From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Fri, 1 Aug 1997 14:05:14 -0600
> Therefore, the safest way to create a lock from a shell is to create a
> directory (not forgetting umask 077 before that), create the temporary
> lock file in the new directory, link that temporary lock to the real lock
> and remove the temporary file and directory. That way you get all the
> benefits of ln and your shell script will be safe.

Yes, we use this method in many places in OpenBSD. Like in mkdep(1).
In other shell scripts, we use our mktemp(1) program. I'm including a
man page so that you can see how to use it...

Anyways, these are important problems to solve. But don't just think
of your shell scripts -- check the regular C programs too. We fixed
roughly 400-500 /tmp races in the OpenBSD tree.

It's one kind of security issue when a symlink is used to whack root,
but it's also a security issue when one user can cause another user's
.login file to get squished. So most of them have been fixed. A few
small ones lurk. (Some are very hard to fix).

mktemp - make temporary file name (unique)
mktemp [-d] [-q] [-u] template
The mktemp utility takes the given file name template and overwrites a
portion of it to create a file name. This file name is unique and
suitable for use by the application. The template may be any file name with
some number of `Xs' appended to it, for example /tmp/temp.XXXX. The
trailing `Xs' are replaced with the current process number and/or a
unique letter combination. The number of unique file names mktemp can
return depends on the number of `Xs' provided; six `Xs' will result in
mktemp testing roughly 26 ** 6 combinations.

If mktemp can successfully generate a unique file name, the file is
created with mode 0600 (unless the -u flag is given) and the filename is
printed to standard output.

The available options are as follows:
     -d      Make a directory instead of a file.

     -q      Fail silently if an error occurs. This is useful if a script
             does not want error output to go to standard error.

     -u      Operate in ``unsafe'' mode. The temp file will be unlinked
             before mktemp exits. This is slightly better than mktemp(3) but
             still introduces a race condition. Use of this option is not en-
The mktemp utility exits with a value of 0 on success, and 1 on failure.
The following sh(1) fragment illustrates a simple use of mktemp where the
script should quit if it cannot get a safe temporary file.
      TMPFILE=`mktemp /tmp/$0.XXXXXX` || exit 1
      echo "program output" >> "$TMPFILE"

In this case, we want the script to catch the error itself.

      TMPFILE=`mktemp -q /tmp/$0.XXXXXX`
      if [ $? -ne 0 ]; then
              echo "$0: Can't create temp file, exiting..."
              exit 1
      fi

Note that one can also check to see that $TMPFILE is zero length instead
of checking $?. This would allow the check to be done later on in the
script (since $? would get clobbered by the next shell command).
The mktemp utility appeared in OpenBSD.
OpenBSD 2.1                     November 20, 1996
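
The locking procedure quoted at the top of the message, written out as sh functions. This is an added example, not part of the original post or of OpenBSD; the names acquire_lock and release_lock are hypothetical, and placing the scratch directory beside the lock file is an assumption made so that the hard link stays on one filesystem.

```sh
# Added example, not code from the post. acquire_lock and release_lock are
# hypothetical names; the scratch directory is made next to the lock file
# (an assumption) so the hard link never crosses a filesystem boundary.

acquire_lock() {    # usage: acquire_lock /path/to/lockfile ; 0 = lock is ours
    lock=$1
    # ln would link *into* an existing directory and report success,
    # so a directory at the lock path is treated as "lock not acquired".
    if [ -d "$lock" ]; then
        return 1
    fi
    old_umask=$(umask)
    umask 077       # scratch directory and file are private to this user
    # mktemp -d creates the directory itself, atomically, under a name
    # nobody could have predicted and pre-created as a symlink.
    tmpdir=$(mktemp -d "$(dirname "$lock")/.lock.XXXXXX") || {
        umask "$old_umask"
        return 1
    }
    echo "$$" > "$tmpdir/pid"
    # A hard link fails when the target name already exists; test and
    # create are one link(2) call, so two racing scripts cannot both win.
    if ln "$tmpdir/pid" "$lock" 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmpdir/pid"
    rmdir "$tmpdir"
    umask "$old_umask"
    return "$rc"
}

release_lock() {
    rm -f "$1"
}
```

The lock file ends up holding the PID of the script that won it, which helps when deciding whether a leftover lock is stale.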