[apple/libc.git] / stdio / mktemp.3

.\" Copyright (c) 1989, 1991, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"	This product includes software developed by the University of
.\"	California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"     @(#)mktemp.3	8.1 (Berkeley) 6/4/93
.\" $FreeBSD: src/lib/libc/stdio/mktemp.3,v 1.20 2004/02/20 04:08:28 green Exp $
.\"
.Dd February 11, 1998
.Dt MKTEMP 3
.Os
.Sh NAME
.Nm mkdtemp ,
.Nm mkstemp ,
.Nm mktemp ,
.Nm mktemps
.Nd make temporary file name (unique)
.Sh LIBRARY
.Lb libc
.Sh SYNOPSIS
.In unistd.h
.Ft char *
.Fo mkdtemp
.Fa "char *template"
.Fc
.Ft int
.Fo mkstemps
.Fa "char *template"
.Fa "int suffixlen"
.Fc
.In stdlib.h
.Ft int
.Fo mkstemp
.Fa "char *template"
.Fc
.Ft char *
.Fo mktemp
.Fa "char *template"
.Fc
.Sh DESCRIPTION
The
.Fn mktemp
function
takes the given file name template and overwrites a portion of it
to create a file name.
This file name is guaranteed not to exist at the time of function invocation
and is suitable for use
by the application.
The template may be any file name with some number of
.Ql X Ns s
appended
to it, for example
.Pa /tmp/temp.XXXXXX .
The trailing
.Ql X Ns s
are replaced with a
unique alphanumeric combination.
The number of unique file names
.Fn mktemp
can return depends on the number of
.Ql X Ns s
provided; six
.Ql X Ns s
will
result in
.Fn mktemp
selecting one of 56800235584 (62 ** 6) possible temporary file names.
.Pp
The
.Fn mkstemp
function
makes the same replacement to the template and creates the template file,
mode 0600, returning a file descriptor opened for reading and writing.
This avoids the race between testing for a file's existence and opening it
for use.
.Pp
The
.Fn mkstemps
function acts the same as
.Fn mkstemp ,
except it permits a suffix to exist in the template.
The template should be of the form
.Pa /tmp/tmpXXXXXXsuffix .
The
.Fn mkstemps
function
is told the length of the suffix string.
.Pp
The
.Fn mkdtemp
function makes the same replacement to the template as in
.Fn mktemp
and creates the template directory, mode 0700.
.Sh RETURN VALUES
The
.Fn mktemp
and
.Fn mkdtemp
functions return a pointer to the template on success and
.Dv NULL
on failure.
The
.Fn mkstemp
and
.Fn mkstemps
functions
return \-1 if no suitable file could be created.
If either call fails an error code is placed in the global variable
.Va errno .
.Sh ERRORS
The
.Fn mkstemp ,
.Fn mkstemps
and
.Fn mkdtemp
functions
may set
.Va errno
to one of the following values:
.Bl -tag -width Er
.It Bq Er ENOTDIR
The pathname portion of the template is not an existing directory.
.El
.Pp
The
.Fn mkstemp ,
.Fn mkstemps ,
and
.Fn mkdtemp
functions
may also set
.Va errno
to any value specified by the
.Xr stat 2
function.
.Pp
The
.Fn mkstemp
and
.Fn mkstemps
functions
may also set
.Va errno
to any value specified by the
.Xr open 2
function.
.Pp
The
.Fn mkdtemp
function
may also set
.Va errno
to any value specified by the
.Xr mkdir 2
function.
.Sh NOTES
A common problem that results in a core dump is that the programmer
passes in a read-only string to
.Fn mktemp ,
.Fn mkstemp ,
.Fn mkstemps ,
or
.Fn mkdtemp .
This is common with programs that were developed before
.St -isoC
compilers were common.
For example, calling
.Fn mkstemp
with an argument of
.Qq /tmp/tempfile.XXXXXX
will result in a core dump due to
.Fn mkstemp
attempting to modify the string constant that was given.
If the program in question makes heavy use of that type
of function call, you do have the option of compiling the program
so that it will store string constants in a writable segment of memory.
See
.Xr gcc 1
for more information.
.Sh BUGS
This family of functions produces filenames which can be guessed,
though the risk is minimized when large numbers of
.Ql X Ns s
are used to
increase the number of possible temporary filenames.
This makes the race in
.Fn mktemp ,
between testing for a file's existence (in the
.Fn mktemp
function call)
and opening it for use
(later in the user application)
particularly dangerous from a security perspective.
Whenever it is possible,
.Fn mkstemp
should be used instead, since it does not have the race condition.
If
.Fn mkstemp
cannot be used, the filename created by
.Fn mktemp
should be created using the
.Dv O_EXCL
flag to
.Xr open 2
and the return status of the call should be tested for failure.
This will ensure that the program does not continue blindly
in the event that an attacker has already created the file
with the intention of manipulating or reading its contents.
.Pp
The implementation of these functions calls
.Xr arc4random 3 ,
which is not reentrant.
You must provide your own locking around this and other consumers of the
.Xr arc4random 3
API.
.Sh LEGACY SYNOPSIS
.Fd #include <unistd.h>
.Pp
The include file
.In unistd.h
is necessary and sufficient for all functions.
.Sh SEE ALSO
.Xr chmod 2 ,
.Xr getpid 2 ,
.Xr mkdir 2 ,
.Xr open 2 ,
.Xr stat 2 ,
.Xr compat 5
.Sh HISTORY
A
.Fn mktemp
function appeared in
.At v7 .
The
.Fn mkstemp
function appeared in
.Bx 4.4 .
The
.Fn mkdtemp
function first appeared in
.Ox 2.2 ,
and later in
.Fx 3.2 .
The
.Fn mkstemps
function first appeared in
.Ox 2.4 ,
and later in
.Fx 3.4 .
Commit	Line	Data
224c7076 A	1	.\" Copyright (c) 1989, 1991, 1993
	2	.\" The Regents of the University of California. All rights reserved.
	3	.\"
	4	.\" Redistribution and use in source and binary forms, with or without
	5	.\" modification, are permitted provided that the following conditions
	6	.\" are met:
	7	.\" 1. Redistributions of source code must retain the above copyright
	8	.\" notice, this list of conditions and the following disclaimer.
	9	.\" 2. Redistributions in binary form must reproduce the above copyright
	10	.\" notice, this list of conditions and the following disclaimer in the
	11	.\" documentation and/or other materials provided with the distribution.
	12	.\" 3. All advertising materials mentioning features or use of this software
	13	.\" must display the following acknowledgement:
	14	.\" This product includes software developed by the University of
	15	.\" California, Berkeley and its contributors.
	16	.\" 4. Neither the name of the University nor the names of its contributors
	17	.\" may be used to endorse or promote products derived from this software
	18	.\" without specific prior written permission.
	19	.\"
	20	.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
	21	.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	22	.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	23	.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
	24	.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	25	.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	26	.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	27	.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	28	.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	29	.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	30	.\" SUCH DAMAGE.
	31	.\"
	32	.\" @(#)mktemp.3 8.1 (Berkeley) 6/4/93
	33	.\" $FreeBSD: src/lib/libc/stdio/mktemp.3,v 1.20 2004/02/20 04:08:28 green Exp $
	34	.\"
	35	.Dd February 11, 1998
	36	.Dt MKTEMP 3
	37	.Os
	38	.Sh NAME
	39	.Nm mkdtemp ,
	40	.Nm mkstemp ,
	41	.Nm mktemp ,
	42	.Nm mktemps
	43	.Nd make temporary file name (unique)
	44	.Sh LIBRARY
	45	.Lb libc
	46	.Sh SYNOPSIS
	47	.In unistd.h
	48	.Ft char *
	49	.Fo mkdtemp
	50	.Fa "char *template"
	51	.Fc
	52	.Ft int
	53	.Fo mkstemps
	54	.Fa "char *template"
	55	.Fa "int suffixlen"
	56	.Fc
	57	.In stdlib.h
	58	.Ft int
	59	.Fo mkstemp
	60	.Fa "char *template"
	61	.Fc
	62	.Ft char *
	63	.Fo mktemp
	64	.Fa "char *template"
65	.Fc
66	.Sh DESCRIPTION
67	The
68	.Fn mktemp
69	function
70	takes the given file name template and overwrites a portion of it
71	to create a file name.
72	This file name is guaranteed not to exist at the time of function invocation
73	and is suitable for use
74	by the application.
75	The template may be any file name with some number of
76	.Ql X Ns s
77	appended
78	to it, for example
79	.Pa /tmp/temp.XXXXXX .
80	The trailing
81	.Ql X Ns s
82	are replaced with a
83	unique alphanumeric combination.
84	The number of unique file names
85	.Fn mktemp
86	can return depends on the number of
87	.Ql X Ns s
88	provided; six
89	.Ql X Ns s
90	will
91	result in
92	.Fn mktemp
93	selecting one of 56800235584 (62 ** 6) possible temporary file names.
94	.Pp
95	The
96	.Fn mkstemp
97	function
98	makes the same replacement to the template and creates the template file,
99	mode 0600, returning a file descriptor opened for reading and writing.
100	This avoids the race between testing for a file's existence and opening it
101	for use.
102	.Pp
103	The
104	.Fn mkstemps
105	function acts the same as
106	.Fn mkstemp ,
107	except it permits a suffix to exist in the template.
108	The template should be of the form
109	.Pa /tmp/tmpXXXXXXsuffix .
110	The
111	.Fn mkstemps
112	function
113	is told the length of the suffix string.
114	.Pp
115	The
116	.Fn mkdtemp
117	function makes the same replacement to the template as in
118	.Fn mktemp
119	and creates the template directory, mode 0700.
120	.Sh RETURN VALUES
121	The
122	.Fn mktemp
123	and
124	.Fn mkdtemp
125	functions return a pointer to the template on success and
126	.Dv NULL
127	on failure.
128	The
129	.Fn mkstemp
130	and
131	.Fn mkstemps
132	functions
133	return \-1 if no suitable file could be created.
134	If either call fails an error code is placed in the global variable
135	.Va errno .
136	.Sh ERRORS
137	The
138	.Fn mkstemp ,
139	.Fn mkstemps
140	and
141	.Fn mkdtemp
142	functions
143	may set
144	.Va errno
145	to one of the following values:
146	.Bl -tag -width Er
147	.It Bq Er ENOTDIR
148	The pathname portion of the template is not an existing directory.
149	.El
150	.Pp
151	The
152	.Fn mkstemp ,
153	.Fn mkstemps ,
154	and
155	.Fn mkdtemp
156	functions
157	may also set
158	.Va errno
159	to any value specified by the
160	.Xr stat 2
161	function.
162	.Pp
163	The
164	.Fn mkstemp
165	and
166	.Fn mkstemps
167	functions
168	may also set
169	.Va errno
170	to any value specified by the
171	.Xr open 2
172	function.
173	.Pp
174	The
175	.Fn mkdtemp
176	function
177	may also set
178	.Va errno
179	to any value specified by the
180	.Xr mkdir 2
181	function.
182	.Sh NOTES
183	A common problem that results in a core dump is that the programmer
184	passes in a read-only string to
185	.Fn mktemp ,
186	.Fn mkstemp ,
187	.Fn mkstemps ,
188	or
189	.Fn mkdtemp .
190	This is common with programs that were developed before
191	.St -isoC
192	compilers were common.
193	For example, calling
194	.Fn mkstemp
195	with an argument of
196	.Qq /tmp/tempfile.XXXXXX
197	will result in a core dump due to
198	.Fn mkstemp
199	attempting to modify the string constant that was given.
200	If the program in question makes heavy use of that type
201	of function call, you do have the option of compiling the program
202	so that it will store string constants in a writable segment of memory.
203	See
204	.Xr gcc 1
205	for more information.
206	.Sh BUGS
207	This family of functions produces filenames which can be guessed,
208	though the risk is minimized when large numbers of
209	.Ql X Ns s
210	are used to
211	increase the number of possible temporary filenames.
212	This makes the race in
213	.Fn mktemp ,
214	between testing for a file's existence (in the
215	.Fn mktemp
216	function call)
217	and opening it for use
218	(later in the user application)
219	particularly dangerous from a security perspective.
220	Whenever it is possible,
221	.Fn mkstemp
222	should be used instead, since it does not have the race condition.
223	If
224	.Fn mkstemp
225	cannot be used, the filename created by
226	.Fn mktemp
227	should be created using the
228	.Dv O_EXCL
229	flag to
230	.Xr open 2
231	and the return status of the call should be tested for failure.
232	This will ensure that the program does not continue blindly
233	in the event that an attacker has already created the file
234	with the intention of manipulating or reading its contents.
235	.Pp
236	The implementation of these functions calls
237	.Xr arc4random 3 ,
238	which is not reentrant.
239	You must provide your own locking around this and other consumers of the
240	.Xr arc4random 3
241	API.
242	.Sh LEGACY SYNOPSIS
243	.Fd #include <unistd.h>
244	.Pp
245	The include file
246	.In unistd.h
247	is necessary and sufficient for all functions.
248	.Sh SEE ALSO
249	.Xr chmod 2 ,
250	.Xr getpid 2 ,
251	.Xr mkdir 2 ,
252	.Xr open 2 ,
253	.Xr stat 2 ,
254	.Xr compat 5
255	.Sh HISTORY
256	A
257	.Fn mktemp
258	function appeared in
259	.At v7 .
260	The
261	.Fn mkstemp
262	function appeared in
263	.Bx 4.4 .
264	The
265	.Fn mkdtemp
266	function first appeared in
267	.Ox 2.2 ,
268	and later in
269	.Fx 3.2 .
270	The
271	.Fn mkstemps
272	function first appeared in
273	.Ox 2.4 ,
274	and later in
275	.Fx 3.4 .