Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.

Dismiss

``mktemp() possibly used unsafely''

1 view

Skip to first unread message

Timothy J Luoma

unread,

May 4, 1998, 3:00:00 AM5/4/98

to zsh-w...@math.gatech.edu

I just compiled 3.05 on a NetBSD 1.3 machine and saw this warning:

utils.o: warning: mktemp() possibly used unsafely, consider using mkstemp ()

What is the danger here? How do I change to mkstemp ?

TjL

Zoltan Hidvegi

unread,

May 5, 1998, 3:00:00 AM5/5/98

to Timothy J Luoma

> utils.o: warning: mktemp() possibly used unsafely, consider using mkstemp ()
>
> What is the danger here? How do I change to mkstemp ?

Do not worry, mktemp is just fine if you know how to use it. It is a
common mistake to use fopen or open with improper flags on the result of
mktemp. A bad guy can guess the result of mktemp, and may try to create
a symlink with that name to some precious file, like your mailbox or
.rhosts file before your open is executed (but after mktemp has
finished). Zsh always uses open(name, O_WRONLY | O_CREAT | O_EXCL, 0600)
to open such a file since 2.6-beta14. Besides zsh also uses mktemp to
create temporary fifos for process substitution in which case mkstemp is
not really appropriate.

Ironically there has been a bug in the GNU libc and derivatives
(i.e. Linux libc 5) which created mkstemp files with 0666 permissions,
which means that mktemp when used properly can be more secure than
mkstemp.

Zoli

0 new messages