git.ipfire.org Git - thirdparty/rsync.git/commit

author	Andrew Tridgell <andrew@tridgell.net>
	Tue, 5 May 2026 04:34:50 +0000 (14:34 +1000)
committer	Andrew Tridgell <andrew@tridgell.net>
	Wed, 20 May 2026 00:01:22 +0000 (10:01 +1000)
commit	40a6e130710df3d8195d9612e0ba1d2aba2fc7d1
tree	0523fa4507f63eaefd96dcb2723af17779929234	tree \| snapshot
parent	3cc6a9e8cdcffb637ecdd41dae47833096dca317	commit \| diff

testsuite: end-to-end regression test for chdir-symlink-race

testsuite/chdir-symlink-race.test runs an actual rsync daemon
(via RSYNC_CONNECT_PROG to avoid the network) configured with
"use chroot = no", plants a symlink at module/subdir -> ../outside,
and runs four flavours of attacker-shaped transfer (single-file
poc_chmod, -r push into the symlinked subdir with --size-only and
without, -r push into the module root). All four must leave the
outside-the-module sentinel file's mode AND content unchanged.

Portability:
  - file_mode() helper falls back to BSD stat -f %Lp when GNU
    stat -c %a is unavailable (macOS, FreeBSD).
  - Pre-saved pristine copy + cmp(1) replaces sha1sum, which
    differs across platforms (sha1sum / shasum / sha1).

Tests are kept running as root in the user-namespace re-exec
wrapper used by symlink-race tests so the daemon's setuid path
doesn't drop into the test user's identity (which on Linux
would mean the chmod-escape code path can't trigger because
the test user doesn't have CAP_FOWNER over the outside file).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

testsuite/alt-dest-symlink-race.test		diff \| blob \| blame \| history
testsuite/bare-do-open-symlink-race.test		diff \| blob \| blame \| history
testsuite/chdir-symlink-race.test	[new file with mode: 0755]	blob
testsuite/copy-dest-source-symlink.test		diff \| blob \| blame \| history