That is not a particularly good example of a TOCTTOU (2-3 Ts, not 4), but the rust standard library does fall a bit short for filesystem operations in that regard. E.g. it doesn't expose the *at syscall family some sort of directory handle. Doubly so if you want to perform the atomic write dance securely inside a specific direcory without being subject symlink substitution.