Bugtraq mailing list archives

Re: Insecure use of file in /tmp by trn


From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Sat, 28 Aug 1999 00:44:19 -0600


Funny how the man page does not say that this is derived from OpenBSD.

I'll include the new man page down below to show how we have improved
both the program and the manual page since.  It's also good for people
to actually know what the flags mean.

Please note that it is /usr/bin/mktemp, not /bin/mktemp like some
other systems have placed our program.

Debian uses a program called `mktemp' to create temporary files in
shell scripts.  Other distributions might well adopt this or a similar
solution.  An excerpt from its manpage is enclosed below.

SYNOPSIS
     mktemp [-q] [-u] template

DESCRIPTION
     The mktemp utility takes the given file name template and overwrites a
     portion of it to create a file name.  This file name is unique and suit-
     able for use by the application.  The template is any file name with six
     `Xs' appended to it, for example /tmp/temp.XXXXXX. The `Xs' are replaced
     with the current process number and/or a unique letter combination.
     Roughly 26 ** 6 combinations are tried.

     If mktemp can successfully generate a unique file name, the file is cre-
     ated with mode 0600 (unless the -u flag is given) and the filename is
     printed to standard output.

     Debian packages using mktemp in maintainer scripts must depend on de-
     bianutils >= 1.7.

EXAMPLES
     The following sh(1) fragment illustrates a simple use of mktemp where the
     script should quit if it cannot get a safe temporary file.

           p=`basename $0`
           TMPFILE=`mktemp /tmp/$p.XXXXXX` || exit 1
           echo "program output" >> $TMPFILE

---------------------------------------
NAME
     mktemp - make temporary file name (unique)

SYNOPSIS
     mktemp [-d] [-q] [-u] template

DESCRIPTION
     The mktemp utility takes the given file name template and overwrites a
     portion of it to create a file name.  This file name is unique and suit-
     able for use by the application.  The template may be any file name with
     some number of `Xs' appended to it, for example /tmp/temp.XXXXXXXXXX. The
     trailing `Xs' are replaced with the current process number and/or a
     unique letter combination.  The number of unique file names mktemp can
     return depends on the number of `Xs' provided; six `Xs' will result in
     mktemp testing roughly 26 ** 6 combinations.

     If mktemp can successfully generate a unique file name, the file is cre-
     ated with mode 0600 (unless the -u flag is given) and the filename is
     printed to standard output.

     mktemp is provided to allow shell scripts to safely use temporary files.
     Traditionally, many shell scripts take the name of the program with the
     PID as a suffix and use that as a temporary file name.  This kind of nam-
     ing scheme is predictable and the race condition it creates is easy for
     an attacker to win.  A safer, though still inferior approach is to make a
     temporary directory using the same naming scheme.  While this does allow
     one to guarantee that a temporary file will not be subverted, it still
     allows a simple denial of service attack.  For these reasons it is sug-
     gested that mktemp be used instead.

OPTIONS
     The available options are as follows:

     -d      Make a directory instead of a file.

     -q      Fail silently if an error occurs.  This is useful if a script
             does not want error output to go to standard error.

     -u      Operate in ``unsafe'' mode.  The temp file will be unlinked be-
             fore mktemp exits.  This is slightly better than mktemp(3) but
             still introduces a race condition.  Use of this option is not en-
             couraged.

RETURN VALUES
     The mktemp utility exits with a value of 0 on success or 1 on failure.

EXAMPLES
     The following sh(1) fragment illustrates a simple use of mktemp where the
     script should quit if it cannot get a safe temporary file.

           TMPFILE=`mktemp /tmp/$0.XXXXXXXXXX` || exit 1
           echo "program output" >> $TMPFILE

     In this case, we want the script to catch the error ourselves.

           TMPFILE=`mktemp -q /tmp/$0.XXXXXXXXXX`
           if [ $? -ne 0 ]; then
                   echo "$0: Can't create temp file, exiting..."
                   exit 1
           fi

     Or perhaps you don't want to exit if mktemp is unable to create the file.
     In this case you can protect the part of the script thusly.

           TMPFILE=`mktemp /tmp/$0.XXXXXXXXXX` && {
                   # Safe to use $TMPFILE in this block
                   echo data > $TMPFILE
                   ...
                   rm -f $TMPFILE
           }

SEE ALSO
     mkdtemp(3),  mkstemp(3),  mktemp(3)

HISTORY
     The mktemp utility appeared in OpenBSD 2.1.

OpenBSD 2.5                    November 20, 1996                             2
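
The predictable program-name-plus-PID scheme that the DESCRIPTION above warns about, run side by side with mktemp. This is an added example, not part of the original message or of the OpenBSD manual page. The private sandbox directory (standing in for /tmp), the `demo.` prefix and the function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not part of the man page. Everything happens inside a private
# sandbox directory, which stands in for a world-writable /tmp.

# Legacy pattern: program name plus PID. The name is guessable, and the
# redirection follows whatever already exists at that path.
legacy_write() {            # $1 = directory, $2 = data
    echo "$2" >> "$1/demo.$$"
}

# mktemp pattern: a new file is created exclusively with mode 0600; the
# caller gets the name on stdout or a non-zero exit status.
mktemp_write() {            # $1 = directory, $2 = data
    f=$(mktemp "$1/demo.XXXXXXXXXX") || return 1
    echo "$2" >> "$f" && printf '%s\n' "$f"
}

demo() {
    sandbox=$(mktemp -d "${TMPDIR:-/tmp}/tmpdemo.XXXXXXXXXX") || return 1
    target="$sandbox/target"
    : > "$target"
    # Constructed scenario: a symlink already sits at the predictable name.
    ln -s "$target" "$sandbox/demo.$$"

    legacy_write "$sandbox" "program output"
    if [ -s "$target" ]; then legacy=redirected; else legacy=isolated; fi

    : > "$target"           # reset, then repeat the write through mktemp
    f=$(mktemp_write "$sandbox" "program output") || { rm -rf "$sandbox"; return 1; }
    if [ -s "$target" ] || [ -L "$f" ]; then made=redirected; else made=isolated; fi
    mode=$(ls -ld "$f" | cut -c1-10)

    rm -rf "$sandbox"
    echo "legacy=$legacy mktemp=$made mode=$mode"
}

demo
```

In a real script, quote `"$TMPFILE"` wherever it is used and build the template from `basename "$0"`, since `$0` may contain slashes.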

