[3858] in bugtraq
Re: mktemp() and friends
daemon@ATHENA.MIT.EDU (Theo de Raadt)
Tue Dec 24 15:50:47 1996
Date: Tue, 24 Dec 1996 12:59:09 -0700
Reply-To: Theo de Raadt <deraadt@cvs.openbsd.org>
From: Theo de Raadt <deraadt@cvs.openbsd.org>
X-To: Benedikt Stockebrand <benedikt@devnull.ruhr.de>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: Your message of "Tue, 24 Dec 1996 02:34:45 +0100." <87rakgzpvu.fsf@devnull.ruhr.de>
> A more reasonable approach would be to use $UID and/or $$ and/or
> $RANDOM and/or `date +%s` (if you've got a GNU date) in the file name.
> Like /tmp/cron.daily.`date +%s`.$$ --- one of my favourites.
Do not use this technique in shell scripts! This is a security hole!
Yes, I know.... every example shell script on every unix operating
system you've ever used does it wrong. Yes, even such simple stuff as
mkdep(1) gets it wrong. Even those should be fixed!
The best safe technique which I know of (as also demonstrated in the
SNI advisory and in numerous OpenBSD shell scripts) is:
umask 077 # you may want this
DIR=/tmp/_dirname$$
FILE=$DIR/_filename
if ! mkdir "$DIR" ; then
	# be nice if an error happens; i.e. warn about DoS (denial of service) attacks
	printf "tmp directory %s already exists, looks like:\n" "$DIR"
	ls -alF "$DIR"
	exit 1
fi
# directory will get cleaned on exit or failure
trap 'rm -rf $DIR' 0 1 2 3 4 5 6 7 8 10 11 12 13 14 15
# From this point on you can safely play with $FILE, since you know it
# cannot have been spoofed via symbolic link games.
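The following is an added example, not code from Theo's post or from OpenBSD, that wraps the same mkdir-based technique in reusable POSIX sh functions. It assumes a writable base directory such as /tmp; the function names (make_private_tmpdir, remove_on_exit, write_private_file, dir_mode) and any sample paths are constructed for this illustration. It uses signal names in the trap rather than the numeric list above, and it shows both the success path and what happens when an entry already occupies the expected name.

```shell
#!/bin/sh
# Added example (not part of the original post): Theo's mkdir-based
# private temporary directory, as reusable functions. Names and paths
# below are constructed for illustration.

# make_private_tmpdir BASE NAME
#   Atomically creates BASE/NAME.<pid> with mode 0700 and prints its path.
#   mkdir(2) fails with EEXIST if *anything* already sits at that path,
#   a regular file, a directory or a symlink planted by another user, so
#   unlike a plain "> /tmp/foo.$$" redirection it can never follow a link.
make_private_tmpdir() {
    base=$1
    name=$2
    dir="$base/$name.$$"
    umask 077
    if ! mkdir "$dir" 2>/dev/null; then
        # Be loud about it: a pre-existing entry is the precondition of a
        # symlink race or a deliberate denial of service, so show what it is.
        printf 'tmp directory %s already exists, looks like:\n' "$dir" >&2
        ls -alF "$dir" >&2
        return 1
    fi
    printf '%s\n' "$dir"
}

# remove_on_exit DIR
#   Registers DIR for removal on normal exit and on the usual fatal
#   signals. Signal names replace the numeric list in the original;
#   KILL (9) cannot be trapped, which is why the original skips it too.
CLEANUP_DIRS=""
remove_on_exit() {
    CLEANUP_DIRS="$CLEANUP_DIRS $1"
    trap 'rm -rf $CLEANUP_DIRS' EXIT
    trap 'rm -rf $CLEANUP_DIRS; exit 1' HUP INT QUIT TERM
}

# write_private_file DIR NAME
#   Writes stdin to DIR/NAME. Because DIR was created by us with mode
#   0700, nobody else can pre-create or link entries inside it, so the
#   plain redirection here is safe.
write_private_file() {
    cat > "$1/$2"
}

# dir_mode DIR
#   Prints the "drwx------"-style permission string. ls(1) output is used
#   because stat(1) flags differ between GNU and BSD systems.
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# Usage (constructed): a scratch directory for the lifetime of the script.
#   WORK=$(make_private_tmpdir /tmp myscript) || exit 1
#   remove_on_exit "$WORK"
#   printf 'data\n' | write_private_file "$WORK" output
```

The key property is that mkdir(2) either creates the directory or fails; there is no window between "check whether it exists" and "use it" for another user to plant a symlink, and everything created underneath inherits the protection of the 0700 parent.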