Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: ``mktemp() possibly used unsafely''



> utils.o: warning: mktemp() possibly used unsafely, consider using mkstemp ()
> 
> What is the danger here?  How do I change to mkstemp ?

Do not worry, mktemp is just fine if you know how to use it.  It is a
common mistake to use fopen or open with improper flags on the result of
mktemp.  A bad guy can guess the result of mktemp, and may try to create
a symlink with that name to some precious file, like your mailbox or
.rhosts file before your open is executed (but after mktemp has
finished).  Zsh always uses open(name, O_WRONLY | O_CREAT | O_EXCL, 0600)
to open such a file since 2.6-beta14.  Besides zsh also uses mktemp to
create temporary fifos for process substitution in which case mkstemp is
not really appropriate.

Ironically there has been a bug in the GNU libc and derivatives
(i.e. Linux libc 5) which created mkstemp files with 0666 permissions,
which means that mktemp when used properly can be more secure than
mkstemp.

Zoli



Messages sorted by: Reverse Date, Date, Thread, Author