On Sat, Apr 20, 2013 at 12:45:44PM -0500, Derek Martin wrote:
> On Sat, Apr 20, 2013 at 12:09:49PM -0000, Mutt wrote:
> > mk[sd]temp() exist as handy temp creators that avoid foot shooting.
> > But if you care about the resultant filename, you can make your
> > own. That's mentioned in the open(.. O_CREAT|O_EXCL ..) in the spec
> > below.
>
> Sure, you can make your own custom temp file creator, but the whole
> point of having a library function is that getting this right is much
> harder than it seems at first glance, and the OS should make it easy
> for you. But besides, that IS what Mutt has... its own custom temp
> file creator. Which uses mktemp() to generate file names. Which is
> totally fine.
>
> > # mkstemp() - secure family
> > http://pubs.opengroup.org/onlinepubs/9699919799/functions/mkstemp.html
> > # mktemp() - insecure, removed from spec
>
> mktemp() IS NOT insecure. The way it has been used over the years is.
> The warning is, in fact, a lie; it's an overreaction to a related but
> DIFFERENT problem. Writing your own random filename generator would
> essentially amount to re-writing mktemp(), except that it would likely
> be less secure (potentially due to insufficient randomness, etc.),
> unless you knew what you were doing. So replacing mktemp() is
> pointless. So long as the weakness is documented (which it is), and
> the way to use it correctly is understood (which it is), there's no
> problem with mktemp().
So true. The Solaris OS developers spend a lot of time and energy getting
things like this right (and these are some smart peeps). The vast majority
of the time, rolling one's own is a mistake.

-- 
Will Fiveash
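As an added example that is not part of this thread, the pattern the quoted messages refer to: generate a random name and create it with open(O_CREAT|O_EXCL), drawing a new name on EEXIST, which is essentially what mkstemp() packages for you. It assumes a POSIX system with /dev/urandom; the function names and the template are the example's own.

```c
/* Added example, not code from the mutt thread: a mkstemp()-style creator
 * using open(O_CREAT|O_EXCL) as discussed above. Assumes POSIX (/dev/urandom);
 * the function names and template are this example's own. */
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* tmpl ends in "XXXXXX" and receives the created name; returns an O_RDWR
 * descriptor, or -1 with errno set (EINVAL for a bad template). */
int create_temp_excl(char *tmpl)
{
    static const char set[] = "abcdefghijklmnopqrstuvwxyz0123456789";
    size_t len = strlen(tmpl);
    if (len < 6 || strcmp(tmpl + len - 6, "XXXXXX") != 0) {
        errno = EINVAL;
        return -1;
    }
    int rfd = open("/dev/urandom", O_RDONLY);
    if (rfd < 0) return -1;
    for (int attempt = 0; attempt < 100; attempt++) {
        unsigned char r[6];                   /* fresh suffix each attempt */
        if (read(rfd, r, sizeof r) != (ssize_t)sizeof r) break;
        for (int i = 0; i < 6; i++)           /* slight modulo bias is fine */
            tmpl[len - 6 + i] = set[r[i] % (sizeof set - 1)];
        /* O_EXCL is the defence: creation is atomic, and anything already at
         * this name (a file or a planted symlink) yields EEXIST, not an open. */
        int fd = open(tmpl, O_RDWR | O_CREAT | O_EXCL, 0600);
        if (fd >= 0) { close(rfd); return fd; }
        if (errno != EEXIST) break;           /* EACCES, ENOENT, ...: give up */
    }                                         /* EEXIST: taken, draw again */
    int saved = errno;
    close(rfd);
    errno = saved;
    return -1;
}

/* A second exclusive create on the name just made must fail with EEXIST. */
int excl_refuses_existing(void)
{
    char name[] = "/tmp/excl-demo.XXXXXX";
    int fd = create_temp_excl(name);
    if (fd < 0) return 0;
    int again = open(name, O_RDWR | O_CREAT | O_EXCL, 0600);
    int refused = again < 0 && errno == EEXIST;
    if (again >= 0) close(again);
    close(fd);
    unlink(name);
    return refused;
}
```

The caller must keep the name the template was rewritten to, since that is the only handle for unlinking the file later.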
