[apple/libc.git] / stdio / FreeBSD / mktemp.3

.\" Copyright (c) 1989, 1991, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"	This product includes software developed by the University of
.\"	California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"     @(#)mktemp.3	8.1 (Berkeley) 6/4/93
.\" $FreeBSD: src/lib/libc/stdio/mktemp.3,v 1.20 2004/02/20 04:08:28 green Exp $
.\"
.Dd February 11, 1998
.Dt MKTEMP 3
.Os
.Sh NAME
.Nm mktemp
.Nd make temporary file name (unique)
.Sh LIBRARY
.Lb libc
.Sh SYNOPSIS
.In unistd.h
.Ft char *
.Fn mktemp "char *template"
.Ft int
.Fn mkstemp "char *template"
.Ft int
.Fn mkstemps "char *template" "int suffixlen"
.Ft char *
.Fn mkdtemp "char *template"
.Sh DESCRIPTION
The
.Fn mktemp
function
takes the given file name template and overwrites a portion of it
to create a file name.
This file name is guaranteed not to exist at the time of function invocation
and is suitable for use
by the application.
The template may be any file name with some number of
.Ql X Ns s
appended
to it, for example
.Pa /tmp/temp.XXXXXX .
The trailing
.Ql X Ns s
are replaced with a
unique alphanumeric combination.
The number of unique file names
.Fn mktemp
can return depends on the number of
.Ql X Ns s
provided; six
.Ql X Ns s
will
result in
.Fn mktemp
selecting one of 56800235584 (62 ** 6) possible temporary file names.
.Pp
The
.Fn mkstemp
function
makes the same replacement to the template and creates the template file,
mode 0600, returning a file descriptor opened for reading and writing.
This avoids the race between testing for a file's existence and opening it
for use.
.Pp
The
.Fn mkstemps
function acts the same as
.Fn mkstemp ,
except it permits a suffix to exist in the template.
The template should be of the form
.Pa /tmp/tmpXXXXXXsuffix .
The
.Fn mkstemps
function
is told the length of the suffix string.
.Pp
The
.Fn mkdtemp
function makes the same replacement to the template as in
.Fn mktemp
and creates the template directory, mode 0700.
.Sh RETURN VALUES
The
.Fn mktemp
and
.Fn mkdtemp
functions return a pointer to the template on success and
.Dv NULL
on failure.
The
.Fn mkstemp
and
.Fn mkstemps
functions
return \-1 if no suitable file could be created.
If either call fails an error code is placed in the global variable
.Va errno .
.Sh ERRORS
The
.Fn mkstemp ,
.Fn mkstemps
and
.Fn mkdtemp
functions
may set
.Va errno
to one of the following values:
.Bl -tag -width Er
.It Bq Er ENOTDIR
The pathname portion of the template is not an existing directory.
.El
.Pp
The
.Fn mkstemp ,
.Fn mkstemps
and
.Fn mkdtemp
functions
may also set
.Va errno
to any value specified by the
.Xr stat 2
function.
.Pp
The
.Fn mkstemp
and
.Fn mkstemps
functions
may also set
.Va errno
to any value specified by the
.Xr open 2
function.
.Pp
The
.Fn mkdtemp
function
may also set
.Va errno
to any value specified by the
.Xr mkdir 2
function.
.Sh NOTES
A common problem that results in a core dump is that the programmer
passes in a read-only string to
.Fn mktemp ,
.Fn mkstemp ,
.Fn mkstemps
or
.Fn mkdtemp .
This is common with programs that were developed before
.St -isoC
compilers were common.
For example, calling
.Fn mkstemp
with an argument of
.Qq /tmp/tempfile.XXXXXX
will result in a core dump due to
.Fn mkstemp
attempting to modify the string constant that was given.
If the program in question makes heavy use of that type
of function call, you do have the option of compiling the program
so that it will store string constants in a writable segment of memory.
See
.Xr gcc 1
for more information.
.Sh BUGS
This family of functions produces filenames which can be guessed,
though the risk is minimized when large numbers of
.Ql X Ns s
are used to
increase the number of possible temporary filenames.
This makes the race in
.Fn mktemp ,
between testing for a file's existence (in the
.Fn mktemp
function call)
and opening it for use
(later in the user application)
particularly dangerous from a security perspective.
Whenever it is possible,
.Fn mkstemp
should be used instead, since it does not have the race condition.
If
.Fn mkstemp
cannot be used, the filename created by
.Fn mktemp
should be created using the
.Dv O_EXCL
flag to
.Xr open 2
and the return status of the call should be tested for failure.
This will ensure that the program does not continue blindly
in the event that an attacker has already created the file
with the intention of manipulating or reading its contents.
.Pp
The implementation of these functions calls
.Xr arc4random 3 ,
which is not reentrant.
You must provide your own locking around this and other consumers of the
.Xr arc4random 3
API.
.Sh SEE ALSO
.Xr chmod 2 ,
.Xr getpid 2 ,
.Xr mkdir 2 ,
.Xr open 2 ,
.Xr stat 2
.Sh HISTORY
A
.Fn mktemp
function appeared in
.At v7 .
The
.Fn mkstemp
function appeared in
.Bx 4.4 .
The
.Fn mkdtemp
function first appeared in
.Ox 2.2 ,
and later in
.Fx 3.2 .
The
.Fn mkstemps
function first appeared in
.Ox 2.4 ,
and later in
.Fx 3.4 .
Commit	Line	Data
5b2abdfb A	1	.\" Copyright (c) 1989, 1991, 1993
	2	.\" The Regents of the University of California. All rights reserved.
	3	.\"
	4	.\" Redistribution and use in source and binary forms, with or without
	5	.\" modification, are permitted provided that the following conditions
	6	.\" are met:
	7	.\" 1. Redistributions of source code must retain the above copyright
	8	.\" notice, this list of conditions and the following disclaimer.
	9	.\" 2. Redistributions in binary form must reproduce the above copyright
	10	.\" notice, this list of conditions and the following disclaimer in the
	11	.\" documentation and/or other materials provided with the distribution.
	12	.\" 3. All advertising materials mentioning features or use of this software
	13	.\" must display the following acknowledgement:
	14	.\" This product includes software developed by the University of
	15	.\" California, Berkeley and its contributors.
	16	.\" 4. Neither the name of the University nor the names of its contributors
	17	.\" may be used to endorse or promote products derived from this software
	18	.\" without specific prior written permission.
	19	.\"
	20	.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
	21	.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	22	.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	23	.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
	24	.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	25	.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	26	.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	27	.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	28	.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	29	.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	30	.\" SUCH DAMAGE.
	31	.\"
	32	.\" @(#)mktemp.3 8.1 (Berkeley) 6/4/93
3d9156a7	33	.\" $FreeBSD: src/lib/libc/stdio/mktemp.3,v 1.20 2004/02/20 04:08:28 green Exp $
5b2abdfb A	34	.\"
	35	.Dd February 11, 1998
	36	.Dt MKTEMP 3
	37	.Os
	38	.Sh NAME
	39	.Nm mktemp
	40	.Nd make temporary file name (unique)
	41	.Sh LIBRARY
	42	.Lb libc
	43	.Sh SYNOPSIS
	44	.In unistd.h
	45	.Ft char *
	46	.Fn mktemp "char *template"
	47	.Ft int
	48	.Fn mkstemp "char *template"
	49	.Ft int
	50	.Fn mkstemps "char *template" "int suffixlen"
	51	.Ft char *
	52	.Fn mkdtemp "char *template"
	53	.Sh DESCRIPTION
	54	The
	55	.Fn mktemp
	56	function
	57	takes the given file name template and overwrites a portion of it
	58	to create a file name.
	59	This file name is guaranteed not to exist at the time of function invocation
	60	and is suitable for use
	61	by the application.
	62	The template may be any file name with some number of
	63	.Ql X Ns s
	64	appended
	65	to it, for example
	66	.Pa /tmp/temp.XXXXXX .
	67	The trailing
	68	.Ql X Ns s
	69	are replaced with a
	70	unique alphanumeric combination.
	71	The number of unique file names
	72	.Fn mktemp
	73	can return depends on the number of
	74	.Ql X Ns s
	75	provided; six
	76	.Ql X Ns s
	77	will
	78	result in
	79	.Fn mktemp
	80	selecting one of 56800235584 (62 ** 6) possible temporary file names.
	81	.Pp
	82	The
	83	.Fn mkstemp
	84	function
	85	makes the same replacement to the template and creates the template file,
	86	mode 0600, returning a file descriptor opened for reading and writing.
	87	This avoids the race between testing for a file's existence and opening it
	88	for use.
	89	.Pp
	90	The
	91	.Fn mkstemps
	92	function acts the same as
	93	.Fn mkstemp ,
	94	except it permits a suffix to exist in the template.
	95	The template should be of the form
	96	.Pa /tmp/tmpXXXXXXsuffix .
9385eb3d	97	The
5b2abdfb	98	.Fn mkstemps
9385eb3d	99	function
5b2abdfb A	100	is told the length of the suffix string.
	101	.Pp
	102	The
	103	.Fn mkdtemp
	104	function makes the same replacement to the template as in
9385eb3d	105	.Fn mktemp
5b2abdfb A	106	and creates the template directory, mode 0700.
	107	.Sh RETURN VALUES
	108	The
	109	.Fn mktemp
	110	and
	111	.Fn mkdtemp
	112	functions return a pointer to the template on success and
	113	.Dv NULL
	114	on failure.
	115	The
	116	.Fn mkstemp
	117	and
	118	.Fn mkstemps
	119	functions
	120	return \-1 if no suitable file could be created.
	121	If either call fails an error code is placed in the global variable
	122	.Va errno .
	123	.Sh ERRORS
	124	The
	125	.Fn mkstemp ,
	126	.Fn mkstemps
	127	and
	128	.Fn mkdtemp
	129	functions
	130	may set
	131	.Va errno
	132	to one of the following values:
	133	.Bl -tag -width Er
	134	.It Bq Er ENOTDIR
	135	The pathname portion of the template is not an existing directory.
	136	.El
	137	.Pp
	138	The
	139	.Fn mkstemp ,
	140	.Fn mkstemps
	141	and
	142	.Fn mkdtemp
	143	functions
	144	may also set
	145	.Va errno
	146	to any value specified by the
	147	.Xr stat 2
	148	function.
	149	.Pp
	150	The
	151	.Fn mkstemp
	152	and
	153	.Fn mkstemps
	154	functions
	155	may also set
	156	.Va errno
	157	to any value specified by the
	158	.Xr open 2
	159	function.
	160	.Pp
	161	The
	162	.Fn mkdtemp
	163	function
	164	may also set
	165	.Va errno
	166	to any value specified by the
	167	.Xr mkdir 2
	168	function.
	169	.Sh NOTES
170	A common problem that results in a core dump is that the programmer
171	passes in a read-only string to
172	.Fn mktemp ,
173	.Fn mkstemp ,
174	.Fn mkstemps
175	or
176	.Fn mkdtemp .
177	This is common with programs that were developed before
178	.St -isoC
179	compilers were common.
180	For example, calling
181	.Fn mkstemp
182	with an argument of
183	.Qq /tmp/tempfile.XXXXXX
184	will result in a core dump due to
185	.Fn mkstemp
186	attempting to modify the string constant that was given.
187	If the program in question makes heavy use of that type
188	of function call, you do have the option of compiling the program
189	so that it will store string constants in a writable segment of memory.
190	See
191	.Xr gcc 1
192	for more information.
193	.Sh BUGS
194	This family of functions produces filenames which can be guessed,
195	though the risk is minimized when large numbers of
196	.Ql X Ns s
197	are used to
198	increase the number of possible temporary filenames.
199	This makes the race in
200	.Fn mktemp ,
201	between testing for a file's existence (in the
202	.Fn mktemp
203	function call)
204	and opening it for use
205	(later in the user application)
206	particularly dangerous from a security perspective.
207	Whenever it is possible,
208	.Fn mkstemp
209	should be used instead, since it does not have the race condition.
210	If
211	.Fn mkstemp
212	cannot be used, the filename created by
213	.Fn mktemp
214	should be created using the
215	.Dv O_EXCL
216	flag to
217	.Xr open 2
218	and the return status of the call should be tested for failure.
219	This will ensure that the program does not continue blindly
220	in the event that an attacker has already created the file
221	with the intention of manipulating or reading its contents.
3d9156a7 A	222	.Pp
	223	The implementation of these functions calls
	224	.Xr arc4random 3 ,
	225	which is not reentrant.
	226	You must provide your own locking around this and other consumers of the
	227	.Xr arc4random 3
	228	API.
5b2abdfb A	229	.Sh SEE ALSO
	230	.Xr chmod 2 ,
	231	.Xr getpid 2 ,
	232	.Xr mkdir 2 ,
	233	.Xr open 2 ,
	234	.Xr stat 2
	235	.Sh HISTORY
	236	A
	237	.Fn mktemp
	238	function appeared in
	239	.At v7 .
	240	The
	241	.Fn mkstemp
	242	function appeared in
	243	.Bx 4.4 .
	244	The
	245	.Fn mkdtemp
	246	function first appeared in
	247	.Ox 2.2 ,
	248	and later in
	249	.Fx 3.2 .
	250	The
	251	.Fn mkstemps
	252	function first appeared in
	253	.Ox 2.4 ,
	254	and later in
	255	.Fx 3.4 .