[prev in list] [next in list] [prev in thread] [next in thread]
List: busybox
Subject: Re: [PATCH] mktemp: don't use mktemp() function
From: Bartosz_Gołaszewski <bartekgola () gmail ! com>
Date: 2014-12-12 9:31:27
Message-ID: CAFdkumgSAk0xsPxo2E1VWOEHtrSpYgLhV=ejHccbWV8B7RWQyg () mail ! gmail ! com
[Download RAW message or body]
2014-12-11 18:08 GMT+01:00 Rich Felker <dalias@libc.org>:
> How is this an improvement? It increases the code size and performs
> unnecessary and potentially harmful filesystem operations. And it's
> just covering up the "dangerous" issue rather than fixing it -- using
> mkstemp then deleting the file and reusing the name is even MORE
> dangerous than using mktemp, since creating the file even momentarily
> exposed its name to an attacker. Of course if the code using the
> mktemp utility is written correctly, neither is dangerous anyway.
Ok, so submitting this might have been a bit rushed - in fact I
thought that this is the official upstream mktemp:
http://www.mktemp.org/mktemp/ and it does exactly that:
# strace ./mktemp -u
execve("./mktemp", ["./mktemp", "-u"], [/* 40 vars */]) = 0
...
open("/tmp/tmp.AYcTpsHVko", O_RDWR|O_CREAT|O_EXCL, 0600) = 4
close(4) = 0
unlink("/tmp/tmp.AYcTpsHVko") = 0
...
exit_group(0) = ?
But there's also an mktemp implementation in coreutils which doesn't
create any files.
Let's drop it.
Bart
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic