Opening a file securely is far harder than it looks once a security boundary separates processes that share a filesystem. A path string is not a stable reference: the object it names can be swapped out through symlinks or changed between check and use (TOCTOU). The safe primitive is the file descriptor (fd), which pins an inode in the kernel. The post explains how to traverse a path safely one component at a time using openat, O_PATH, O_NOFOLLOW, and libglnx's glnx_chaseat() function. It also critiques the POSIX, GLib/GIO, and Rust standard library APIs for being path-based and therefore insecure by default. The author then reveals the real-world motivation: CVE-2026-34078, a sandbox escape in Flatpak caused by the portal passing untrusted path strings to flatpak run, which was designed for trusted callers. The fix required replacing every path string with an fd across the entire call chain.
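The component-by-component walk the post describes (openat relative to a directory fd, O_NOFOLLOW on every step, O_PATH to pin intermediate directories), as an added example written for this page rather than code from the post or from libglnx. open_beneath() is a hypothetical helper in the spirit of glnx_chaseat(), not that function; self_test() builds a constructed temporary tree and checks that an honest path opens while symlinks, "..", absolute paths and a file used as a directory each fail with a distinct errno.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE                 /* for O_PATH on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_PATH
#define O_PATH 010000000            /* asm-generic value, if the headers hid it */
#endif

/* Resolve relpath relative to rootfd one component at a time, holding an fd to
 * each directory reached. Every step is O_NOFOLLOW, so a symlink anywhere gives
 * ELOOP instead of a redirect; ".." gives EXDEV so the walk never leaves rootfd.
 * Hypothetical helper for this page (not libglnx's glnx_chaseat()). flags is
 * e.g. O_RDONLY; O_CREAT is not supported. Returns an fd, or -1 with errno set. */
int open_beneath(int rootfd, const char *relpath, int flags)
{
    if (relpath == NULL || relpath[0] == '/') { errno = EINVAL; return -1; }
    char *copy = strdup(relpath);                  /* strtok_r modifies its input */
    if (copy == NULL) return -1;
    int cur = openat(rootfd, ".", O_PATH | O_DIRECTORY | O_CLOEXEC); /* our own anchor */
    if (cur < 0) { free(copy); return -1; }

    int err = 0, result = -1;
    char *save = NULL, *comp = strtok_r(copy, "/", &save);
    while (comp != NULL) {
        char *next = strtok_r(NULL, "/", &save);   /* peek: is comp the last one? */
        if (strcmp(comp, ".") == 0) { comp = next; continue; }
        if (strcmp(comp, "..") == 0) { err = EXDEV; break; }
        if (next == NULL) {                        /* final component: open for real */
            result = openat(cur, comp, flags | O_NOFOLLOW | O_CLOEXEC);
            if (result < 0) err = errno;
            break;
        }
        /* Intermediate: pin with O_PATH, then check what the kernel actually handed
         * us. With O_PATH|O_NOFOLLOW a symlink is opened as itself, so fstat sees it. */
        int child = openat(cur, comp, O_PATH | O_NOFOLLOW | O_CLOEXEC);
        if (child < 0) { err = errno; break; }
        struct stat st;
        if (fstat(child, &st) < 0) err = errno;
        else if (S_ISLNK(st.st_mode)) err = ELOOP;
        else if (!S_ISDIR(st.st_mode)) err = ENOTDIR;
        if (err != 0) { close(child); break; }
        close(cur);                                /* step down: child is the new anchor */
        cur = child;
        comp = next;
    }
    if (err == 0 && result < 0) {                  /* path was "." or "sub/.": return cur */
        result = openat(cur, ".", flags | O_CLOEXEC);
        if (result < 0) err = errno;
    }
    close(cur);
    free(copy);
    if (err != 0) { errno = err; return -1; }
    return result;
}

/* Build a throwaway tree (constructed test data) and exercise open_beneath().
 * Returns a bitmask with one bit per check that behaved as expected; 63 = all six. */
int self_test(void)
{
    char tmpl[] = "/tmp/open_beneath_XXXXXX";
    if (mkdtemp(tmpl) == NULL) return -1;
    int root = open(tmpl, O_PATH | O_DIRECTORY | O_CLOEXEC);
    if (root < 0) return -1;
    mkdirat(root, "sub", 0700);                    /* root/sub/data.txt + two symlinks */
    int fd = openat(root, "sub/data.txt", O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd >= 0) { ssize_t n = write(fd, "hello", 5); (void)n; close(fd); }
    symlinkat("sub/data.txt", root, "link_to_file");
    symlinkat("sub", root, "link_to_dir");

    int ok = 0;
    char buf[16] = {0};
    fd = open_beneath(root, "sub/data.txt", O_RDONLY);                   /* 1: honest path */
    if (fd >= 0 && read(fd, buf, sizeof buf - 1) == 5 && strcmp(buf, "hello") == 0) ok |= 1;
    if (fd >= 0) close(fd);
    if (open_beneath(root, "link_to_file", O_RDONLY) < 0 && errno == ELOOP) ok |= 2;   /* 2: final symlink */
    if (open_beneath(root, "link_to_dir/data.txt", O_RDONLY) < 0 && errno == ELOOP) ok |= 4; /* 3: dir symlink */
    if (open_beneath(root, "../x", O_RDONLY) < 0 && errno == EXDEV) ok |= 8;           /* 4: climbing out */
    if (open_beneath(root, "/x", O_RDONLY) < 0 && errno == EINVAL) ok |= 16;           /* 5: absolute path */
    if (open_beneath(root, "sub/data.txt/x", O_RDONLY) < 0 && errno == ENOTDIR) ok |= 32; /* 6: file as dir */

    unlinkat(root, "link_to_file", 0);             /* best-effort cleanup */
    unlinkat(root, "link_to_dir", 0);
    unlinkat(root, "sub/data.txt", 0);
    unlinkat(root, "sub", AT_REMOVEDIR);
    close(root);
    rmdir(tmpl);
    return ok;
}

int main(void)
{
    int ok = self_test();
    printf("self_test bitmask: %d (63 means every check passed)\n", ok);
    return ok == 63 ? 0 : 1;
}
```

Build with gcc on Linux and run; the fd that open_beneath() returns is what gets handed down the call chain in place of the path string, which is the shape of the fix the post describes. Because each directory is held as an fd while the next component is looked up, a rename or symlink swap after a check cannot redirect the walk, which is the TOCTOU property a path string can never give you. In production code prefer openat2(2) with RESOLVE_BENEATH (Linux 5.6 and later) or glnx_chaseat() itself over a hand-rolled loop; the loop above exists to make the mechanism visible.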

11 min read. From blog.sebastianwick.net

Table of contents
  Opening a File, the Hard Way
  libglnx chase
  An Aside on Standard Libraries
  Wait, Why Are You Talking About This?