- * intend to; namely the "target" of the hard link. To truly prevent
- * that sort of mischief, we should be using file descriptors for
- * the target and its parent directory. Then modulo a tiny race
- * condition, we would be sure that "path" and "parent" don't change
- * their nature between the time that we test them and when we
- * utilize them. For contrast, the same attacker is free to replace
- * "path" with a hard link after is_hardlink_safe() has returned
- * "true" below.
- *
- * Unfortunately, our API is lacking in this area. For example,
- * acl_set_fd() is only capable of setting the ACL_TYPE_ACCESS list,
- * and not the ACL_TYPE_DEFAULT. Apparently the only way to operate
- * on default ACLs is through the path name, which is inherently
- * unreliable since the acl_*_file() calls themselves might follow
- * links (both hard and symbolic).
+ * intend to; namely the "target" of the hard link. There is TOCTOU
+ * race condition here, but the window is as small as possible
+ * between when we open the file descriptor (look above) and when we
+ * fstat it.