Struct fs_mistrust::CheckedDir

pub struct CheckedDir { /* private fields */ }

A directory whose access properties we have verified, along with accessor functions to access members of that directory.

The accessor functions will enforce that whatever security properties we checked on the the directory also apply to all of the members that we access within the directory.

Limitations

Having a CheckedDir means only that, at the time it was created, we were confident that no untrusted user could access it inappropriately. It is still possible, after the CheckedDir is created, that a trusted user can alter its permissions, make its path point somewhere else, or so forth.

If this kind of time-of-use/time-of-check issue is unacceptable, you may wish to look at other solutions, possibly involving openat() or related APIs.

See also the crate-level Limitations section.

Implementations

impl CheckedDir

pub fn make_directory<P: AsRef<Path>>(&self, path: P) -> Result<()>

Construct a new directory within this CheckedDir, if it does not already exist.

path must be a relative path to the new directory, containing no .. components.

pub fn open<P: AsRef<Path>>(
    &self,
    path: P,
    options: &OpenOptions
) -> Result<File>

Open a file within this CheckedDir, using a set of OpenOptions.

path must be a relative path to the new directory, containing no .. components. We check, but do not create, the file’s parent directories. We check the file’s permissions after opening it. If the file already exists, it must not be a symlink.

If the file is created (and this is a unix-like operating system), we always create it with mode 600, regardless of any mode options set in options.

pub fn as_path(&self) -> &Path

Return a reference to this directory as a Path.

Note that this function lets you work with a broader collection of functions, including functions that might let you access or create a file that is accessible by non-trusted users. Be careful!