<<Anchor(faq62)>>
== How do I create a temporary file in a secure manner? ==
There does not appear to be any single command that simply ''works'' everywhere.  `tempfile` is not portable.  `mktemp` exists more widely (but still not ubiquitously), but it may require a `-c` switch to create the file in advance; or it may create the file by default and barf if `-c` is supplied.  Some systems don't have either command (Solaris, POSIX).  POSIX systems are supposed to have `m4` which has the ability to create a temporary file, but some systems may not install `m4` by default, or their implementation of `m4` may be missing this feature.

The traditional answer has usually been something like this:

{{{#!highlight bash
# Do not use!  Race condition!
tempfile=/tmp/myname.$$
trap 'rm -f -- "$tempfile"; exit 1' 1 2 3 15
rm -f -- "$tempfile"
touch -- "$tempfile"
}}}

The problem with this is: if the file already exists (for example, as a symlink to `/etc/passwd`), then the script may write things in places they should not be written.  Even if you remove the file immediately before using it, you still have a RaceCondition: someone could re-create a malicious symlink in the interval between your shell commands.


<<Anchor(HOME)>>
=== Use your $HOME ===
The best ''portable'' answer is to put your temporary files ''in your home directory'' (or some other private directory, e.g. `$XDG_RUNTIME_DIR`) where nobody else has write access.  Then at least you don't have to worry about malicious users.  Simplistic PID-based schemes (or hostname + PID for shared file systems) should be enough to prevent conflicts with your own scripts.

If you're implementing a daemon which runs under a user account with no home directory, why not simply ''make a private directory for your daemon'' at the same time you're installing the code?

Unfortunately, people don't seem to like that answer.  They demand that their temporary files should be in `/tmp` or `/var/tmp`.  For those people, there is no clean answer, so they must choose a hack they can live with.


<<Anchor(tempdir)>>
=== Make a temporary directory ===
If you can't use $HOME, the next best answer is to create a private '''directory''' to hold your temp file(s), instead of creating the files directly inside a world-writable sandbox like `/tmp` or `/var/tmp`.  The `mkdir` command is atomic, and only reports success if it actually created the directory.  So long as we ''do not'' use the `-p` option, we can be assured that it actually created a brand new directory, rather than following a symlink to danger.

Here is one example of this approach:

{{{#!highlight bash
# Bash

i=0 tempdir=
trap '[[ $tempdir ]] && rm -rf -- "$tempdir"' EXIT

while ((++i <= 10)); do
  tempdir=${TMPDIR:-/tmp}//$RANDOM-$$
  mkdir -m 700 -- "$tempdir" 2>/dev/null && break
done

if ((i > 10)); then
  printf 'Could not create temporary directory\n' >&2
  exit 1
fi
}}}

Instead of `RANDOM`, `awk` can be used to generate a random number in a POSIX compatible way:

{{{#!highlight bash
# POSIX

i=0 tempdir=
cleanup() {
  [ "$tempdir" ] && rm -rf -- "$tempdir"
  if [ "$1" != EXIT ]; then
    trap - "$1"         # reset trap, and
    kill "-$1" "$$"     # resend signal to self
  fi
}
for sig in EXIT HUP INT TERM; do
  trap "cleanup $sig" "$sig"
done

while [ "$i" -lt 10 ]; do
  tempdir=${TMPDIR:-/tmp}//$(awk 'BEGIN { srand (); print rand() }')-$$
  mkdir -m 700 -- "$tempdir" 2>/dev/null && break
  sleep 1
  i=$((i+1))
done

if [ "$i" -ge 10 ]; then
  printf 'Could not create temporary directory\n' >&2
  exit 1
fi
}}}

Note however that `srand()` seeds the random number generator using seconds since the epoch which is fairly easy for an adversary to predict and perform a denial of service attack.  (Historical awk implementations that predate POSIX may not even use the time of day for `srand()`, so don't count on this if you're on an ancient system.)

Some systems have a 14-character filename limit, so avoid the temptation to string `$RANDOM` together more than twice.  You're relying on the atomicity of `mkdir` for your security, ''not'' the obscurity of your random name.  If someone fills up `/tmp` with hundreds of thousands of random-number files to thwart you, you've got bigger issues.

In some systems (like Linux):

 * You have available the {{{mktemp}}} command and you can use its {{{-d}}} option so that it creates temporary directores only accessible for you, with random characters inside their names to make it almost impossible for an attacker to guess the directory name beforehand.
 * You can create filenames longer than 14 characters in {{{/tmp}}}.

{{{#!highlight bash
# Bash on Linux

unset -v tempdir
trap '[ "$tempdir" ] && rm -rf -- "$tempdir"' EXIT
tempdir=$(mktemp -d -- "${TMPDIR:-/tmp}//XXXXXXXXXXXXXXXXXXXXXXXXXXXXX") ||
  { printf 'ERROR creating a temporary file\n' >&2; exit 1; }
}}}

And then you can create your particular files inside the temporary directory.


<<Anchor(nonportable-tools)>>
=== Use platform-specific tools ===
If you're writing a script for only a specific set of systems, and if those systems have a `mktemp` or `tempfile` tool which works correctly, you can use that.  Make sure that your tool actually ''creates'' the temporary file, and does not simply give you an unused name.  The options will vary from system to system, so you will have to write your script with that in mind.  Since some platforms have ''none'' of these tools, this is not a portable solution, but it's often good enough, especially if your script is only targeting a specific operating system.

Here's an example using Linux's `mktemp`:

{{{#!highlight bash
# Bash on Linux

unset -v tmpfile
trap '[[ $tmpfile ]] && rm -f -- "$tmpfile"' EXIT
tmpfile=$(mktemp)
}}}


<<Anchor(m4)>>
=== Using m4 ===
The `m4` approach is ''theoretically'' POSIX-standard, but not in practice -- it may not work on MacOS, as its version of `m4` is too old (as of July, 2021).  Nevertheless, here's an example.  Note that `mkstemp` requires a template, including a path prefix, or else it creates the temporary file in the current directory.

{{{#!highlight bash
# Bash

die() { printf >&2 '%s\n' "$*"; exit 1; }

unset -v tmpfile
trap '[[ $tmpfile ]] && rm -f -- "$tmpfile"' EXIT
tmpfile=$(m4 - <<< 'mkstemp(/tmp/foo-XXXXXX)') ||
  die "couldn't create temporary file"
}}}

Or, alternatively:

{{{#!highlight bash
# Bash

die() { printf >&2 '%s\n' "$*"; exit 1; }

unset -v tmpfile
trap '[[ $tmpfile ]] && rm -f -- "$tmpfile"' EXIT

: "${TMPDIR:=/tmp}"
tmpfile=$TMPDIR//$(HOME=$TMPDIR cd && m4 - <<< 'mkstemp(foo-XXXXXX)') ||
  die "couldn't create temporary file"
}}}


<<Anchor(other)>>
=== Other approaches ===
Another not-quite-serious suggestion is to include C code in the script that implements a `mktemp(1)` command based on the `mktemp(3)` library function, compile it, and use that in the script.  But this has a couple problems:

 * The useless Solaris systems where we would need this probably don't have a C compiler either.
 * Chicken and egg problem: we need a temporary file name to hold the compiler's output.