coreutils: Protect against env -a for security

Author: oech3

Cargo.toml

@@ -539,6 +539,7 @@ wc = { optional = true, version = "0.6.0", package = "uu_wc", path = "src/uu/wc"
 who = { optional = true, version = "0.6.0", package = "uu_who", path = "src/uu/who" }
 whoami = { optional = true, version = "0.6.0", package = "uu_whoami", path = "src/uu/whoami" }
 yes = { optional = true, version = "0.6.0", package = "uu_yes", path = "src/uu/yes" }
+libc.workspace = true
 
 # this breaks clippy linting with: "tests/by-util/test_factor_benches.rs: No such file or directory (os error 2)"
 # factor_benches = { optional = true, version = "0.0.0", package = "uu_factor_benches", path = "tests/benches/factor" }

src/bin/coreutils.rs

@@ -3,6 +3,8 @@
 // For the full copyright and license information, please view the LICENSE
 // file that was distributed with this source code.
 
+// spell-checker:ignore getauxval EXECFN
+
 use clap::Command;
 use coreutils::validation;
 use itertools::Itertools as _;
@@ -45,8 +47,24 @@ fn main() {
     let utils = util_map();
     let mut args = uucore::args_os();
 
+    #[cfg(any(target_os = "linux", target_os = "android"))]
+    // protect against env -a
+    let binary = {
+        use std::ffi::{CStr, OsString};
+        use std::os::unix::ffi::OsStringExt;
+        let p: *const libc::c_char = unsafe { libc::getauxval(libc::AT_EXECFN) as _ };
+        if p.is_null() {
+            let _ = writeln!(io::stderr(), "getauxval failed");
+            process::exit(1);
+        }
+        let _ = args.next();
+        let n = unsafe { CStr::from_ptr(p) };
+        OsString::from_vec(n.to_bytes().to_vec())
+    };
+    #[cfg(not(any(target_os = "linux", target_os = "android")))]
     let binary = validation::binary_path(&mut args);
-    let binary_as_util = validation::name(&binary).unwrap_or_else(|| {
+
+    let binary_as_util = validation::name(binary.as_ref()).unwrap_or_else(|| {
         usage(&utils, "<unknown binary name>");
         process::exit(0);
     });
@@ -55,8 +73,12 @@ fn main() {
     let is_coreutils = binary_as_util.ends_with("utils");
     let matched_util = utils
         .keys()
+        //*utils is not ls
         .filter(|&&u| binary_as_util.ends_with(u) && !is_coreutils)
-        .max_by_key(|u| u.len()); //Prefer stty more than tty. *utils is not ls
+        //Prefer stty more than tty
+        .max_by_key(|u| u.len())
+        // todo: with coreutils -> ls -> blah symlink chain, blah calls ls
+        ;
 
     let util_name = if let Some(&util) = matched_util {
         Some(OsString::from(util))

tests/by-util/test_env.rs

@@ -722,7 +722,11 @@ fn test_env_with_empty_executable_double_quotes() {
 }
 
 #[test]
-#[cfg(all(unix, feature = "dirname", feature = "echo"))]
+#[cfg(all(
+    all(unix, feature = "dirname", feature = "echo"),
+    not(any(target_os = "linux", target_os = "android"))
+))]
+// protected against hijack at Linux
 fn test_env_overwrite_arg0() {
     let ts = TestScenario::new(util_name!());
 
@@ -746,7 +750,11 @@ fn test_env_overwrite_arg0() {
 }
 
 #[test]
-#[cfg(all(unix, feature = "echo"))]
+#[cfg(all(
+    all(unix, feature = "echo"),
+    not(any(target_os = "linux", target_os = "android"))
+))]
+// protected against hijack at Linux
 fn test_env_arg_argv0_overwrite() {
     let ts = TestScenario::new(util_name!());
 
@@ -794,7 +802,11 @@ fn test_env_arg_argv0_overwrite() {
 }
 
 #[test]
-#[cfg(all(unix, feature = "echo"))]
+#[cfg(all(
+    all(unix, feature = "echo"),
+    not(any(target_os = "linux", target_os = "android"))
+))]
+// protected against hijack at Linux
 fn test_env_arg_argv0_overwrite_mixed_with_string_args() {
     let ts = TestScenario::new(util_name!());