From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <zsh-workers-return-14941-mason-zsh=primenet.com.au@sunsite.dk>
Received: (qmail 9388 invoked from network); 16 Jun 2001 03:09:52 -0000
Received: from sunsite.dk (130.225.51.30)
  by ns1.primenet.com.au with SMTP; 16 Jun 2001 03:09:52 -0000
Received: (qmail 8124 invoked by alias); 16 Jun 2001 03:09:20 -0000
Mailing-List: contact zsh-workers-help@sunsite.dk; run by ezmlm
Precedence: bulk
X-No-Archive: yes
X-Seq: 14941
Received: (qmail 8113 invoked from network); 16 Jun 2001 03:09:19 -0000
X-Authentication-Warning: candle.brasslantern.com: schaefer set sender to lantern@shell10.ba.best.com using -f
From: "Bart Schaefer" <schaefer@candle.brasslantern.com>
Message-Id: <1010616030727.ZM4354@candle.brasslantern.com>
Date: Sat, 16 Jun 2001 03:07:27 +0000
In-Reply-To: <Pine.LNX.4.33L2.0106151654030.8874-100000@phong.blorf.net>
Comments: In reply to Wayne Davison <wayned@users.sourceforge.net>
        "Re: PATCH: 4.1.0: mkstemp" (Jun 15,  4:56pm)
References: <Pine.LNX.4.33L2.0106151654030.8874-100000@phong.blorf.net>
X-Mailer: Z-Mail (5.0.0 30July97)
To: Wayne Davison <wayned@users.sourceforge.net>,
        Peter Stephenson <pws@pwstephenson.fsnet.co.uk>
Subject: Re: PATCH: 4.1.0: mkstemp
Cc: Zsh hackers list <zsh-workers@sunsite.auc.dk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

On Jun 15,  4:56pm, Wayne Davison wrote:
} Subject: Re: PATCH: 4.1.0: mkstemp
}
} On Sat, 16 Jun 2001, Peter Stephenson wrote:
} > gcc has taken to complaining about using mktemp() instead of mkstemp().
} 
} Since mkstemp() returns a file handle, not a file name, I reverted the
} code in util.c back to how it was.

You should have made a ChangeLog entry, or deleted PWS's ...

We could, of course, do this:

#ifdef HAVE_MKSTEMP
    if (close(mkstemp(ret = dyncat(unmeta(s), "XXXXXX"))) < 0 ||
    	unlink(ret) < 0)
    	ret = NULL;
#else
    ...

strictly for purposes of silencing silly warnings.  However, it is the
case that zsh always uses mktemp() safely -- it always opens the file
with O_CREAT|O_EXCL after generating the name, so it'll simply fail if
someone else manages to create the name first; zsh can't be duped into
using a file owned by someone else as long as $TMPPREFIX does not refer
to an NFS filesystem (in which case even mkstemp() is not safe, as far
as I can tell).

I suppose one could conceivably use this behavior to do a crude DoS attack
on a zsh user on systems where mktemp() is predictable.  Of course, the
create/unlink trick above makes it possible to actually watch for the name
to appear and then re-create it immediately after it vanishes, which is
probably worse than if it were never created in the first place.

I was just checking through the code that uses gettempname(), and there
is only one instance where we absolutely couldn't use mkstemp() instead:
The case of wanting to create a temporary FIFO.  There we'd have to do
an unlink() before the mkfifo(), which makes mkstemp() no improvement.

-- 
Bart Schaefer                                 Brass Lantern Enterprises
http://www.well.com/user/barts              http://www.brasslantern.com

Zsh: http://www.zsh.org | PHPerl Project: http://phperl.sourceforge.net