Page History

According to its C99 definition, the effect of calling Invoking remove() on an open file is implementation-defined. Therefore, care must be taken when remove() is called on Removing an open file is sometimes recommended to hide the names of temporary files that may be prone to attack. (See FIO21-C. Do not create temporary files in shared directories.)

In cases requiring the removal of an open file, a . It is often the case that removing a file that is open can help mitigate file input/output race conditions. In these cases, the intended implementations need to be considered and an alternate, more strongly defined function, such as The Open Group's the POSIX unlink() function, should be usedconsidered. To be strictly conforming and portable, remove() should not be called on an open file.

...

Noncompliant Code Example

The following non-compliant code illustrates This noncompliant code example shows a case where a file is removed after while it is first opened.still open:

char *file_name;
FILE *file;

/* ...Initialize file_name */

file = fopen("myfile"file_name, "w+");
if (fopenfile == NULL) {
  /* Handle error condition */
}
remove("myfile");

/* ... */

Some implementations, such as Visual Studio C++ 2005 compiled code running on Microsoft Windows XP, will not allow the call to remove() to succeed, leaving the file resident on disk after execution has completed.

Compliant Solution

The following compliant solution waits until the process has completed using the file to remove it.

FILE *file;

/* ... */

file = fopen("myfile", "w+");
if (fopen == NULL
if (remove(file_name) != 0) {
  /* Handle error condition */
}

/* Finish usingContinue performing I/O operations on file */

removefclose("myfile"file);

Some implementations will not remove the file specified by file_name because the stream is still open.

Implementation Details

Code compiled for Microsoft Windows prevents the remove() call from succeeding when the file is open, meaning that the file link will remain after execution completes.

Compliant Solution (POSIX)

In this This compliant solution intended for POSIX environments, The Open Group's uses the POSIX unlink() function to remove the file. The unlink() function (which is guaranteed by The Open Group Base Specifications Issue 6 to unlink the file from the file system hierarchy but keep the file on disk until all open instances of it the file are closed ) is used[IEEE Std 1003.1:2013].

FILE *file;
char
#include <unistd.h>

FILE *file_name;

/* ...Initialize file_name */

file = fopen("myfile"file_name, "w+");
if (fopenfile == NULL) {
  /* Handle error condition */
}
unlink("myfile");
if (unlink(file_name) != 0) {
  /* Handle error condition */
}

/* ...Continue performing I/O operations on file */

fclose(file);

Note that there is a race window between the fopen() call and the unlink() call, which could be exploited. This exploitation can be mitigated if the operations occur in a secure directory; see FIO45-C. Avoid TOCTOU race conditions while accessing files for more information.

Risk Assessment

Calling remove() on an open file has different implications for different implementations and may cause abnormal termination if the closed removed file is written to or read from, or it may result in unintended information disclosure from files not actually deleting a file deleted as intended.

Automated Detection

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.19.4.1, "The remove function"

Related Guidelines

Bibliography

...

Image Added Image Added Image AddedFIO07-A. Prefer fseek() to rewind()      09. Input Output (FIO)       FIO09-A. fflush() should be called after writing to an output stream if data integrity is important