Alexandre Duret-Lutz wrote:
> Why do you call this insecure? Either the directory already exists
> and your script aborts, or the directory is created with safe permissions.

You're right, sorry. I was confused by the presence of $RANDOM. Now I see
that the purpose of $RANDOM is only to decrease the probability of failure,
not to increase security: Creating a directory with mode 077 is all that's
needed for security.

> > It would be nice if we could write up the result of this discussion, when
> > finished, in the autoconf manual.
> > http://www.gnu.org/software/autoconf/manual/autoconf-2.57/html_chapter/autoconf_10.html
>
> Would be helpful, unless it boils down to "use AS_TMPDIR".

Well, there are uses of shell scripts outside of autoconf. autoconf.info
chapter 10 is also a valuable handbook for them. References to AS_* macros
are less useful in this context.

How about this?

*** autoconf/doc/autoconf.texi.bak	2004-10-12 13:50:46.000000000 +0200
--- autoconf/doc/autoconf.texi	2004-10-26 20:30:58.000000000 +0200
***************
*** 11581,11586 ****
--- 11581,11623 ----
  older versions are not thread-safe either).
  
+ @item @command{mktemp}
+ @c -------------------
+ @prindex @command{mktemp}
+ @cindex Creating temporary files
+ The command @command{mktemp} exists only on a few systems. A portable
+ way to create a temporary file name into which it is safe to write,
+ protecting against symlink attacks, is to create a temporary directory
+ with mode 700 and use a file inside this directory.
+
+ Here is sample code to securely create a temporary directory:
+
+ @example
+ # Use the environment variable TMPDIR, falling back to /tmp. This allows
+ # users to specify a different temporary directory, for example, if their
+ # /tmp is filled up or too small.
+ : $@{TMPDIR=/tmp@}
+ @{
+ # Use the mktemp program if available. If not available, hide the error
+ # message.
+ tmp=`(umask 077 && mktemp -d -q "$TMPDIR/fooXXXXXX") 2>/dev/null` &&
+ test -n "$tmp" && test -d "$tmp"
+ @} ||
+ @{
+ # Use a simple mkdir command. It is guaranteed to fail if the directory
+ # already exists. $RANDOM is bash specific and expands to empty in shells
+ # other than bash. Its use does not increase security; rather, it
+ # minimizes the probability of failure in a very cluttered /tmp directory.
+ tmp=$TMPDIR/foo$$-$RANDOM
+ (umask 077 && mkdir "$tmp")
+ @} ||
+ @{
+ echo "$0: cannot create a temporary directory in $TMPDIR" >&2
+ @{ (exit 1); exit 1; @}
+ @}
+ @end example
+
  @item @command{mv}
  @c ---------------
  @prindex @command{mv}

Bruno

_______________________________________________
Autoconf mailing list
Autoconf@xxxxxxx
http://lists.gnu.org/mailman/listinfo/autoconf
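Review bot: the sample in the new @command{mktemp} entry never removes the directory it creates, so readers who copy it verbatim leak one directory per run in $TMPDIR; a line such as `trap 'rm -rf "$tmp"' 0 1 2 13 15` right after the creation block (or at least a sentence saying cleanup is the script's job) would complete the example. The comment on the mkdir fallback could also state the consequence the thread already established: because the name is predictable, a pre-existing entry at that name makes the script abort, which is a denial of service and not a compromise, since a plain mkdir (no -p) fails with EEXIST on an existing file, directory or symlink rather than following it. Finally, `@{ (exit 1); exit 1; @}` is an Autoconf-internal idiom that the surrounding text does not explain; for a section meant to be useful to shell scripts outside Autoconf (the stated goal of this write-up), either use a plain `exit 1` or add a sentence on why the longer form is used.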
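The creation sequence the patch documents, as an added example that is not part of the original message or of the Autoconf manual: a POSIX sh script with the same mktemp-then-mkdir fallback, a portable permission check on the result (ls -ld rather than the GNU-only stat -c), and a check showing that the mkdir fallback refuses a pre-planted symlink instead of following it, which is the property the manual text calls protection against symlink attacks. The function names make_secure_tmpdir, tmpdir_is_private and mkdir_refuses_existing, the exampleXXXXXX template and the trap in the usage block are assumptions of this example, not names from the patch.

```shell
#!/bin/sh
# Added example (not the manual's own text). Assumed names:
# make_secure_tmpdir, tmpdir_is_private, mkdir_refuses_existing.

# Create a private temporary directory and print its path.
# Stage 1 uses mktemp -d where it exists; stage 2 falls back to a plain
# mkdir under umask 077, which fails if anything already sits at that
# name, so a planted entry can only make us fail, never make us write
# through it.
make_secure_tmpdir() {
  : "${TMPDIR:=/tmp}"
  {
    # Stage 1: mktemp -d, errors hidden if the program is missing.
    tmp=`(umask 077 && mktemp -d -q "$TMPDIR/exampleXXXXXX") 2>/dev/null` &&
    test -n "$tmp" && test -d "$tmp"
  } || {
    # Stage 2: plain mkdir; $RANDOM is empty outside bash, which only
    # raises the chance of a name collision, not the risk.
    tmp=$TMPDIR/example$$-$RANDOM
    (umask 077 && mkdir "$tmp")
  } || return 1
  printf '%s\n' "$tmp"
}

# Succeed only if the directory is reachable by its owner alone:
# the mode column from ls -ld must read exactly drwx------.
tmpdir_is_private() {
  mode=`ls -ld "$1" | cut -c1-10`
  test "$mode" = "drwx------"
}

# Show why the mkdir fallback is safe: plant a symlink at the name a
# script would pick (inside a private scratch directory, constructed for
# this check), then try the same mkdir. Succeed if mkdir refused.
mkdir_refuses_existing() {
  base=`make_secure_tmpdir` || return 1
  target=$base/elsewhere
  planted=$base/planted
  mkdir "$target" || { rm -rf "$base"; return 1; }
  ln -s "$target" "$planted" || { rm -rf "$base"; return 1; }
  if (umask 077 && mkdir "$planted") 2>/dev/null; then
    rm -rf "$base"
    return 1   # mkdir accepted an existing entry: this would be unsafe
  fi
  rm -rf "$base"
  return 0
}

# Usage: create, verify, use, and clean up on any exit.
run_example() {
  d=`make_secure_tmpdir` || {
    echo "$0: cannot create a temporary directory in ${TMPDIR:-/tmp}" >&2
    return 1
  }
  trap 'rm -rf "$d"' 0 1 2 13 15
  tmpdir_is_private "$d" && echo "private scratch directory: $d"
  mkdir_refuses_existing && echo "fallback mkdir refuses a planted symlink"
}

run_example
```

The permission check deliberately reads the ls -ld mode column because stat's option syntax differs between GNU and BSD systems, while the ten-character mode string is the same everywhere; ACL or security-label suffixes that some systems append after it are ignored by cut.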