1.\" $NetBSD: mktemp.3,v 1.32 2021/10/28 09:51:39 kim Exp $ 2.\" 3.\" Copyright (c) 1989, 1991, 1993 4.\" The Regents of the University of California. All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. Neither the name of the University nor the names of its contributors 15.\" may be used to endorse or promote products derived from this software 16.\" without specific prior written permission. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 29.\" 30.\" @(#)mktemp.3 8.1 (Berkeley) 6/4/93 31.\" 32.Dd July 25, 2021 33.Dt MKTEMP 3 34.Os 35.Sh NAME 36.Nm mktemp , 37.Nm mkstemp , 38.Nm mkstemps , 39.Nm mkostemp , 40.Nm mkostemps , 41.Nm mkdtemp 42.Nd make unique temporary file or directory name 43.Sh LIBRARY 44.Lb libc 45.Sh SYNOPSIS 46.In stdlib.h 47.Ft char * 48.Fn mktemp "char *template" 49.Ft int 50.Fn mkstemp "char *template" 51.Ft int 52.Fn mkostemp "char *template" "int oflags" 53.Ft int 54.Fn mkostemps "char *template" "int suffixlen" "int oflags" 55.Ft char * 56.Fn mkdtemp "char *template" 57.In unistd.h 58.Ft int 59.Fn mkstemps "char *template" "int suffixlen" 60.Sh DESCRIPTION 61The 62.Fn mktemp 63function 64takes the given file name template and overwrites a portion of it 65to create a file name. 66This file name is unique and suitable for use 67by the application. 68The template may be any file name with some number of 69.Sq Li X 70characters appended to it, for example 71.Pa /tmp/temp.XXXXXX . 72The trailing 73.Sq Li X 74characters in the template are replaced with a unique letter and number 75combination. 76.Fn mktemp 77can return depends on the number of 78.Sq Li X 79characters provided. 80Although the 81.Nx 82implementation of the functions will accept any number of trailing 83.Sq Li X 84characters, for portability reasons one should use only six. 85Using six 86.Sq Li X 87characters will result in 88.Fn mktemp 89testing roughly 62 ** 6 (56800235584) combinations. 90.Pp 91The 92.Fn mkstemp 93function 94makes the same replacement to the template and creates the template file, 95mode 0600, returning a file descriptor opened for reading and writing. 96This avoids the race between testing for a file's existence and opening it 97for use. 98The 99.Fn mkostemp 100function 101is like 102.Fn mkstemp 103but allows specifying additional 104.Xr open 2 105flags (defined in 106.In fcntl.h ) . 107The permitted flags are 108.Dv O_APPEND , 109.Dv O_DIRECT , 110.Dv O_SHLOCK , 111.Dv O_EXLOCK , 112.Dv O_SYNC 113and 114.Dv O_CLOEXEC . 115.Pp 116The 117.Fn mkstemps 118and 119.Fn mkostemps 120functions act the same as 121.Fn mkstemp 122and 123.Fn mkostemp 124respectively, 125except they permit a suffix to exist in the template. 126The template should be of the form 127.Pa /tmp/tmpXXXXXXsuffix . 128The 129.Fn mkstemps 130and 131.Fn mkostemps 132function 133are told the length of the suffix string. 134.Pp 135The 136.Fn mkdtemp 137function 138is similar to 139.Fn mkstemp , 140but it creates a mode 0700 directory instead and returns the path. 141.Pp 142Please note that the permissions of the file or directory being created are 143subject to the restrictions imposed by the 144.Xr umask 2 145system call. 146It may thus happen that the created file is unreadable and/or unwritable. 147.Sh RETURN VALUES 148The 149.Fn mktemp 150and 151.Fn mkdtemp 152functions 153return a pointer to the template on success and 154.Dv NULL 155on failure. 156The 157.Fn mkstemp , 158.Fn mkostemp , 159.Fn mkstemps 160and 161.Fn mkostemps 162functions 163returns \-1 if no suitable file could be created. 164If either call fails an error code is placed in the global variable 165.Va errno . 166.Sh EXAMPLES 167Quite often a programmer will want to replace a use of 168.Fn mktemp 169with 170.Fn mkstemp , 171usually to avoid the problems described above. 172Doing this correctly requires a good understanding of the code in question. 173.Pp 174For instance, code of this form: 175.Bd -literal -offset indent 176char sfn[15] = ""; 177FILE *sfp; 178 179strlcpy(sfn, "/tmp/ed.XXXXXX", sizeof sfn); 180if (mktemp(sfn) == NULL || (sfp = fopen(sfn, "w+")) == NULL) { 181 fprintf(stderr, "%s: %s\en", sfn, strerror(errno)); 182 return (NULL); 183} 184return (sfp); 185.Ed 186.Pp 187should be rewritten like this: 188.Bd -literal -offset indent 189char sfn[15] = ""; 190FILE *sfp; 191int fd = -1; 192 193strlcpy(sfn, "/tmp/ed.XXXXXX", sizeof sfn); 194if ((fd = mkstemp(sfn)) == -1 || 195 (sfp = fdopen(fd, "w+")) == NULL) { 196 if (fd != -1) { 197 unlink(sfn); 198 close(fd); 199 } 200 fprintf(stderr, "%s: %s\en", sfn, strerror(errno)); 201 return (NULL); 202} 203return (sfp); 204.Ed 205.Pp 206Often one will find code which uses 207.Fn mktemp 208very early on, perhaps to globally initialize the template nicely, but the 209code which calls 210.Xr open 2 211or 212.Xr fopen 3 213on that filename will occur much later. 214(In almost all cases, the use of 215.Xr fopen 3 216will mean that the flags 217.Dv O_CREAT 218| 219.Dv O_EXCL 220are not given to 221.Xr open 2 , 222and thus a symbolic link race becomes possible, hence making 223necessary the use of 224.Xr fdopen 3 225as seen above). 226Furthermore, one must be careful about code which opens, closes, and then 227re-opens the file in question. 228Finally, one must ensure that upon error the temporary file is 229removed correctly. 230.Pp 231There are also cases where modifying the code to use 232.Fn mktemp , 233in concert with 234.Xr open 2 235using the flags 236.Dv O_CREAT 237| 238.Dv O_EXCL , 239is better, as long as the code retries a new template if 240.Xr open 2 241fails with an 242.Va errno 243of 244.Er EEXIST . 245.Sh ERRORS 246The 247.Fn mkstemp , 248.Fn mkostemp , 249.Fn mkstemps , 250.Fn mkostemps 251and 252.Fn mkdtemp 253functions 254may set 255.Va errno 256to one of the following values: 257.Bl -tag -width Er 258.It Bq Er ENOTDIR 259The pathname portion of the template is not an existing directory. 260.El 261.Pp 262The 263.Fn mktemp , 264.Fn mkstemp 265and 266.Fn mkdtemp 267functions 268may also set 269.Va errno 270to any value specified by the 271.Xr stat 2 272function. 273.Pp 274The 275.Fn mkstemp 276function 277may also set 278.Va errno 279to any value specified by the 280.Xr open 2 281function. 282.Pp 283The 284.Fn mkdtemp 285function 286may also set 287.Va errno 288to any value specified by the 289.Xr mkdir 2 290function. 291.Sh SEE ALSO 292.Xr chmod 2 , 293.Xr getpid 2 , 294.Xr open 2 , 295.Xr stat 2 , 296.Xr umask 2 297.Sh STANDARDS 298The 299.Fn mktemp 300conforms to 301.St -p1003.1-2001 . 302It was however removed from the specification in the 303.St -p1003.1-2008 304revision. 305The 306.Fn mkstemp 307and 308.Fn mkdtemp 309functions conform to 310.St -p1003.1-2004 311and 312.St -p1003.1-2008 , 313respectively. 314.Sh HISTORY 315A 316.Fn mktemp 317function appeared in 318.At v7 . 319.Pp 320The 321.Fn mkstemp 322function appeared in 323.Bx 4.4 . 324.Pp 325The 326.Fn mkdtemp 327function appeared in 328.Nx 1.4 . 329The 330.Fn mkstemps 331function first appeared in 332.Ox 2.4 , 333and later in 334.Fx 3.4 335and 336.Nx 7.0 . 337The 338.Fn mkostemp 339and 340.Fn mkostemps 341functions appeared in 342.Fx 10.0 343and 344.Nx 7.0 . 345.Sh BUGS 346For 347.Fn mktemp 348there is an obvious race between file name selection and file 349creation and deletion: the program is typically written to call 350.Xr tmpnam 3 , 351.Xr tempnam 3 , 352or 353.Fn mktemp . 354Subsequently, the program calls 355.Xr open 2 356or 357.Xr fopen 3 358and erroneously opens a file (or symbolic link, fifo or other 359device) that the attacker has created in the expected file location. 360Hence 361.Fn mkstemp 362is recommended, since it atomically creates the file. 363An attacker can guess the filenames produced by 364.Fn mktemp . 365Whenever it is possible, 366.Fn mkstemp 367or 368.Fn mkdtemp 369should be used instead. 370.Pp 371For this reason, 372.Xr ld 1 373will output a warning message whenever it links code that uses 374.Fn mktemp . 375.Pp 376The 377.Fn mkdtemp 378function is nonstandard and should not be used if portability is required. 379.Sh SECURITY CONSIDERATIONS 380The use of 381.Fn mktemp 382should generally be avoided, as a hostile process can exploit a race 383condition in the time between the generation of a temporary filename by 384.Fn mktemp 385and the invoker's use of the temporary name. 386A link-time warning will be issued advising the use of 387.Fn mkstemp 388or 389.Fn mkdtemp 390instead. 391