Description
Hiyo, I was digging around for popular crates and seeing if they had any specific macOS version dependencies. time is big enough I figured it was worth a look. What I found is in 9d3cbef, where some OSes got added to an allow-list that lets them skip the soundness and/or thread safety checks other UNIXy things need.
macOS is currently in the list:
time/time/src/sys/local_offset_at/unix.rs
Line 20 in a98fe2d
But, Apple's libc hasn't supported env thread safety forever and pretty much is guaranteed not to in all versions of macOS Rust supports today (officially back to 10.7 even if its harder to actually do). The API they're using internally is os_unfair_lock, which at least in the public API came into existence in macOS 10.12. Though even with that, the headers say the locking functions used in getenv and setenv were added in 12.3, which is very recent in the scale of things and far past what people are shipping apps with compatibility for.
With all that, I think macOS should just be removed from the list unless time wants to dynamically check the OS version at runtime (which Rust is yet to provide a built-in for). However...
With all of the "maybe it would be fine if..." done, the general pattern that all three of these UNIX OSes have employed appears fraught anyway. All of them lock, get the value pointer, unlock, and then return it to the user. I think that macOS and the BSDs will just leak the old string if you setenv with a new larger value, but if its the same length then it updates the existing slot in place and changes the contents of that pointer returned to userspace. So, a data race, even if it isn't an actual problem in practice. I'll leave it up to you to determine how bad that actually is.
In short, the current macOS exemption is unsound due to older versions without it existing and dubious on newer macOS + other currently exempted UNIXes.