On Tuesday, January 2 at 06:23 PM, quoth Thomas Roessler:
> So, we're now caught in a catch-22: We can create our files super-securely, and in the course of doing so stop creating files on file systems that don't support hard links, or we can start taking the risk that the creation of files in shared directories is subject to race conditions at least in some use cases. (Note that we use safe_fopen even for files in locations that are derived from user input.) Input welcome.
It seems to me that the problem is one of policy rather than implementation: if we have a policy of "fall back" then the idea of "securely creating files" is bogus, and if we don't have such a fall-back policy, then we simply cannot create files on filesystems that have no way of creating files securely.
And, for matters of policy, it seems a config variable is in order. The default should, of course, be to create files securely, but it should be possible to turn off this behavior (set $secure_file_creation=no), for people who neither care nor are able to use a filesystem on which files can be created securely.
Might that solve the problem acceptably?

~Kyle

--
Three things in human life are important. The first is to be kind. The second is to be kind. And the third is to be kind.
-- Henry James
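The policy Kyle sketches, shown as an added example that is not mutt's safe_fopen() and not code from either poster: a secure path that creates a temp file with O_EXCL and link()s it to the final name (atomic, fails with EEXIST on a pre-planted symlink or file, and refuses to proceed on a filesystem without hard links), plus an opt-out that falls back to a plain O_CREAT|O_EXCL open. The function name policy_open(), the demo() self-check and the secure_file_creation variable standing in for a $secure_file_creation option are all assumptions made for this illustration.

```c
/* Added example, not mutt's own code. Names are assumptions: policy_open()
 * stands in for safe_fopen(), secure_file_creation for the proposed
 * $secure_file_creation option. POSIX only. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical config switch; the secure behaviour is the default. */
static int secure_file_creation = 1;

/* Create `path` exclusively and return an fd, or -1 with errno set.
 * Secure method: make a unique temp file in the same directory, then
 * link() it to `path`. link() is atomic and fails with EEXIST if `path`
 * already exists, including as a symlink planted in a shared directory,
 * so there is no check-then-create window. If the filesystem has no hard
 * links, link() fails for another reason and the policy decides whether
 * to refuse or to fall back to a plain open(O_CREAT|O_EXCL). */
int policy_open(const char *path, mode_t mode)
{
    char tmpl[PATH_MAX];
    const char *slash = strrchr(path, '/');
    int dirlen = slash ? (int)(slash - path) : 0;
    int n = snprintf(tmpl, sizeof tmpl, "%.*s%s.linkXXXXXX",
                     dirlen, path, slash ? "/" : "");
    if (n < 0 || (size_t)n >= sizeof tmpl) { errno = ENAMETOOLONG; return -1; }

    int fd = mkstemp(tmpl);             /* O_CREAT|O_EXCL, mode 0600 */
    if (fd < 0) return -1;
    if (fchmod(fd, mode) < 0) goto fail;

    if (link(tmpl, path) == 0) {
        struct stat fs, ls;
        /* Confirm the name really refers to our inode before trusting it. */
        if (fstat(fd, &fs) < 0 || lstat(path, &ls) < 0 ||
            fs.st_dev != ls.st_dev || fs.st_ino != ls.st_ino) {
            errno = EEXIST;
            goto fail;
        }
        unlink(tmpl);
        return fd;
    }
    int err = errno;
    close(fd);
    unlink(tmpl);
    if (err == EEXIST) { errno = EEXIST; return -1; }     /* target exists */
    if (secure_file_creation) { errno = err; return -1; }  /* no hard links: refuse */
    /* Fallback policy: plain exclusive create. This is the race the
     * thread talks about accepting, e.g. on servers that ignore O_EXCL. */
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, mode);

fail: {
        int e = errno;
        close(fd);
        unlink(tmpl);
        errno = e;
        return -1;
    }
}

/* Self-check on constructed paths in a scratch directory.
 * Returns the number of expectations met; 3 means all hold. */
int demo(void)
{
    char dir[PATH_MAX] = "/tmp/policy_open.XXXXXX";
    if (!mkdtemp(dir)) {
        strcpy(dir, "policy_open.XXXXXX");
        if (!mkdtemp(dir)) return -1;
    }
    char target[PATH_MAX], trap[PATH_MAX];
    snprintf(target, sizeof target, "%s/mailbox", dir);
    snprintf(trap, sizeof trap, "%s/trap", dir);
    int ok = 0;

    int fd = policy_open(target, 0600);
    if (fd >= 0) { ok++; close(fd); }                            /* 1: fresh create */
    if (policy_open(target, 0600) < 0 && errno == EEXIST) ok++; /* 2: no clobber */

    /* An attacker pre-plants a dangling symlink; a naive open(O_CREAT)
     * would follow it and create the victim file. link() refuses. */
    if (symlink("/nonexistent/victim", trap) == 0 &&
        policy_open(trap, 0600) < 0 && errno == EEXIST) ok++;   /* 3: refused */

    unlink(target); unlink(trap); rmdir(dir);
    return ok;
}

int main(void)
{
    int got = demo();
    printf("%d of 3 checks passed\n", got);
    return got == 3 ? 0 : 1;
}
```

With secure_file_creation left at 1, a filesystem that cannot make hard links simply yields an error from policy_open(), which is the "no fall-back" policy; setting it to 0 gives the behaviour a user who accepts the race would opt into.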