fix(install): prevent symlink race condition in install -D (fixes #10013) (#10140)

Author: abendrothj

.vscode/cspell.dictionaries/jargon.wordlist.txt

@@ -116,6 +116,7 @@ noxfer
 ofile
 oflag
 oflags
+openat
 pdeathsig
 peekable
 performant

src/uu/chmod/src/chmod.rs

@@ -19,7 +19,7 @@ use uucore::mode;
 use uucore::perms::{TraverseSymlinks, configure_symlink_and_recursion};
 
 #[cfg(all(unix, not(target_os = "redox")))]
-use uucore::safe_traversal::DirFd;
+use uucore::safe_traversal::{DirFd, SymlinkBehavior};
 use uucore::{format_usage, show, show_error};
 
 use uucore::translate;
@@ -473,7 +473,7 @@ impl Chmoder {
 
         // If the path is a directory (or we should follow symlinks), recurse into it using safe traversal
         if (!file_path.is_symlink() || should_follow_symlink) && file_path.is_dir() {
-            match DirFd::open(file_path) {
+            match DirFd::open(file_path, SymlinkBehavior::Follow) {
                 Ok(dir_fd) => {
                     r = self.safe_traverse_dir(&dir_fd, file_path).and(r);
                 }
@@ -502,7 +502,7 @@ impl Chmoder {
         for entry_name in entries {
             let entry_path = dir_path.join(&entry_name);
 
-            let dir_meta = dir_fd.metadata_at(&entry_name, should_follow_symlink);
+            let dir_meta = dir_fd.metadata_at(&entry_name, should_follow_symlink.into());
             let Ok(meta) = dir_meta else {
                 // Handle permission denied with proper file path context
                 let e = dir_meta.unwrap_err();
@@ -527,7 +527,7 @@ impl Chmoder {
 
                 // Recurse into subdirectories using the existing directory fd
                 if meta.is_dir() {
-                    match dir_fd.open_subdir(&entry_name) {
+                    match dir_fd.open_subdir(&entry_name, SymlinkBehavior::Follow) {
                         Ok(child_dir_fd) => {
                             r = self.safe_traverse_dir(&child_dir_fd, &entry_path).and(r);
                         }
@@ -591,7 +591,7 @@ impl Chmoder {
 
         // Use safe traversal to change the mode
         let follow_symlinks = self.dereference;
-        if let Err(_e) = dir_fd.chmod_at(entry_name, new_mode, follow_symlinks) {
+        if let Err(_e) = dir_fd.chmod_at(entry_name, new_mode, follow_symlinks.into()) {
             if self.verbose {
                 println!(
                     "failed to change mode of {} to {new_mode:o}",

src/uu/du/src/du.rs

@@ -26,7 +26,7 @@ use uucore::error::{FromIo, UError, UResult, USimpleError, set_exit_code};
 use uucore::fsext::{MetadataTimeField, metadata_get_time};
 use uucore::line_ending::LineEnding;
 #[cfg(all(unix, not(target_os = "redox")))]
-use uucore::safe_traversal::DirFd;
+use uucore::safe_traversal::{DirFd, SymlinkBehavior};
 use uucore::translate;
 
 use uucore::parser::parse_glob;
@@ -313,7 +313,7 @@ fn safe_du(
     let mut my_stat = if let Some(parent_fd) = parent_fd {
         // We have a parent fd, this is a subdirectory - use openat
         let dir_name = path.file_name().unwrap_or(path.as_os_str());
-        match parent_fd.metadata_at(dir_name, false) {
+        match parent_fd.metadata_at(dir_name, SymlinkBehavior::NoFollow) {
             Ok(safe_metadata) => {
                 // Create Stat from safe metadata
                 let file_info = safe_metadata.file_info();
@@ -368,7 +368,7 @@ fn safe_du(
             Ok(s) => s,
             Err(_e) => {
                 // Try using our new DirFd method for the root directory
-                match DirFd::open(path) {
+                match DirFd::open(path, SymlinkBehavior::Follow) {
                     Ok(dir_fd) => match Stat::new_from_dirfd(&dir_fd, path) {
                         Ok(s) => s,
                         Err(e) => {
@@ -406,8 +406,11 @@ fn safe_du(
 
     // Open the directory using DirFd
     let open_result = match parent_fd {
-        Some(parent) => parent.open_subdir(path.file_name().unwrap_or(path.as_os_str())),
-        None => DirFd::open(path),
+        Some(parent) => parent.open_subdir(
+            path.file_name().unwrap_or(path.as_os_str()),
+            SymlinkBehavior::Follow,
+        ),
+        None => DirFd::open(path, SymlinkBehavior::Follow),
     };
 
     let dir_fd = match open_result {
@@ -435,7 +438,7 @@ fn safe_du(
         let entry_path = path.join(&entry_name);
 
         // First get the lstat (without following symlinks) to check if it's a symlink
-        let lstat = match dir_fd.stat_at(&entry_name, false) {
+        let lstat = match dir_fd.stat_at(&entry_name, SymlinkBehavior::NoFollow) {
             Ok(stat) => stat,
             Err(e) => {
                 print_tx.send(Err(e.map_err_context(