Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: [PATCH] replacement for mktemp and mkstemp code in Src/utils.c

X-seq: zsh-workers 44236
From: Matthew Martin <phy1729@xxxxxxxxx>
To: Clinton Bunch <cdb_zsh@xxxxxxxxxxx>
Subject: Re: [PATCH] replacement for mktemp and mkstemp code in Src/utils.c
Date: Fri, 19 Apr 2019 23:33:50 -0500
Cc: zsh-workers@xxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:mail-followup-to:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to:user-agent; bh=ZIeBwqv7bOQYRWvI8AIz/loz7ykeaaCcWcu9a33plUM=; b=cFDSNVeHR8WXFPZ93dhoq48SfpUU83jLSPR7VmAsGq0P/W3nw9Lug36cFd2t98Ol5w Gnpy6jbocvCyHoBDs7mYOG/fiRzb81J2q7I7iwDP+OfT9a05uQWzcN1C+Uo2MQvBkYZX IIlSVn1f+/R2NvuE6xb0y0lNRUb3Swc3BHpp9kKEFRVFWtHWp3yWnOJ92/Id4HLBd2wi pWd8fvRKQmHEi6S0gMw/8ZpovLw6fmmdqSDrudrS3RYNMxZWoULHm0nDmp6dgzpuXnnB rDORqIQwK5O4dT2/viCSxy1NWiRYZefjbpXUwGeH2pMim9HKY2TLy6I2YZTrauXNwTJd J1GQ==
In-reply-to: <b72ceb70-aa91-4230-98fe-1ba5cdf0bb46@zentaur.org>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
List-unsubscribe: <mailto:zsh-workers-unsubscribe@zsh.org>
Mail-followup-to: Clinton Bunch <cdb_zsh@xxxxxxxxxxx>, zsh-workers@xxxxxxx
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
References: <b72ceb70-aa91-4230-98fe-1ba5cdf0bb46@zentaur.org>

On Fri, Apr 19, 2019 at 02:54:47PM -0500, Clinton Bunch wrote:
> On at least one system mktemp produces very predictable names:
> 
> % () { print File: $1; cat $1 } =(print "Hello World")
> File: /tmp/zsh010785
> Hello World
> % () { print File: $1; cat $1 } =(print "Hello World")
> File: /tmp/zsh010785
> Hello World
> % () { print File: $1; cat $1 } =(print "Hello World")
> File: /tmp/zsh010785
> Hello World
> % echo $$
> 10785
> 
> This provides an alternate implementation for generating and opening temp
> file names.  I considered only using this implementation on known bad
> systems, but I have no way of knowing all of them (or testing for them in
> configure).  I see no reason to expect system implementations of mktemp or
> mkstemp to be significantly faster than mine unless written in assembly
> (which seems unlikely).

I would strongly prefer using the implementation only on known bad
systems (or prodding the relevant vendors to fix their system). I don't
think speed should be the main consideration here; rather the primary
concern should be security. While your patch is certainly better than
using the native mktemp on at least one system, it would be worse than
the native mktemp on say FreeBSD which uses arc4random_uniform which
does not require a user provided seed nor does it have modulo bias.

Follow-Ups:
- Re: [PATCH] replacement for mktemp and mkstemp code in Src/utils.c
  - From: Mikael Magnusson

References:
- [PATCH] replacement for mktemp and mkstemp code in Src/utils.c
  - From: Clinton Bunch

Messages sorted by: Reverse Date, Date, Thread, Author