NetBSD/lib/libc/stdio/tmpnam.3

262 lines
6.4 KiB
Groff

.\" $NetBSD: tmpnam.3,v 1.17 2010/04/30 04:55:10 jruoho Exp $
.\"
.\" Copyright (c) 1988, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" This code is derived from software contributed to Berkeley by
.\" the American National Standards Committee X3, on Information
.\" Processing Systems.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)tmpnam.3 8.2 (Berkeley) 11/17/93
.\"
.Dd April 30, 2010
.Dt TMPFILE 3
.Os
.Sh NAME
.Nm tempnam ,
.Nm tmpfile ,
.Nm tmpnam
.Nd temporary file routines
.Sh LIBRARY
.Lb libc
.Sh SYNOPSIS
.In stdio.h
.Ft FILE *
.Fn tmpfile void
.Ft char *
.Fn tmpnam "char *str"
.Ft char *
.Fn tempnam "const char *tmpdir" "const char *prefix"
.Sh DESCRIPTION
The
.Fn tmpfile
function
returns a pointer to a stream associated with a file descriptor returned
by the routine
.Xr mkstemp 3 .
The created file is unlinked before
.Fn tmpfile
returns, causing the file to be automatically deleted when the last
reference to it is closed.
The file is opened with the access value
.Ql w+ .
.Pp
The
.Fn tmpnam
function
returns a pointer to a file name, in the
.Dv P_tmpdir
directory, which
did not reference an existing file at some indeterminate point in the
past.
.Dv P_tmpdir
is defined in the include file
.In stdio.h .
If the argument
.Fa s
is
.Pf non- Dv NULL ,
the file name is copied to the buffer it references.
Otherwise, the file name is copied to a static buffer.
In either case,
.Fn tmpnam
returns a pointer to the file name.
.Pp
The buffer referenced by
.Fa s
is expected to be at least
.Dv L_tmpnam
bytes in length.
.Dv L_tmpnam
is defined in the include file
.In stdio.h .
.Pp
The
.Fn tempnam
function
is similar to
.Fn tmpnam ,
but provides the ability to specify the directory which will
contain the temporary file and the file name prefix.
.Pp
The environment variable
.Ev TMPDIR
(if set), the argument
.Fa tmpdir
(if
.Pf non- Dv NULL ) ,
the directory
.Dv P_tmpdir ,
and the directory
.Pa /tmp
are tried, in the listed order, as directories in which to store the
temporary file.
.Pp
The argument
.Fa prefix ,
if
.Pf non- Dv NULL ,
is used to specify a file name prefix, which will be the
first part of the created file name.
.Fn tempnam
allocates memory in which to store the file name; the returned pointer
may be used as a subsequent argument to
.Xr free 3 .
.Sh RETURN VALUES
The
.Fn tmpfile
function
returns a pointer to an open file stream on success, and a
.Dv NULL
pointer
on error.
.Pp
The
.Fn tmpnam
and
.Fn tempnam
functions
return a pointer to a file name on success, and a
.Dv NULL
pointer
on error.
.Sh ERRORS
The
.Fn tmpfile
function
may fail and set the global variable
.Va errno
for any of the errors specified for the library functions
.Xr fdopen 3
or
.Xr mkstemp 3 .
.Pp
The
.Fn tmpnam
function
may fail and set
.Va errno
for any of the errors specified for the library function
.Xr mktemp 3 .
.Pp
The
.Fn tempnam
function
may fail and set
.Va errno
for any of the errors specified for the library functions
.Xr malloc 3
or
.Xr mktemp 3 .
.Sh SEE ALSO
.Xr mkstemp 3 ,
.Xr mktemp 3
.Sh STANDARDS
The
.Fn tmpfile
and
.Fn tmpnam
functions
conform to
.St -ansiC .
All described functions also conform to
.St -p1003.1-2001 ,
albeit the
.Fn tempnam
and
.Fn tmpnam
functions have been marked as obsolete in the
.St -p1003.1-2008
revision.
.Sh BUGS
These interfaces are provided for
.At V
and
.Tn ANSI
compatibility only.
The
.Xr mkstemp 3
interface is strongly preferred.
.Sh SECURITY CONSIDERATIONS
There are four important problems with these interfaces (as well as
with the historic
.Xr mktemp 3
interface).
First, there is an obvious race between file name selection and file
creation and deletion: the program is typically written to call
.Fn tmpnam ,
.Fn tempnam ,
or
.Xr mktemp 3 .
Subsequently, the program calls
.Xr open 2
or
.Xr fopen 3
and erroneously opens a file (or symbolic link, or fifo or other
device) that the attacker has placed in the expected file location.
Hence
.Xr mkstemp 3
is recommended, since it atomically creates the file.
.Pp
Second, most historic implementations provide only a limited number
of possible temporary file names (usually 26) before file names will
start being recycled.
Third, the
.At V
implementations of these functions (and of
.Xr mktemp 3 )
use the
.Xr access 2
system call to determine whether or not the temporary file may be created.
This has obvious ramifications for setuid or setgid programs, complicating
the portable use of these interfaces in such programs.
Finally, there is no specification of the permissions with which the
temporary files are created.
.Pp
This implementation of
.Fn tmpfile
does not have these flaws,
and that of
.Fn tmpnam
and
.Fn tempnam
only have the first limitation, but portable software
cannot depend on that.
In particular, the
.Fn tmpfile
interface should not be used in software expected to be used on other systems
if there is any possibility that the user does not wish the temporary file to
be publicly readable and writable.
.Pp
A link-time warning will be issued if
.Fn tmpnam
or
.Fn tempnam
is used, and advises the use of
.Fn mkstemp
instead.