
In article <20040720091531.GA34513@compsoc.man.ac.uk>, Jonathan Wakely <cow@compsoc.man.ac.uk> wrote:
> If you can ensure the files are created in a directory that is not group- or world-writeable, or in a directory that has the sticky bit set, then isn't it (relatively) safe to use:
There is no way to atomically create a directory. The only atomic filesystem modification is file creation; this property of filesystems on UNIX/POSIX is widely known and has numerous consequences, including the use of lock files to implement persistent advisory locking, and many convolutions involving secure temporary files.

The only secure way to use temporary files is to have a function which securely and atomically creates and opens one and returns you the file descriptor, and to use that file descriptor (and not the path/name to the new temporary file) to access the file thereafter. This causes problems because there is no standard way to convert a file descriptor to an iostream (although most vendors have vendor extensions that allow you to do so). This alone should probably be abstracted away in boost, as it's a common request, but even if it isn't, it has to be used for secure temporary files. There is no way around it.

meeroh

(Yes, I know that it's possible that some filesystems have atomic directory creation. POSIX API semantics don't guarantee it because not all filesystems have that, so it's moot.)

-- 
If this message helped you, consider buying an item from my wish list: <http://web.meeroh.org/wishlist>
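An added example in C against the POSIX API (not code from the thread or from Boost) of the pattern meeroh describes: mkstemp() creates and opens the file atomically, the returned descriptor is the only handle used afterwards, and the directory check Jonathan mentions is applied first. Function names, the template prefix and the use of /tmp are assumptions.

```c
/* Added example, not from the original thread: secure temporary file via
 * mkstemp(), accessed only through its descriptor. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Directory check from the quoted message: refuse a directory that is
 * group- or world-writable unless it has the sticky bit. 1 = acceptable. */
int dir_is_safe(const char *dir) {
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    if ((st.st_mode & (S_IWGRP | S_IWOTH)) == 0) return 1;
    return (st.st_mode & S_ISVTX) != 0;
}

/* Create and open a fresh temporary file in dir; returns the fd or -1.
 * The name is unlinked at once, so every later access goes through the fd. */
int open_secure_tmp(const char *dir) {
    char path[4096];
    struct stat st;
    if (!dir_is_safe(dir)) return -1;
    if (snprintf(path, sizeof path, "%s/example.XXXXXX", dir) >= (int)sizeof path)
        return -1;
    int fd = mkstemp(path);            /* atomic O_CREAT|O_EXCL, mode 0600 */
    if (fd < 0) return -1;
    unlink(path);                      /* the path is never used again */
    /* Verify what we hold through the descriptor, not through the path. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        return -1;
    }
    fcntl(fd, F_SETFD, FD_CLOEXEC);    /* do not leak the fd to children */
    return fd;
}

/* Round-trip msg through the descriptor only; returns 1 on success. */
int tmp_roundtrip(const char *dir, const char *msg) {
    int fd = open_secure_tmp(dir);
    if (fd < 0) return 0;
    size_t n = strlen(msg);
    char buf[256];
    int ok = n < sizeof buf && write(fd, msg, n) == (ssize_t)n &&
             lseek(fd, 0, SEEK_SET) == 0 &&
             read(fd, buf, sizeof buf) == (ssize_t)n && memcmp(buf, msg, n) == 0;
    close(fd);
    return ok;
}
```

With the descriptor in hand, fdopen() (C) or a vendor extension (C++ iostreams) is the only remaining step; reopening by name would reintroduce the race the message warns about.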