[PATCH 2/2] Use getrandom on try_tempname_len [BZ #15813]

Jakub Jelinek jakub@redhat.com
Thu Sep 10 21:53:14 GMT 2020


On Thu, Sep 10, 2020 at 02:21:33PM -0700, Paul Eggert wrote:
> > > As I wrote in bugzilla, I think it would be better to use clock_gettime64 ^
> > > pid based "random" source for the initial randomness value, so that it
> > > wouldn't deplete the random entropy pool, and use it only for the retries
> > > (so only in the unlikely case the file exists already).
> 
> Isn't part of the goal to avoid collisions even in the first try, to avoid
> attacks by name-guessers on not-so-well-written callers? If so, we should
> use getrandom even for the first try (with GRND_NONBLOCK of course).
> 
> Generating a file name ought to be a reasonably-rare action, and I wouldn't
> worry too much about entropy pool exhaustion from such a small request.

Given that the file is (attempted to be) opened with O_CREAT | O_EXCL, the
only harm I can see is DDOS, but for that one needs to create all the
TMP_MAX files in the sequence, not just the first one.
So it really doesn't matter how unpredictable the first attempt is, as
long as the following filenames aren't (easily) predictable.

	Jakub
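The retry loop the thread is arguing about, written out as an added example. This is not the patch under review and not glibc's code: it is a mkstemp-style generator that draws fresh bits from getrandom(GRND_NONBLOCK) on every attempt and, only if that call fails, falls back to the clock ^ pid source Jakub proposed (clock_gettime(CLOCK_REALTIME) is assumed here as a stand-in for the internal clock_gettime64). The names TMP_MAX_TRIES, try_file, fake_collide and the demo_* helpers are assumptions of this example; fake_collide simulates EEXIST collisions so the loop can be exercised without touching the filesystem.

```c
/* Added example, not glibc's implementation.  Shows the retry loop shape
 * from the thread: fresh getrandom bits per attempt, clock ^ pid fallback,
 * O_CREAT | O_EXCL so a guessed name only costs one EEXIST and a retry. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

#define TMP_MAX_TRIES 238328u   /* 62^3, the value glibc uses for TMP_MAX */
static const char letters[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

/* Fallback: clock ^ pid (assumed stand-in for clock_gettime64 ^ pid).
 * Predictable, so only used when getrandom cannot serve the request. */
static uint64_t weak_bits(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_REALTIME, &ts);
    uint64_t v = ((uint64_t)ts.tv_sec << 32) ^ (uint64_t)ts.tv_nsec;
    return v ^ ((uint64_t)getpid() << 16);
}

static uint64_t random_bits(void)
{
    uint64_t v;
    if (getrandom(&v, sizeof v, GRND_NONBLOCK) == (ssize_t)sizeof v)
        return v;
    return weak_bits();     /* ENOSYS, or EAGAIN on an unseeded pool */
}

typedef int (*try_fn)(const char *path, void *arg);

/* Replace the XXXXXX that sits SUFFIXLEN bytes before the end of TMPL
 * with random letters and call TRYFUNC until it succeeds or fails with
 * something other than EEXIST.  Returns TRYFUNC's result or -1/errno. */
int try_tempname_len(char *tmpl, int suffixlen, void *arg, try_fn tryfunc)
{
    size_t len = strlen(tmpl);
    if (suffixlen < 0 || len < 6 + (size_t)suffixlen ||
        memcmp(&tmpl[len - 6 - suffixlen], "XXXXXX", 6) != 0) {
        errno = EINVAL;
        return -1;
    }
    char *xs = &tmpl[len - 6 - suffixlen];
    for (unsigned count = 0; count < TMP_MAX_TRIES; ++count) {
        /* New randomness for every attempt: a collision on one name must
         * not make the next name guessable.  62^6 < 2^36, so 64 bits
         * comfortably cover one attempt. */
        uint64_t v = random_bits();
        for (int i = 0; i < 6; ++i) {
            xs[i] = letters[v % 62];
            v /= 62;
        }
        int r = tryfunc(tmpl, arg);
        if (r >= 0)
            return r;
        if (errno != EEXIST)
            return -1;
    }
    errno = EEXIST;
    return -1;
}

/* Real use: O_EXCL means the loser of a race just sees EEXIST. */
static int try_file(const char *path, void *arg)
{
    (void)arg;
    return open(path, O_RDWR | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
}

int mkstemp_demo(char *tmpl)
{
    return try_tempname_len(tmpl, 0, NULL, try_file);
}

/* Constructed collision simulator: EEXIST for the first N calls, then a
 * fake descriptor 1000 + N so the caller can see how many retries ran. */
struct collide { int remaining; int calls; };

static int fake_collide(const char *path, void *arg)
{
    struct collide *c = arg;
    (void)path;
    c->calls++;
    if (c->remaining-- > 0) {
        errno = EEXIST;
        return -1;
    }
    return 1000 + c->calls - 1;
}

/* Fake fd after N simulated collisions, -1 if the name came out wrong. */
int demo_collisions(int n)
{
    struct collide c = { n, 0 };
    char tmpl[] = "/tmp/demo.XXXXXX.bin";   /* suffix ".bin", suffixlen 4 */
    int r = try_tempname_len(tmpl, 4, &c, fake_collide);
    if (r >= 0 && (strspn(tmpl + 10, letters) != 6 || strcmp(tmpl + 16, ".bin")))
        return -1;
    return r;
}

int demo_bad_template(void)          /* no XXXXXX: -1 with errno EINVAL */
{
    char tmpl[] = "/tmp/no-x-here";
    return try_tempname_len(tmpl, 0, NULL, fake_collide);
}

int main(void)
{
    char tmpl[] = "/tmp/demo.XXXXXX";
    int fd = mkstemp_demo(tmpl);
    if (fd < 0) { perror("mkstemp_demo"); return 1; }
    printf("created %s\n", tmpl);
    close(fd);
    unlink(tmpl);
    return 0;
}
```

The point of drawing random_bits() inside the loop rather than once before it is the one Jakub makes: with O_CREAT | O_EXCL a predictable first name only costs a retry, so what matters is that the name chosen after a collision cannot be derived from the one that collided.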
