1.\" $NetBSD: mktemp.3,v 1.35 2024/11/02 11:06:15 nia Exp $ 2.\" 3.\" Copyright (c) 1989, 1991, 1993 4.\" The Regents of the University of California. All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. Neither the name of the University nor the names of its contributors 15.\" may be used to endorse or promote products derived from this software 16.\" without specific prior written permission. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 29.\" 30.\" @(#)mktemp.3 8.1 (Berkeley) 6/4/93 31.\" 32.Dd November 2, 2024 33.Dt MKTEMP 3 34.Os 35.Sh NAME 36.Nm mktemp , 37.Nm mkstemp , 38.Nm mkstemps , 39.Nm mkostemp , 40.Nm mkostemps , 41.Nm mkdtemp 42.Nd make unique temporary file or directory name 43.Sh LIBRARY 44.Lb libc 45.Sh SYNOPSIS 46.In stdlib.h 47.Ft char * 48.Fn mktemp "char *template" 49.Ft int 50.Fn mkstemp "char *template" 51.Ft int 52.Fn mkostemp "char *template" "int oflags" 53.Ft int 54.Fn mkostemps "char *template" "int suffixlen" "int oflags" 55.Ft char * 56.Fn mkdtemp "char *template" 57.In unistd.h 58.Ft int 59.Fn mkstemps "char *template" "int suffixlen" 60.Sh DESCRIPTION 61The 62.Fn mktemp 63function 64takes the given file name template and overwrites a portion of it 65to create a file name. 66This file name is unique and suitable for use 67by the application. 68The template may be any file name with some number of 69.Sq Li X 70characters appended to it, for example 71.Pa /tmp/temp.XXXXXX . 72The trailing 73.Sq Li X 74characters in the template are replaced with a unique letter and number 75combination. 76.Fn mktemp 77can return depends on the number of 78.Sq Li X 79characters provided. 80Although the 81.Nx 82implementation of the functions will accept any number of trailing 83.Sq Li X 84characters, for portability reasons one should use only six. 85Using six 86.Sq Li X 87characters will result in 88.Fn mktemp 89testing roughly 62 ** 6 (56800235584) combinations. 90.Pp 91The 92.Fn mkstemp 93function 94makes the same replacement to the template and creates the template file, 95mode 0600, returning a file descriptor opened for reading and writing. 96This avoids the race between testing for a file's existence and opening it 97for use. 98The 99.Fn mkostemp 100function 101is like 102.Fn mkstemp 103but allows specifying additional 104.Xr open 2 105flags (defined in 106.In fcntl.h ) . 107The permitted flags are 108.Dv O_APPEND , 109.Dv O_DIRECT , 110.Dv O_SHLOCK , 111.Dv O_EXLOCK , 112.Dv O_SYNC 113and 114.Dv O_CLOEXEC . 115.Pp 116The 117.Fn mkstemps 118and 119.Fn mkostemps 120functions act the same as 121.Fn mkstemp 122and 123.Fn mkostemp 124respectively, 125except they permit a suffix to exist in the template. 126The template should be of the form 127.Pa /tmp/tmpXXXXXXsuffix . 128The 129.Fn mkstemps 130and 131.Fn mkostemps 132function 133are told the length of the suffix string. 134.Pp 135The 136.Fn mkdtemp 137function 138is similar to 139.Fn mkstemp , 140but it creates a mode 0700 directory instead and returns the path. 141.Pp 142Please note that the permissions of the file or directory being created are 143subject to the restrictions imposed by the 144.Xr umask 2 145system call. 146It may thus happen that the created file is unreadable and/or unwritable. 147.Sh RETURN VALUES 148The 149.Fn mktemp 150and 151.Fn mkdtemp 152functions 153return a pointer to the template on success and 154.Dv NULL 155on failure. 156The 157.Fn mkstemp , 158.Fn mkostemp , 159.Fn mkstemps 160and 161.Fn mkostemps 162functions 163returns \-1 if no suitable file could be created. 164If either call fails an error code is placed in the global variable 165.Va errno . 166.Sh EXAMPLES 167Quite often a programmer will want to replace a use of 168.Fn mktemp 169with 170.Fn mkstemp , 171usually to avoid the problems described above. 172Doing this correctly requires a good understanding of the code in question. 173.Pp 174For instance, code of this form: 175.Bd -literal -offset indent 176char sfn[15] = ""; 177FILE *sfp; 178 179strlcpy(sfn, "/tmp/ed.XXXXXX", sizeof sfn); 180if (mktemp(sfn) == NULL || (sfp = fopen(sfn, "w+")) == NULL) { 181 fprintf(stderr, "%s: %s\en", sfn, strerror(errno)); 182 return (NULL); 183} 184return (sfp); 185.Ed 186.Pp 187should be rewritten like this: 188.Bd -literal -offset indent 189char sfn[15] = ""; 190FILE *sfp; 191int fd = -1; 192 193strlcpy(sfn, "/tmp/ed.XXXXXX", sizeof sfn); 194if ((fd = mkstemp(sfn)) == -1 || 195 (sfp = fdopen(fd, "w+")) == NULL) { 196 if (fd != -1) { 197 unlink(sfn); 198 close(fd); 199 } 200 fprintf(stderr, "%s: %s\en", sfn, strerror(errno)); 201 return (NULL); 202} 203return (sfp); 204.Ed 205.Pp 206Often one will find code which uses 207.Fn mktemp 208very early on, perhaps to globally initialize the template nicely, but the 209code which calls 210.Xr open 2 211or 212.Xr fopen 3 213on that filename will occur much later. 214(In almost all cases, the use of 215.Xr fopen 3 216will mean that the flags 217.Dv O_CREAT 218| 219.Dv O_EXCL 220are not given to 221.Xr open 2 , 222and thus a symbolic link race becomes possible, hence making 223necessary the use of 224.Xr fdopen 3 225as seen above). 226Furthermore, one must be careful about code which opens, closes, and then 227re-opens the file in question. 228Finally, one must ensure that upon error the temporary file is 229removed correctly. 230.Pp 231There are also cases where modifying the code to use 232.Fn mktemp , 233in concert with 234.Xr open 2 235using the flags 236.Dv O_CREAT 237| 238.Dv O_EXCL , 239is better, as long as the code retries a new template if 240.Xr open 2 241fails with an 242.Va errno 243of 244.Er EEXIST . 245.Sh ERRORS 246The 247.Fn mkstemp , 248.Fn mkostemp , 249.Fn mkstemps , 250.Fn mkostemps 251and 252.Fn mkdtemp 253functions 254may set 255.Va errno 256to one of the following values: 257.Bl -tag -width Er 258.It Bq Er ENOTDIR 259The pathname portion of the template is not an existing directory. 260.El 261.Pp 262The 263.Fn mktemp , 264.Fn mkstemp 265and 266.Fn mkdtemp 267functions 268may also set 269.Va errno 270to any value specified by the 271.Xr stat 2 272function. 273.Pp 274The 275.Fn mkstemp 276function 277may also set 278.Va errno 279to any value specified by the 280.Xr open 2 281function. 282.Pp 283The 284.Fn mkdtemp 285function 286may also set 287.Va errno 288to any value specified by the 289.Xr mkdir 2 290function. 291.Sh SEE ALSO 292.Xr chmod 2 , 293.Xr getpid 2 , 294.Xr open 2 , 295.Xr stat 2 , 296.Xr umask 2 297.Sh STANDARDS 298The 299.Fn mktemp 300conforms to 301.St -p1003.1-2001 . 302It was however removed from the specification in the 303.St -p1003.1-2008 304revision. 305The 306.Fn mkstemp 307function conforms to 308.St -p1003.1-2004 . 309The 310.Fn mkdtemp 311function conforms to 312.St -p1003.1-2008 . 313The 314.Fn mkostemp 315function conforms to 316.St -p1003.1-2024 . 317.Sh HISTORY 318A 319.Fn mktemp 320function appeared in 321.At v7 . 322.Pp 323The 324.Fn mkstemp 325function appeared in 326.Bx 4.4 . 327.Pp 328The 329.Fn mkdtemp 330function appeared in 331.Nx 1.4 . 332The 333.Fn mkstemps 334function first appeared in 335.Ox 2.4 , 336and later in 337.Fx 3.4 338and 339.Nx 7.0 . 340The 341.Fn mkostemp 342and 343.Fn mkostemps 344functions appeared in 345.Fx 10.0 346and 347.Nx 7.0 . 348.Sh BUGS 349For 350.Fn mktemp 351there is an obvious race between file name selection and file 352creation and deletion: the program is typically written to call 353.Xr tmpnam 3 , 354.Xr tempnam 3 , 355or 356.Fn mktemp . 357Subsequently, the program calls 358.Xr open 2 359or 360.Xr fopen 3 361and erroneously opens a file (or symbolic link, fifo or other 362device) that the attacker has created in the expected file location. 363Hence 364.Fn mkstemp 365is recommended, since it atomically creates the file. 366An attacker can guess the filenames produced by 367.Fn mktemp . 368Whenever it is possible, 369.Fn mkstemp 370or 371.Fn mkdtemp 372should be used instead. 373.Pp 374For this reason, 375.Xr ld 1 376will output a warning message whenever it links code that uses 377.Fn mktemp . 378.Sh SECURITY CONSIDERATIONS 379The use of 380.Fn mktemp 381should generally be avoided, as a hostile process can exploit a race 382condition in the time between the generation of a temporary filename by 383.Fn mktemp 384and the invoker's use of the temporary name. 385A link-time warning will be issued advising the use of 386.Fn mkstemp 387or 388.Fn mkdtemp 389instead. 390