[darcs-devel] security question about msktemp

David Roundy droundy at darcs.net
Sun Apr 17 06:25:17 PDT 2005


On Sat, Apr 16, 2005 at 10:51:07PM +0200, Tomasz Zielonka wrote:
> On Sat, Apr 16, 2005 at 10:34:44AM -0400, David Roundy wrote:
> > This is a question for people who know better than me about security
> > issues.
> > 
> > Is it unsafe to close the file descriptor that is returned by mkstemp,
> > and instead just reopen the file based on the filename mkstemp returns?
> > 
> > If this is safe, we could eliminate the last occurrence of openFd,
> > which is one of the ugly ghc-specific bits of code, which also requires
> > an ugly workaround to deal with API changes.  There would be much
> > rejoicing... :)
> 
> Can't we simply use System.Posix.Temp.mkstemp?
>     
>     mkstemp :: String -> IO (String,Handle)
> 
> It seems to be present both in Hugs and GHC.

Hmmm.  That would indeed be an option.  We'd still have to emulate it on
windows, though, which would still be a pain.  I'd rather eliminate it
entirely, if we can.  And my (very brief) look through the code suggests
that we can.  We only use it in the working directory, as far as I can
tell, where we don't need a high level of security.  And most of the time
we ignore the Handle anyways, which means that if we *were* creating the
file in a /tmp directory, it wouldn't be secure even if we *do* use
mkstemp.
-- 
David Roundy
http://www.darcs.net
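The race being asked about, as an added example that is not darcs code and not from this thread. It is written in Python because the point is purely about POSIX semantics (mkstemp, close, open, fstat), which Python's os and tempfile modules expose directly. The "attacker" step, the directory and the target file are all constructed for the demo; it assumes a POSIX system where the attacker can write the directory holding the temp file (the /tmp case David distinguishes from the working-directory case).

```python
import errno
import os
import shutil
import tempfile


def attacker_swap(path, target):
    """Constructed race: between the victim's close() and its reopen by name,
    an attacker who can write the directory replaces the mkstemp file with a
    symlink pointing at a file the attacker wants overwritten."""
    os.unlink(path)
    os.symlink(target, path)


def unsafe_close_and_reopen(workdir, target, data):
    """The pattern asked about: drop the mkstemp fd, reopen by name.
    Returns True if the victim's write landed in the attacker's target."""
    fd, path = tempfile.mkstemp(dir=workdir)
    os.close(fd)                    # descriptor thrown away ...
    attacker_swap(path, target)     # ... attacker wins the race here
    with open(path, "wb") as f:     # open() follows the symlink
        f.write(data)
    with open(target, "rb") as f:
        return f.read() == data


def safe_keep_fd(workdir, target, data):
    """Keep the descriptor mkstemp returned and write through it.
    The same swap happens, but the fd still refers to the original inode.
    Returns True if the target was left untouched."""
    fd, path = tempfile.mkstemp(dir=workdir)
    attacker_swap(path, target)
    with os.fdopen(fd, "wb") as f:  # the fd survives the unlink of its name
        f.write(data)
    with open(target, "rb") as f:
        return f.read() != data


def hardened_reopen(path, expected_identity):
    """If reopening by name is unavoidable: refuse symlinks (O_NOFOLLOW) and
    check that what we opened is the inode mkstemp created (fstat identity).
    Returns an fd on success, raises otherwise."""
    fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW)
    st = os.fstat(fd)
    if (st.st_dev, st.st_ino) != expected_identity:
        os.close(fd)
        raise RuntimeError("temp file was replaced between mkstemp and reopen")
    return fd


def hardened_detects_swap(workdir, target):
    """Returns (symlink_swap_detected, regular_file_swap_detected)."""
    # Symlink swap: O_NOFOLLOW makes open() fail outright.
    fd, path = tempfile.mkstemp(dir=workdir)
    st = os.fstat(fd)
    ident = (st.st_dev, st.st_ino)
    os.close(fd)
    attacker_swap(path, target)
    try:
        os.close(hardened_reopen(path, ident))
        symlink_detected = False
    except OSError as e:
        symlink_detected = e.errno in (errno.ELOOP, errno.EMLINK)

    # Regular-file swap: attacker moves the real file aside and plants a plain
    # file under the same name. open() succeeds, but the inode identity differs
    # (the original inode is still allocated, so it cannot be reused here).
    fd, path = tempfile.mkstemp(dir=workdir)
    st = os.fstat(fd)
    ident = (st.st_dev, st.st_ino)
    os.close(fd)
    os.rename(path, path + ".moved")
    with open(path, "wb"):
        pass
    try:
        os.close(hardened_reopen(path, ident))
        regular_detected = False
    except RuntimeError:
        regular_detected = True
    return symlink_detected, regular_detected


def run_demo():
    """Runs all scenarios in a throwaway directory; returns a result dict."""
    workdir = tempfile.mkdtemp()
    try:
        # Stands in for any file the attacker wants clobbered (constructed).
        target = os.path.join(workdir, "victim_file")
        results = {}
        with open(target, "wb") as f:
            f.write(b"original contents\n")
        results["unsafe_reopen_clobbered_target"] = unsafe_close_and_reopen(
            workdir, target, b"payload\n")
        with open(target, "wb") as f:
            f.write(b"original contents\n")
        results["kept_fd_target_untouched"] = safe_keep_fd(
            workdir, target, b"payload\n")
        sym, reg = hardened_detects_swap(workdir, target)
        results["hardened_symlink_detected"] = sym
        results["hardened_regular_swap_detected"] = reg
        return results
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The descriptor is the only handle the attacker cannot swap out from under you, which is exactly why mkstemp returns one; that also bears out the observation above that ignoring the Handle gives up the guarantee even when mkstemp is used. The O_NOFOLLOW plus fstat identity check is a mitigation for code that has already thrown the fd away, and it only helps if the directory itself is not attacker-controlled in other ways; in a directory the user already owns, such as a darcs working directory, the race is not a practical concern in the first place.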