But those features of O_DEFEROPEN are the only useful ones.  Other
than posssibly in the future being able to say "give me a no-priv
fd to this object if I can read _or_ write it" I think that O_NONE
is useless for race-avoidance purposes.

Basically, I want it for things like tar.  Currently, for files GNU
tar does:

lstat("./defines.h", {st_mode=S_IFREG|0664, st_size=318, ...}) = 0
open("./defines.h", O_RDONLY|O_LARGEFILE) = 6
read(6, "#define UTIL_LINUX_VERSION \"2.10"..., 318) = 318
fstat(6, {st_mode=S_IFREG|0664, st_size=318, ...}) = 0
close(6)                                = 0

which is fairly easily raceable if you make your directories big
enough.  Make a link at the right time, and tar may well have
backed up /etc/shadow but thought that it was a file that you
owned.

This:

open(path, O_RDONLY|O_DEFEROPEN)	= 6
fstat(6, ...)				= 0
fcntl(6, F_REALLYOPEN)			= 0
read(6, ..., N)				= M
close(6)				= 0

is safe (though we do need O_SYMLINK to complete the picture).

Does anyone know if/how *BSD deal with this?  I can't find anything
but GNU tar under their cvsweb services.

Matthew.