Re: mktemp() and friends

[avalon () coombs anu edu au (Darren Reed)]

In some mail from Theo de Raadt, sie said:
> > In some mail from Theo de Raadt, sie said:
> > [...]
> > > Has anyone done a major cleanup of /tmp holes (ie. mktemp and friends)?
> >
> > Personally, I think they should all return either "FILE *" or an open
> > file descriptor so even if /tmp isn't +t, you already have opened the
> > file you actually asked for.  But that's just IMHO.
>
> Uhm, +t doesn't actually help much for the race at file creation time.
> You are still symbolic link raceable since mktemp filenames are
> guessable.  The filenames are guessable since the 6 X's are written
> over by not much more than just the pid -- mktemp() wants to generate
> low-collision-rate filenames.

open("/tmp/filename", O_CREAT|O_EXCL) is what I'd like to see used and what I
think that interface should use (this provides an open file descriptor
or -1 if the file is already there, no symbolic link races, etc).  I don't
know if it does or doesn't, but it should.

mktemp/mkstemp/tmpnam/tempnam should not be used and tmpfile should be
implemented as above.

Then there are temporary files used in shell scripts - quite often root
cornjobs get implemented to write to some file in /tmp (I prefer to use
/, ~root or /etc).

Darren