How to securely manipulate user files

Here is a thesis:

The only way to securely do operations on user files is to do them as the user.

(You may also add 'correctly' to this.)

Over and over again I have seen root-run administrative programs and scripts try to manipulate user files in various ways, and over and over again I have seen them have problems and security holes. This is not because they were badly written, it's because there are a lot of race conditions lurking in the underbrush unless you are extraordinarily aware and careful.

The only genuinely reliable way out is to get rid of the entire problem. The problem is that an attacker is tricking you into manipulating the wrong files with special privileges, so get rid of the special privileges; when you manipulate files, do all of the manipulation as the user themselves. As a bonus you will get around any NFS root permission problems, where root actually has less privileges than the regular user does, not more.

(Please don't do this by temporarily switching the user's UID and then switching back, because that way you still have elevated privileges, even if they're latent.)

This is relatively easy in most shell scripts if you make yourself a basic runas command that just setuids (thoroughly) to the user and runs a command for you. The simple use of it is to just run every command that touches user files as the user by putting 'runas $USER' in front of the command. The more advanced usage is to split your shell script or program into multiple scripts, and then use runas in your main script to run the as-user script with appropriate arguments.

(You don't want to use su because it does too much; among other things, it runs a shell, often the user's shell, and users can have broken .bashrcs and .cshrcs. I've been there and stubbed my toe.)