bug-bash

Re: "here strings" and tmpfiles


From: Chet Ramey
Subject: Re: "here strings" and tmpfiles
Date: Thu, 11 Apr 2019 15:41:29 -0400
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.6.1

On 4/11/19 12:12 AM, Jason A. Donenfeld wrote:
> I keep forgetting things. The other thing I wanted to bring up is that
> I suspect bash's actual implementation of temporary files is
> problematic and might have some of the classic /tmp and TOCTOU style
> attacks. 

It's a peripheral issue, since the here-document implementation uses a
different function that (usually) calls mkstemp.

But since this function is used for making non-regular files (named pipes),
you pretty much have to use a function that returns a name. If you'd like
to take a run at a better implementation, I'd be glad to take a look at it,
as long as it's portable.

> The first one there uses mktemp(3), which is known to be racy and
> insecure. The GNU man page has a pretty strong warning about it. Maybe
> that's not used in GNU environments though?

Read

http://lists.gnu.org/archive/html/bug-bash/2016-05/msg00062.html

for a different perspective.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    address@hidden    http://tiswww.cwru.edu/~chet/
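
The constraint described in the message above is that a named pipe needs a name rather than a descriptor. One way to get an unpredictable FIFO path without mktemp(3) is to create a private directory with mkdtemp(3) and call mkfifo(3) inside it. This is example code added to this archive page, not code from bash or from anyone in the thread; the helper names `make_private_fifo` and `remove_private_fifo`, the `fifo-XXXXXX` template and the `/tmp` base directory are assumptions, and it presumes a POSIX.1-2008 system that provides mkdtemp.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not a bash function: make a FIFO inside a fresh
   private directory. Returns 0 and fills dir/fifo, or -1 with errno set. */
int make_private_fifo(const char *tmpdir, char *dir, size_t dirsz,
                      char *fifo, size_t fifosz)
{
    struct stat st;
    int saved, n = snprintf(dir, dirsz, "%s/fifo-XXXXXX", tmpdir);
    if (n < 0 || (size_t)n >= dirsz) { errno = ENAMETOOLONG; return -1; }
    /* mkdtemp(3) chooses the name and creates the directory in one step,
       mode 0700, so no other user can create entries inside it. */
    if (mkdtemp(dir) == NULL) return -1;
    n = snprintf(fifo, fifosz, "%s/pipe", dir);
    if (n < 0 || (size_t)n >= fifosz) { errno = ENAMETOOLONG; goto fail; }
    /* mkfifo(3) fails with EEXIST instead of reusing an existing name;
       the lstat check afterwards does not follow symlinks. */
    if (mkfifo(fifo, 0600) != 0) goto fail;
    if (lstat(fifo, &st) != 0 || !S_ISFIFO(st.st_mode)) {
        unlink(fifo);
        errno = EINVAL;
        goto fail;
    }
    return 0;
fail:
    saved = errno;          /* keep the original error across cleanup */
    rmdir(dir);
    errno = saved;
    return -1;
}

/* Remove the FIFO, then its directory; 0 only if both removals succeed. */
int remove_private_fifo(const char *dir, const char *fifo)
{
    int r = unlink(fifo);
    return (rmdir(dir) == 0 && r == 0) ? 0 : -1;
}

int main(void)
{
    char dir[4096], fifo[4096];
    if (make_private_fifo("/tmp", dir, sizeof dir, fifo, sizeof fifo) != 0)
        return 1;
    printf("created %s\n", fifo);
    return remove_private_fifo(dir, fifo) == 0 ? 0 : 1;
}
```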


