tempfile: add a new_with_mode method

champtar · champtar · commit 0c6abfb5e54b · 2025-05-26T06:06:22.000-04:00
On filesystems that do not support `O_TMPFILE` (e.g. `vfat`), TempFile::new()
automatically falls back to a potentially world readable named temp file.

Add TempFile::new_with_mode() to create temp files with a chosen mode directly.

The chosen mode is still restricted by the current umask.
diff --git a/cap-tempfile/src/tempfile.rs b/cap-tempfile/src/tempfile.rs
@@ -1,5 +1,8 @@
 //! Temporary files.
 
+#[cfg(unix)]
+use cap_std::fs::OpenOptionsExt;
+
 use cap_std::fs::{Dir, File};
 use std::ffi::OsStr;
 use std::fmt::Debug;
@@ -60,7 +63,7 @@ impl<'d> Debug for TempFile<'d> {
 }
 
 #[cfg(any(target_os = "android", target_os = "linux"))]
-fn new_tempfile_linux(d: &Dir, anonymous: bool) -> io::Result<Option<File>> {
+fn new_tempfile_linux(d: &Dir, anonymous: bool, mode: Option<u32>) -> io::Result<Option<File>> {
     use rustix::fs::{Mode, OFlags};
     // openat's API uses WRONLY. There may be use cases for reading too, so let's
     // support it.
@@ -70,7 +73,10 @@ fn new_tempfile_linux(d: &Dir, anonymous: bool) -> io::Result<Option<File>> {
     }
     // We default to 0o666, same as main rust when creating new files; this will be
     // modified by umask: <https://github.com/rust-lang/rust/blob/44628f7273052d0bb8e8218518dacab210e1fe0d/library/std/src/sys/unix/fs.rs#L762>
-    let mode = Mode::from_raw_mode(0o666);
+    let mode = match mode {
+        Some(mode) => Mode::from(mode),
+        None => Mode::from(0o666),
+    };
     // Happy path - Linux with O_TMPFILE
     match rustix::fs::openat(d, ".", oflags, mode) {
         Ok(r) => Ok(Some(File::from(r))),
@@ -100,17 +106,25 @@ fn generate_name_in(subdir: &Dir, f: &File) -> io::Result<String> {
 /// Create a new temporary file in the target directory, which may or may not
 /// have a (randomly generated) name at this point. If anonymous is specified,
 /// the file will be deleted
-fn new_tempfile(d: &Dir, anonymous: bool) -> io::Result<(File, Option<String>)> {
+fn new_tempfile(
+    d: &Dir,
+    anonymous: bool,
+    #[cfg(unix)] mode: Option<u32>,
+) -> io::Result<(File, Option<String>)> {
     // On Linux, try O_TMPFILE
     #[cfg(any(target_os = "android", target_os = "linux"))]
-    if let Some(f) = new_tempfile_linux(d, anonymous)? {
+    if let Some(f) = new_tempfile_linux(d, anonymous, mode)? {
         return Ok((f, None));
     }
     // Otherwise, fall back to just creating a randomly named file.
     let mut opts = cap_std::fs::OpenOptions::new();
     opts.read(true);
     opts.write(true);
     opts.create_new(true);
+    #[cfg(unix)]
+    if let Some(mode) = mode {
+        opts.mode(mode);
+    }
     let (f, name) = super::retry_with_name_ignoring(io::ErrorKind::AlreadyExists, |name| {
         d.open_with(name, &opts)
     })?;
@@ -125,7 +139,20 @@ fn new_tempfile(d: &Dir, anonymous: bool) -> io::Result<(File, Option<String>)>
 impl<'d> TempFile<'d> {
     /// Create a new temporary file in the provided directory.
     pub fn new(dir: &'d Dir) -> io::Result<Self> {
-        let (fd, name) = new_tempfile(dir, false)?;
+        let (fd, name) = new_tempfile(
+            dir,
+            false,
+            #[cfg(unix)]
+            None,
+        )?;
+        Ok(Self { dir, fd, name })
+    }
+
+    /// Create a new temporary file in the provided directory, with the provided mode.
+    /// Process umask is taken into account for the actual file mode.
+    #[cfg(unix)]
+    pub fn new_with_mode(dir: &'d Dir, mode: u32) -> io::Result<Self> {
+        let (fd, name) = new_tempfile(dir, false, Some(mode))?;
         Ok(Self { dir, fd, name })
     }
 
@@ -134,7 +161,13 @@ impl<'d> TempFile<'d> {
     ///
     /// [`tempfile::tempfile_in`]: https://docs.rs/tempfile/latest/tempfile/fn.tempfile_in.html
     pub fn new_anonymous(dir: &'d Dir) -> io::Result<File> {
-        new_tempfile(dir, true).map(|v| v.0)
+        new_tempfile(
+            dir,
+            true,
+            #[cfg(unix)]
+            None,
+        )
+        .map(|v| v.0)
     }
 
     /// Get a reference to the underlying file.
@@ -264,13 +297,10 @@ mod test {
         // Test that we created with the right permissions
         #[cfg(any(target_os = "android", target_os = "linux"))]
         {
-            use cap_std::fs_utf8::MetadataExt;
-            use rustix::fs::Mode;
+            use cap_std::fs::MetadataExt;
             let umask = get_process_umask()?;
-            let metadata = tf.as_file().metadata().unwrap();
-            let mode = metadata.mode();
-            let mode = Mode::from_bits_truncate(mode);
-            assert_eq!(0o666 & !umask, mode.bits() & 0o777);
+            let mode = tf.as_file().metadata()?.mode();
+            assert_eq!(0o666 & !umask, mode & 0o777);
         }
         // And that we can write
         tf.write_all(b"hello world")?;
@@ -295,6 +325,29 @@ mod test {
             eprintln!("notice: Detected older Windows");
         }
 
+        // Test that we can create with 0o000 mode
+        #[cfg(any(target_os = "android", target_os = "linux"))]
+        {
+            use cap_std::fs::MetadataExt;
+            let mut tf = TempFile::new_with_mode(&td, 0o000)?;
+            assert_eq!(tf.as_file().metadata()?.mode() & 0o777, 0o000);
+            tf.write_all(b"mode 0")?;
+            tf.replace("testfile")?;
+            let metadata = td.metadata("testfile")?;
+            assert_eq!(metadata.len(), 6);
+            assert_eq!(metadata.mode() & 0o777, 0o000);
+        }
+
+        // Test that mode is limited by umask
+        #[cfg(any(target_os = "android", target_os = "linux"))]
+        {
+            use cap_std::fs::MetadataExt;
+            let tf = TempFile::new_with_mode(&td, 0o777)?;
+            let umask = get_process_umask()?;
+            assert_ne!(umask & 0o777, 0o000);
+            assert_eq!(tf.as_file().metadata()?.mode() & 0o777, 0o777 & !umask);
+        }
+
         td.close()
     }
 }
