On Sat, Feb 27, 2021 at 07:25:00PM -0500, Drew DeVault wrote:
> The mkdir and mkdirat syscalls both return 0 on success, and use of the
> newly-created directory requires a separate open or openat (or openat2)
> call. The time between these syscalls is an opportunity for a race
> condition. It is thus desirable to establish a means of creating a
> directory and returning an open dirfd for it in one atomic operation.

I don't understand what the TOCTOU race is.

$ cd /tmp
$ mkdir foo
$ sudo su fake
$ rmdir foo
rmdir: failed to remove 'foo': Operation not permitted
$ mv foo bar
mv: cannot move 'foo' to 'bar': Operation not permitted

Where's the problem? If mkdir succeeds in a sticky directory, others can't remove or rename it. So how can an app be tricked into doing something wrong?
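For readers following the exchange, here is the two-syscall sequence under discussion (mkdirat followed by openat) written the way a careful userspace program does it today, with the checks that narrow the window Drew describes: O_DIRECTORY and O_NOFOLLOW so the open cannot be diverted through a symlink, and an fstat on the resulting fd to confirm the directory is owned by the caller. This is an added example, not code from either participant or from the kernel; the function name mkdir_and_open_verified and the scratch path under /tmp are choices made here for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Create `name` under `dirfd` and return an open dirfd for it. This takes
 * two syscalls (mkdirat, then openat); the thread is about the absence of a
 * single-syscall form. What we can do today is verify, through the fd we
 * actually opened, that it is what we just created: a real directory (no
 * symlink following, thanks to O_NOFOLLOW | O_DIRECTORY) owned by our own
 * effective uid. Returns the fd on success, or -1 with errno set.
 */
int mkdir_and_open_verified(int dirfd, const char *name, mode_t mode)
{
    /* If the name already exists (EEXIST) we did not create it: refuse it. */
    if (mkdirat(dirfd, name, mode) != 0)
        return -1;

    int fd = openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;

    /* All checks go through the open fd, so later path changes cannot affect them. */
    struct stat st;
    if (fstat(fd, &st) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!S_ISDIR(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Constructed scratch location for the demonstration. */
    char tmpl[] = "/tmp/mkdir_open_XXXXXX";
    char *base = mkdtemp(tmpl);
    if (!base) {
        perror("mkdtemp");
        return 1;
    }

    int dfd = open(base, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    int fd = mkdir_and_open_verified(dfd, "work", 0700);
    printf("%s/work -> fd %d (%s)\n", base, fd,
           fd >= 0 ? "ok" : strerror(errno));

    if (fd >= 0)
        close(fd);
    unlinkat(dfd, "work", AT_REMOVEDIR);
    close(dfd);
    rmdir(base);
    return fd >= 0 ? 0 : 1;
}
```

The ownership and type checks are made on the fd rather than on the path, which is the usual way to make the post-open state verifiable regardless of what happens to the name in between; they do not make the mkdir-then-open pair atomic, which is the gap the original message is about.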