
Re: [security question] creating tempfiles



On Fri, 02 Apr 1999, Wichert Akkerman wrote:

> In general please do use tempfile if possible, since it is a known
> safe method.

I know that there are mktemp(1) and tempfile(1) in Debian but these
programs aren't available on _every_ Unix system. So they are no real
alternative for my needs.

Don't forget that these two programs create only one file, but I
often need a temporary directory (which additionally makes cleaning up
many temp files at once much easier).

> From: alan@lxorguk.ukuu.org.uk (Alan Cox)

> mkdir will follow dangling symlinks on some platforms

That's very bad news. Any idea which platforms have this bug? mkdir
from the GNU File Utilities doesn't seem to have this bug...

> > tmpdir=${TMPDIR-/tmp}/foo.$$
> > mkdir $tmpdir || exit 1
> > trap "rm -rf $tmpdir; exit" 0 1 2 3 15

> There is a tool called mktemp specifically designed for this. It's an
> OpenBSD tool - very useful for script writers

But it only supports files (not directories) and it isn't available
on every system. But I use sh-scripts especially to write portable
"programs". When the user has to install mktemp first, this is a big
drawback. 

> On some platforms, the program called 'mktemp' is a security
> disaster area - it chooses a predictable name and makes the file
> unsafely. On RedHat Linux it's fine though.

That's another reason for not using mktemp.

Isn't there any alternative method for creating secure temporary
directories/files only with sh internals or binaries which are
available on _every_ system?

Ciao

        Roland

-- 
 * roland@spinnaker.de * http://www.spinnaker.de/ *
 PGP: 1024/DD08DD6D   2D E7 CC DE D5 8D 78 BE  3C A0 A4 F1 4B 09 CE AF
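
An added example, not part of the original message: one way to create a private temporary directory using only sh, umask, mkdir and awk, with a post-check for the symlink-following mkdir behaviour reported in the thread. The function name `make_private_tmpdir` is hypothetical, and the code assumes a POSIX shell (for `$(( ))` and `test -L`).

```shell
#!/bin/sh
# Added example (constructed for this page; make_private_tmpdir is a
# hypothetical name). Assumes a POSIX sh, mkdir, awk and test -L.

# make_private_tmpdir PREFIX
# Prints the path of a newly created mode-0700 directory; returns 1 on failure.
make_private_tmpdir() {
    mpt_base=${TMPDIR:-/tmp}
    mpt_try=0
    while [ "$mpt_try" -lt 20 ]; do
        mpt_try=$((mpt_try + 1))
        # The suffix only reduces collisions. Safety comes from plain mkdir
        # failing when the name already exists, not from the name being secret.
        mpt_rnd=$(awk 'BEGIN { srand(); printf "%06d", int(rand() * 1000000) }')
        mpt_dir=$mpt_base/${1:-tmp}.$$.${mpt_try}.${mpt_rnd}
        # Subshell: the restrictive umask does not leak into the caller.
        # No -p: with -p, mkdir would succeed on a pre-existing directory.
        if (umask 077 && mkdir "$mpt_dir") 2>/dev/null; then
            # On a platform whose mkdir follows a dangling symlink, the name
            # would still be a symlink here; refuse to use it in that case.
            if [ -d "$mpt_dir" ] && [ ! -L "$mpt_dir" ]; then
                printf '%s\n' "$mpt_dir"
                return 0
            fi
            return 1
        fi
    done
    return 1
}

# Typical use in a script:
#   tmpdir=$(make_private_tmpdir foo) || exit 1
#   trap 'rm -rf "$tmpdir"' 0
#   trap 'exit 1' 1 2 3 15
```
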

