Re: [PATCH] Re: Insecure tempfile creation

[Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx>]

On Jan 7, 10:48pm, Danek Duvall wrote:
} Subject: Re: [PATCH] Re: Insecure tempfile creation
}
} On Wed, Jan 07, 2015 at 10:22:20PM -0800, Bart Schaefer wrote:
} 
} > On Wed, Jan 7, 2015 at 2:03 PM, Daniel Shahaf <d.s@xxxxxxxxxxxxxxxxxx> wrote:
} > > Coming back to this, it has occurred to me that
} > >
} > >         mv -f =(:) ${TMPPREFIX:-/tmp/zsh}foo$$
} > >
} > 
} > Hmm.  Yup, we need "ln -Fh" instead of "mv -f".  Are the -F and -h
} > options of "ln" fairly standard?
} 
} Neither exists on Solaris ln.  GNU coreutils ln doesn't seem to have -h,
} either.  And -F just seems like a bad idea, supported or not.

-F on MacOS (where I was reading the manual) is like -f in coreutils,
not like -F in coreutils (sigh).  And -h is --no-dereference.  

} What about mktemp?

That doesn't help; it's exactly the same as =(:) for this purpose.  The
"mv" trick above is used where we need to create a file with a specific
name -- if we did not need a specific name, we could just use the name
created by =(:) directly.

Fortunately, we have the zsh/files module which provides a buitin "ln"
with well-defined semantics.  Hopefully that's good enough.