probe_directory

Function probe_directory 

Source
pub fn probe_directory(dir: &Path) -> Result<()>
Expand description

Verify that the calling process can perform the file operations that a RocksDB or maildir style store relies on within dir: create a file, write and fsync it, atomically rename it into place, and unlink it.

It also cross-checks the kernel’s access(2) view of the renamed file against the open(2) view. That cross-check only bites when the real and effective uids differ; when they are the same (tests, non-root deploys, plain root) both syscalls consult one identity and can never disagree, so it is inert. It exists for the specific failure mode of a privilege drop that keeps the real uid as root (to retain a capability) while lowering the effective uid to a service user:

  • access(2) answers using the real uid (root here).
  • open(2), rename(2), and unlink(2) act using the effective (filesystem) uid (the service user here).
  • On a directory whose group and other permission bits have been stripped (for example a root-owned mkdir under a 077 umask, later chowned to the service user), those two identities disagree about whether a file is reachable.

RocksDB decides whether to open an existing database or create a fresh one via an access(2)-style existence check, then does its I/O via open/rename/unlink. When the two disagree it silently creates a brand new database and aborts on the pre-existing write-ahead log, which the operator sees only as an opaque “wal_dir contains existing log file” failure on the second startup. Running this probe first turns that late, cryptic corruption into an early, actionable error.

The check runs as whatever real/effective/filesystem identity the process currently has, so it needs no assumptions about which user or which permission bits are “correct”. On failure the returned error names the directory owner, mode, and the process ids so the operator can see the mismatch.