[apple/libc.git] / stdio / FreeBSD / mktemp.3

.\" Copyright (c) 1989, 1991, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"     @(#)mktemp.3	8.1 (Berkeley) 6/4/93
.\"
.Dd December 18, 2015
.Dt MKTEMP 3
.Os
.Sh NAME
.Nm mktemp ,
.Nm mkstemp ,
.Nm mkdtemp ,
.Nm mkstemps ,
.Nm mkostemp ,
.Nm mkostemps
.Nd make temporary file name (unique)
.Sh LIBRARY
.Lb libc
.Sh SYNOPSIS
.In unistd.h
.Ft char *
.Fo mktemp
.Fa "char *template"
.Fc
.Ft int
.Fo mkstemp
.Fa "char *template"
.Fc
.Ft char *
.Fo mkdtemp
.Fa "char *template"
.Fc
.Ft int
.Fo mkstemps
.Fa "char *template"
.Fa "int suffixlen"
.Fc
.Ft int
.Fo mkostemp
.Fa "char *template"
.Fa "int oflags"
.Fc
.Ft int
.Fo mkostemps
.Fa "char *template"
.Fa "int suffixlen"
.Fa "int oflags"
.Fc
.Sh DESCRIPTION
The
.Fn mktemp
function
takes the given file name template and overwrites a portion of it
to create a file name.
This file name is guaranteed not to exist at the time of function invocation
and is suitable for use
by the application.
The template may be any file name with some number of
.Ql X Ns s
appended
to it, for example
.Pa /tmp/temp.XXXXXX .
The trailing
.Ql X Ns s
are replaced with a
unique alphanumeric combination.
The number of unique file names
.Fn mktemp
can return depends on the number of
.Ql X Ns s
provided; six
.Ql X Ns s
will
result in
.Fn mktemp
selecting one of 56800235584 (62 ** 6) possible temporary file names.
.Pp
The
.Fn mkstemp
function
makes the same replacement to the template and creates the template file,
mode 0600, returning a file descriptor opened for reading and writing.
This avoids the race between testing for a file's existence and opening it
for use.
.Pp
The
.Fn mkdtemp
function makes the same replacement to the template as in
.Fn mktemp
and creates the template directory, mode 0700.
.Pp
The
.Fn mkostemp
function
is like
.Fn mkstemp
but allows specifying additional
.Xr open 2
flags (defined in
.In fcntl.h ) .
The permitted flags are
.Dv O_APPEND ,
.Dv O_SHLOCK ,
.Dv O_EXLOCK
and
.Dv O_CLOEXEC .
.Pp
The
.Fn mkstemps
and
.Fn mkostemps
functions act the same as
.Fn mkstemp
and
.Fn mkostemp
respectively,
except they permit a suffix to exist in the template.
The template should be of the form
.Pa /tmp/tmpXXXXXXsuffix .
The
.Fn mkstemps
and
.Fn mkostemps
functions
are told the length of the suffix string.
.Sh RETURN VALUES
The
.Fn mktemp
and
.Fn mkdtemp
functions return a pointer to the template on success and
.Dv NULL
on failure.
The
.Fn mkstemp ,
.Fn mkostemp ,
.Fn mkstemps
and
.Fn mkostemps
functions
return \-1 if no suitable file could be created.
If either call fails an error code is placed in the global variable
.Va errno .
.Sh ERRORS
The
.Fn mkstemp ,
.Fn mkostemp ,
.Fn mkstemps ,
.Fn mkostemps ,
and
.Fn mkdtemp
functions
may set
.Va errno
to one of the following values:
.Bl -tag -width Er
.It Bq Er ENOTDIR
The pathname portion of the template is not an existing directory.
.El
.Pp
The
.Fn mkostemp
and
.Fn mkostemps
functions
may also set
.Va errno
to the following value:
.Bl -tag -width Er
.It Bq Er EINVAL
The
.Fa oflags
argument is invalid.
.El
.Pp
The
.Fn mkstemp ,
.Fn mkostemp ,
.Fn mkstemps ,
.Fn mkostemps 
and
.Fn mkdtemp
functions
may also set
.Va errno
to any value specified by the
.Xr stat 2
function.
.Pp
The
.Fn mkstemp ,
.Fn mkostemp ,
.Fn mkstemps
and
.Fn mkostemps 
functions
may also set
.Va errno
to any value specified by the
.Xr open 2
function.
.Pp
The
.Fn mkdtemp
function
may also set
.Va errno
to any value specified by the
.Xr mkdir 2
function.
.Sh NOTES
A common problem that results in a core dump is that the programmer
passes in a read-only string to
.Fn mktemp ,
.Fn mkstemp ,
.Fn mkstemps
or
.Fn mkdtemp .
This is common with programs that were developed before
.St -isoC
compilers were common.
For example, calling
.Fn mkstemp
with an argument of
.Qq /tmp/tempfile.XXXXXX
will result in a core dump due to
.Fn mkstemp
attempting to modify the string constant that was given.
.Sh LEGACY SYNOPSIS
.Fd #include <unistd.h>
.Pp
The include file
.In unistd.h
is necessary and sufficient for all functions.
.Sh SEE ALSO
.Xr chmod 2 ,
.Xr getpid 2 ,
.Xr mkdir 2 ,
.Xr open 2 ,
.Xr stat 2 ,
.Xr compat 5
.Sh STANDARDS
The
.Fn mkstemp
and
.Fn mkdtemp
functions are expected to conform to
.St -p1003.1-2008 .
The
.Fn mktemp
function is expected to conform to
.St -p1003.1-2001
and is not specified by
.St -p1003.1-2008 .
The
.Fn mkostemp ,
.Fn mkstemps
and
.Fn mkostemps
functions do not conform to any standard.
.Sh HISTORY
A
.Fn mktemp
function appeared in
.At v7 .
The
.Fn mkstemp
function appeared in
.Bx 4.4 .
The
.Fn mkdtemp
function first appeared in
.Ox 2.2 ,
and later in
.Fx 3.2 .
The
.Fn mkstemps
function first appeared in
.Ox 2.4 ,
and later in
.Fx 3.4 .
The
.Fn mkostemp
and
.Fn mkostemps
functions appeared in OS X 10.12.
.Sh BUGS
This family of functions produces filenames which can be guessed,
though the risk is minimized when large numbers of
.Ql X Ns s
are used to
increase the number of possible temporary filenames.
This makes the race in
.Fn mktemp ,
between testing for a file's existence (in the
.Fn mktemp
function call)
and opening it for use
(later in the user application)
particularly dangerous from a security perspective.
Whenever it is possible,
.Fn mkstemp
or
.Fn mkostemp
should be used instead, since it does not have the race condition.
If
.Fn mkstemp
cannot be used, the filename created by
.Fn mktemp
should be created using the
.Dv O_EXCL
flag to
.Xr open 2
and the return status of the call should be tested for failure.
This will ensure that the program does not continue blindly
in the event that an attacker has already created the file
with the intention of manipulating or reading its contents.
Commit	Line	Data
5b2abdfb A	1	.\" Copyright (c) 1989, 1991, 1993
	2	.\" The Regents of the University of California. All rights reserved.
	3	.\"
	4	.\" Redistribution and use in source and binary forms, with or without
	5	.\" modification, are permitted provided that the following conditions
	6	.\" are met:
	7	.\" 1. Redistributions of source code must retain the above copyright
	8	.\" notice, this list of conditions and the following disclaimer.
	9	.\" 2. Redistributions in binary form must reproduce the above copyright
	10	.\" notice, this list of conditions and the following disclaimer in the
	11	.\" documentation and/or other materials provided with the distribution.
974e3884	12	.\" 3. Neither the name of the University nor the names of its contributors
5b2abdfb A	13	.\" may be used to endorse or promote products derived from this software
	14	.\" without specific prior written permission.
	15	.\"
	16	.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
	17	.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	18	.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	19	.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
	20	.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	21	.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	22	.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	23	.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	24	.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	25	.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	26	.\" SUCH DAMAGE.
	27	.\"
	28	.\" @(#)mktemp.3 8.1 (Berkeley) 6/4/93
5b2abdfb	29	.\"
974e3884	30	.Dd December 18, 2015
5b2abdfb A	31	.Dt MKTEMP 3
	32	.Os
	33	.Sh NAME
974e3884	34	.Nm mktemp ,
ad3c9f2a	35	.Nm mkstemp ,
974e3884	36	.Nm mkdtemp ,
ad3c9f2a	37	.Nm mkstemps ,
974e3884 A	38	.Nm mkostemp ,
974e3884 A	39	.Nm mkostemps
5b2abdfb A	40	.Nd make temporary file name (unique)
	41	.Sh LIBRARY
	42	.Lb libc
	43	.Sh SYNOPSIS
	44	.In unistd.h
	45	.Ft char *
974e3884 A	46	.Fo mktemp
	47	.Fa "char *template"
	48	.Fc
	49	.Ft int
	50	.Fo mkstemp
	51	.Fa "char *template"
	52	.Fc
	53	.Ft char *
ad3c9f2a A	54	.Fo mkdtemp
	55	.Fa "char *template"
	56	.Fc
5b2abdfb	57	.Ft int
ad3c9f2a A	58	.Fo mkstemps
	59	.Fa "char *template"
	60	.Fa "int suffixlen"
	61	.Fc
5b2abdfb	62	.Ft int
974e3884	63	.Fo mkostemp
ad3c9f2a	64	.Fa "char *template"
974e3884	65	.Fa "int oflags"
ad3c9f2a	66	.Fc
974e3884 A	67	.Ft int
974e3884 A	68	.Fo mkostemps
ad3c9f2a	69	.Fa "char *template"
974e3884 A	70	.Fa "int suffixlen"
974e3884 A	71	.Fa "int oflags"
ad3c9f2a	72	.Fc
5b2abdfb A	73	.Sh DESCRIPTION
	74	The
	75	.Fn mktemp
	76	function
	77	takes the given file name template and overwrites a portion of it
	78	to create a file name.
	79	This file name is guaranteed not to exist at the time of function invocation
	80	and is suitable for use
	81	by the application.
	82	The template may be any file name with some number of
	83	.Ql X Ns s
	84	appended
	85	to it, for example
	86	.Pa /tmp/temp.XXXXXX .
	87	The trailing
	88	.Ql X Ns s
	89	are replaced with a
	90	unique alphanumeric combination.
	91	The number of unique file names
	92	.Fn mktemp
	93	can return depends on the number of
	94	.Ql X Ns s
	95	provided; six
	96	.Ql X Ns s
	97	will
	98	result in
	99	.Fn mktemp
	100	selecting one of 56800235584 (62 ** 6) possible temporary file names.
	101	.Pp
	102	The
	103	.Fn mkstemp
	104	function
	105	makes the same replacement to the template and creates the template file,
	106	mode 0600, returning a file descriptor opened for reading and writing.
	107	This avoids the race between testing for a file's existence and opening it
	108	for use.
	109	.Pp
	110	The
974e3884 A	111	.Fn mkdtemp
	112	function makes the same replacement to the template as in
	113	.Fn mktemp
	114	and creates the template directory, mode 0700.
	115	.Pp
	116	The
	117	.Fn mkostemp
	118	function
	119	is like
	120	.Fn mkstemp
	121	but allows specifying additional
	122	.Xr open 2
	123	flags (defined in
	124	.In fcntl.h ) .
	125	The permitted flags are
	126	.Dv O_APPEND ,
	127	.Dv O_SHLOCK ,
	128	.Dv O_EXLOCK
	129	and
	130	.Dv O_CLOEXEC .
	131	.Pp
	132	The
5b2abdfb	133	.Fn mkstemps
974e3884 A	134	and
	135	.Fn mkostemps
	136	functions act the same as
	137	.Fn mkstemp
	138	and
	139	.Fn mkostemp
	140	respectively,
	141	except they permit a suffix to exist in the template.
5b2abdfb A	142	The template should be of the form
5b2abdfb A	143	.Pa /tmp/tmpXXXXXXsuffix .
9385eb3d	144	The
5b2abdfb	145	.Fn mkstemps
974e3884 A	146	and
	147	.Fn mkostemps
	148	functions
	149	are told the length of the suffix string.
5b2abdfb A	150	.Sh RETURN VALUES
	151	The
	152	.Fn mktemp
	153	and
	154	.Fn mkdtemp
	155	functions return a pointer to the template on success and
	156	.Dv NULL
	157	on failure.
	158	The
974e3884 A	159	.Fn mkstemp ,
974e3884 A	160	.Fn mkostemp ,
5b2abdfb	161	.Fn mkstemps
974e3884 A	162	and
974e3884 A	163	.Fn mkostemps
5b2abdfb A	164	functions
	165	return \-1 if no suitable file could be created.
	166	If either call fails an error code is placed in the global variable
	167	.Va errno .
	168	.Sh ERRORS
	169	The
	170	.Fn mkstemp ,
974e3884 A	171	.Fn mkostemp ,
	172	.Fn mkstemps ,
	173	.Fn mkostemps ,
5b2abdfb A	174	and
	175	.Fn mkdtemp
	176	functions
	177	may set
	178	.Va errno
	179	to one of the following values:
	180	.Bl -tag -width Er
	181	.It Bq Er ENOTDIR
	182	The pathname portion of the template is not an existing directory.
	183	.El
	184	.Pp
	185	The
974e3884 A	186	.Fn mkostemp
	187	and
	188	.Fn mkostemps
	189	functions
	190	may also set
	191	.Va errno
	192	to the following value:
	193	.Bl -tag -width Er
	194	.It Bq Er EINVAL
	195	The
	196	.Fa oflags
	197	argument is invalid.
	198	.El
	199	.Pp
	200	The
5b2abdfb	201	.Fn mkstemp ,
974e3884	202	.Fn mkostemp ,
ad3c9f2a	203	.Fn mkstemps ,
974e3884	204	.Fn mkostemps
5b2abdfb A	205	and
	206	.Fn mkdtemp
	207	functions
	208	may also set
	209	.Va errno
	210	to any value specified by the
	211	.Xr stat 2
	212	function.
	213	.Pp
	214	The
974e3884 A	215	.Fn mkstemp ,
974e3884 A	216	.Fn mkostemp ,
5b2abdfb	217	.Fn mkstemps
974e3884 A	218	and
974e3884 A	219	.Fn mkostemps
5b2abdfb A	220	functions
	221	may also set
	222	.Va errno
	223	to any value specified by the
	224	.Xr open 2
	225	function.
	226	.Pp
	227	The
	228	.Fn mkdtemp
	229	function
	230	may also set
	231	.Va errno
	232	to any value specified by the
	233	.Xr mkdir 2
	234	function.
	235	.Sh NOTES
	236	A common problem that results in a core dump is that the programmer
	237	passes in a read-only string to
	238	.Fn mktemp ,
	239	.Fn mkstemp ,
974e3884	240	.Fn mkstemps
5b2abdfb A	241	or
	242	.Fn mkdtemp .
	243	This is common with programs that were developed before
	244	.St -isoC
	245	compilers were common.
	246	For example, calling
	247	.Fn mkstemp
	248	with an argument of
	249	.Qq /tmp/tempfile.XXXXXX
	250	will result in a core dump due to
	251	.Fn mkstemp
	252	attempting to modify the string constant that was given.
ad3c9f2a A	253	.Sh LEGACY SYNOPSIS
	254	.Fd #include <unistd.h>
	255	.Pp
	256	The include file
	257	.In unistd.h
	258	is necessary and sufficient for all functions.
1f2f436a A	259	.Sh SEE ALSO
	260	.Xr chmod 2 ,
	261	.Xr getpid 2 ,
	262	.Xr mkdir 2 ,
	263	.Xr open 2 ,
ad3c9f2a A	264	.Xr stat 2 ,
ad3c9f2a A	265	.Xr compat 5
974e3884 A	266	.Sh STANDARDS
	267	The
	268	.Fn mkstemp
	269	and
	270	.Fn mkdtemp
	271	functions are expected to conform to
	272	.St -p1003.1-2008 .
	273	The
	274	.Fn mktemp
	275	function is expected to conform to
	276	.St -p1003.1-2001
	277	and is not specified by
	278	.St -p1003.1-2008 .
	279	The
	280	.Fn mkostemp ,
	281	.Fn mkstemps
	282	and
	283	.Fn mkostemps
	284	functions do not conform to any standard.
1f2f436a A	285	.Sh HISTORY
	286	A
	287	.Fn mktemp
	288	function appeared in
	289	.At v7 .
	290	The
	291	.Fn mkstemp
	292	function appeared in
	293	.Bx 4.4 .
	294	The
	295	.Fn mkdtemp
	296	function first appeared in
	297	.Ox 2.2 ,
	298	and later in
	299	.Fx 3.2 .
	300	The
	301	.Fn mkstemps
	302	function first appeared in
	303	.Ox 2.4 ,
	304	and later in
	305	.Fx 3.4 .
974e3884 A	306	The
	307	.Fn mkostemp
	308	and
	309	.Fn mkostemps
	310	functions appeared in OS X 10.12.
5b2abdfb A	311	.Sh BUGS
	312	This family of functions produces filenames which can be guessed,
	313	though the risk is minimized when large numbers of
	314	.Ql X Ns s
	315	are used to
	316	increase the number of possible temporary filenames.
	317	This makes the race in
	318	.Fn mktemp ,
	319	between testing for a file's existence (in the
	320	.Fn mktemp
	321	function call)
	322	and opening it for use
	323	(later in the user application)
	324	particularly dangerous from a security perspective.
	325	Whenever it is possible,
	326	.Fn mkstemp
974e3884 A	327	or
974e3884 A	328	.Fn mkostemp
5b2abdfb A	329	should be used instead, since it does not have the race condition.
	330	If
	331	.Fn mkstemp
	332	cannot be used, the filename created by
	333	.Fn mktemp
	334	should be created using the
	335	.Dv O_EXCL
	336	flag to
	337	.Xr open 2
	338	and the return status of the call should be tested for failure.
	339	This will ensure that the program does not continue blindly
	340	in the event that an attacker has already created the file
	341	with the intention of manipulating or reading its contents.