To avoid the race condition, you start off with few permissions, then use chmod to increase them if necessary. Normally, you accept the fewer permissions because that's what the user requested (via umask).

mkdir($qfn, $desired_perms) or die;
chmod($desired_perms, $qfn) or die;  # Override user's umask
[download]

It's messing with umask can lead to race conditions (in asynchronously execute code such as threads and signal handlers).

Very true, very true.

Wasn't thinking of the case of threads and signals. Like you said, however, you start with permissions equal or higher than you want, and reduce the restrictions when ready to open it up, not the other way around.

I just reread my post, and yeah, it did not say what I was thinking. Ugh. The specific cases I was thinking of for security bugs were cases where this sequence of code was executed:

umask(000);
mkdir($dir, 0777); # or creating a file mode 0666, etc
...
...
chmod($dir, $mode);
[download]

or even the same thing with creating files. By restricting the mode to just what you need to be able to set up your files / directories (umask(0077)), and then opening it up once setup is complete (chmod(...)), you can more easily avoid some of these situations. But as you stated, you need to be aware of these restrictions in your asynchronous areas of your code.

--MidLifeXis