mv Incorrectly Expands Symlinks During Cross-Device Move #10009
Closed
Description
Component
mv
Description
uutils expands symlinks inside directories when doing cross-device moves, copying the target contents instead of preserving the symlink.
Test / Reproduction Steps
On filesystem A (e.g. /tmp):
$ mkdir -p /tmp/src
$ echo local > /tmp/src/local.txt
$ ln -s /etc /tmp/src/etc_link
On filesystem B (e.g. /home):
$ mv /tmp/src /home/dst
- GNU: /home/dst/src/etc_link is still a symlink pointing to /etc.
- uutils: /home/dst/src/etc_link becomes a real directory containing a full copy of /etc.
Impact
- Cross-device moves can silently explode a small tree into a huge one (DoS by space/time), duplicate sensitive paths (like /etc, /home, log dirs) into new locations, and break expected isolation semantics where symlinks were used as lightweight references instead of real copies.
- In addition, if the source directory contains symlink loops (e.g. sub/loop -> ..), uutils will recursively follow these symlinks during cross-device moves. This can cause extremely deep recursion, repeated copying of the same subtree, and in practice a severe resource exhaustion / denial-of-service scenario, while GNU mv (via cp with DEREF_NEVER) keeps such symlinks as symlinks and does not recurse into them.
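The no-dereference behaviour the report expects from a cross-device fallback, as an added example (not code from uutils or GNU coreutils): every entry is inspected with `lstat` semantics, so `etc_link` and a `sub/loop -> ..` link are recreated as links and never descended into. The names `copy_tree_no_deref` and `demo` are hypothetical, the tree is constructed under the system temp directory, and only regular files, directories and symlinks are handled.

```rust
use std::os::unix::fs::symlink;
use std::{fs, io, path::Path};

/// Copy `src` to `dst` without ever dereferencing a symlink.
pub fn copy_tree_no_deref(src: &Path, dst: &Path) -> io::Result<()> {
    // symlink_metadata is lstat(): it describes the link itself, not its target.
    let ft = fs::symlink_metadata(src)?.file_type();
    if ft.is_symlink() {
        // Recreate the link with the same target text; never descend into it.
        symlink(fs::read_link(src)?, dst)
    } else if ft.is_dir() {
        fs::create_dir(dst)?;
        for entry in fs::read_dir(src)? {
            let entry = entry?;
            copy_tree_no_deref(&entry.path(), &dst.join(entry.file_name()))?;
        }
        Ok(())
    } else if ft.is_file() {
        fs::copy(src, dst).map(|_| ())
    } else {
        // FIFOs, sockets and device nodes are out of scope for this example.
        Err(io::Error::new(io::ErrorKind::Other, "unsupported file type"))
    }
}

/// Builds the tree from the report plus the sub/loop -> .. case (constructed
/// sample data), copies it, and returns
/// (etc_link is still a link to /etc, loop is still a link, local.txt intact).
pub fn demo() -> io::Result<(bool, bool, bool)> {
    let base = std::env::temp_dir().join(format!("noderef_demo_{}", std::process::id()));
    let _ = fs::remove_dir_all(&base);
    let src = base.join("src");
    fs::create_dir_all(src.join("sub"))?;
    fs::write(src.join("local.txt"), "local\n")?;
    symlink("/etc", src.join("etc_link"))?;
    symlink("..", src.join("sub").join("loop"))?;
    let dst = base.join("dst");
    copy_tree_no_deref(&src, &dst)?;
    let etc_ok = fs::symlink_metadata(dst.join("etc_link"))?.file_type().is_symlink()
        && fs::read_link(dst.join("etc_link"))? == Path::new("/etc");
    let loop_ok = fs::read_link(dst.join("sub/loop"))? == Path::new("..");
    let file_ok = fs::read_to_string(dst.join("local.txt"))? == "local\n";
    fs::remove_dir_all(&base)?;
    Ok((etc_ok, loop_ok, file_ok))
}

fn main() { println!("{:?}", demo()); }
```

The same three checks can be pointed at the destination of a real cross-device `mv` to confirm that a given build preserves links.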