std::fs::set_symlink_permissions #582

Open
lolbinarycat opened this issue May 2, 2025 · 2 comments
Labels
ACP-accepted API Change Proposal is accepted (seconded with no objections) api-change-proposal A proposal to add or alter unstable APIs in the standard libraries T-libs-api

Comments

@lolbinarycat

Proposal

Problem statement

The current behavior of set_permissions can lead to privilege escalations such as in CVE-2025-27591.

Motivating examples or use cases

Privileged software that wishes to set up a world-writable directory without potentially making other directories world-writable

Solution sketch

Add set_symlink_permissions, a function that attempts to set the permissions of a file or directory without following any symlinks.

On Linux, this will simply fail when used on a symlink; however, on BSD systems it can use lchmod.

Alternatives

  • change the behavior of std::fs::set_permissions without an edition boundary.
  • add set_permissions_nofollow which always fails when used on a symlink

Future Possibilities

If we get edition-dependent aliases, set_permissions could be changed to point to this in a future edition.

Links and related work

What happens now?

This issue contains an API change proposal (or ACP) and is part of the libs-api team feature lifecycle. Once this issue is filed, the libs-api team will review open proposals as capability becomes available. Current response times do not have a clear estimate, but may be up to several months.

Possible responses

The libs team may respond in various different ways. First, the team will consider the problem (this doesn't require any concrete solution or alternatives to have been proposed):

  • We think this problem seems worth solving, and the standard library might be the right place to solve it.
  • We think that this probably doesn't belong in the standard library.

Second, if there's a concrete solution:

  • We think this specific solution looks roughly right, approved, you or someone else should implement this. (Further review will still happen on the subsequent implementation PR.)
  • We're not sure this is the right solution, and the alternatives or other materials don't give us enough information to be sure about that. Here are some questions we have that aren't answered, or rough ideas about alternatives we'd want to see discussed.
@lolbinarycat lolbinarycat added api-change-proposal A proposal to add or alter unstable APIs in the standard libraries T-libs-api labels May 2, 2025
@the8472
Member

the8472 commented May 2, 2025

add set_symlink_permissions, a function that attempts to set the permissions of a file or directory without following any symlinks.

set_permissions_nofollow seems like it would be more appropriate for that goal. fchmodat is part of POSIX at least. https://pubs.opengroup.org/onlinepubs/9799919799/functions/chmod.html

@Amanieu
Member

Amanieu commented May 6, 2025

We discussed this in the @rust-lang/libs-api meeting today. We would like to accept this with the name set_permissions_nofollow since it is clearer than set_symlink_permissions. The behavior when attempting to set the permissions of a symlink is platform-specific: on some platforms it succeeds but has no effect (BSD), on others it simply fails (Linux). This should only perform one underlying filesystem operation to avoid TOCTOU issues.

Please open a tracking issue and open a PR to rust-lang/rust to add it as an unstable feature. You can close this ACP once the tracking issue has been created.
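The single-operation, no-TOCTOU behaviour the proposal and the meeting outcome describe, written here as an added example with std only (not code from this ACP or from rust-lang/rust): since std has no fchmodat binding, it opens the path with O_NOFOLLOW and fchmods the descriptor, so the open alone decides which inode is changed. It assumes Linux (the hardcoded O_NOFOLLOW value and ELOOP-on-symlink behaviour) and a writable temp dir for the constructed fixture.

```rust
use std::fs::{self, Permissions};
use std::io;
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::Path;

// Linux O_NOFOLLOW from <fcntl.h> (x86_64/aarch64); std exposes no binding, so
// it is hardcoded here. Other platforms use a different value.
const O_NOFOLLOW: i32 = 0o400000;

/// Set `mode` on `path` without following a final-component symlink.
/// The open fails with ELOOP if `path` is a symlink; otherwise fchmod acts on
/// the inode that was opened, so there is no check-then-act window in which a
/// swapped symlink could redirect the chmod elsewhere.
pub fn set_permissions_nofollow(path: &Path, mode: u32) -> io::Result<()> {
    let f = fs::OpenOptions::new()
        .read(true) // read-only open works for directories; chmod needs ownership, not write access
        .custom_flags(O_NOFOLLOW)
        .open(path)?;
    f.set_permissions(Permissions::from_mode(mode))
}

/// Permission bits of `path` itself (no symlink following).
pub fn mode_of(path: &Path) -> io::Result<u32> {
    Ok(fs::symlink_metadata(path)?.permissions().mode() & 0o7777)
}

/// Constructed fixture: a real directory plus a symlink pointing at it. The nofollow
/// call must change the directory when addressed directly and refuse the link.
/// Returns (mode after direct call, link call refused?, mode after link attempt).
pub fn demo() -> io::Result<(u32, bool, u32)> {
    let scratch = std::env::temp_dir().join(format!("nofollow-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&scratch);
    fs::create_dir_all(&scratch)?;
    let target = scratch.join("target");
    let link = scratch.join("link");
    fs::create_dir(&target)?;
    fs::set_permissions(&target, Permissions::from_mode(0o700))?;
    std::os::unix::fs::symlink(&target, &link)?;

    set_permissions_nofollow(&target, 0o755)?;
    let after_direct = mode_of(&target)?;
    // Through the link the call is refused and the target stays 0o755, never 0o777.
    let link_refused = set_permissions_nofollow(&link, 0o777).is_err();
    let after_link = mode_of(&target)?;

    fs::remove_dir_all(&scratch)?;
    Ok((after_direct, link_refused, after_link))
}

fn main() -> io::Result<()> {
    println!("{:?}", demo()?);
    Ok(())
}
```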

@Amanieu Amanieu added the ACP-accepted API Change Proposal is accepted (seconded with no objections) label May 6, 2025