🐛 Preserve Windows broken symlink metadata

Use handle-based Windows security APIs (GetSecurityInfo/SetSecurityInfo)
with FILE_FLAG_OPEN_REPARSE_POINT to read and write metadata on symlinks
without following them. This fixes broken symlinks losing their mode,
ownership, and ACL information during archival.

Changes:
- Add FileHandle RAII wrapper and open_path with follow_symlink control
- Add SecurityDescriptor::try_from_handle and apply_by_handle
- Switch lchown and chmod to handle-based APIs for symlink correctness
- Add set_facl_nofollow for symlink-aware ACL writes
- Extract build_acl_buffer to share between set_d_acl and set_d_acl_by_handle
- Use nofollow metadata collection in core.rs for symlink entries

Author: ChanTsune

cli/src/command/core.rs

@@ -972,11 +972,15 @@ pub(crate) fn apply_metadata(
     }
     #[cfg(windows)]
     if let OwnerStrategy::Preserve { options } = &keep_options.owner_strategy {
-        use crate::utils::os::windows::{fs::stat, security::SecurityDescriptor};
+        use crate::utils::os::windows::{
+            fs::{file_information, mode_from_file_information, open_read_metadata},
+            security::SecurityDescriptor,
+        };
 
-        let sd = SecurityDescriptor::try_from(path)?;
-        let stat = stat(sd.path.as_ptr() as _)?;
-        let mode = stat.st_mode;
+        let handle = open_read_metadata(path, !meta.file_type().is_symlink())?;
+        let info = file_information(handle.raw())?;
+        let sd = SecurityDescriptor::try_from_handle(handle.raw(), path)?;
+        let mode = mode_from_file_information(path, &info, meta.file_type().is_symlink());
         let user = sd.owner_sid()?;
         let group = sd.group_sid()?;
         // Get owner info: use overrides from OwnerStrategy
@@ -1007,7 +1011,15 @@ pub(crate) fn apply_metadata(
         if let AclStrategy::Always = keep_options.acl_strategy {
             use crate::chunk;
             use pna::RawChunk;
-            match utils::acl::get_facl(path) {
+            #[cfg(windows)]
+            let acl_result = if meta.file_type().is_symlink() {
+                utils::os::windows::acl::get_facl_nofollow(path)
+            } else {
+                utils::acl::get_facl(path)
+            };
+            #[cfg(not(windows))]
+            let acl_result = utils::acl::get_facl(path);
+            match acl_result {
                 Ok(acl) => {
                     entry
                         .add_extra_chunk(RawChunk::from_data(chunk::faCl, acl.platform.to_bytes()));

cli/src/utils/os/windows/acl.rs

@@ -1,9 +1,13 @@
 use crate::{
     chunk::{self, AcePlatform, Identifier, OwnerType},
-    utils::os::windows::security::{SecurityDescriptor, Sid, SidType},
+    utils::os::windows::{
+        fs::{open_read_metadata, open_write_dacl},
+        security::{SecurityDescriptor, Sid, SidType},
+    },
 };
 use field_offset::offset_of;
 use std::{io, mem, path::Path, ptr::null_mut};
+use windows::Win32::Foundation::HANDLE;
 use windows::Win32::Security::{
     ACCESS_ALLOWED_ACE, ACCESS_DENIED_ACE, ACE_FLAGS, ACE_HEADER, ACL as Win32ACL, ACL_REVISION_DS,
     AddAccessAllowedAceEx, AddAccessDeniedAceEx, CONTAINER_INHERIT_ACE, GetAce, INHERIT_ONLY_ACE,
@@ -38,6 +42,29 @@ pub fn get_facl<P: AsRef<Path>>(path: P) -> io::Result<chunk::Acl> {
     })
 }
 
+pub fn set_facl_nofollow<P: AsRef<Path>>(path: P, ace_list: chunk::Acl) -> io::Result<()> {
+    let path = path.as_ref();
+    let handle = open_write_dacl(path, false)?;
+    let acl = ACL::try_from_handle(handle.raw(), path)?;
+    let group_sid = acl.security_descriptor.group_sid()?;
+    let owner_sid = acl.security_descriptor.owner_sid()?;
+    let acl_entries = ace_list
+        .entries
+        .into_iter()
+        .map(|it| it.into_acl_entry_with(&owner_sid, &group_sid))
+        .collect::<Vec<_>>();
+    acl.set_d_acl_by_handle(handle.raw(), &acl_entries)
+}
+
+pub fn get_facl_nofollow<P: AsRef<Path>>(path: P) -> io::Result<chunk::Acl> {
+    let acl = ACL::try_from_nofollow(path.as_ref())?;
+    let ace_list = acl.get_d_acl()?;
+    Ok(chunk::Acl {
+        platform: AcePlatform::Windows,
+        entries: ace_list.into_iter().map(Into::into).collect(),
+    })
+}
+
 #[allow(non_camel_case_types)]
 type PACE_HEADER = *mut ACE_HEADER;
 
@@ -52,9 +79,25 @@ impl ACL {
         })
     }
 
+    pub fn try_from_nofollow(path: &Path) -> io::Result<Self> {
+        let handle = open_read_metadata(path, false)?;
+        Ok(Self {
+            security_descriptor: SecurityDescriptor::try_from_handle(handle.raw(), path)?,
+        })
+    }
+
+    pub fn try_from_handle(handle: HANDLE, path: &Path) -> io::Result<Self> {
+        Ok(Self {
+            security_descriptor: SecurityDescriptor::try_from_handle(handle, path)?,
+        })
+    }
+
     pub fn get_d_acl(&self) -> io::Result<Vec<ACLEntry>> {
         let mut result = Vec::new();
         let p_acl = self.security_descriptor.p_dacl;
+        if p_acl.is_null() {
+            return Ok(result);
+        }
         let count = unsafe { *p_acl }.AceCount as u32;
         for i in 0..count {
             let mut header: PACE_HEADER = null_mut();
@@ -106,37 +149,47 @@ impl ACL {
     }
 
     pub fn set_d_acl(&self, acl_entries: &[ACLEntry]) -> io::Result<()> {
-        let acl_size = acl_entries.iter().map(|it| it.size as usize).sum::<usize>()
-            + mem::size_of::<Win32ACL>();
-        let mut new_acl_buffer = Vec::<u8>::with_capacity(acl_size);
-        let new_acl = new_acl_buffer.as_mut_ptr();
-        unsafe { InitializeAcl(new_acl as _, acl_size as u32, ACL_REVISION_DS) }?;
-        for ace in acl_entries {
-            match ace.ace_type {
-                AceType::AccessAllow => unsafe {
-                    AddAccessAllowedAceEx(
-                        new_acl as _,
-                        ACL_REVISION_DS,
-                        ACE_FLAGS(ace.flags as u32),
-                        ace.mask,
-                        ace.sid.as_psid(),
-                    )
-                },
-                AceType::AccessDeny => unsafe {
-                    AddAccessDeniedAceEx(
-                        new_acl as _,
-                        ACL_REVISION_DS,
-                        ACE_FLAGS(ace.flags as u32),
-                        ace.mask,
-                        ace.sid.as_psid(),
-                    )
-                },
-                AceType::Unknown(n) => return Err(io::Error::other(format!("{}", n))),
-            }?;
-        }
+        let buffer = build_acl_buffer(acl_entries)?;
         self.security_descriptor
-            .apply(None, None, Some(new_acl as _))
+            .apply(None, None, Some(buffer.as_ptr() as _))
+    }
+
+    pub fn set_d_acl_by_handle(&self, handle: HANDLE, acl_entries: &[ACLEntry]) -> io::Result<()> {
+        let buffer = build_acl_buffer(acl_entries)?;
+        SecurityDescriptor::apply_by_handle(handle, None, None, Some(buffer.as_ptr() as _))
+    }
+}
+
+fn build_acl_buffer(acl_entries: &[ACLEntry]) -> io::Result<Vec<u8>> {
+    let acl_size =
+        acl_entries.iter().map(|it| it.size as usize).sum::<usize>() + mem::size_of::<Win32ACL>();
+    let mut buffer = Vec::<u8>::with_capacity(acl_size);
+    let ptr = buffer.as_mut_ptr();
+    unsafe { InitializeAcl(ptr as _, acl_size as u32, ACL_REVISION_DS) }?;
+    for ace in acl_entries {
+        match ace.ace_type {
+            AceType::AccessAllow => unsafe {
+                AddAccessAllowedAceEx(
+                    ptr as _,
+                    ACL_REVISION_DS,
+                    ACE_FLAGS(ace.flags as u32),
+                    ace.mask,
+                    ace.sid.as_psid(),
+                )
+            },
+            AceType::AccessDeny => unsafe {
+                AddAccessDeniedAceEx(
+                    ptr as _,
+                    ACL_REVISION_DS,
+                    ACE_FLAGS(ace.flags as u32),
+                    ace.mask,
+                    ace.sid.as_psid(),
+                )
+            },
+            AceType::Unknown(n) => return Err(io::Error::other(format!("{}", n))),
+        }?;
     }
+    Ok(buffer)
 }
 
 #[derive(Clone, Copy, Debug, PartialEq)]

cli/src/utils/os/windows/fs.rs

@@ -3,12 +3,41 @@ pub(crate) mod owner;
 use super::security::{SecurityDescriptor, Sid};
 use crate::utils::str::encode_wide;
 use std::io;
+use std::mem::size_of;
 use std::path::Path;
+use windows::Win32::Foundation::{CloseHandle, HANDLE};
 use windows::Win32::Storage::FileSystem::{
-    MOVEFILE_COPY_ALLOWED, MOVEFILE_REPLACE_EXISTING, MoveFileExW,
+    BY_HANDLE_FILE_INFORMATION, CreateFileW, FILE_ATTRIBUTE_DIRECTORY, FILE_ATTRIBUTE_READONLY,
+    FILE_BASIC_INFO, FILE_FLAG_BACKUP_SEMANTICS, FILE_FLAG_OPEN_REPARSE_POINT,
+    FILE_READ_ATTRIBUTES, FILE_SHARE_DELETE, FILE_SHARE_READ, FILE_SHARE_WRITE,
+    FILE_WRITE_ATTRIBUTES, FileBasicInfo, GetFileInformationByHandle, GetFileInformationByHandleEx,
+    MOVEFILE_COPY_ALLOWED, MOVEFILE_REPLACE_EXISTING, MoveFileExW, OPEN_EXISTING, READ_CONTROL,
+    SetFileInformationByHandle, WRITE_DAC, WRITE_OWNER,
 };
 use windows::core::PCWSTR;
 
+const MODE_SYMLINK: u16 = 0o120000;
+const MODE_DIR: u16 = 0o040000;
+const MODE_FILE: u16 = 0o100000;
+const MODE_READ_BITS: u16 = 0o444;
+const MODE_WRITE_BITS: u16 = 0o222;
+const MODE_EXEC_BITS: u16 = 0o111;
+
+pub(crate) struct FileHandle(HANDLE);
+
+impl FileHandle {
+    #[inline]
+    pub(crate) const fn raw(&self) -> HANDLE {
+        self.0
+    }
+}
+
+impl Drop for FileHandle {
+    fn drop(&mut self) {
+        let _ = unsafe { CloseHandle(self.0) };
+    }
+}
+
 #[inline]
 pub(crate) fn move_file(src: &std::ffi::OsStr, dist: &std::ffi::OsStr) -> io::Result<()> {
     unsafe {
@@ -21,14 +50,88 @@ pub(crate) fn move_file(src: &std::ffi::OsStr, dist: &std::ffi::OsStr) -> io::Re
     .map_err(Into::into)
 }
 
+#[inline]
+fn open_path(path: &Path, desired_access: u32, follow_symlink: bool) -> io::Result<FileHandle> {
+    let path = encode_wide(path.as_os_str())?;
+    let mut flags = FILE_FLAG_BACKUP_SEMANTICS;
+    if !follow_symlink {
+        flags |= FILE_FLAG_OPEN_REPARSE_POINT;
+    }
+    let handle = unsafe {
+        CreateFileW(
+            PCWSTR::from_raw(path.as_ptr()),
+            desired_access,
+            FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+            None,
+            OPEN_EXISTING,
+            flags,
+            None,
+        )
+    }?;
+    Ok(FileHandle(handle))
+}
+
+#[inline]
+pub(crate) fn open_read_metadata(path: &Path, follow_symlink: bool) -> io::Result<FileHandle> {
+    open_path(
+        path,
+        (READ_CONTROL | FILE_READ_ATTRIBUTES).0,
+        follow_symlink,
+    )
+}
+
+#[inline]
+pub(crate) fn open_write_dacl(path: &Path, follow_symlink: bool) -> io::Result<FileHandle> {
+    open_path(path, (READ_CONTROL | WRITE_DAC).0, follow_symlink)
+}
+
+#[inline]
+pub(crate) fn file_information(handle: HANDLE) -> io::Result<BY_HANDLE_FILE_INFORMATION> {
+    let mut info = BY_HANDLE_FILE_INFORMATION::default();
+    unsafe { GetFileInformationByHandle(handle, &mut info) }?;
+    Ok(info)
+}
+
+#[inline]
+pub(crate) fn mode_from_file_information(
+    path: &Path,
+    info: &BY_HANDLE_FILE_INFORMATION,
+    is_symlink: bool,
+) -> u16 {
+    let mut mode = MODE_READ_BITS;
+    if info.dwFileAttributes & FILE_ATTRIBUTE_READONLY.0 == 0 {
+        mode |= MODE_WRITE_BITS;
+    }
+    if is_symlink {
+        mode |= MODE_SYMLINK;
+        return mode;
+    }
+    if info.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY.0 != 0 {
+        mode |= MODE_DIR | MODE_EXEC_BITS;
+        return mode;
+    }
+
+    mode |= MODE_FILE;
+    if path
+        .extension()
+        .and_then(|it| it.to_str())
+        .map(str::to_ascii_lowercase)
+        .is_some_and(|ext| matches!(ext.as_str(), "bat" | "cmd" | "exe"))
+    {
+        mode |= MODE_EXEC_BITS;
+    }
+    mode
+}
+
 #[inline]
 pub(crate) fn lchown<U: Into<Sid>, G: Into<Sid>>(
     path: &Path,
     owner: Option<U>,
     group: Option<G>,
 ) -> io::Result<()> {
-    let sd = SecurityDescriptor::try_from(path)?;
-    sd.apply(
+    let handle = open_path(path, (READ_CONTROL | WRITE_OWNER).0, false)?;
+    SecurityDescriptor::apply_by_handle(
+        handle.raw(),
         owner.and_then(|it| it.into().to_psid().ok()),
         group.and_then(|it| it.into().to_psid().ok()),
         None,
@@ -37,6 +140,37 @@ pub(crate) fn lchown<U: Into<Sid>, G: Into<Sid>>(
 
 #[inline]
 pub(crate) fn chmod(path: &Path, mode: u16) -> io::Result<()> {
+    if std::fs::symlink_metadata(path)?.file_type().is_symlink() {
+        let handle = open_path(
+            path,
+            (FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES).0,
+            false,
+        )?;
+        let mut info = FILE_BASIC_INFO::default();
+        unsafe {
+            GetFileInformationByHandleEx(
+                handle.raw(),
+                FileBasicInfo,
+                &mut info as *mut _ as _,
+                size_of::<FILE_BASIC_INFO>() as u32,
+            )?;
+        }
+        if mode & MODE_WRITE_BITS == 0 {
+            info.FileAttributes |= FILE_ATTRIBUTE_READONLY.0;
+        } else {
+            info.FileAttributes &= !FILE_ATTRIBUTE_READONLY.0;
+        }
+        unsafe {
+            SetFileInformationByHandle(
+                handle.raw(),
+                FileBasicInfo,
+                &info as *const _ as _,
+                size_of::<FILE_BASIC_INFO>() as u32,
+            )?;
+        }
+        return Ok(());
+    }
+
     let s = encode_wide(path.as_os_str())?;
     let code = unsafe { libc::wchmod(s.as_ptr() as _, mode as _) };
     if code == 0 {
@@ -46,16 +180,6 @@ pub(crate) fn chmod(path: &Path, mode: u16) -> io::Result<()> {
     }
 }
 
-pub(crate) fn stat(path: *const libc::wchar_t) -> io::Result<libc::stat> {
-    let mut stat = unsafe { std::mem::zeroed::<libc::stat>() };
-    let code = unsafe { libc::wstat(path, &mut stat) };
-    if code == 0 {
-        Ok(stat)
-    } else {
-        Err(io::Error::last_os_error())
-    }
-}
-
 #[cfg(test)]
 mod tests {
     use super::*;