[darcs-devel] security question about mkstemp
David Roundy
droundy at darcs.net
Sun Apr 17 06:25:17 PDT 2005
On Sat, Apr 16, 2005 at 10:51:07PM +0200, Tomasz Zielonka wrote:
> On Sat, Apr 16, 2005 at 10:34:44AM -0400, David Roundy wrote:
> > This is a question for people who know better than me about security
> > issues.
> >
> > Is it unsafe to close the file descriptor that is returned by mkstemp,
> > and instead just reopen the file based on the filename mkstemp returns?
> >
> > If this is safe, we could eliminate the last occurrence of openFd,
> > which is one of the ugly ghc-specific bits of code, which also requires
> > an ugly workaround to deal with API changes. There would be much
> > rejoicing... :)
>
> Can't we simply use System.Posix.Temp.mkstemp?
>
> mkstemp :: String -> IO (String,Handle)
>
> It seems to be present both in Hugs and GHC.
Hmmm. That would indeed be an option. We'd still have to emulate it on
windows, though, which would still be a pain. I'd rather eliminate it
entirely, if we can. And my (very brief) look through the code suggests
that we can. We only use it in the working directory, as far as I can
tell, where we don't need a high level of security. And most of the time
we ignore the Handle anyways, which means that if we *were* creating the
file in a /tmp directory, it wouldn't be secure even if we *do* use
mkstemp.
--
David Roundy
http://www.darcs.net
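The reopen-by-name pattern discussed in this thread, with the check a practitioner would want before trusting the reopened handle: confirm that the name still refers to the inode mkstemp created. This is an added C example, not darcs code; `reopen_verified` and `self_check` are names chosen here.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Reopen a mkstemp-created file by the name mkstemp filled in, but accept
 * the result only if it is still the inode behind `fd` (the descriptor
 * mkstemp returned). O_NOFOLLOW refuses a symlink at that path; the
 * dev/ino comparison refuses any other file that took the name meanwhile.
 * Returns the new fd, or -1 with the new fd closed. */
int reopen_verified(int fd, const char *path, int flags) {
    struct stat orig, again;
    if (fstat(fd, &orig) < 0) return -1;
    int nfd = open(path, flags | O_NOFOLLOW | O_NOCTTY);
    if (nfd < 0) return -1;
    if (fstat(nfd, &again) < 0 || !S_ISREG(again.st_mode) ||
        again.st_dev != orig.st_dev || again.st_ino != orig.st_ino) {
        close(nfd);
        return -1;
    }
    return nfd;
}

/* Self-check in a writable directory `dir`: mkstemp a file, keep its fd,
 * reopen by name (must succeed), then put a different regular file at the
 * same path, which is exactly what the check exists to notice (must now be
 * refused). Returns 1 when both outcomes match; cleans up after itself. */
int self_check(const char *dir) {
    char path[4096];
    snprintf(path, sizeof path, "%s/mkstemp-check-XXXXXX", dir);
    int fd = mkstemp(path), ok = 0;
    if (fd < 0) return 0;
    int nfd = reopen_verified(fd, path, O_RDWR);
    if (nfd >= 0) close(nfd);
    if (nfd >= 0 && unlink(path) == 0) {
        int other = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
        if (other >= 0) {
            ok = reopen_verified(fd, path, O_RDWR) < 0;  /* new inode: refused */
            close(other);
        }
    }
    close(fd);
    unlink(path);
    return ok;
}
```

Keeping the descriptor mkstemp returned is still the simplest correct option; the verified reopen is for code that, like the darcs case above, only has the name left by the time it needs the file.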