2654. [filesys.ts] [PDTS] Concerns with security and testability

Section: 99 [filesys.ts::fs.scope] Status: NAD Future Submitter: Google Opened: 2014-01-20 Last modified: 2016-08-11

Priority: Not Prioritized

View all other issues in [filesys.ts::fs.scope].

View all issues with NAD Future status.

Discussion:

Addresses: filesys.ts

We have two primary concerns with the interface as specified:

(a) its interface repeats the mistake of V7 Unix in 1979 by exposing access checking (and similarly file creation) independently from opening and mutating the file, and

(b) it provides no realistic means of testing a software library which uses the standard interface for accessing the filesystem under fault scenarios.

Due to the extent of (a), TOCTTOU [1] security vulnerabilities are guaranteed, if not during access checking[2], during other common operations such as temporary file creation[3].

Due to (b) it is impossible to portably test libraries using the proposed interface against critical correctness and security edge cases.

[1]: TOCTTOU: Time-of-check-to-time-of-use.  Operating system integrity in OS/VS2

[2]: Fixing Races for Fun and Profit: How to use access(2)

[3]: Checking for Race Conditions in File Accesses

[Beman Dawes: 10 Feb 2014: Suggested response: NAD, Future]

We share your concerns and look forward to receiving specific proposals to address them. Whether they will addressed by a revision of TS 18822 or a new TS will be decided as proposals progress through the committee process. See How To Submit a Proposal.

[17 Jun 2014 Rapperswil LWG agrees NAD, Future with rationale as stated above.]

Proposed resolution: