From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (qmail 26451 invoked from network); 5 May 1998 05:10:15 -0000
Received: from math.gatech.edu (list@130.207.146.50) by ns1.primenet.com.au with SMTP; 5 May 1998 05:10:15 -0000
Received: (from list@localhost) by math.gatech.edu (8.8.5/8.8.5) id BAA14749; Tue, 5 May 1998 01:06:45 -0400 (EDT)
Resent-Date: Tue, 5 May 1998 01:06:45 -0400 (EDT)
From: Zoltan Hidvegi
Message-Id: <199805050506.AAA01738@hzoli.home>
Subject: Re: ``mktemp() possibly used unsafely''
In-Reply-To: <199805050231.WAA27346@luomat.peak.org> from Timothy J Luoma at "May 4, 98 10:31:33 pm"
To: luomat+Lists/Zsh/workers@luomat.peak.org (Timothy J Luoma)
Date: Tue, 5 May 1998 00:06:26 -0500 (CDT)
Cc: zsh-workers@math.gatech.edu
X-Mailer: ELM [version 2.4ME+ PL31 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Resent-Message-ID: <"TKgMI3.0.Lc3.avfJr"@math>
Resent-From: zsh-workers@math.gatech.edu
X-Mailing-List: archive/latest/3928
X-Loop: zsh-workers@math.gatech.edu
Precedence: list
Resent-Sender: zsh-workers-request@math.gatech.edu

> utils.o: warning: mktemp() possibly used unsafely, consider using mkstemp ()
>
> What is the danger here? How do I change to mkstemp ?

Do not worry, mktemp is just fine if you know how to use it. It is a
common mistake to use fopen or open with improper flags on the result of
mktemp. A bad guy can guess the result of mktemp, and may try to create
a symlink with that name to some precious file, like your mailbox or
.rhosts file before your open is executed (but after mktemp has
finished). Zsh always uses open(name, O_WRONLY | O_CREAT | O_EXCL, 0600)
to open such a file since 2.6-beta14. Besides zsh also uses mktemp to
create temporary fifos for process substitution in which case mkstemp is
not really appropriate.

Ironically there has been a bug in the GNU libc and derivatives (i.e.
Linux libc 5) which created mkstemp files with 0666 permissions, which
means that mktemp when used properly can be more secure than mkstemp.

Zoli
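
The open() call described in the message above, as an added C example that is not part of the original message and not zsh's own source. It shows the exclusive create refusing a name where a symlink already exists while leaving the link target untouched; the function names and the /tmp/excl-demo-XXXXXX template are assumptions made for the illustration.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create name only if nothing is there yet; a planted symlink yields EEXIST. */
static int open_new(const char *name)
{
    return open(name, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* mktemp() plus exclusive create; on a name collision, try a fresh name. */
static int tmp_open(const char *tmpl, char *out, size_t outlen)
{
    for (int tries = 0; tries < 16; tries++) {
        snprintf(out, outlen, "%s", tmpl);
        if (mktemp(out) == NULL || out[0] == '\0') return -1;
        int fd = open_new(out);
        if (fd >= 0 || errno != EEXIST) return fd;
    }
    return -1;
}

/* Constructed case: symlink planted at the name first; 0 means it was refused. */
static int planted_symlink_refused(void)
{
    char dir[] = "/tmp/excl-demo-XXXXXX", target[64], name[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/precious", dir);
    snprintf(name, sizeof name, "%s/guessed-name", dir);
    int t = open(target, O_WRONLY | O_CREAT, 0600);
    if (t < 0 || write(t, "keep", 4) != 4 || symlink(target, name) != 0) return -1;
    close(t);
    int fd = open_new(name), err = errno;
    int intact = stat(target, &st) == 0 && st.st_size == 4;
    unlink(name); unlink(target); rmdir(dir);
    return (fd == -1 && err == EEXIST && intact) ? 0 : 1;
}

int main(void)
{
    char out[64];
    int fd = tmp_open("/tmp/excl-demo-XXXXXX", out, sizeof out);
    if (fd >= 0) { close(fd); unlink(out); }
    return (fd >= 0 && planted_symlink_refused() == 0) ? 0 : 1;
}
```

Linking this against glibc may print a mktemp warning similar to the one quoted in the message; the program exits 0 when both checks pass.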