chmod:fix safe traversal/access (#9554)

* feat(chmod): use dirfd for recursive subdirectory traversal

- Update chmod recursive logic to use directory file descriptors instead of full paths for subdirectories
- Improves performance, avoids path length issues, and ensures dirfd-relative openat calls
- Add test to verify strace output shows no AT_FDCWD with multi-component paths

* test(chmod): add spell-check ignore for dirfd, subdirs, openat, FDCWD

Added a spell-checker ignore directive in the chmod test file to suppress false positives for legitimate technical terms used in Unix API calls.

* test(chmod): enforce strace requirement in recursive test, fail fast instead of skip

Previously, the test_chmod_recursive_uses_dirfd_for_subdirs test skipped gracefully if strace
was unavailable, without failing. This change enforces the strace dependency by failing the
test immediately if strace is not installed or runnable, ensuring the test runs reliably
in environments where it is expected to pass, and preventing silent skips.

* ci: install strace in Ubuntu CI jobs for debugging system calls

Add installation of strace tool on Ubuntu runners in both individual build/test and feature build/test jobs. This enables tracing system calls during execution, aiding in debugging and performance analysis within the CI/CD pipeline. Updated existing apt-get commands and added conditional steps for Linux-only installations.

* ci: Add strace installation to Ubuntu-based CI workflows

Install strace on ubuntu-latest runners across multiple jobs to enable system call tracing for testing purposes, ensuring compatibility with tests that require this debugging tool. This includes updating package lists in existing installation steps.

* chore(build): install strace and prevent apt prompts in Cross.toml pre-build

Modified the pre-build command to install strace utility for debugging and added -y flag to apt-get install to skip prompts, ensuring non-interactive builds.

* feat(build): support Alpine-based cross images in pre-build

Detect package manager (apt vs apk) to install tzdata and strace
in both Debian/Ubuntu and Alpine *-musl targets. Added fallback
warning for unsupported managers. This ensures strace is available
for targets using Alpine, which doesn't have apt-get.

* refactor(build): improve pre-build script readability by using multi-line strings

Replace escaped multi-line string with triple-quoted string for better readability in Cross.toml.

* feat(ci): install strace in WSL2 GitHub Actions workflow

Install strace utility in the WSL2 environment to support tracing system calls during testing. Minor update to Cross.toml spell-checker ignore list for consistency with change.

* ci(wsl2): install strace as root with non-interactive apt-get

Updated the WSL2 workflow step to use root shell (wsl-bash-root) for installing strace, removing sudo calls and adding DEBIAN_FRONTEND=noninteractive to prevent prompts. This improves CI reliability by ensuring direct root access and automated, interrupt-free package installation.

* ci: Move strace installation to user shell and update spell ignore

Fix WSL2 GitHub Actions workflow by installing strace as the user instead of root for better permission handling, and add "noninteractive" to the spell-checker ignore comment for consistency with the new apt-get command. This ensures the tool is available in the testing environment without unnecessary privilege escalation.

* chore: ci: remove unused strace installation from CI workflows

Remove strace package installation from multiple GitHub Actions workflow files (CICD.yml, l10n.yml, wsl2.yml). Strace was historically installed in Ubuntu jobs for debugging system calls, but it's no longer required for the tests and builds, reducing CI setup time and dependencies.

* ci: add strace installation and fix spell-checker comments in CI files

- Install strace package in CICD workflow to support safe traversal verification for utilities like rm, chmod, chown, chgrp, mv, and du, enabling syscall tracing for testing.
- Clean up spell-checker ignore comments in wsl2.yml and Cross.toml by removing misplaced flags.第二个测试产品**ci: add strace installation and fix spell-checker comments in CI files**

- Install strace package in CICD workflow to support safe traversal verification for utilities like rm, chmod, chown, chgrp, mv, and du, enabling syscall tracing for testing.
- Clean up spell-checker ignore comments in wsl2.yml and Cross.toml by removing misplaced flags.

* test: add regression guard for recursive chmod dirfd-relative traversal

Add a check in check-safe-traversal.sh to ensure recursive chmod operations use dirfd-relative openat calls instead of AT_FDCWD with multi-component paths, preventing potential race conditions. Ignore the corresponding Rust test as it is now covered by this shell script guard.

Author: mattsu2020

src/uu/chmod/src/chmod.rs

@@ -522,9 +522,24 @@ impl Chmoder {
                     .safe_chmod_file(&entry_path, dir_fd, &entry_name, meta.mode() & 0o7777)
                     .and(r);
 
-                // Recurse into subdirectories
+                // Recurse into subdirectories using the existing directory fd
                 if meta.is_dir() {
-                    r = self.walk_dir_with_context(&entry_path, false).and(r);
+                    match dir_fd.open_subdir(&entry_name) {
+                        Ok(child_dir_fd) => {
+                            r = self.safe_traverse_dir(&child_dir_fd, &entry_path).and(r);
+                        }
+                        Err(err) => {
+                            let error = if err.kind() == std::io::ErrorKind::PermissionDenied {
+                                ChmodError::PermissionDenied(
+                                    entry_path.to_string_lossy().to_string(),
+                                )
+                                .into()
+                            } else {
+                                err.into()
+                            };
+                            r = r.and(Err(error));
+                        }
+                    }
                 }
             }
         }

tests/by-util/test_chmod.rs

@@ -2,6 +2,7 @@
 //
 // For the full copyright and license information, please view the LICENSE
 // file that was distributed with this source code.
+// spell-checker:ignore (words) dirfd subdirs openat FDCWD
 
 use std::fs::{OpenOptions, Permissions, metadata, set_permissions};
 use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
@@ -1280,6 +1281,51 @@ fn test_chmod_non_utf8_paths() {
     );
 }
 
+#[cfg(all(target_os = "linux", feature = "chmod"))]
+#[test]
+#[ignore = "covered by util/check-safe-traversal.sh"]
+fn test_chmod_recursive_uses_dirfd_for_subdirs() {
+    use std::process::Command;
+    use uutests::get_tests_binary;
+
+    // strace is required; fail fast if it is missing or not runnable
+    let output = Command::new("strace")
+        .arg("-V")
+        .output()
+        .expect("strace not found; install strace to run this test");
+    assert!(
+        output.status.success(),
+        "strace -V failed; ensure strace is installed and usable"
+    );
+
+    let (at, _ucmd) = at_and_ucmd!();
+    at.mkdir("x");
+    at.mkdir("x/y");
+    at.mkdir("x/y/z");
+
+    let log_path = at.plus_as_string("strace.log");
+
+    let status = Command::new("strace")
+        .arg("-e")
+        .arg("openat")
+        .arg("-o")
+        .arg(&log_path)
+        .arg(get_tests_binary!())
+        .args(["chmod", "-R", "+x", "x"])
+        .current_dir(&at.subdir)
+        .status()
+        .expect("failed to run strace");
+    assert!(status.success(), "strace run failed");
+
+    let log = at.read("strace.log");
+
+    // Regression guard: ensure recursion uses dirfd-relative openat instead of AT_FDCWD with a multi-component path
+    assert!(
+        !log.contains("openat(AT_FDCWD, \"x/y"),
+        "chmod recursed using AT_FDCWD with a multi-component path; expected dirfd-relative openat"
+    );
+}
+
 #[test]
 fn test_chmod_colored_output() {
     // Test colored help message

util/check-safe-traversal.sh

@@ -173,6 +173,11 @@ fi
 if echo "$AVAILABLE_UTILS" | grep -q "chmod"; then
     cp -r test_dir test_chmod
     check_utility "chmod" "openat,fchmodat,newfstatat,chmod" "openat fchmodat" "-R 755 test_chmod" "recursive_chmod"
+
+    # Additional regression guard: ensure recursion uses dirfd-relative openat, not AT_FDCWD with a multi-component path
+    if grep -q 'openat(AT_FDCWD, "test_chmod/' strace_chmod_recursive_chmod.log; then
+        fail_immediately "chmod recursed using AT_FDCWD with a multi-component path; expected dirfd-relative openat"
+    fi
 fi
 
 # Test chown - should use openat, fchownat, newfstatat