Revision by Thumperward (talk | contribs), edit summary: tidy a bit (→Preventing TOCTTOU: EAFP)
== Preventing TOCTTOU ==
Despite their conceptual simplicity, TOCTTOU race conditions are difficult to avoid and eliminate. One general technique is to use [[exception handling]] instead of checking, following the [[EAFP]] philosophy ("it is easier to ask for forgiveness than permission") rather than LBYL ("look before you leap") – in this case there is no check, and any failure of the assumptions to hold is detected at use time by an exception.
In the context of file system TOCTTOU race conditions, the fundamental challenge is ensuring that the file system cannot be changed between two system calls. In 2004, an impossibility result was published, showing that there was no portable, deterministic technique for avoiding TOCTTOU race conditions.<ref>[http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.83.8647 Dean, Drew; and Hu, Alan J.; 2004; ''Fixing races for fun and profit: How to use access(2)''; Proceedings of the 13th USENIX Security Symposium, San Diego (CA), August 9–13, 2004, pp. 195–206]</ref> Since this impossibility result, most UNIX systems (including Linux and Solaris) have adopted variants of common file system calls that operate on file handles rather than file names. These calls carry the "at" suffix, such as <code>openat</code>, <code>fstatat</code>, etc. Because a file handle is a private mapping to a file, it cannot be changed by another program and is not subject to race conditions with other applications. The example above can be rewritten using these calls to avoid a TOCTTOU race condition:
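The approach just described (no advance check on the name, open relative to a directory descriptor that is already held, then inspect the object through the descriptor that was actually opened), as an added example in C that is not taken from the article. It assumes Linux, where <code>openat</code> with <code>O_NOFOLLOW</code> fails with <code>ELOOP</code> on a symbolic link; the scratch directory and the names <code>data</code> and <code>link</code> are a constructed fixture.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* EAFP instead of LBYL: no access()/stat() on the name first. Open relative to
 * a directory descriptor already held, refuse a symlink as the final component,
 * then inspect the object actually opened through its descriptor. */
int open_regular_file_at(int dirfd, const char *name)
{
    struct stat st;
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                 /* errno as set by openat (ENOENT, ELOOP, ...) */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);                 /* a directory, FIFO or device: not acceptable */
        errno = EINVAL;
        return -1;
    }
    return fd;                     /* the fd pins this object; the name may now change */
}

/* Constructed fixture in a scratch directory: regular file "data" and symlink
 * "link" -> "data". Returns 0 iff "data" opens and "link" is refused with
 * ELOOP (Linux behaviour of O_NOFOLLOW); any other outcome returns 1. */
int demo_open_regular_file_at(void)
{
    char dir[] = "/tmp/tocttou-XXXXXX";
    int dirfd, fd, good = -1, bad, saved_errno, result = 1;
    if (mkdtemp(dir) == NULL)
        return result;
    dirfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0) { rmdir(dir); return result; }
    fd = openat(dirfd, "data", O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd >= 0 && close(fd) == 0 && symlinkat("data", dirfd, "link") == 0) {
        good = open_regular_file_at(dirfd, "data");  /* expect a valid fd */
        bad = open_regular_file_at(dirfd, "link");   /* expect -1 with ELOOP */
        saved_errno = errno;
        if (good >= 0 && bad < 0 && saved_errno == ELOOP)
            result = 0;
    }
    if (good >= 0) close(good);
    unlinkat(dirfd, "link", 0);    /* ENOENT here is harmless */
    unlinkat(dirfd, "data", 0);
    close(dirfd);
    rmdir(dir);
    return result;
}
```

Note that the directory descriptor only pins the directory; the final path component is still resolved by name, which is why <code>O_NOFOLLOW</code> and the <code>fstat</code> on the returned descriptor are part of the check rather than optional extras.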