From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 16773 invoked by alias); 8 Jan 2015 08:08:22 -0000 Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm Precedence: bulk X-No-Archive: yes List-Id: Zsh Workers List List-Post: List-Help: X-Seq: 34167 Received: (qmail 10800 invoked from network); 8 Jan 2015 08:08:11 -0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on f.primenet.com.au X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.2 X-CMAE-Score: 0 X-CMAE-Analysis: v=2.1 cv=PYxIXZlY c=1 sm=1 tr=0 a=FT8er97JFeGWzr5TCOCO5w==:117 a=kj9zAlcOel0A:10 a=q2GGsy2AAAAA:8 a=oR5dmqMzAAAA:8 a=-9mUelKeXuEA:10 a=YNv0rlydsVwA:10 a=SDVMPXc927muTHl3HuEA:9 a=CjuIK1q_8ugA:10 From: Bart Schaefer Message-id: <150108000821.ZM7996@torch.brasslantern.com> Date: Thu, 08 Jan 2015 00:08:21 -0800 In-reply-to: <20150108064816.GA17816@lorien.comfychair.org> Comments: In reply to Danek Duvall "Re: [PATCH] Re: Insecure tempfile creation" (Jan 7, 10:48pm) References: <20141222203624.GA24855@tarsus.local2> <141227223029.ZM15959@torch.brasslantern.com> <141227234421.ZM16038@torch.brasslantern.com> <141228004101.ZM28486@torch.brasslantern.com> <20141229004957.GA1737@tarsus.local2> <141228200142.ZM22840@torch.brasslantern.com> <20150107220345.GE1714@tarsus.local2> <20150108064816.GA17816@lorien.comfychair.org> X-Mailer: OpenZMail Classic (0.9.2 24April2005) To: Zsh hackers list Subject: Re: [PATCH] Re: Insecure tempfile creation MIME-version: 1.0 Content-type: text/plain; charset=us-ascii On Jan 7, 10:48pm, Danek Duvall wrote: } Subject: Re: [PATCH] Re: Insecure tempfile creation } } On Wed, Jan 07, 2015 at 10:22:20PM -0800, Bart Schaefer wrote: } } > On Wed, Jan 7, 2015 at 2:03 PM, Daniel Shahaf wrote: } > > Coming back to this, it has occurred to me that } > > } > > mv -f =(:) ${TMPPREFIX:-/tmp/zsh}foo$$ } > > } > } > Hmm. Yup, we need "ln -Fh" instead of "mv -f". Are the -F and -h } > options of "ln" fairly standard? } } Neither exists on Solaris ln. GNU coreutils ln doesn't seem to have -h, } either. And -F just seems like a bad idea, supported or not. -F on MacOS (where I was reading the manual) is like -f in coreutils, not like -F in coreutils (sigh). And -h is --no-dereference. } What about mktemp? That doesn't help; it's exactly the same as =(:) for this purpose. The "mv" trick above is used where we need to create a file with a specific name -- if we did not need a specific name, we could just use the name created by =(:) directly. Fortunately, we have the zsh/files module which provides a buitin "ln" with well-defined semantics. Hopefully that's good enough.