From: Miro Jurisic (macdev_at_[hidden])
Date: 2004-07-20 04:45:35
In article <20040720091531.GA34513_at_[hidden]>,
 Jonathan Wakely <cow_at_[hidden]> wrote:
> If you can ensure the files are created in a directory that is not group-
> or world-writeable, or in a directory that has the sticky bit set, then
> isn't it (relatively) safe to use:
There is no way to atomically create a directory. The only atomic filesystem
modification is file creation; this property of filesystems on UNIX/POSIX is
widely known and has numerous consequences, including the use of lock files to
implement persistent advisory locking, and many convolutions involving secure
temporary files.

The only secure way to use temporary files is to have a function which securely
and atomically creates and opens one and returns you the file descriptor, and to
use that file descriptor (and not the path/name to the new temporary file) to
access the file thereafter.

This causes problems because there is no standard way to convert a file
descriptor to an iostream (although most vendors have vendor extensions that
allow you to do so). This alone should probably be abstracted away in boost, as
it's a common request, but even if it isn't, it has to be used for secure
temporary files. There is no way around it.
meeroh
(Yes, I know that it's possible that some filesystems have atomic directory 
creation. POSIX API semantics don't guarantee it because not all filesystems 
have that, so it's moot.)
-- If this message helped you, consider buying an item from my wish list: <http://web.meeroh.org/wishlist>
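The pattern described in the post above, as an added example that is not part of the original mailing-list message or of Boost: the temporary file is created and opened atomically by mkstemp() (O_CREAT|O_EXCL under the hood, so a pre-existing file or symlink at the chosen name makes the call fail instead of being followed), and every later access goes through the returned descriptor rather than the path. fdopen() stands in for the "descriptor to stream" conversion the post says the C++ standard library lacks. The function names, the /tmp template and the fstat() sanity check are this example's own assumptions; it assumes a POSIX system.

```c
/* Added example, not code from the original post or from Boost.
 * Assumes a POSIX system providing mkstemp(), fdopen(), fstat(), geteuid(). */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Atomically creates and opens a temporary file. 'tmpl' is a writable buffer
 * ending in "XXXXXX"; mkstemp() fills the X's in place and returns a descriptor
 * opened with O_RDWR|O_CREAT|O_EXCL, so nobody can have planted a file or
 * symlink at that name between "pick a name" and "open it". Returns the fd,
 * or -1 on failure. */
int create_secure_tempfile(char *tmpl)
{
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;

    /* Defensive check on the object we actually opened, queried through the
     * descriptor (not by stat()ing the path, which could name something else
     * by now): a regular file, owned by us, with no group/other permission bits. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)
        || st.st_uid != geteuid()
        || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    return fd;
}

/* Writes 'data' through the descriptor and reads it back through the same
 * descriptor, never reopening the file by name. Takes ownership of 'fd'
 * (the FILE* close also closes it). Returns 1 if the round trip matched. */
int roundtrip_via_fd(int fd, const char *data)
{
    FILE *fp = fdopen(fd, "w+");   /* wrap the fd; no second open(2) by path */
    if (!fp) {
        close(fd);
        return 0;
    }
    size_t n = strlen(data);
    if (fwrite(data, 1, n, fp) != n || fflush(fp) != 0) {
        fclose(fp);
        return 0;
    }
    rewind(fp);
    char buf[256] = {0};
    size_t got = fread(buf, 1, sizeof buf - 1, fp);
    fclose(fp);
    return got == n && memcmp(buf, data, n) == 0;
}

/* Whole procedure: create, use via the fd, then remove. Returns 1 on success. */
int demo(void)
{
    char path[] = "/tmp/tmpfile-example-XXXXXX";   /* constructed template (assumption) */
    int fd = create_secure_tempfile(path);
    if (fd < 0)
        return 0;
    int ok = roundtrip_via_fd(fd, "hello, temporary file");
    /* Removing by name is harmless here: the name was never used for data
     * access, only the descriptor was. */
    unlink(path);
    return ok;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The check after mkstemp() is belt-and-braces: mkstemp() already guarantees exclusive creation, so the fstat() mostly guards against a broken or unusual libc/filesystem, and it is deliberately done on the descriptor so that it describes the very object the rest of the program will write to.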