[PATCH] Warn when using mktemp
Sat Mar 14 12:21:00 GMT 2009
Corinna Vinschen wrote, at 3/13/2009 1:49 PM:
> On Mar 13 14:54, Brooks Moses wrote:
>> Doing a Google
>> search on "mktemp mkstemp dangerous" mostly finds mailing-list threads
>> of people who are annoyed by the warning.
> That's the idea of this warning at least on BSD and on Linux. And I'd
> like to see this warning on Cygwin as well. Cygwin has a link time
> warning for this but on one hand it's using STABS while the new GCC
> for Cygwin now creates Dwarf2, and on the other hand this warning is
> not even visible when linking an application using mktemp.
Fair enough. I am thinking of the small embedded case where there isn't
even support for multiple threads, much less multiple users (one of whom
might be an attacker). However, I suppose mktemp usage is fairly rare
in those cases.
> +Never use <<mktemp>>. The generated filenames are easy to guess and
> +there's a race between the test if the file exists and the creation
> +of the file. In combination this makes <<mktemp>> prone to attacks
> +and using it is a security risk. Whenever possible use <<mkstemp>>
> +instead. It doesn't suffer the race condition.
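Review bot: the new text tells the reader to switch to mkstemp but not the one thing that actually closes the gap, namely that mkstemp creates the file itself (O_CREAT|O_EXCL) and hands back an open descriptor, so the program must keep using that descriptor; reopening the generated name with open() or fopen() brings the test-then-create gap straight back. Suggest adding a sentence to that effect after "Whenever possible use <<mkstemp>> instead", and mentioning that the template must end in six X characters that mkstemp overwrites. Minor wording: "the test if the file exists" reads better as "the test whether the file exists", and "It doesn't suffer the race condition" as "It doesn't suffer from the race condition".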
I find "race" a bit misleading in that it's not a race between those two
operations such that they might get misordered, so much as a gap that
can then allow a race between us creating the file and someone else
creating it. Maybe "a gap between the test if the file exists and the
creation of the file, during which another process may create a file
with the same name"?
In any case, I'm bikeshedding to some extent; regardless of these
suggestions, the patch in general looks good to me, and I'd also be
happy with it as it stands if you're tired of iterating. :)
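The gap described above, shown in working C. This is an added example, not code from the newlib patch or from either poster; the simulated attacker, the scratch directory under /tmp and the file names are constructed for the demonstration. It runs the mktemp-style check-then-create pattern against an attacker who wins the race, then the same attack against an O_CREAT|O_EXCL open and against mkstemp.

```c
/*
 * Added example, not from the newlib patch or the thread: the gap between
 * "does the name exist?" and "create it" that the warning is about, next to
 * the O_EXCL / mkstemp form that closes it. The attacker, the scratch
 * directory under /tmp and the file names are constructed for the demo.
 */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* mkstemp, mkdtemp */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Simulated attacker: has guessed the name and wins the race by creating it
 * between the victim's existence check and the victim's open(). In a real
 * attack this would usually be a symlink to a file the victim can write. */
static void attacker_plant(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT, 0666);
    if (fd >= 0)
        close(fd);
}

/* mktemp-style usage: mktemp() only checks that the name is unused, the
 * caller creates the file afterwards. Without O_EXCL anything planted in
 * between is silently opened and truncated instead of refused.
 * race, if non-NULL, runs inside the gap. Returns 1 if the open succeeded. */
int create_mktemp_style(const char *path, void (*race)(const char *))
{
    if (access(path, F_OK) == 0)        /* step 1: the existence test */
        return 0;
    if (race)
        race(path);                     /* the gap: someone else acts here */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);   /* step 2 */
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Hardened form: O_CREAT|O_EXCL makes test and creation one atomic operation
 * in the kernel, so a planted file yields EEXIST instead of a descriptor.
 * Returns 1 on success, 0 if refused, with errno saved in *err. */
int create_exclusive(const char *path, void (*race)(const char *), int *err)
{
    if (race)
        race(path);                     /* attacker goes first here as well */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) {
        *err = errno;
        return 0;
    }
    *err = 0;
    close(fd);
    return 1;
}

/* mkstemp(): picks a name from the trailing XXXXXX and creates it with
 * O_CREAT|O_EXCL itself, so the caller never holds a name that is not yet
 * created. The template is overwritten with the chosen name; the returned
 * descriptor is what the program must use (reopening by name would bring
 * the gap back). Returns 1 on success. */
int create_with_mkstemp(char *tmpl)
{
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Runs all three in a fresh scratch directory. Returns a bitmask:
 *   1  mktemp-style open was fooled into opening the planted file
 *   2  O_EXCL open refused the planted file with EEXIST
 *   4  mkstemp created a fresh file with no group/other permission bits
 * 7 means the demo behaved as described; -1 means /tmp was not usable. */
int run_demo(void)
{
    char dir[] = "/tmp/mktemp-demo-XXXXXX";   /* constructed scratch dir */
    char path[256], tmpl[256];
    struct stat st;
    int result = 0, err = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/guessable.tmp", dir);  /* predictable */
    snprintf(tmpl, sizeof tmpl, "%s/safe-XXXXXX", dir);

    if (create_mktemp_style(path, attacker_plant))
        result |= 1;
    unlink(path);
    if (!create_exclusive(path, attacker_plant, &err) && err == EEXIST)
        result |= 2;
    unlink(path);
    if (create_with_mkstemp(tmpl) && stat(tmpl, &st) == 0 &&
        (st.st_mode & 077) == 0)
        result |= 4;
    unlink(tmpl);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("mktemp-style fooled: %s\n", (r & 1) ? "yes" : "no");
    printf("O_EXCL refused it:   %s\n", (r & 2) ? "yes" : "no");
    printf("mkstemp private:     %s\n", (r & 4) ? "yes" : "no");
    return r == 7 ? 0 : 1;
}
```

Only the first run opens the attacker's file, because access() followed by open() is two system calls with nothing holding the name in between; O_EXCL and mkstemp both do the test and the creation in a single open(2) call, which is the property the patch's wording is reaching for.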