Many of their TOCTOU issues are something a type system can help with. Require operations to execute on a fd handle directly rather than using convenience functions.
let fd = FileDescriptor::new(path);
fd.delete()?;
fd.create(mode)?;
let is_root = fd == FileDescriptor::new("/"); // does (dev, inode) comparison internally
// etc
The uutils devs would need to create that themselves, but OpenOptions seems to get them part of the way there at least.
It’s only enforced because of Rust’s strict type system. Python, on the other hand, lets you do whatever you want by comparison, and complains only at runtime. I’ve seen far too many **kwargs for my liking.
And FD types (e.g. OwnedFd, BorrowedFd) are already in std.
My example would be a thin wrapper around these, most likely. It’s only an example of what I’m trying to convey, though.
Many of their TOCTOU issues are something a type system can help with. Require operations to execute on a fd handle directly rather than using convenience functions.
The uutils devs would need to create that themselves, but
OpenOptionsseems to get them part of the way there at least.That’s a question of API, not type system. And FD types (e.g.
OwnedFd,BorrowedFd) are already in std.It’s only enforced because of Rust’s strict type system. Python, on the other hand, lets you do whatever you want by comparison, and complains only at runtime. I’ve seen far too many
**kwargsfor my liking.My example would be a thin wrapper around these, most likely. It’s only an example of what I’m trying to convey, though.