b6cbf7203b
This patch imports the unmodified current version of NetBSD libc. The NetBSD includes are in /nbsd_include, while the libc code itself is split between lib/nbsd_libc and common/lib/libc.
262 lines
6.4 KiB
Groff
262 lines
6.4 KiB
Groff
.\" $NetBSD: tmpnam.3,v 1.17 2010/04/30 04:55:10 jruoho Exp $
|
|
.\"
|
|
.\" Copyright (c) 1988, 1991, 1993
|
|
.\" The Regents of the University of California. All rights reserved.
|
|
.\"
|
|
.\" This code is derived from software contributed to Berkeley by
|
|
.\" the American National Standards Committee X3, on Information
|
|
.\" Processing Systems.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. Neither the name of the University nor the names of its contributors
|
|
.\" may be used to endorse or promote products derived from this software
|
|
.\" without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" @(#)tmpnam.3 8.2 (Berkeley) 11/17/93
|
|
.\"
|
|
.Dd April 30, 2010
|
|
.Dt TMPFILE 3
|
|
.Os
|
|
.Sh NAME
|
|
.Nm tempnam ,
|
|
.Nm tmpfile ,
|
|
.Nm tmpnam
|
|
.Nd temporary file routines
|
|
.Sh LIBRARY
|
|
.Lb libc
|
|
.Sh SYNOPSIS
|
|
.In stdio.h
|
|
.Ft FILE *
|
|
.Fn tmpfile void
|
|
.Ft char *
|
|
.Fn tmpnam "char *str"
|
|
.Ft char *
|
|
.Fn tempnam "const char *tmpdir" "const char *prefix"
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Fn tmpfile
|
|
function
|
|
returns a pointer to a stream associated with a file descriptor returned
|
|
by the routine
|
|
.Xr mkstemp 3 .
|
|
The created file is unlinked before
|
|
.Fn tmpfile
|
|
returns, causing the file to be automatically deleted when the last
|
|
reference to it is closed.
|
|
The file is opened with the access value
|
|
.Ql w+ .
|
|
.Pp
|
|
The
|
|
.Fn tmpnam
|
|
function
|
|
returns a pointer to a file name, in the
|
|
.Dv P_tmpdir
|
|
directory, which
|
|
did not reference an existing file at some indeterminate point in the
|
|
past.
|
|
.Dv P_tmpdir
|
|
is defined in the include file
|
|
.In stdio.h .
|
|
If the argument
|
|
.Fa s
|
|
is
|
|
.Pf non- Dv NULL ,
|
|
the file name is copied to the buffer it references.
|
|
Otherwise, the file name is copied to a static buffer.
|
|
In either case,
|
|
.Fn tmpnam
|
|
returns a pointer to the file name.
|
|
.Pp
|
|
The buffer referenced by
|
|
.Fa s
|
|
is expected to be at least
|
|
.Dv L_tmpnam
|
|
bytes in length.
|
|
.Dv L_tmpnam
|
|
is defined in the include file
|
|
.In stdio.h .
|
|
.Pp
|
|
The
|
|
.Fn tempnam
|
|
function
|
|
is similar to
|
|
.Fn tmpnam ,
|
|
but provides the ability to specify the directory which will
|
|
contain the temporary file and the file name prefix.
|
|
.Pp
|
|
The environment variable
|
|
.Ev TMPDIR
|
|
(if set), the argument
|
|
.Fa tmpdir
|
|
(if
|
|
.Pf non- Dv NULL ) ,
|
|
the directory
|
|
.Dv P_tmpdir ,
|
|
and the directory
|
|
.Pa /tmp
|
|
are tried, in the listed order, as directories in which to store the
|
|
temporary file.
|
|
.Pp
|
|
The argument
|
|
.Fa prefix ,
|
|
if
|
|
.Pf non- Dv NULL ,
|
|
is used to specify a file name prefix, which will be the
|
|
first part of the created file name.
|
|
.Fn tempnam
|
|
allocates memory in which to store the file name; the returned pointer
|
|
may be used as a subsequent argument to
|
|
.Xr free 3 .
|
|
.Sh RETURN VALUES
|
|
The
|
|
.Fn tmpfile
|
|
function
|
|
returns a pointer to an open file stream on success, and a
|
|
.Dv NULL
|
|
pointer
|
|
on error.
|
|
.Pp
|
|
The
|
|
.Fn tmpnam
|
|
and
|
|
.Fn tempnam
|
|
functions
|
|
return a pointer to a file name on success, and a
|
|
.Dv NULL
|
|
pointer
|
|
on error.
|
|
.Sh ERRORS
|
|
The
|
|
.Fn tmpfile
|
|
function
|
|
may fail and set the global variable
|
|
.Va errno
|
|
for any of the errors specified for the library functions
|
|
.Xr fdopen 3
|
|
or
|
|
.Xr mkstemp 3 .
|
|
.Pp
|
|
The
|
|
.Fn tmpnam
|
|
function
|
|
may fail and set
|
|
.Va errno
|
|
for any of the errors specified for the library function
|
|
.Xr mktemp 3 .
|
|
.Pp
|
|
The
|
|
.Fn tempnam
|
|
function
|
|
may fail and set
|
|
.Va errno
|
|
for any of the errors specified for the library functions
|
|
.Xr malloc 3
|
|
or
|
|
.Xr mktemp 3 .
|
|
.Sh SEE ALSO
|
|
.Xr mkstemp 3 ,
|
|
.Xr mktemp 3
|
|
.Sh STANDARDS
|
|
The
|
|
.Fn tmpfile
|
|
and
|
|
.Fn tmpnam
|
|
functions
|
|
conform to
|
|
.St -ansiC .
|
|
All described functions also conform to
|
|
.St -p1003.1-2001 ,
|
|
albeit the
|
|
.Fn tempnam
|
|
and
|
|
.Fn tmpnam
|
|
functions have been marked as obsolete in the
|
|
.St -p1003.1-2008
|
|
revision.
|
|
.Sh BUGS
|
|
These interfaces are provided for
|
|
.At V
|
|
and
|
|
.Tn ANSI
|
|
compatibility only.
|
|
The
|
|
.Xr mkstemp 3
|
|
interface is strongly preferred.
|
|
.Sh SECURITY CONSIDERATIONS
|
|
There are four important problems with these interfaces (as well as
|
|
with the historic
|
|
.Xr mktemp 3
|
|
interface).
|
|
First, there is an obvious race between file name selection and file
|
|
creation and deletion: the program is typically written to call
|
|
.Fn tmpnam ,
|
|
.Fn tempnam ,
|
|
or
|
|
.Xr mktemp 3 .
|
|
Subsequently, the program calls
|
|
.Xr open 2
|
|
or
|
|
.Xr fopen 3
|
|
and erroneously opens a file (or symbolic link, or fifo or other
|
|
device) that the attacker has placed in the expected file location.
|
|
Hence
|
|
.Xr mkstemp 3
|
|
is recommended, since it atomically creates the file.
|
|
.Pp
|
|
Second, most historic implementations provide only a limited number
|
|
of possible temporary file names (usually 26) before file names will
|
|
start being recycled.
|
|
Third, the
|
|
.At V
|
|
implementations of these functions (and of
|
|
.Xr mktemp 3 )
|
|
use the
|
|
.Xr access 2
|
|
system call to determine whether or not the temporary file may be created.
|
|
This has obvious ramifications for setuid or setgid programs, complicating
|
|
the portable use of these interfaces in such programs.
|
|
Finally, there is no specification of the permissions with which the
|
|
temporary files are created.
|
|
.Pp
|
|
This implementation of
|
|
.Fn tmpfile
|
|
does not have these flaws,
|
|
and that of
|
|
.Fn tmpnam
|
|
and
|
|
.Fn tempnam
|
|
only have the first limitation, but portable software
|
|
cannot depend on that.
|
|
In particular, the
|
|
.Fn tmpfile
|
|
interface should not be used in software expected to be used on other systems
|
|
if there is any possibility that the user does not wish the temporary file to
|
|
be publicly readable and writable.
|
|
.Pp
|
|
A link-time warning will be issued if
|
|
.Fn tmpnam
|
|
or
|
|
.Fn tempnam
|
|
is used, and advises the use of
|
|
.Fn mkstemp
|
|
instead.
|