Can we implement a facility to safely create temporary files in C++23?
After reading a review of my own code, an answer about boost::filesystem::unique_path, another answer about unique_path and its references, documentation about tmpnam and its Linux man page, and a few other related things, I am under the impression that with C++23, we have all we need to provide a safe implementation of temporary file creation, only using the C++23 standard library.
By safe, I among others mean an implementation that would not have the known safety vulnerabilities of tmpnam and boost::filesystem::unique_path.
For instance, we could implement a class temp_file whose constructor would both generate a 128-bit random file name and open a file of that name located under std::filesystem::temp_directory_path() in exclusive mode (std::ios::noreplace), whose destructor would close the file and delete it, and whose stream member function would return a reference to the opened file's input/output stream.
Could such an implementation, assuming it is correct, be considered as a safe facility to create and use temporary files, or am I missing some important considerations, in which case, what are those considerations?
Nicol Bolas' answer, in combination with comments from user17732522, allow me to compose a self-sufficient answer, rooted in the C++ standard.
Could such an implementation, assuming it is correct, be considered as a safe facility to create and use temporary files, or am I missing some important considerations, in which case, what are those considerations?
The C++23 final draft contains:
Since we can never guarantee that a separate thread or process will not access the temporary file while it is being created and accessed by the user of the facility, such a facility could not be considered as safe.
Such lack of guaranteed safety is in fact very general for C++' file streams, but, as user17732522 puts it, "it is just a bit worse for [temporary files], because they may be created in a directory accessible by all users".
When it comes to alternatives, in the C++ standard, we have tmpfile which does not expose a file name, and hence at least theoretically could be safer, at the cost of using the FILE API instead of std::fstream.
There are also OS-specific alternatives.
- How portable is code with #pragma optimize?
- Make warn_unused_result applied to all function with GCC
- Multiple threads and CPU cache
- Linking error vs. compilation error
- how to compile multiple instances of a source file linking to it different files.o
- Background compile in VS2010 and C/C++
- What Turing complete macro languages are available for C/C++
- How to use Cython to compile Python 3 into C
- Are forward declarations needed when the typedef declaration is done?
- How to assign real and imaginary parts of complex variables in C
- Strict aliasing between Complex numbers and real numbers in C
- How to CORRECTLY install gsl library in Linux?
- Using = operator on atomic variable?
- Unknown conversion types in this program I'm meant to compile
- Iterator in C language
- Treating __func__ as a string literal instead of a predefined identifier
- c - strcpy with struct string returning error
- Segmentation fault when executing a Python script in a C program?
- Questions about C Function Prototypes and Compilation
- What is the purpose of "-Wa,option" in GCC?
- Do we have c99 subflags
- netcat gcc compile option so that IDA pro can show function name
- What is the correct way to free output buffer after call to openssl::i2d_X509?
- How can I link C++ files to a C program?
- Why doesn't this program in C compile? Error: undefined reference to `i2c_smbus_read_byte_data'
- integer promotion isn't taken into account
- Why do I get a SEGFAULT when I try to sort an array of integers using K & R code examples?
- Are C preprocessor statements a part of the C language?
- FFMPEG Api conversion from YUV420P to RGB produces strange output
- Why is the tree constructed this way incorrect?