Secure Coding mailing list archives
temporary directories
From: ljknews at mac.com (ljknews)
Date: Fri, 29 Dec 2006 15:28:13 -0500
At 1:41 PM -0500 12/29/06, Robert C. Seacord wrote:
I've seen advice here and there to use the mkdtemp() function to create temporary directories, for example: - Kris Kennaway email at http://lwn.net/2000/1221/a/sec-tmp.php3 recommends them - David Wheeler's Secure Programming for Linux and Unix HOWTO at http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO.html mentions it may not be a good idea if tmp cleaners are in use (but this sort of suggests maybe it is ok if they are not.) - HP 03 Tru64 UNIX Protecting Your System Against File Name Spoofing Attacks. January 2003. http://h30097.www3.hp.com/docs/wpapers/spoof_wp/symlink_external.pdf - etc. The mkdtemp() function generates a uniquely-named temporary directory from template. This function appears to work exactly like mktemp() works for files, except of course mktemp() has been widely discredited because of possible TOCTOU conditions and problems generating unique, unpredictable names. So my question is, why is mkdtemp() considered safe? Isn't it also susceptible to race conditions? Is there a reason why these race conditions are not at issue in this case? Or is it only considered safe because there is no alternative?
Not on Unix, but I tend to use temporary names based on the Process ID that is executing. And of course file protection prevents malevolent access. But for a temporary file, I will specify a file that is not in any directory. I presume there is such a capbility in Unix. -- Larry Kilgallen
Current thread:
- Compilers, (continued)
- Compilers Tim Hollebeek (Dec 27)
- Compilers David A. Wheeler (Dec 21)
- Compilers Gary McGraw (Dec 21)
- Compilers SC-L Subscriber Dave Aronson (Dec 27)
- Compilers Leichter, Jerry (Dec 27)
- Compilers David A. Wheeler (Dec 28)
- Compilers Leichter, Jerry (Dec 29)
- temporary directories Robert C. Seacord (Dec 29)
- temporary directories ljknews (Dec 29)
- temporary directories Leichter, Jerry (Dec 29)
- temporary directories ljknews (Dec 29)
- temporary directories Leichter, Jerry (Dec 30)
- temporary directories ljknews (Dec 30)
- temporary directories Florian Weimer (Dec 30)
- temporary directories ljknews (Dec 30)
- Compilers Leichter, Jerry (Dec 29)
- temporary directories der Mouse (Dec 29)
- temporary directories Mark Rockman (Dec 30)