2 releases

| Version | Date |
|---|---|
| 0.1.0-rc2 (new) | Nov 3, 2024 |
| 0.1.0-rc1 | Oct 15, 2024 |

#408 in Filesystem · 161 downloads per month · 35KB · 483 lines
sneak
High-level abstractions of `*at` and related *nix syscalls to build race-condition-free, thread-safe, symlink-traversal-attack-safe user APIs.
Motivation
While building filesystem-abstracting APIs, you can easily run into race conditions: classic system calls, as exposed by Rust's filesystem library, often do not provide sufficient protection in multi-threaded or multi-process applications. In more complex applications, especially those running as root, you risk exposing yourself to time-of-check/time-of-use (TOCTOU) race conditions, which can culminate in privilege escalation vulnerabilities. Until recently, the Rust standard library's `std::fs::remove_dir_all` was vulnerable to this attack vector.
Unfortunately, avoiding these race conditions is not an easy task. You need to interact directly with specialized system calls, handle different operating systems, and write `unsafe` code. This library aims to provide a safe, easy-to-use yet highly flexible API that does not hide any implementation details.
Getting started
See the documentation.
```rust
use std::io::Write;
use std::sync::mpsc::Receiver;
use sneak::Dir;

/// A unit of work received from the queue (the README leaves this type implicit).
struct Item {
    user_id: u64,
    data: Vec<u8>,
}

/// Drain `queue` (assumed here to be a std mpsc receiver) and write each item's
/// data into that user's folder beneath the trusted base directory.
fn write_user_data(queue: Receiver<Item>) -> Result<(), Box<dyn std::error::Error>> {
    // the only absolute path we ever open; everything below is resolved relative to it
    let base_dir = Dir::open("/var/lib/myapp/")?;
    while let Ok(item) = queue.recv() {
        let filepath = format!("./user_data/{}/data.txt", item.user_id);
        // open the file in a TOCTOU-safe way: resolved relative to base_dir's fd,
        // so a symlink swapped in under user_data/ cannot redirect the write
        let mut file = base_dir.open_file(&filepath, libc::O_WRONLY)?;
        // write data
        file.write_all(&item.data)?;
        println!("wrote data to user {}'s folder!", item.user_id);
    }
    Ok(())
}
```
License
This software is dual-licensed under the MIT license and the Apache-2.0 license.
Dependencies
~44KB