Subject: Re: funlink() for fun!
To: Bill Studenmund <wrstuden@netbsd.org>
From: None <ww@styx.org>
List: tech-kern
Date: 07/15/2003 15:09:54
On Tue, Jul 15, 2003 at 11:47:20AM -0700, Bill Studenmund wrote:
> On Mon, 14 Jul 2003, Greg A. Woods wrote:
> 
> > The underlying goal of having a system call that can unlink a file when
> > given a file descriptor open on that file is to avoid an unfortunately
> > common insecure programming technique commonly called a "Time-Of-Check,
> > Time-Of-Use (TOCTOU) race condition".  Calls to unlink() are vulnerable
> > if they are passed the fully qualified pathname of a file that was
> > created in or under an insecure (i.e. world-writable) directory, even if
> 
> Since the program should (or can) know the path the file should have, let
> it take care of remembering it. That way only the cases that need this
> bother with it.

Not really -- file descriptors inherited from parent processes:
shell redirections and such.

But the problem is not race conditions in world-writable directories
-- that is already solved. Sticky bits, etc. Don't make mode 777
directories for temporary files. I can't see why we need a new system
call either.

Are we certain the horse is dead yet?

Frankly!

-w
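An added example, not from this thread or from NetBSD, of the check the reply leans on: before putting a temporary file somewhere, confirm the directory is either not world-writable or is world-writable with the sticky bit set (so only a file's owner, the directory's owner or root can unlink its entries), and that it is owned by us or root. The check runs on an open descriptor via fstat() rather than on the pathname, so the directory inspected is the one later used. The function names and the /tmp template path are constructed for the example.

```c
/* Added example: is a directory a safe place for temporary files?
 * Safe here means: it is a directory, owned by the caller or by root,
 * and either not world-writable or world-writable with the sticky bit
 * (mode 01777), in which case unlink() of an entry is restricted to the
 * entry's owner, the directory's owner, or root. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if dir_fd refers to an acceptable directory, 0 otherwise.
 * Checking the descriptor (fstat) instead of the path avoids a check/use
 * gap between inspecting the directory and creating files in it. */
int dir_fd_is_safe_for_tmp(int dir_fd)
{
    struct stat st;
    if (fstat(dir_fd, &st) == -1 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != geteuid() && st.st_uid != 0)
        return 0;                     /* hostile owner could swap entries */
    if ((st.st_mode & S_IWOTH) && !(st.st_mode & S_ISVTX))
        return 0;                     /* mode 0777, no sticky bit: anyone may unlink */
    return 1;
}

/* Open the path as a directory without following a symlink, then check
 * the descriptor. The caller would keep using this descriptor (openat,
 * unlinkat) rather than the path. */
int dir_is_safe_for_tmp(const char *path)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd == -1)
        return 0;
    int ok = dir_fd_is_safe_for_tmp(fd);
    close(fd);
    return ok;
}

/* Demonstration: create a private directory (mkdtemp gives mode 0700),
 * then try the three modes discussed above. Returns a bitmask:
 * bit 0 = 0700 accepted, bit 1 = 0777 accepted (must stay clear),
 * bit 2 = 01777 accepted. The expected value is 5. */
int demo(void)
{
    char tmpl[] = "/tmp/funlink-demo.XXXXXX";   /* constructed sample path */
    char *dir = mkdtemp(tmpl);
    if (dir == NULL)
        return -1;
    int result = 0;
    if (dir_is_safe_for_tmp(dir)) result |= 1;  /* 0700: private, fine */
    if (chmod(dir, 0777) == 0 && dir_is_safe_for_tmp(dir)) result |= 2;   /* 0777: rejected */
    if (chmod(dir, 01777) == 0 && dir_is_safe_for_tmp(dir)) result |= 4;  /* 01777: sticky, fine */
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo();
    printf("demo bitmask: %d (expected 5)\n", r);
    return r == 5 ? 0 : 1;
}
```

The point the check illustrates is the reply's: a mode 0777 directory without the sticky bit lets any user unlink and replace entries, while a 0700 directory or a sticky 01777 one does not, so the unlink-by-path race the quoted text describes is avoided by directory permissions rather than by a new system call.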