fix: enforce POSIX permission checks on utime() #357
Draft
toddr-bot wants to merge 2 commits into cpan-authors:main from
Demonstrates that utime() on mocked files ignores POSIX permission rules: non-owners can set arbitrary times and files with no write permission can be touched. Three of nine tests fail against the current code, proving the vulnerability. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
utime() was missing permission enforcement entirely — any mock user
could modify timestamps on any file regardless of ownership or mode
bits. This violated POSIX semantics where:
- Root can always set times
- File owner can always set times
- Non-owner with write permission can only set times to "now" (utime(undef, undef, ...))
- Non-owner without write permission gets EACCES
Follows the same permission-check pattern used by chmod() and chown().
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
What

Adds POSIX permission enforcement to utime() for mocked files.

Why

utime() was the only filesystem-modifying operation with no permission checks when set_user() is active. Any mock user could modify timestamps on any file regardless of ownership or mode bits, making permission-related tests unreliable. chmod() and chown() already had correct enforcement.

How

Added per-file permission check in __utime following POSIX rules:
- utime(undef, undef, ...) (set to now) — returns EPERM for explicit times

Testing

- t/utime_perms.t with 9 subtests covering all permission scenarios (owner, root, non-owner with/without write, group write, mixed files, no-user default)
- fh-ref-leak.t failure)

🤖 Generated with Claude Code
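The permission decision the commit message and the "How" section describe, written out as an added example in Python; this is not code from the PR or from the mocked-filesystem module it patches. MockUser, MockFile, utime_errno and mock_utime are assumed names, and a `None` user stands for set_user() not being active. mock_utime mirrors Perl's utime() return convention (number of files changed) so the "mixed files" scenario from the test list can be checked.

```python
import errno
import time
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class MockUser:
    uid: int
    gid: int
    groups: Tuple[int, ...] = ()      # supplementary group ids

@dataclass
class MockFile:
    uid: int
    gid: int
    mode: int                         # permission bits only, e.g. 0o644
    atime: float = 0.0
    mtime: float = 0.0

def can_write(user: MockUser, f: MockFile) -> bool:
    """Owner/group/other write-bit check (root is handled by the caller)."""
    if user.uid == f.uid:
        return bool(f.mode & 0o200)
    if f.gid == user.gid or f.gid in user.groups:
        return bool(f.mode & 0o020)
    return bool(f.mode & 0o002)

def utime_errno(user: Optional[MockUser], f: MockFile, atime, mtime) -> int:
    """0 if the call is allowed, else the errno the mocked utime() reports.
    No active mock user, root, and the owner may set any times; a non-owner
    with write permission may only set times to "now" (both times None),
    explicit times give EPERM; a non-owner without write permission gets EACCES.
    """
    if user is None or user.uid == 0 or user.uid == f.uid:
        return 0
    if can_write(user, f):
        return 0 if (atime is None and mtime is None) else errno.EPERM
    return errno.EACCES

def mock_utime(user, atime, mtime, *files):
    """Perl-style utime: returns (files changed, errno of the last failure)."""
    changed, err = 0, 0
    for f in files:
        e = utime_errno(user, f, atime, mtime)
        if e:
            err = e
            continue
        now = time.time()
        f.atime = now if atime is None else atime
        f.mtime = now if mtime is None else mtime
        changed += 1
    return changed, err
```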
Quality Report
Changes: 2 files changed, 194 insertions(+)
Code scan: clean
Tests: failed (4 Failed, 95 test)
Branch hygiene: clean
Generated by Kōan post-mission quality pipeline