@barubary You do not read a directory race-free in the snapshot sense.A directory fd gives you a stable ref to THAT directory object, not a stable list of its children.You CAN dodirfd = openat2(parentfd, "subdir", ...);getdents64(dirfd, ...); // or fdopendir/readdiropenat(dirfd, name, ...); // act relative to the same directoryThat avoids races involving CWD, replaced parent paths, symlinked path components, and “I checked one path but opened another”. The entries themselves can still change while you read. Another process can create, delete, rename, or replace name after readdir() returns it and before openat() uses it. Linux does not make readdir() a frozen transaction. A directory fd pins the directory, not its contents.So you'dopen directory by fdread entry name as bytesopenat(dirfd, entry_name, flags that express intent)fstat the returned fddecide based on the object actually openedoperate on the fd, not the pathFor recursive traversal, you extend the same rule: open child directories with openat() or openat2(), reject symlinks with flags/resolution constraints, keep dirfds on a stack, and perform later operations relative to those dirfds. The oss-sec report’s uutils examples are mostly failures of this kind: path-based second operations, permission changes after creation, missing O_NOFOLLOW, missing O_EXCL, or creating too broadly and tightening later.A truly race-free directory listing would mean one of three things:A filesystem snapshot.Kernel support for transactional directory enumeration plus later object resolution against that transaction.Locking/excluding all concurrent mutation, which Unix generally does not provide as a normal directory API.None of that is desireable, because it will scale like shit.A snapshot is desirable for backups, indexing, forensics, package database consistency, and reproducible tree copies. But then the right answer is usually “use a filesystem snapshot”, not “make readdir() magic”.
I
