Can we implement a facility to safely create temporary files in C++23?
After reading a review of my own code, an answer about boost::filesystem::unique_path, another answer about unique_path and its references, documentation about tmpnam and its Linux man page, and a few other related things, I am under the impression that with C++23, we have all we need to provide a safe implementation of temporary file creation, only using the C++23 standard library.
By safe, I among others mean an implementation that would not have the known safety vulnerabilities of tmpnam and boost::filesystem::unique_path.
For instance, we could implement a class temp_file whose constructor would both generate a 128-bit random file name and open a file of that name located under std::filesystem::temp_directory_path() in exclusive mode (std::ios::noreplace), whose destructor would close the file and delete it, and whose stream member function would return a reference to the opened file's input/output stream.
Could such an implementation, assuming it is correct, be considered as a safe facility to create and use temporary files, or am I missing some important considerations, in which case, what are those considerations?
Nicol Bolas' answer, in combination with comments from user17732522, allow me to compose a self-sufficient answer, rooted in the C++ standard.
Could such an implementation, assuming it is correct, be considered as a safe facility to create and use temporary files, or am I missing some important considerations, in which case, what are those considerations?
The C++23 final draft contains:
Since we can never guarantee that a separate thread or process will not access the temporary file while it is being created and accessed by the user of the facility, such a facility could not be considered as safe.
Such lack of guaranteed safety is in fact very general for C++' file streams, but, as user17732522 puts it, "it is just a bit worse for [temporary files], because they may be created in a directory accessible by all users".
When it comes to alternatives, in the C++ standard, we have tmpfile which does not expose a file name, and hence at least theoretically could be safer, at the cost of using the FILE API instead of std::fstream.
There are also OS-specific alternatives.
- How to trigger implicit pointer conversion inline in a C macro?
- How do I create a Virus signature?
- snprintf and sprintf explanation
- Code for implementing queue with ring buffer
- c - what is the most efficient way to copying a string?
- passing argument 2 makes pointer from integer without a cast
- How to declare a 2d Array without knowing the dimensions?
- what is the easiest way to read and process serial data for windows 32-bit systems?
- Where is SYSCALL() implemented in Linux?
- Does s conversion specifier specify direction / order in which characters are written?
- I'm getting an incredible error in the for loop in c language. For loop works in 1,2 and 3 but stops suddenly
- Address of local variable gives invalid address
- ESP-IDF linker not reporting duplicate functions so generating unsafe binary
- typedef for constant pointer to constant data function array
- Transfer pointer from dll (c/c++) to python
- Find out which thread/process is consuming CPU
- Chocolate Feast Program
- Embedding python in multithreaded C application
- C and C++ : Partial initialization of automatic structure
- How to access global variable via JNA interface?
- Error while loading shared libraries: libpq.so.5
- Request for heeds when using '_' <underscore> as identifier in C (and interop with other languages)
- What is the result of #if MACRO and MACRO is defined without value?
- Mac OS Catalina sbrk is deprecated
- Why do I need to put the millis() function inside the main loop to trigger the ISR?
- undefined reference to `WinMain@16' collect2.exe: error: ld returned 1 exit status
- String brokes after splitted in C
- What's the meaning of the %m formatting specifier?
- Trouble Returning to Previous input in loop
- snprintf vs. strcpy (etc.) in C