {st_mode=S_IFDIR|0775, st_size=40, ...}) = 0
brk(0x5f4fbf052000) = 0x5f4fbf052000
newfstatat(AT_FDCWD, "./a/b/c", {st_mode=S_IFDIR|0775, st_size=40, ...}, AT_SYMLINK_NOFOLLOW) = 0
getdents64(6, 0x5f4fbf029ef0 /* 2 entries */, 32768) = 48
getdents64(6, 0x5f4fbf029ef0 /* 0 entries */, 32768) = 0
brk(0x5f4fbf04a000) = 0x5f4fbf04a000
close(6) = 0
newfstatat(AT_FDCWD, "./a/b/c", {st_mode=S_IFDIR|0775, st_size=40, ...}, AT_SYMLINK_NOFOLLOW) = 0
brk(0x5f4fbf042000) = 0x5f4fbf042000
close(5) = 0
newfstatat(AT_FDCWD, "./a/b", {st_mode=S_IFDIR|0775, st_size=60, ...}, AT_SYMLINK_NOFOLLOW) = 0
brk(0x5f4fbf03a000) = 0x5f4fbf03a000
close(4) = 0
newfstatat(AT_FDCWD, "./a", {st_mode=S_IFDIR|0775, st_size=60, ...}, AT_SYMLINK_NOFOLLOW) = 0
close(3) = 0
write(1, ".:\ntotal 0\ndrwxrwxr-x 3 jak jak "..., 176.:
total 0
It's not clear how the raciness would be unsafe though; there don't
seem to be any possible exploits: if you can modify any part of the file
path, you can also modify it before or after...
https://bugs.launchpad.net/bugs/2111815
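As an added illustration (not code from the bug report or from uutils coreutils): a minimal C directory walk that resolves every child relative to its parent's directory fd, the way the statx(4, "b", ...) calls in the trace do, rather than re-resolving "./a/b" from AT_FDCWD as the newfstatat/openat calls do. make_tree builds the a/b/c fixture from the trace under a constructed path of its own choosing, and count_dirs_fdrel returns the number of directories visited.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Walk one directory given only an open fd for it. Every child is
 * looked up with fstatat()/openat() relative to that fd, so a rename
 * of an ancestor between the getdents64() and the open cannot redirect
 * the walk to a different tree. Takes ownership of fd. */
static int walk_fd(int fd) {
    DIR *d = fdopendir(fd);            /* d now owns fd; closedir() closes it */
    if (!d) { close(fd); return -1; }
    int dirs = 1;                      /* count this directory itself */
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        struct stat st;
        /* fd-relative stat, no symlink following (like statx(4, "b", ...)) */
        if (fstatat(dirfd(d), e->d_name, &st, AT_SYMLINK_NOFOLLOW) < 0 ||
            !S_ISDIR(st.st_mode))
            continue;
        /* open the child relative to the parent fd and refuse symlinks */
        int child = openat(dirfd(d), e->d_name,
                           O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        if (child < 0) continue;       /* vanished or replaced since readdir */
        int sub = walk_fd(child);
        if (sub > 0) dirs += sub;
    }
    closedir(d);
    return dirs;
}

/* Count directories under root, root included: 3 for the a/b/c tree.
 * Returns -1 if root cannot be opened as a directory. */
int count_dirs_fdrel(const char *root) {
    int fd = open(root, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    return walk_fd(fd);
}

/* Constructed fixture mirroring `mkdir -p a/b/c` from the trace. */
int make_tree(const char *root) {
    const char *subs[] = { "", "/b", "/b/c" };
    char path[512];
    for (size_t i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s%s", root, subs[i]);
        if (mkdir(path, 0755) < 0 && errno != EEXIST) return -1;
    }
    return 0;
}
```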
Title:
[MIR] rust-coreutils
Status in rust-coreutils package in Ubuntu:
New
Bug description:
[Availability]
The package rust-coreutils is already in Ubuntu universe.
The package rust-coreutils builds for the architectures it is designed to work on.
It currently builds and works for architectures: (all of them)
Link to package https://launchpad.net/ubuntu/+source/rust-coreutils
[Rationale]
- The package rust-coreutils is required in Ubuntu main for
strengthening product security, resilience, and safety by adopting
memory-safe replacements for core functionalities as outlined in
Jon Seager's post:
https://discourse.ubuntu.com/t/carefully-but-purposefully-oxidising-ubuntu/56995
- The package rust-coreutils will generally be useful for a large part of
our user base as it will become the new default coreutils
[Security]
- No CVEs/security issues in this software in the past
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
[chroot used to be in sbin]
- Package does not install services, timers or recurring jobs
- Security has been kept in mind and common isolation/risk-mitigation
patterns are in place utilizing the following features:
This is using a memory-safe language, eliminating most memory safety
issues.
- Package does not expose any external endpoints
- Package does not contain extensions to security-sensitive software
(filters, scanners, plugins, UI skins, ...)
[Quality assurance - function/usage]
- The package works well right after install
Particularly, when installing coreutils-from-uutils, which is to be the
default. On its own, this provides a single coreutils binary.
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does
not have too many, long-term & critical, open bugs
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/rust-coreutils/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=rust-coreutils
- Upstream's bug tracker, e.g., GitHub Issues
- The package has important open bugs, listing them:
- Lots of coreutils still have some breakage which prevents the default
switch, I won't list them individually.
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
it makes the build fail, link to build log
https://launchpadlibrarian.net/797298944/buildlog_ubuntu-questing-amd64.rust-coreutils_0.0.30-2ubuntu2_BUILDING.txt.gz
- The package does not run an autopkgtest because there are no additional
tests. It does trigger a whole bunch of packages; and of course the GNU
coreutils test suite gets triggered by coreutils-from with coreutils-from-uutils
as the default coreutils provider.
[Quality assurance - packaging]
- debian/watch is not present, instead it has "cargo magic"
- debian/control defines a correct Maintainer field
- Please link to a recent build log of the package https://launchpadlibrarian.net/797298944/buildlog_ubuntu-questing-amd64.rust-coreutils_0.0.30-2ubuntu2_BUILDING.txt.gz
- Please attach the full output you have got from
`lintian --pedantic` as an extra post to this bug:
it's just:
W: rust-coreutils: bad-whatis-entry [usr/share/man/man1/rust-coreutils.1.gz]
W: rust-coreutils: debian-changelog-line-too-long [usr/share/doc/rust-coreutils/changelog.Debian.gz:9]
W: rust-coreutils: no-manual-page [usr/bin/coreutils]
aka rust-coreutils is the manpage for coreutils and it's a bit
weird.
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf
questions
- Packaging and build is easy, link to debian/rules
https://git.launchpad.net/ubuntu/+source/rust-coreutils/tree/debian/rules?h=ubuntu/questing-devel
The vendoring is the most part :D
[UI standards]
The situation is a bit more complex than the template allows for; coreutils
are *somewhat* user interfacing - for terminal users.
Translation support is being added, but sadly it uses "Fluent" which is
not compatible with Launchpad's translation service, which is going to need
some more work to see how we can translate from ftl to pot, produce po and
then translate back to ftl such that we can ship translations in language
packs.
[Dependencies]
- No further depends or recommends dependencies that are not yet in main
[Rust dependencies are vendored per Rust MIR policy]
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- The owning team will be foundations-bugs and I have their acknowledgement for
that commitment
- I suggest the owning team to be debcrafters-packages starting 26.10
- The team foundations is aware of the implications by a static build and
commits to test no-change-rebuilds and to fix any issues found for the
lifetime of the release (including ESM)
- The team foundations is aware of the implications of vendored code and (as
alerted by the security team) commits to provide updates and backports
to the security team for any affected vendored code for the lifetime
of the release (including ESM).
- This package uses vendored rust code tracked in Cargo.lock as shipped,
in the *source* package (it produces a single binary, no crates), refreshing
that code is outlined in debian/README.source
[FIXME: I don't have a README.source]
- This package is rust based and vendors all non language-runtime
dependencies
- The package has been built within the last 3 months in the archive
- Build link on launchpad: https://launchpad.net/ubuntu/+source/rust-coreutils/0.0.30-2ubuntu2
[Background information]
The package description explains the package well
Upstream Name is coreutils (same as GNU one)
Link to upstream project https://github.com/uutils/coreutils