From: Vladimir Prus (ghost_at_[hidden])
Date: 2004-07-21 02:56:58
Miro Jurisic wrote:
>> I'm still at a loss. Could you give some specific situations between
>> "completely succeed" and "completely fail". Also, how does it affect
>> temporary files? The only case which seems to be problematic is when
>> 'mkdir' returns success but does not set the right permissions. Is it
>> ever possible? My reading of the docs suggests otherwise.
> For example, my understanding is that there are filesystems (e.g. NFS) in
> which it is possible for mkdir to return an error even though the
> directory was created, for example. That fails the "completely succeeds or
> completely fails" definition of atomic I am applying here. However, it is
> possible that my knowledge is out of date on this, and it's likely this
> particular failure is not relevant to temp file creation.
If it fails even though the directory is created, this is no security risk...
after getting the error we'll bail out.
> I strongly believe that boost::filesystem should do the right thing as far
> as temp files are concerned,
> so this question boils down to whether mkdir
> is the right thing or not. I have not been able to find an authoritative
> reference either way. However,
> gives a recommended procedure for creating secure temporary files and it
> does not involve mkdir.
Yes, because it uses /tmp, which, as I pointed out in another email, is also as
secure as it can get -- so we can use that solution on Unix. The book also
says "never close and reopen the file" -- which is different from opening
the file by name when you already hold an open file descriptor.
> (Another difficulty with using mkdir for temp files is that it potentially
> leaves you with a directory if you "forget" to delete it because of a
> poorly handled exception or a crash; an unlinked file has no such danger.)
Yes, that's true. So, /tmp is best. Need to figure out what to do on
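The /tmp procedure the thread converges on, as an added example that is not code from the thread or from Boost.Filesystem: create the file exclusively in /tmp (or $TMPDIR), keep the descriptor, and check the descriptor rather than the name; function names are assumptions for illustration.

```c
/* Added example (not from the Boost thread): the temp-file procedure discussed
 * above on POSIX: create in /tmp (or $TMPDIR) with O_CREAT|O_EXCL via mkstemp(),
 * keep the descriptor, and never close and reopen by name. Names are assumed. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a private temporary file; writes its path into path_buf and returns
 * the open descriptor, or -1 with errno set. */
int secure_tempfile(char *path_buf, size_t buflen)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    if (snprintf(path_buf, buflen, "%s/boost-XXXXXX", dir) >= (int)buflen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* mkstemp() opens with O_CREAT|O_EXCL and mode 0600: anything already at
     * the chosen name makes the call fail instead of being followed. */
    int fd = mkstemp(path_buf);
    if (fd < 0)
        return -1;
    /* Older libcs applied the umask in mkstemp(); pin the mode on the fd. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        int saved = errno;
        close(fd);
        unlink(path_buf);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Validate the descriptor we hold rather than the name: regular file, single
 * link, owner-only mode, owned by the caller. Returns 1 if all hold, else 0. */
int tempfile_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1
        && (st.st_mode & 0777) == (S_IRUSR | S_IWUSR)
        && st.st_uid == geteuid();
}
```

Unlinking the path right after creation, as the thread notes, leaves nothing behind after a crash while the descriptor stays usable.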