Source-Changes-HG archive


[src/trunk]: src/lib/libc/stdio bring in EXAMPLES and BUGS from openbsd.



details:   https://anonhg.NetBSD.org/src/rev/e6637212cb39
branches:  trunk
changeset: 535103:e6637212cb39
user:      yamt <yamt%NetBSD.org@localhost>
date:      Sat Aug 10 09:32:19 2002 +0000

description:
bring in EXAMPLES and BUGS from openbsd.

diffstat:

 lib/libc/stdio/mktemp.3 |  119 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 118 insertions(+), 1 deletions(-)

diffs (147 lines):

diff -r d198190b2025 -r e6637212cb39 lib/libc/stdio/mktemp.3
--- a/lib/libc/stdio/mktemp.3   Sat Aug 10 09:17:49 2002 +0000
+++ b/lib/libc/stdio/mktemp.3   Sat Aug 10 09:32:19 2002 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: mktemp.3,v 1.15 2002/02/07 07:00:26 ross Exp $
+.\"    $NetBSD: mktemp.3,v 1.16 2002/08/10 09:32:19 yamt Exp $
 .\"
 .\" Copyright (c) 1989, 1991, 1993
 .\"    The Regents of the University of California.  All rights reserved.
@@ -78,6 +78,10 @@
 result in
 .Fn mktemp
 testing roughly 26 ** 6 combinations.
+At least 6
+.So Li X
+.Sc Ns s
+should be used, though 10 is much better.
 .Pp
 The
 .Fn mkstemp
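Review bot: the new sentence "At least 6 X's should be used, though 10 is much better" gives no rationale, while the sentence just before it already counts roughly 26 ** 6 combinations for six X's; consider tying the two together by stating that each additional X multiplies the number of candidate names, which is what makes a longer template harder to guess (the guessability of mktemp names is the point the BUGS section relies on).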
@@ -114,6 +118,85 @@
 returns \-1 if no suitable file could be created.
 If either call fails an error code is placed in the global variable
 .Va errno .
+.Sh EXAMPLES
+Quite often a programmer will want to replace a use of
+.Fn mktemp
+with
+.Fn mkstemp ,
+usually to avoid the problems described above.
+Doing this correctly requires a good understanding of the code in question.
+.Pp
+For instance, code of this form:
+.Bd -literal -offset indent
+char sfn[15] = "";
+FILE *sfp;
+
+strcpy(sfn, "/tmp/ed.XXXXXX");
+if (mktemp(sfn) == NULL || (sfp = fopen(sfn, "w+")) == NULL) {
+        fprintf(stderr, "%s: %s\en", sfn, strerror(errno));
+        return (NULL);
+}
+return (sfp);
+.Ed
+.Pp
+should be rewritten like this:
+.Bd -literal -offset indent
+char sfn[15] = "";
+FILE *sfp;
+int fd = -1;
+
+strlcpy(sfn, "/tmp/ed.XXXXXX", sizeof sfn);
+if ((fd = mkstemp(sfn)) == -1 ||
+    (sfp = fdopen(fd, "w+")) == NULL) {
+        if (fd != -1) {
+                unlink(sfn);
+                close(fd);
+        }
+        fprintf(stderr, "%s: %s\en", sfn, strerror(errno));
+        return (NULL);
+}
+return (sfp);
+.Ed
+.Pp
+Often one will find code which uses
+.Fn mktemp
+very early on, perhaps to globally initialize the template nicely, but the
+code which calls
+.Xr open 2
+or
+.Xr fopen 3
+on that filename will occur much later.
+(In almost all cases, the use of
+.Xr fopen 3
+will mean that the flags
+.Dv O_CREAT
+|
+.Dv O_EXCL
+are not given to
+.Xr open 2 ,
+and thus a symbolic link race becomes possible, hence making
+necessary the use of
+.Xr fdopen 3
+as seen above).
+Furthermore, one must be careful about code which opens, closes, and then
+re-opens the file in question.
+Finally, one must ensure that upon error the temporary file is
+removed correctly.
+.Pp
+There are also cases where modifying the code to use
+.Fn mktemp ,
+in concert with
+.Xr open 2
+using the flags
+.Dv O_CREAT
+|
+.Dv O_EXCL ,
+is better, as long as the code retries a new template if
+.Xr open 2
+fails with an
+.Va errno
+of
+.Er EEXIST .
 .Sh ERRORS
 The
 .Fn mktemp ,
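Review bot: in the rewritten (mkstemp) example the error path calls `unlink(sfn)` and `close(fd)` before `strerror(errno)`, so a failure in either cleanup call can overwrite the errno that fdopen set and the message printed will describe the wrong error; save errno into a local before the cleanup (for example `int saved_errno = errno;` right after the condition) and pass that to strerror. Since the example is presented as the correct form to copy, this ordering matters more than it would in ordinary code.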
@@ -179,6 +262,40 @@
 .Fn mkdtemp
 function appeared in
 .Nx 1.4 .
+.Sh BUGS
+For
+.Fn mktemp
+there is an obvious race between file name selection and file
+creation and deletion: the program is typically written to call
+.Xr tmpnam 3 ,
+.Xr tempnam 3 ,
+or
+.Fn mktemp .
+Subsequently, the program calls
+.Xr open 2
+or
+.Xr fopen 3
+and erroneously opens a file (or symbolic link, fifo or other
+device) that the attacker has created in the expected file location.
+Hence
+.Fn mkstemp
+is recommended, since it atomically creates the file.
+An attacker can guess the filenames produced by
+.Fn mktemp .
+Whenever it is possible,
+.Fn mkstemp
+or
+.Fn mkdtemp
+should be used instead.
+.Pp
+For this reason,
+.Xr ld 8
+will output a warning message whenever it links code that uses the
+.Fn mktemp .
+.Pp
+The
+.Fn mkdtemp
+function is nonstandard and should not be used if portability is required.
 .Sh SECURITY CONSIDERATIONS
 The use of
 .Fn mktemp
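Review bot: the sentence "ld(8) will output a warning message whenever it links code that uses the mktemp" is imported verbatim from OpenBSD, and the commit message does not say whether NetBSD's libc and ld(8) actually carry that link-time warning; verify before documenting it, or drop the paragraph, and in any case fix the stray "the" (".Fn mktemp ." should read "uses\n.Fn mktemp ."). The rest of the new BUGS text overlaps with the SECURITY CONSIDERATIONS section that immediately follows it ("The use of .Fn mktemp ..."), so consider merging the two or cross-referencing rather than stating the race twice.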


