On Tue, May 23, 2006 at 12:24:06AM +0200, Michael Kerrisk wrote:
> Justin,
>
> > On Mon, May 22, 2006 at 02:20:55PM -0400, Christopher W. Curtis wrote:
> > > Package: manpages-dev
> > > Version: 2.02-2
> > You should really update the package, as it changes pretty quickly.
> > BTW, what suite are you running (stable sarge/testing etch/unstable
> > sid) that has 2.02-2, or is this not a networked machine?
> >
> > > Quite simply, the man pages for tempnam.3 and mktemp.3 both say to use
> > > mkstemp.3 but that man page says to never use the function and
> > > recommends using tmpfile.3. tmpfile.3 seems happy to be called.
> > I don't disagree that the situation is not ideal and should be fixed.
> >
> > > I hope that tmpfile() really is a secure call ... people seem confused.
> > The low-level necessary thing is to use open() with flags
> > O_CREAT|O_EXCL, which means "create a new file, but fail if it already
> > exists". In a unix program, you can just loop around open() with
> > various filenames (eg. from sprintf and a counter) to do this.
> > glibc fopen() has the "x" flag which does this more portably.
> >
> > mkstemp.3
> > This guarantees to open the file with O_EXCL (though it doesn't
> > mention O_CREAT, and probably should),
>
> Absolutely no reason to mention O_CREAT...
>
> > so it is safe.
>
> Yes, but not for the reason you cite. ...
>
> > tmpnam.3 (and tmpnam_r.3)
> > I think this is one of the classically-buggy functions. Since it
> > generates a filename, but doesn't ask the kernel to create that file
> > atomically, it is easy to pass its return value to fopen() and be done
> > with it; but, again, this is insecure if you don't use "exclusive"
> > mode. It should be fine if you do use it, though.
>
> No! The problem is that between creation of the name and opening
> it (in /tmp, a world writable directory), some other program could
> create that file or create it as a symlink, causing the original
> program to do the wrong thing.

Not in exclusive mode.. In my test it didn't matter if it was a
dangling symlink, a real symlink, or a file. Exclusive mode fails if
the pathname exists in any way:

| O_EXCL When used with O_CREAT, if the file already exists it is an
|        error and the open() will fail. In this context, a symbolic link
|        exists, regardless of where it points to.

Justin
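
Added example, not part of the original message and not code from the thread: the O_EXCL behaviour discussed above, checked against a regular file, a real symlink and a dangling symlink, followed by the "loop around open()" approach with a counter. The scratch directory under /tmp, the tmp.N naming scheme and all function names are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() and symlink() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Exclusive create: returns an fd, or -errno if the open fails. */
static int excl_create(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    return fd >= 0 ? fd : -errno;
}

/* "Loop around open()" with counter-based names until one is ours. */
static int open_unique(const char *dir, char *out, size_t len)
{
    for (unsigned i = 0; i < 1000; i++) {
        snprintf(out, len, "%s/tmp.%u", dir, i);
        int fd = excl_create(out);
        if (fd != -EEXIST) return fd;   /* success, or a different error */
    }
    return -EEXIST;
}

/* Constructed test: plant a file, a symlink and a dangling symlink on the
 * first three names, then count the EEXIST refusals (-1 on any surprise). */
static int run_demo(void)
{
    char dir[] = "/tmp/excl-demo.XXXXXX", p[4][64], got[64];
    int fd, refused = 0;
    if (!mkdtemp(dir)) return -1;
    for (int i = 0; i < 4; i++)
        snprintf(p[i], sizeof p[i], "%s/tmp.%d", dir, i);
    if ((fd = excl_create(p[0])) < 0 || close(fd) != 0 ||   /* regular file */
        symlink(p[0], p[1]) != 0 ||                          /* real symlink */
        symlink("/nonexistent/excl-demo", p[2]) != 0)        /* dangling */
        return -1;
    for (int i = 0; i < 3; i++) refused += (excl_create(p[i]) == -EEXIST);
    fd = open_unique(dir, got, sizeof got);   /* must skip all three names */
    if (fd < 0 || strcmp(got, p[3]) != 0) refused = -1;
    if (fd >= 0) close(fd);
    for (int i = 0; i < 4; i++) unlink(p[i]);
    rmdir(dir);
    return refused;
}

int main(void) { printf("refused %d of 3\n", run_demo()); return 0; }
```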