coreutils: Protect against env -a for security

[oech3]

env -a false ls does not fail. Works under masked /proc.
Closes #10135

[github-actions]

GNU testsuite comparison:

Skip an intermittent issue tests/tty/tty-eof (fails in this run but passes in the 'main' branch)
Skipping an intermittent issue tests/misc/usage_vs_getopt (passes in this run but fails in the 'main' branch)
Skipping an intermittent issue tests/shuf/shuf-reservoir (passes in this run but fails in the 'main' branch)
Skipping an intermittent issue tests/sort/sort-stale-thread-mem (passes in this run but fails in the 'main' branch)
Note: The gnu test tests/basenc/bounded-memory is now being skipped but was previously passing.

[github-actions]

GNU testsuite comparison:

Skip an intermittent issue tests/shuf/shuf-reservoir (fails in this run but passes in the 'main' branch)
Skip an intermittent issue tests/sort/sort-stale-thread-mem (fails in this run but passes in the 'main' branch)

[codspeed-hq]

Merging this PR will not alter performance

✅ 118 untouched benchmarks
⏩ 228 skipped benchmarks¹

---

_{Comparing oech3:auxval (3b4ab62) with main (1ee881b)}

Footnotes

1. 228 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[github-actions]

GNU testsuite comparison:

GNU test failed: tests/cut/bounded-memory. tests/cut/bounded-memory is passing on 'main'. Maybe you have to rebase?
Congrats! The gnu test tests/pr/bounded-memory is no longer failing!

[ChrisDryden]

I think it would make sense for this code to go into the validation.rs file instead of in the main.rs, then you don't have to worry about importing libc.

It would be good to have an additional integration test that shows the env -a working

[github-actions]

GNU testsuite comparison:

Congrats! The gnu test tests/tail/tail-n0f is now passing!

[github-actions]

GNU testsuite comparison:

Skip an intermittent issue tests/shuf/shuf-reservoir (fails in this run but passes in the 'main' branch)
Skip an intermittent issue tests/sort/sort-stale-thread-mem (fails in this run but passes in the 'main' branch)
Congrats! The gnu test tests/tail/tail-n0f is now passing!

[github-actions]

GNU testsuite comparison:

Congrats! The gnu test tests/tail/tail-n0f is now passing!

[github-actions]

GNU testsuite comparison:

GNU test failed: tests/cut/bounded-memory. tests/cut/bounded-memory is passing on 'main'. Maybe you have to rebase?
GNU test failed: tests/pr/bounded-memory. tests/pr/bounded-memory is passing on 'main'. Maybe you have to rebase?
Congrats! The gnu test tests/tail/tail-n0f is now passing!

[github-actions]

GNU testsuite comparison:

GNU test failed: tests/env/env. tests/env/env is passing on 'main'. Maybe you have to rebase?
Skipping an intermittent issue tests/tail/follow-name (passes in this run but fails in the 'main' branch)

[github-actions]

GNU testsuite comparison:

GNU test failed: tests/env/env. tests/env/env is passing on 'main'. Maybe you have to rebase?
Skip an intermittent issue tests/cut/bounded-memory (fails in this run but passes in the 'main' branch)
Skip an intermittent issue tests/tty/tty-eof (fails in this run but passes in the 'main' branch)
Note: The gnu test tests/cp/copy-FMR is now being skipped but was previously passing.
Note: The gnu test tests/shuf/shuf-reservoir is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-stale-thread-mem is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-u-FMR is now being skipped but was previously passing.
Note: The gnu test tests/tail/tail-n0f is now being skipped but was previously passing.
Skip an intermittent issue tests/pr/bounded-memory (was skipped on 'main', now failing)

[github-actions]

GNU testsuite comparison:

GNU test failed: tests/env/env. tests/env/env is passing on 'main'. Maybe you have to rebase?
Skip an intermittent issue tests/date/date-locale-hour (fails in this run but passes in the 'main' branch)
Skip an intermittent issue tests/tail/symlink (fails in this run but passes in the 'main' branch)
Note: The gnu test tests/cp/copy-FMR is now being skipped but was previously passing.
Note: The gnu test tests/rm/many-dir-entries-vs-OOM is now being skipped but was previously passing.
Note: The gnu test tests/shuf/shuf-reservoir is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-stale-thread-mem is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-u-FMR is now being skipped but was previously passing.
Congrats! The gnu test tests/pr/bounded-memory is now passing!

[github-actions]

GNU testsuite comparison:

GNU test failed: tests/env/env. tests/env/env is passing on 'main'. Maybe you have to rebase?
Skip an intermittent issue tests/date/date-locale-hour (fails in this run but passes in the 'main' branch)
Skip an intermittent issue tests/tail/symlink (fails in this run but passes in the 'main' branch)
Note: The gnu test tests/cp/copy-FMR is now being skipped but was previously passing.
Note: The gnu test tests/rm/many-dir-entries-vs-OOM is now being skipped but was previously passing.
Note: The gnu test tests/shuf/shuf-reservoir is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-stale-thread-mem is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-u-FMR is now being skipped but was previously passing.
Congrats! The gnu test tests/pr/bounded-memory is now passing!

[github-actions]

GNU testsuite comparison:

GNU test failed: tests/env/env. tests/env/env is passing on 'main'. Maybe you have to rebase?
Skip an intermittent issue tests/tty/tty-eof (fails in this run but passes in the 'main' branch)
Note: The gnu test tests/cp/copy-FMR is now being skipped but was previously passing.
Note: The gnu test tests/shuf/shuf-reservoir is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-stale-thread-mem is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-u-FMR is now being skipped but was previously passing.
Congrats! The gnu test tests/pr/bounded-memory is now passing!

[Ecordonnier]

Can you please check this CI failure?

GNU test failed: tests/env/env. tests/env/env is passing on 'main'. Maybe you have to rebase?

For reference, an AI tools suggests this fix. Maybe you have a better idea:

 #[cfg(any(target_os = "linux", target_os = "android"))]
 pub fn binary_path(args: &mut impl Iterator<Item = OsString>) -> PathBuf {
-    let _ = args.next();
     use std::os::unix::ffi::OsStrExt;
-    OsStr::from_bytes(rustix::param::linux_execfn().to_bytes()).into()
+    
+    let argv0 = args.next().unwrap_or_default();
+    let execfn = rustix::param::linux_execfn();
+    let execfn_path: PathBuf = OsStr::from_bytes(execfn.to_bytes()).into();
+    
+    // When invoked via shebang, linux_execfn() returns the script path, not the interpreter.
+    // Check if execfn points to our actual binary by comparing canonical paths.
+    // If they match (direct execution), use execfn to prevent env -a hijacking.
+    // If not (shebang case), use argv[0] which contains the interpreter path.
+    if let (Ok(current_exe), Ok(execfn_canonical)) = (
+        std::env::current_exe(),
+        std::fs::canonicalize(&execfn_path)
+    ) {
+        if execfn_canonical == current_exe {
+            return execfn_path;
+        }
+    }
+    
+    // Fallback to argv[0] for shebang execution
+    PathBuf::from(argv0)
 }
 /// Extracts the binary name from a path
 pub fn name(binary_path: &Path) -> Option<&str> {

[github-actions]

GNU testsuite comparison:

GNU test failed: tests/env/env. tests/env/env is passing on 'main'. Maybe you have to rebase?
Skip an intermittent issue tests/tty/tty-eof (fails in this run but passes in the 'main' branch)
Note: The gnu test tests/cp/copy-FMR is now being skipped but was previously passing.
Note: The gnu test tests/shuf/shuf-reservoir is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-stale-thread-mem is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-u-FMR is now being skipped but was previously passing.
Skip an intermittent issue tests/pr/bounded-memory (was skipped on 'main', now failing)

[github-actions]

GNU testsuite comparison:

GNU test failed: tests/cp/parent-perm-race. tests/cp/parent-perm-race is passing on 'main'. Maybe you have to rebase?
GNU test failed: tests/env/env. tests/env/env is passing on 'main'. Maybe you have to rebase?
Skip an intermittent issue tests/date/date-locale-hour (fails in this run but passes in the 'main' branch)
Skip an intermittent issue tests/tty/tty-eof (fails in this run but passes in the 'main' branch)
Note: The gnu test tests/cp/copy-FMR is now being skipped but was previously passing.
Note: The gnu test tests/csplit/csplit-heap is now being skipped but was previously passing.
Note: The gnu test tests/shuf/shuf-reservoir is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-stale-thread-mem is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-u-FMR is now being skipped but was previously passing.
Skip an intermittent issue tests/pr/bounded-memory (was skipped on 'main', now failing)

[github-actions]

GNU testsuite comparison:

Skip an intermittent issue tests/tty/tty-eof (fails in this run but passes in the 'main' branch)
Note: The gnu test tests/cp/copy-FMR is now being skipped but was previously passing.
Note: The gnu test tests/rm/many-dir-entries-vs-OOM is now being skipped but was previously passing.
Note: The gnu test tests/seq/seq-epipe is now being skipped but was previously passing.
Note: The gnu test tests/shuf/shuf-reservoir is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-stale-thread-mem is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-u-FMR is now being skipped but was previously passing.
Note: The gnu test tests/tail/tail-n0f is now being skipped but was previously passing.
Congrats! The gnu test tests/pr/bounded-memory is now passing!

[oech3]

I was considering calling true under the symlink chain:
invalid-name -> coreutils -> true for better symlink support.
Does it cover some usecase for shebang call?

[oech3]

Is read()ing #! faster than reading /proc/self/exe?

[oech3]

I did too many conversion for file pathes. Please drop them by review...

[github-actions]

GNU testsuite comparison:

Skip an intermittent issue tests/date/date-locale-hour (fails in this run but passes in the 'main' branch)
Note: The gnu test tests/cp/copy-FMR is now being skipped but was previously passing.
Note: The gnu test tests/shuf/shuf-reservoir is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-stale-thread-mem is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-u-FMR is now being skipped but was previously passing.
Congrats! The gnu test tests/tail/pipe-f is now passing!

[github-actions]

GNU testsuite comparison:

GNU test failed: tests/misc/io-errors. tests/misc/io-errors is passing on 'main'. Maybe you have to rebase?
Skipping an intermittent issue tests/date/date-locale-hour (passes in this run but fails in the 'main' branch)
Note: The gnu test tests/cp/copy-FMR is now being skipped but was previously passing.
Note: The gnu test tests/cut/cut-huge-range is now being skipped but was previously passing.
Note: The gnu test tests/shuf/shuf-reservoir is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-stale-thread-mem is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-u-FMR is now being skipped but was previously passing.
Note: The gnu test tests/tail/tail-n0f is now being skipped but was previously passing.
Note: The gnu test tests/env/env-signal-handler was skipped on 'main' but is now failing.