xref: /netbsd-src/lib/libc/stdio/mktemp.3 (revision b1c86f5f087524e68db12794ee9c3e3da1ab17a0)

.\"	$NetBSD: mktemp.3,v 1.28 2010/05/14 03:22:49 joerg Exp $
.\"
.\" Copyright (c) 1989, 1991, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"     @(#)mktemp.3	8.1 (Berkeley) 6/4/93
.\"
.Dd April 29, 2010
.Dt MKTEMP 3
.Os
.Sh NAME
.Nm mktemp ,
.Nm mkstemp ,
.Nm mkdtemp
.Nd make unique temporary file or directory name
.Sh LIBRARY
.Lb libc
.Sh SYNOPSIS
.In stdlib.h
.Ft char *
.Fn mktemp "char *template"
.Ft int
.Fn mkstemp "char *template"
.Ft char *
.Fn mkdtemp "char *template"
.Sh DESCRIPTION
The
.Fn mktemp
function
takes the given file name template and overwrites a portion of it
to create a file name.
This file name is unique and suitable for use
by the application.
The template may be any file name with some number of
.So Li X
.Sc Ns s
appended
to it, for example
.Pa /tmp/temp.XXXXXX .
The trailing
.So Li X
.Sc Ns s
are replaced with the current process number and/or a
unique letter combination.
The number of unique file names
.Fn mktemp
can return depends on the number of
.So Li X
.Sc Ns s
provided.
Although the
.Nx
implementation of the functions will accept any number of trailing
.So Li X
.Sc Ns s ,
for portability reasons one should use only six.
Using six
.So Li X
.Sc Ns s
will result in
.Fn mktemp
testing roughly 26 ** 6 (308915776) combinations.
.Pp
The
.Fn mkstemp
function
makes the same replacement to the template and creates the template file,
mode 0600, returning a file descriptor opened for reading and writing.
This avoids the race between testing for a file's existence and opening it
for use.
.Pp
The
.Fn mkdtemp
function
is similar to
.Fn mkstemp ,
but it creates a mode 0700 directory instead and returns the path.
.Pp
Please note that the permissions of the file or directory being created are
subject to the restrictions imposed by the
.Xr umask 2
system call.
It may thus happen that the created file is unreadable and/or unwritable.
.Sh RETURN VALUES
The
.Fn mktemp
and
.Fn mkdtemp
functions
return a pointer to the template on success and
.Dv NULL
on failure.
The
.Fn mkstemp
function
returns \-1 if no suitable file could be created.
If either call fails an error code is placed in the global variable
.Va errno .
.Sh EXAMPLES
Quite often a programmer will want to replace a use of
.Fn mktemp
with
.Fn mkstemp ,
usually to avoid the problems described above.
Doing this correctly requires a good understanding of the code in question.
.Pp
For instance, code of this form:
.Bd -literal -offset indent
char sfn[15] = "";
FILE *sfp;

strlcpy(sfn, "/tmp/ed.XXXXXX", sizeof sfn);
if (mktemp(sfn) == NULL || (sfp = fopen(sfn, "w+")) == NULL) {
        fprintf(stderr, "%s: %s\en", sfn, strerror(errno));
        return (NULL);
}
return (sfp);
.Ed
.Pp
should be rewritten like this:
.Bd -literal -offset indent
char sfn[15] = "";
FILE *sfp;
int fd = -1;

strlcpy(sfn, "/tmp/ed.XXXXXX", sizeof sfn);
if ((fd = mkstemp(sfn)) == -1 ||
    (sfp = fdopen(fd, "w+")) == NULL) {
        if (fd != -1) {
                unlink(sfn);
                close(fd);
        }
        fprintf(stderr, "%s: %s\en", sfn, strerror(errno));
        return (NULL);
}
return (sfp);
.Ed
.Pp
Often one will find code which uses
.Fn mktemp
very early on, perhaps to globally initialize the template nicely, but the
code which calls
.Xr open 2
or
.Xr fopen 3
on that filename will occur much later.
(In almost all cases, the use of
.Xr fopen 3
will mean that the flags
.Dv O_CREAT
|
.Dv O_EXCL
are not given to
.Xr open 2 ,
and thus a symbolic link race becomes possible, hence making
necessary the use of
.Xr fdopen 3
as seen above).
Furthermore, one must be careful about code which opens, closes, and then
re-opens the file in question.
Finally, one must ensure that upon error the temporary file is
removed correctly.
.Pp
There are also cases where modifying the code to use
.Fn mktemp ,
in concert with
.Xr open 2
using the flags
.Dv O_CREAT
|
.Dv O_EXCL ,
is better, as long as the code retries a new template if
.Xr open 2
fails with an
.Va errno
of
.Er EEXIST .
.Sh ERRORS
The
.Fn mktemp ,
.Fn mkstemp
and
.Fn mkdtemp
functions
may set
.Va errno
to one of the following values:
.Bl -tag -width Er
.It Bq Er ENOTDIR
The pathname portion of the template is not an existing directory.
.El
.Pp
The
.Fn mktemp ,
.Fn mkstemp
and
.Fn mkdtemp
functions
may also set
.Va errno
to any value specified by the
.Xr stat 2
function.
.Pp
The
.Fn mkstemp
function
may also set
.Va errno
to any value specified by the
.Xr open 2
function.
.Pp
The
.Fn mkdtemp
function
may also set
.Va errno
to any value specified by the
.Xr mkdir 2
function.
.Sh SEE ALSO
.Xr chmod 2 ,
.Xr getpid 2 ,
.Xr open 2 ,
.Xr stat 2 ,
.Xr umask 2
.Sh STANDARDS
The
.Fn mktemp
conforms to
.St -p1003.1-2001 .
It was however removed from the specification in the
.St -p1003.1-2008
revision.
The
.Fn mkstemp
and
.Fn mkdtemp
functions conform to
.St -p1003.1-2004
and
.St -p1003.1-2008 ,
respectively.
.Sh HISTORY
A
.Fn mktemp
function appeared in
.At v7 .
.Pp
The
.Fn mkstemp
function appeared in
.Bx 4.4 .
.Pp
The
.Fn mkdtemp
function appeared in
.Nx 1.4 .
.Sh BUGS
For
.Fn mktemp
there is an obvious race between file name selection and file
creation and deletion: the program is typically written to call
.Xr tmpnam 3 ,
.Xr tempnam 3 ,
or
.Fn mktemp .
Subsequently, the program calls
.Xr open 2
or
.Xr fopen 3
and erroneously opens a file (or symbolic link, fifo or other
device) that the attacker has created in the expected file location.
Hence
.Fn mkstemp
is recommended, since it atomically creates the file.
An attacker can guess the filenames produced by
.Fn mktemp .
Whenever it is possible,
.Fn mkstemp
or
.Fn mkdtemp
should be used instead.
.Pp
For this reason,
.Xr ld 1
will output a warning message whenever it links code that uses
.Fn mktemp .
.Pp
The
.Fn mkdtemp
function is nonstandard and should not be used if portability is required.
.Sh SECURITY CONSIDERATIONS
The use of
.Fn mktemp
should generally be avoided, as a hostile process can exploit a race
condition in the time between the generation of a temporary filename by
.Fn mktemp
and the invoker's use of the temporary name.
A link-time warning will be issued advising the use of
.Fn mkstemp
or
.Fn mkdtemp
instead.