File descriptors offer a safer alternative to path-based file operations, eliminating risks like path traversal and symlink attacks. Traditional methods of opening files via strings expose developers to vulnerabilities where an attacker can manipulate paths to access sensitive data, such as private SSH keys. For instance, a path like `../.ssh/id_ed25519` could bypass security checks if not normalized. The TOCTOU (time-of-check to time-of-use) race condition exacerbates this issue, allowing attackers to alter file system structures between path resolution and file access. Developers must prioritize using file descriptors (fds) instead of paths to maintain secure references to files. Tools like Openat2 and libraries such as libglnx enforce fd-centric workflows, ensuring paths are resolved safely within controlled directories.

The core problem stems from path-based APIs, which are ubiquitous in standard libraries like POSIX and GLib/Gio. These tools lack built-in safeguards against symlink resolution or directory changes during file access. For example, converting an fd to a path for mounting operations can reintroduce vulnerabilities if the path is symlinked by an attacker. This flaw is particularly critical in security-sensitive contexts, such as apps handling user-uploaded archives. The libglnx library addresses this by providing fd-based operations (e.g., `glnx_chaseat`) that resolve paths relative to a trusted directory fd, preventing unauthorized redirection. Its `GLNX_CHASE_RESOLVE_BENEATH` flag ensures all path components remain within a specified directory, even if symlinks exist. While cross-platform abstractions like Rust’s path-based systems offer convenience, they inherit these security gaps, making fd-first approaches essential for robust security.

Adopting fd-centric practices is not just a technical improvement but a necessity for modern development. By avoiding path strings altogether, developers can eliminate race conditions and symlink exploitation. The Openat2 syscall and libraries like libglnx provide practical implementations, but their adoption requires a cultural shift. Developers must retrain themselves to think in terms of file descriptors rather than abstract paths. This shift is especially vital for applications with security boundaries, such as web servers or sandboxed environments. While tools like libglnx simplify fd-based operations, broader adoption depends on ecosystem support. Until path-based APIs are redesigned with security in mind, developers must embrace fd-first paradigms to protect against evolving threats. The lesson is clear: paths are inherently insecure, and file descriptors are the only reliable way to ensure safe file access.