20 lines
1.2 KiB
Plaintext
20 lines
1.2 KiB
Plaintext
To prevent TOCTOU race condition issues, best practices recommend relying on
|
|
file operations that can perform the necessary preliminary checks atomically.
|
|
For example, file opening functions usually accept a parameter to check the file
|
|
exists and return an error depending on the result. This check is atomic and is
|
|
not susceptible to race conditions.
|
|
|
|
When this is not possible, it might be possible to open a file directly, and to
|
|
keep a reference to it for later use. If the conditions are set for the
|
|
subsequent operations, the application can continue with its processing and use
|
|
the open file pointer to read or write to the file. In the opposite case, an
|
|
error might be raised that will need to be properly handled.
|
|
|
|
To finish, for most complex operations, the application can create a dedicated
|
|
working directory and set tight permissions on it. This needs to be performed
|
|
atomically to prevent further race conditions. All subsequent sensitive file
|
|
operations can then be performed in this dedicated directory.
|
|
|
|
Note that this last solution is imperfect and is still susceptible to race
|
|
condition attacks from privileged users and the application itself. It should be
|
|
used when no other countermeasure is acceptable. |