[11584] in bugtraq
Re: Insecure use of file in /tmp by trn
daemon@ATHENA.MIT.EDU (Theo de Raadt)
Sun Aug 29 23:16:52 1999
Message-Id: <199908280644.AAA21194@cvs.openbsd.org>
Date: Sat, 28 Aug 1999 00:44:19 -0600
Reply-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
X-To: pfaffben@msu.edu
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "Tue, 24 Aug 1999 13:09:28 EDT."
<87zozhnm0n.fsf@pfaffben.user.msu.edu>
Funny how the man page does not say that this is derived from OpenBSD.
I'll include the new man page down below to show how we have improved
both the program and the manual page since. It's also good for people
to actually know what the flags mean.
Please note that it is /usr/bin/mktemp, not /bin/mktemp like some
other systems have placed our program.
> Debian uses a program called `mktemp' to create temporary files in
> shell scripts. Other distributions might well adopt this or a similar
> solution. An excerpt from its manpage is enclosed below.
>
> SYNOPSIS
> mktemp [-q] [-u] template
>
> DESCRIPTION
> The mktemp utility takes the given file name template and overwrites a
> portion of it to create a file name. This file name is unique and suit-
> able for use by the application. The template is any file name with six
> `Xs' appended to it, for example /tmp/temp.XXXXXX. The `Xs' are replaced
> with the current process number and/or a unique letter combination.
> Roughly 26 ** 6 combinations are tried.
>
> If mktemp can successfully generate a unique file name, the file is cre-
> ated with mode 0600 (unless the -u flag is given) and the filename is
> printed to standard output.
>
> Debian packages using mktemp in maintainer scripts must depend on de-
> bianutils >= 1.7.
>
> EXAMPLES
> The following sh(1) fragment illustrates a simple use of mktemp where the
> script should quit if it cannot get a safe temporary file.
>
> p=`basename $0`
> TMPFILE=`mktemp /tmp/$p.XXXXXX` || exit 1
> echo "program output" >> $TMPFILE
---------------------------------------
NAME
mktemp - make temporary file name (unique)
SYNOPSIS
mktemp [-d] [-q] [-u] template
DESCRIPTION
The mktemp utility takes the given file name template and overwrites a
portion of it to create a file name. This file name is unique and suit-
able for use by the application. The template may be any file name with
some number of `Xs' appended to it, for example /tmp/temp.XXXXXXXXXX. The
trailing `Xs' are replaced with the current process number and/or a
unique letter combination. The number of unique file names mktemp can
return depends on the number of `Xs' provided; six `Xs' will result in
mktemp testing roughly 26 ** 6 combinations.
If mktemp can successfully generate a unique file name, the file is cre-
ated with mode 0600 (unless the -u flag is given) and the filename is
printed to standard output.
mktemp is provided to allow shell scripts to safely use temporary files.
Traditionally, many shell scripts take the name of the program with the
PID as a suffix and use that as a temporary file name. This kind of nam-
ing scheme is predictable and the race condition it creates is easy for
an attacker to win. A safer, though still inferior approach is to make a
temporary directory using the same naming scheme. While this does allow
one to guarantee that a temporary file will not be subverted, it still
allows a simple denial of service attack. For these reasons it is sug-
gested that mktemp be used instead.
OPTIONS
The available options are as follows:
-d Make a directory instead of a file.
-q Fail silently if an error occurs. This is useful if a script
does not want error output to go to standard error.
-u Operate in ``unsafe'' mode. The temp file will be unlinked be-
fore mktemp exits. This is slightly better than mktemp(3) but
still introduces a race condition. Use of this option is not en-
couraged.
RETURN VALUES
The mktemp utility exits with a value of 0 on success or 1 on failure.
EXAMPLES
The following sh(1) fragment illustrates a simple use of mktemp where the
script should quit if it cannot get a safe temporary file.
    TMPFILE=`mktemp /tmp/$0.XXXXXXXXXX` || exit 1
    echo "program output" >> $TMPFILE

In this case, we want the script to catch the error ourselves.

    TMPFILE=`mktemp -q /tmp/$0.XXXXXXXXXX`
    if [ $? -ne 0 ]; then
        echo "$0: Can't create temp file, exiting..."
        exit 1
    fi

Or perhaps you don't want to exit if mktemp is unable to create the file.
In this case you can protect the part of the script thusly.

    TMPFILE=`mktemp /tmp/$0.XXXXXXXXXX` && {
        # Safe to use $TMPFILE in this block
        echo data > $TMPFILE
        ...
        rm -f $TMPFILE
    }
SEE ALSO
mkdtemp(3), mkstemp(3), mktemp(3)
HISTORY
The mktemp utility appeared in OpenBSD 2.1.
OpenBSD 2.5 November 20, 1996
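
The contrast the man page draws between PID-suffixed names and mktemp, as an added example that is not part of the original post or of OpenBSD's code. It assumes a writable ${TMPDIR:-/tmp}; the "prog" prefix, the scratch directory name and the helper function names are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Everything happens inside a
# private scratch directory; the "prog" prefix and contents are constructed.

SCRATCH=`mktemp -d "${TMPDIR:-/tmp}/mktemp-demo.XXXXXXXXXX"` || exit 1
trap 'rm -rf "$SCRATCH"' EXIT

file_mode() { ls -ld "$1" | cut -c1-10; }

# PID-suffix naming: the name is guessable, and '>' opens whatever already
# sits there, so the output lands in a file whose mode the script never chose.
pid_style_mode() {
    name="$SCRATCH/prog.$$"
    : > "$name"; chmod 666 "$name"      # constructed: name was taken first
    echo "program output" > "$name"     # reused without any error
    file_mode "$name"; rm -f "$name"
}

# mktemp: creates the file itself (mode 0600) or fails; the caller must check.
make_tmp() { mktemp -q "$1/prog.XXXXXXXXXX"; }

mktemp_mode() {
    f=`make_tmp "$SCRATCH"` || return 1
    echo "program output" >> "$f"
    file_mode "$f"; rm -f "$f"
}

# Two calls with one template give two distinct, existing files.
mktemp_unique() {
    a=`make_tmp "$SCRATCH"` || return 1
    b=`make_tmp "$SCRATCH"` || return 1
    if [ "$a" != "$b" ] && [ -f "$a" ] && [ -f "$b" ]; then rc=0; else rc=1; fi
    rm -f "$a" "$b"; return $rc
}

echo "PID-style file mode: `pid_style_mode`"
echo "mktemp file mode:    `mktemp_mode`"
mktemp_unique && echo "mktemp names are unique"
make_tmp "$SCRATCH/missing" || echo "mktemp failed cleanly on a bad path"
```

The PID-style write keeps the permissions of the file that was already there, while the mktemp file is always freshly created and private to the caller.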