std::fs::write is not atomic - document it explicitly or make it atomic #82590
Comments
That isn't limited to
Several crates for atomic file operations exist on crates.io. Note that the usual atomic file creation dances have a cost, they keep more data on the disk until the operation is complete, which could be an issue on constrained systems. I'm not saying this concern would be a blocker for making fs::write atomic, but it's not without downsides. Additionally the atomic file dances can occasionally leave you with stranded temporary files on the filesystem. |
|
@the8472 very good points and I agree 100%. I didn't intend to dismiss those. My idea is to make If I was confident that there's one true solution, I'd just open a PR, not an issue. :)
Could you recommend some you're experienced with? |
I think improving the documentation would be fine. There just is that niggling doubt that we can never do enough to document all possible pitfalls for all security-critical use-cases. This could basically fill a book.
I don't want to endorse anything. |
I hope it's not that bad. :D Thanks for pointers! |
|
It's that bad if we're talking about using filesystem APIs in security contexts in general. Atomically and durably overwriting a file in a potentially attacker-controlled directory is a bit smaller in scope, it would merely take up several blog articles or a chapter in the book.
And that's just about linux stuff. Other OSes bring their own complications. |
ChrisDenton
added
T-libs-api
|
I would be very opposed to making And this isn't getting into the fact that we can't really make it atomic in the face of crashes in many situations. (To be clear: in general it is that bad) |
|
On platforms that have O_TMPFILE and *at syscalls it is possible, but google tells me that macos does not have the former. |
If you use non-atomic But intuitively, I agree that documenting is better than making it atomic. |
By not being atomic,
std::fs::write()may be a footgun for people trying to create correct/secure code.As an example, nodejs has a function with same behavior that led to a security risk. In that case creation of the secret token file succeeded but writing to it failed leaving an empty token file which caused application to accept empty authentication token later.
The documentation currently kind of describes the behavior but the implications may not be obvious to people. Adding a note about the risk of empty/corrupted file being left in case of failure could help people avoid issues.
If atomic behavior is undesired due to compatibility reasons, then maybe add another
atomic_write()function and suggest it inwrite()doc. This could be done in a crate obviously but maybe the security/robustness benefits are a good reason to put it intostd.I'm willing to make a PR regardless of the conclusion.
The text was updated successfully, but these errors were encountered: