Skip to content

Explain TOCTOU on the top of std::fs, and reference it in functions #141847

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Explain TOCTOU on the top of std::fs, and reference it in functions #141847

wants to merge 1 commit into from
+41 −15

Conversation

xizheyin
Copy link
Contributor

@xizheyin xizheyin commented Jun 1, 2025
edited by rustbot
Loading

@rustbot rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-libs Relevant to the library team, which will review and decide on the PR/issue. labels Jun 1, 2025
@rust-log-analyzer

This comment has been minimized.

Sign in to view
@workingjubilee
Copy link
Member

oh cool.

I was hoping to see this rebased on latest so that #141832 would be included and it "refactored" that documentation. I don't know what's worth changing here without seeing it be a more aggressive cleanup of, at least, the free functions inside std/src/fs.rs

@xizheyin
Copy link
Contributor Author

xizheyin commented Jun 1, 2025
edited
Loading

I have referenced this paragraph from all the functions in fs.rs(actually all files in std, including path.rs) that mention TOCTOU, but I don't know if there are any that don't explicitly mention TOCTOU. I will refactor documents in #141832 after I wake up and merge the common parts.

ChrisDenton
ChrisDenton reviewed Jun 1, 2025
View reviewed changes
@xizheyin
Explain TOCTOU on the top of std::fs, and ref it in functions
e95751a 
Signed-off-by: xizheyin <xizheyin@smail.nju.edu.cn>

Signed-off-by: xizheyin <xizheyin@smail.nju.edu.cn>
xizheyin
xizheyin commented Jun 2, 2025
View reviewed changes
library/std/src/fs.rs
Comment on lines +2950 to +2958
/// See the [module-level TOCTOU explanation](self#time-of-check-to-time-of-use-toctou).
///
/// On most platforms, `fs::remove_dir_all` protects against symlink TOCTOU races by default.
/// However, on the following platforms, this protection is not provided and the function should
/// not be used in security-sensitive contexts:
/// - **Miri**: Even when emulating targets where the underlying implementation will protect against
/// TOCTOU races, Miri will not do so.
/// - **Redox OS**: This function does not protect against TOCTOU races, as Redox does not implement
/// the required platform support to do so.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I refactored the contents in #141832. I moved the synbolic TOCTOU race example to the top of fs.rs, and only left which platforms should be taken care of.

library/std/src/fs.rs
Comment on lines +7 to +27
//!
//! # Time of Check to Time of Use (TOCTOU)
//!
//! Many filesystem operations are subject to a race condition known as "Time of Check to Time of Use"
//! (TOCTOU). This occurs when a program checks a condition (like file existence or permissions)
//! and then uses the result of that check to make a decision, but the condition may have changed
//! between the check and the use.
//!
//! For example, checking if a file exists and then creating it if it doesn't is vulnerable to
//! TOCTOU - another process could create the file between your check and creation attempt.
//!
//! Another example is with symbolic links: when removing a directory, if another process replaces
//! the directory with a symbolic link between the check and the removal operation, the removal
//! might affect the wrong location. This is why operations like [`remove_dir_all`] need to use
//! atomic operations to prevent such race conditions.
//!
//! To avoid TOCTOU issues:
//! - Be aware that metadata operations (like [`metadata`] or [`symlink_metadata`]) may be affected by
//! changes made by other processes.
//! - Use atomic operations when possible (like [`File::create_new`] instead of checking existence then creating).
//! - Keep file open for the duration of operations.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here,

  1. first explain what is TOCTOU
  2. present two examples including create and remove_dir_all, from simple to complex.
  3. give three notes to try to avoid TOCTOU.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ChrisDenton ChrisDenton

Assignees

@workingjubilee workingjubilee

Labels
S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-libs Relevant to the library team, which will review and decide on the PR/issue.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Partially consolidate "TOCTOU" explanations
5 participants
@xizheyin @rust-log-analyzer @workingjubilee @ChrisDenton @rustbot