
Miro Jurisic wrote:
>> I'm still at a loss. Could you give some specific situations between "completely succeed" and "completely fail". Also, how does it affect temporary files? The only case which seems to be problematic is when 'mkdir' returns success but does not set the right permissions. Is it ever possible? My reading of the docs suggests otherwise.
> For example, my understanding is that there are filesystems (e.g. NFS) in which it is possible for mkdir to return an error even though the directory was created, for example. That fails the "completely succeeds or completely fails" definition of atomic I am applying here. However, it is possible that my knowledge is out of date on this, and it's likely this particular failure is not relevant to temp file creation.
If it fails even though the directory is created, this is no security risk... after getting the error we'll bail out.
> I strongly believe that boost::filesystem should do the right thing as far as temp files are concerned,
Agreed.
> so this question boils down to whether mkdir is the right thing or not. I have not been able to find an authoritative reference either way. However,
> <http://www.awprofessional.com/articles/article.asp?p=23947&seqNum=5>
> gives a recommended procedure for creating secure temporary files and it does not involve mkdir.
Yes, because it uses /tmp, which, as I pointed out in another email, is also as secure as it can get -- so we can use that solution on Unix. The book also says "never close and reopen the file" -- which is different from opening the file by name when you already hold an open file descriptor.
> (Another difficulty with using mkdir for temp files is that it potentially leaves you with a directory if you "forget" to delete it because of a poorly handled exception or a crash; an unlinked file has no such danger.)
Yes, that's true. So, /tmp is best. Need to figure out what to do on Windows. - Volodya
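The Unix procedure the thread settles on (create under /tmp with O_EXCL and mode 0600, keep the descriptor, unlink the name at once, never close and reopen by name), as an added C example; it is not code from the thread or from boost::filesystem, and the random-name scheme, the /dev/urandom source and the check_tmpfile helper are my own assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create an anonymous temporary file under dir and return an open descriptor,
 * or -1. The name is used exactly once, for creation; the file is unlinked
 * before returning, so all later I/O goes through the descriptor, never the name. */
int secure_tmpfile(const char *dir) {
    unsigned char r[8];
    char path[4096];
    int urnd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);   /* assumed available */
    if (urnd < 0) return -1;
    for (int attempt = 0; attempt < 100; attempt++) {
        if (read(urnd, r, sizeof r) != (ssize_t)sizeof r) break;
        snprintf(path, sizeof path, "%s/tmp-%ld-%02x%02x%02x%02x%02x%02x%02x%02x",
                 dir, (long)getpid(), r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7]);
        /* O_EXCL: fail if the name already exists (a planted file or symlink)
         * rather than opening whatever is there; O_NOFOLLOW is extra insurance.
         * Mode 0600: no one else can open it in the instant before unlink. */
        int fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
        if (fd < 0) {
            if (errno == EEXIST) continue;   /* name taken: pick another */
            break;
        }
        /* Unlink at once: a crash leaves nothing behind, and there is no later
         * "close and reopen by name" step that could be redirected. */
        if (unlink(path) != 0) { close(fd); break; }
        close(urnd);
        return fd;
    }
    close(urnd);
    return -1;
}

/* Self-check on the descriptor: returns 1 if the link count is 0 (name gone),
 * the mode is exactly 0600, and data written round-trips through the fd. */
int check_tmpfile(int fd) {
    struct stat st;
    char buf[16];
    if (fstat(fd, &st) != 0 || st.st_nlink != 0) return 0;
    if ((st.st_mode & 0777) != 0600) return 0;
    if (write(fd, "hello", 5) != 5 || lseek(fd, 0, SEEK_SET) != 0) return 0;
    if (read(fd, buf, sizeof buf) != 5) return 0;
    return memcmp(buf, "hello", 5) == 0;
}
```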