High-level abstractions over the *at family and related *nix syscalls, for building filesystem APIs that are free of race conditions, thread-safe, and safe against symlink traversal attacks.
When you build APIs that abstract over the filesystem, it is easy to run into race conditions: the classic path-based system calls, as exposed by Rust's standard filesystem library, often do not provide sufficient protection in multi-threaded or multi-process applications. In more complex applications, especially ones that run as root, you risk time-of-check to time-of-use (TOCTOU) races, in which an attacker swaps a path component (typically for a symlink) between the moment you check it and the moment you use it. Such races can culminate in privilege escalation. Until recently, the Rust standard library's own std::fs::remove_dir_all was vulnerable to exactly this kind of attack.
Unfortunately, avoiding these race conditions is not an easy task. You need to call specialized system calls directly, handle the differences between operating systems, and write unsafe code. This library aims to provide a safe, easy to use yet highly flexible API that does not hide any implementation details from you.
See the documentation.
```rust
use std::io::Write;
use sneak::Dir;

// `queue` is a channel of work items, each carrying `user_id` and `data` (not shown here)
let base_dir = Dir::open("/var/lib/myapp/")?;
while let Some(item) = queue.recv() {
    // the path is resolved relative to the already-open directory descriptor,
    // not re-walked from the root on every call
    let filepath = format!("./user_data/{}/data.txt", item.user_id);
    // open the file in a TOCTOU-safe way
    let mut file = base_dir.open_file(&filepath, libc::O_WRONLY)?;
    // write data
    file.write_all(&item.data)?;
    println!("wrote data to user {}'s folder!", item.user_id);
}
```
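To make the TOCTOU race described above concrete, here is an added example that is not part of sneak and does not use its API; it uses only the Rust standard library. It shows the classic lstat-then-open pattern next to a hardened variant that fstat()s the descriptor it actually holds and requires the (dev, ino) pair to match what lstat saw. The scratch directory under the system temp dir, the file names and contents, and the swap_for_symlink helper that plays the attacker are all constructed for the demo. This is detection after the fact, not the *at-based approach the crate takes, which avoids the check/use window by resolving paths relative to an already-open directory.

```rust
use std::fs::{self, File};
use std::io::{self, Read};
use std::os::unix::fs::{symlink, MetadataExt};
use std::path::{Path, PathBuf};

/// Identity of the directory entry we inspected with lstat(): device and
/// inode number. This is the "check" half of check-then-use.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Checked {
    pub dev: u64,
    pub ino: u64,
}

/// lstat() the path and require a regular file. A symlink is rejected here,
/// but nothing stops one from appearing a microsecond later.
pub fn check(path: &Path) -> io::Result<Checked> {
    let meta = fs::symlink_metadata(path)?;
    if !meta.is_file() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "not a regular file"));
    }
    Ok(Checked { dev: meta.dev(), ino: meta.ino() })
}

/// Vulnerable "use": trusts the earlier check and opens whatever the path
/// resolves to now. If the entry was swapped for a symlink in between,
/// this happily follows it.
pub fn open_unverified(path: &Path, _checked: &Checked) -> io::Result<File> {
    File::open(path)
}

/// Hardened "use": open, then fstat() the descriptor we actually hold and
/// require it to be the same (dev, ino) regular file the check saw. A swap to
/// a symlink makes fstat report the target's inode, so the mismatch is caught
/// and the descriptor is dropped before anything is read or written.
pub fn open_verified(path: &Path, checked: &Checked) -> io::Result<File> {
    let file = File::open(path)?;
    let now = file.metadata()?; // fstat on the open fd, not a fresh lookup of the path
    if !now.is_file() || now.dev() != checked.dev || now.ino() != checked.ino {
        return Err(io::Error::new(
            io::ErrorKind::Other,
            "entry changed between check and open (possible symlink swap)",
        ));
    }
    Ok(file)
}

/// Constructed fixture: a scratch directory holding `victim.txt` (the file the
/// program means to read) and `secret.txt` (what the attacker wants read).
pub fn make_fixture(tag: &str) -> io::Result<(PathBuf, PathBuf, PathBuf)> {
    let dir = std::env::temp_dir().join(format!("toctou_demo_{}_{}", tag, std::process::id()));
    let _ = fs::remove_dir_all(&dir);
    fs::create_dir_all(&dir)?;
    let victim = dir.join("victim.txt");
    let secret = dir.join("secret.txt");
    fs::write(&victim, b"harmless")?;
    fs::write(&secret, b"root-only contents")?;
    Ok((dir, victim, secret))
}

/// Simulates the attacker winning the race: between check() and open(),
/// the regular file is replaced by a symlink to `target`.
pub fn swap_for_symlink(path: &Path, target: &Path) -> io::Result<()> {
    fs::remove_file(path)?;
    symlink(target, path)
}

/// Runs the race once against each "use" and returns
/// (what the unverified open read, whether the verified open accepted the entry).
pub fn run_race(tag: &str) -> io::Result<(String, bool)> {
    let (dir, victim, secret) = make_fixture(tag)?;
    let checked = check(&victim)?; // check passes: victim.txt is a regular file
    swap_for_symlink(&victim, &secret)?; // attacker swaps it inside the window
    let mut leaked = String::new();
    open_unverified(&victim, &checked)?.read_to_string(&mut leaked)?;
    let verified_ok = open_verified(&victim, &checked).is_ok();
    fs::remove_dir_all(&dir)?;
    Ok((leaked, verified_ok))
}

fn main() -> io::Result<()> {
    let (leaked, verified_ok) = run_race("main")?;
    println!("unverified open read: {leaked:?}");
    println!("verified open accepted the swapped entry: {verified_ok}");
    Ok(())
}
```

The fstat comparison closes the read/write side of the race, but it is a mitigation rather than a cure: open() has already followed the attacker's symlink, so side effects of opening the target (blocking on a FIFO, touching a device node) still happen, and the code pays a second metadata syscall per open. Resolving the path relative to a held directory descriptor, as the *at calls wrapped by this crate do, removes the window instead of detecting it.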
This software is dual-licensed under the MIT license and the Apache-2.0 license.