6579
Comment: igli: add usage of TMPDIR and trap to POSIX-sh variant. add -n to [ ] in POSIX variant using mktemp as unsafe without it.
|
← Revision 44 as of 2023-04-28 01:07:11 ⇥
7247
added user-friendly anchors
|
Deletions are marked like this. | Additions are marked like this. |
Line 3: | Line 3: |
There does not appear to be any single command that simply ''works'' everywhere. `tempfile` is not portable. `mktemp` exists more widely (but still not ubiquitously), but it may require a `-c` switch to create the file in advance; or it may create the file by default and barf if `-c` is supplied. Some systems don't have either command (Solaris, POSIX). | There does not appear to be any single command that simply ''works'' everywhere. `tempfile` is not portable. `mktemp` exists more widely (but still not ubiquitously), but it may require a `-c` switch to create the file in advance; or it may create the file by default and barf if `-c` is supplied. Some systems don't have either command (Solaris, POSIX). POSIX systems are supposed to have `m4` which has the ability to create a temporary file, but some systems may not install `m4` by default, or their implementation of `m4` may be missing this feature. |
Line 7: | Line 7: |
{{{ # Do not use! Race condition! tempfile=/tmp/myname.$$ trap 'rm -f "$tempfile"; exit 1' 1 2 3 15 rm -f "$tempfile" touch "$tempfile" |
{{{#!highlight bash # Do not use! Race condition! tempfile=/tmp/myname.$$ trap 'rm -f -- "$tempfile"; exit 1' 1 2 3 15 rm -f -- "$tempfile" touch -- "$tempfile" |
Line 14: | Line 14: |
Line 16: | Line 17: |
The best ''portable'' answer is to put your temporary files ''in your home directory'' (or some other private directory) where nobody else has write access. Then at least you don't have to worry about malicious users. Simplistic PID-based schemes (or hostname + PID for shared file systems) should be enough to prevent conflicts with your own scripts. | <<Anchor(HOME)>> === Use your $HOME === The best ''portable'' answer is to put your temporary files ''in your home directory'' (or some other private directory, e.g. `$XDG_RUNTIME_DIR`) where nobody else has write access. Then at least you don't have to worry about malicious users. Simplistic PID-based schemes (or hostname + PID for shared file systems) should be enough to prevent conflicts with your own scripts. If you're implementing a daemon which runs under a user account with no home directory, why not simply ''make a private directory for your daemon'' at the same time you're installing the code? |
Line 20: | Line 26: |
=== Making a temporary directory === | <<Anchor(tempdir)>> === Make a temporary directory === If you can't use $HOME, the next best answer is to create a private '''directory''' to hold your temp file(s), instead of creating the files directly inside a world-writable sandbox like `/tmp` or `/var/tmp`. The `mkdir` command is atomic, and only reports success if it actually created the directory. So long as we ''do not'' use the `-p` option, we can be assured that it actually created a brand new directory, rather than following a symlink to danger. Here is one example of this approach: {{{#!highlight bash # Bash i=0 tempdir= trap '[[ $tempdir ]] && rm -rf -- "$tempdir"' EXIT while ((++i <= 10)); do tempdir=${TMPDIR:-/tmp}//$RANDOM-$$ mkdir -m 700 -- "$tempdir" 2>/dev/null && break done if ((i > 10)); then printf 'Could not create temporary directory\n' >&2 exit 1 fi }}} Instead of `RANDOM`, `awk` can be used to generate a random number in a POSIX compatible way: {{{#!highlight bash # POSIX i=0 tempdir= cleanup() { [ "$tempdir" ] && rm -rf -- "$tempdir" if [ "$1" != EXIT ]; then trap - "$1" # reset trap, and kill "-$1" "$$" # resend signal to self fi } for sig in EXIT HUP INT TERM; do trap "cleanup $sig" "$sig" done while [ "$i" -lt 10 ]; do tempdir=${TMPDIR:-/tmp}//$(awk 'BEGIN { srand (); print rand() }')-$$ mkdir -m 700 -- "$tempdir" 2>/dev/null && break sleep 1 i=$((i+1)) done if [ "$i" -ge 10 ]; then printf 'Could not create temporary directory\n' >&2 exit 1 fi }}} Note however that `srand()` seeds the random number generator using seconds since the epoch which is fairly easy for an adversary to predict and perform a denial of service attack. (Historical awk implementations that predate POSIX may not even use the time of day for `srand()`, so don't count on this if you're on an ancient system.) Some systems have a 14-character filename limit, so avoid the temptation to string `$RANDOM` together more than twice. You're relying on the atomicity of `mkdir` for your security, ''not'' the obscurity of your random name. If someone fills up `/tmp` with hundreds of thousands of random-number files to thwart you, you've got bigger issues. |
Line 26: | Line 89: |
{{{ # POSIX |
{{{#!highlight bash # Bash on Linux |
Line 29: | Line 92: |
# Set $TMPDIR to "/tmp" only if it didn't have a value previously : ${TMPDIR:=/tmp} # We can find about $TMPDIR in http://www.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap08.html # Create a private temporary directory inside $TMPDIR # Remove the temporary directory when the script finishes unset temporary_dir trap '[ -n "$temporary_dir" ] && rm -rf "$temporary_dir"' EXIT save_mask=$(umask) umask 077 temporary_dir=$(mktemp -d "$TMPDIR/XXXXXXXXXXXXXXXXXXXXXXXXXXXXX") || { echo "ERROR creating a temporary file" >&2; exit 1; } umask "$save_mask" |
unset -v tempdir trap '[ "$tempdir" ] && rm -rf -- "$tempdir"' EXIT tempdir=$(mktemp -d -- "${TMPDIR:-/tmp}//XXXXXXXXXXXXXXXXXXXXXXXXXXXXX") || { printf 'ERROR creating a temporary file\n' >&2; exit 1; } |
Line 45: | Line 98: |
And then you can create your particular files inside the temporary folder. | And then you can create your particular files inside the temporary directory. |
Line 47: | Line 100: |
---- A different suggestion which does not require a `mktemp` command: a temporary directory can be created that is unlikely to match an existing directory using the {{{RANDOM}}} variable as follows: |
|
Line 50: | Line 101: |
{{{ temp_dir=/tmp/$RANDOM mkdir "$temp_dir" }}} This will make a directory of the form: {{{/tmp/20445/}}}. To decrease the chance of collision with an existing directory, the {{{RANDOM}}} variable can be used a number of times, or combined with the process ID: |
<<Anchor(nonportable-tools)>> === Use platform-specific tools === If you're writing a script for only a specific set of systems, and if those systems have a `mktemp` or `tempfile` tool which works correctly, you can use that. Make sure that your tool actually ''creates'' the temporary file, and does not simply give you an unused name. The options will vary from system to system, so you will have to write your script with that in mind. Since some platforms have ''none'' of these tools, this is not a portable solution, but it's often good enough, especially if your script is only targeting a specific operating system. |
Line 56: | Line 105: |
{{{ temp_dir=/tmp/$RANDOM-$$ mkdir -m 700 "$temp_dir" || { echo "failed to create temp_dir" >&2; exit 1; } |
Here's an example using Linux's `mktemp`: {{{#!highlight bash # Bash on Linux unset -v tmpfile trap '[[ $tmpfile ]] && rm -f -- "$tmpfile"' EXIT tmpfile=$(mktemp) |
Line 61: | Line 115: |
This will make a directory of the form {{{/tmp/24953-2875/}}}. This avoids a race condition because the `mkdir` is atomic, as we see in [[BashFAQ/045|FAQ #45]]. It is imperative that you check the result of `mkdir`; if it fails to create the directory, obviously you cannot proceed. | |
Line 63: | Line 116: |
(Some systems have a 14-character filename limit, so avoid the temptation to string `$RANDOM` together more than twice. You're relying on the atomicity of `mkdir` for your security, ''not'' the obscurity of your random name. If someone fills up `/tmp` with hundreds of thousands of random-number files to thwart you, you've got bigger issues.) | <<Anchor(m4)>> === Using m4 === The `m4` approach is ''theoretically'' POSIX-standard, but not in practice -- it may not work on MacOS, as its version of `m4` is too old (as of July, 2021). Nevertheless, here's an example. Note that `mkstemp` requires a template, including a path prefix, or else it creates the temporary file in the current directory. |
Line 65: | Line 120: |
---- Instead of {{{RANDOM}}}, `awk` can be used to generate a random number in a POSIX compatible way: |
{{{#!highlight bash # Bash |
Line 68: | Line 123: |
{{{ temp_dir=/tmp/$(awk 'BEGIN { srand (); print rand() }') mkdir -m 700 "$temp_dir" |
die() { printf >&2 '%s\n' "$*"; exit 1; } unset -v tmpfile trap '[[ $tmpfile ]] && rm -f -- "$tmpfile"' EXIT tmpfile=$(m4 - <<< 'mkstemp(/tmp/foo-XXXXXX)') || die "couldn't create temporary file" |
Line 73: | Line 131: |
Note, however that "srand()" seeds the random number generator using seconds since the epoch which is fairly easy for an adversary to predict and perform a denial of service attack. | Or, alternatively: |
Line 75: | Line 133: |
Combining the above we can use: {{{ # POSIX temp_dir=${TMPDIR:=/tmp}/$(awk -v p=$$ 'BEGIN { srand(); s = rand(); sub(/^0./, "", s); printf("%X_%X", p, s) }') trap '[ -d "$temp_dir" ] && rm -fr "$temp_dir"' EXIT mkdir -m 700 "$temp_dir" || { echo '!! unable to create a tempdir' >&2; exit 1; } |
{{{#!highlight bash # Bash die() { printf >&2 '%s\n' "$*"; exit 1; } unset -v tmpfile trap '[[ $tmpfile ]] && rm -f -- "$tmpfile"' EXIT : "${TMPDIR:=/tmp}" tmpfile=$TMPDIR//$(HOME=$TMPDIR cd && m4 - <<< 'mkstemp(foo-XXXXXX)') || die "couldn't create temporary file" |
Line 82: | Line 145: |
Since the default awk numeric format is %g which equates to 6 digits after the decimal point, we have a 6 digit trail. 999,999 is F423F which gives us one character back, another for the {{{_}}} and 8 available for a prefixed pid on a 14-char filesystem. An unsigned 32-bit pid will be a maximum of 8 hex digits, so the above should stand a chance in most places one might encounter such an fs. And of course we bail out as greycat mentioned when the creation fails. | |
Line 84: | Line 146: |
. ''Isn't this getting just a bit silly?'' -- GreyCat | |
Line 86: | Line 147: |
. ''No more so than the unportable approach given above. It answers your repeated point about a 14-char limit on filenames, and allows for use of /tmp, which some admins prefer, and can be useful if your script is not a defined program with a specific name, where I agree the better approach is to have a defined directory, under $HOME or elsewhere. As a minor point, the pid prefix enables a degree of control over/ knowledge of any tempdirs created. Personally I'd rather have this combined with the trap calls and use of $TMPDIR, portable to POSIX sh, than a mktemp invocation which I can't rely on.'' -- igli |
<<Anchor(other)>> |
Line 89: | Line 149: |
I reiterate that the best solution is to use your `$HOME` directory to hold your private files. If you're implementing a daemon or something, which runs under a user account with no home directory, why not simply ''make a private directory for your daemon'' at the same time you're installing the code? ---- |
How do I create a temporary file in a secure manner?
There does not appear to be any single command that simply works everywhere. tempfile is not portable. mktemp exists more widely (but still not ubiquitously), but it may require a -c switch to create the file in advance; or it may create the file by default and barf if -c is supplied. Some systems don't have either command (Solaris, POSIX). POSIX systems are supposed to have m4 which has the ability to create a temporary file, but some systems may not install m4 by default, or their implementation of m4 may be missing this feature.
The traditional answer has usually been something like this:
The problem with this is: if the file already exists (for example, as a symlink to /etc/passwd), then the script may write things in places they should not be written. Even if you remove the file immediately before using it, you still have a RaceCondition: someone could re-create a malicious symlink in the interval between your shell commands.
Use your $HOME
The best portable answer is to put your temporary files in your home directory (or some other private directory, e.g. $XDG_RUNTIME_DIR) where nobody else has write access. Then at least you don't have to worry about malicious users. Simplistic PID-based schemes (or hostname + PID for shared file systems) should be enough to prevent conflicts with your own scripts.
If you're implementing a daemon which runs under a user account with no home directory, why not simply make a private directory for your daemon at the same time you're installing the code?
Unfortunately, people don't seem to like that answer. They demand that their temporary files should be in /tmp or /var/tmp. For those people, there is no clean answer, so they must choose a hack they can live with.
Make a temporary directory
If you can't use $HOME, the next best answer is to create a private directory to hold your temp file(s), instead of creating the files directly inside a world-writable sandbox like /tmp or /var/tmp. The mkdir command is atomic, and only reports success if it actually created the directory. So long as we do not use the -p option, we can be assured that it actually created a brand new directory, rather than following a symlink to danger.
Here is one example of this approach:
Instead of RANDOM, awk can be used to generate a random number in a POSIX compatible way:
1 # POSIX
2
3 i=0 tempdir=
4 cleanup() {
5 [ "$tempdir" ] && rm -rf -- "$tempdir"
6 if [ "$1" != EXIT ]; then
7 trap - "$1" # reset trap, and
8 kill "-$1" "$$" # resend signal to self
9 fi
10 }
11 for sig in EXIT HUP INT TERM; do
12 trap "cleanup $sig" "$sig"
13 done
14
15 while [ "$i" -lt 10 ]; do
16 tempdir=${TMPDIR:-/tmp}//$(awk 'BEGIN { srand (); print rand() }')-$$
17 mkdir -m 700 -- "$tempdir" 2>/dev/null && break
18 sleep 1
19 i=$((i+1))
20 done
21
22 if [ "$i" -ge 10 ]; then
23 printf 'Could not create temporary directory\n' >&2
24 exit 1
25 fi
Note however that srand() seeds the random number generator using seconds since the epoch which is fairly easy for an adversary to predict and perform a denial of service attack. (Historical awk implementations that predate POSIX may not even use the time of day for srand(), so don't count on this if you're on an ancient system.)
Some systems have a 14-character filename limit, so avoid the temptation to string $RANDOM together more than twice. You're relying on the atomicity of mkdir for your security, not the obscurity of your random name. If someone fills up /tmp with hundreds of thousands of random-number files to thwart you, you've got bigger issues.
In some systems (like Linux):
You have available the mktemp command and you can use its -d option so that it creates temporary directores only accessible for you, with random characters inside their names to make it almost impossible for an attacker to guess the directory name beforehand.
You can create filenames longer than 14 characters in /tmp.
And then you can create your particular files inside the temporary directory.
Use platform-specific tools
If you're writing a script for only a specific set of systems, and if those systems have a mktemp or tempfile tool which works correctly, you can use that. Make sure that your tool actually creates the temporary file, and does not simply give you an unused name. The options will vary from system to system, so you will have to write your script with that in mind. Since some platforms have none of these tools, this is not a portable solution, but it's often good enough, especially if your script is only targeting a specific operating system.
Here's an example using Linux's mktemp:
Using m4
The m4 approach is theoretically POSIX-standard, but not in practice -- it may not work on MacOS, as its version of m4 is too old (as of July, 2021). Nevertheless, here's an example. Note that mkstemp requires a template, including a path prefix, or else it creates the temporary file in the current directory.
Or, alternatively:
Other approaches
Another not-quite-serious suggestion is to include C code in the script that implements a mktemp(1) command based on the mktemp(3) library function, compile it, and use that in the script. But this has a couple problems:
- The useless Solaris systems where we would need this probably don't have a C compiler either.
- Chicken and egg problem: we need a temporary file name to hold the compiler's output.