[apple/libc.git] / stdio / mktemp.3

.\" Copyright (c) 1989, 1991, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"	This product includes software developed by the University of
.\"	California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"     @(#)mktemp.3	8.1 (Berkeley) 6/4/93
.\" $FreeBSD: src/lib/libc/stdio/mktemp.3,v 1.17 2001/10/01 16:08:59 ru Exp $
.\"
.Dd February 11, 1998
.Dt MKTEMP 3
.Os
.Sh NAME
.Nm mktemp
.Nd make temporary file name (unique)
.Sh LIBRARY
.Lb libc
.Sh SYNOPSIS
.In unistd.h
.Ft char *
.Fn mktemp "char *template"
.Ft int
.Fn mkstemp "char *template"
.Ft int
.Fn mkstemps "char *template" "int suffixlen"
.Ft char *
.Fn mkdtemp "char *template"
.Sh DESCRIPTION
The
.Fn mktemp
function
takes the given file name template and overwrites a portion of it
to create a file name.
This file name is guaranteed not to exist at the time of function invocation
and is suitable for use
by the application.
The template may be any file name with some number of
.Ql X Ns s
appended
to it, for example
.Pa /tmp/temp.XXXXXX .
The trailing
.Ql X Ns s
are replaced with a
unique alphanumeric combination.
The number of unique file names
.Fn mktemp
can return depends on the number of
.Ql X Ns s
provided; six
.Ql X Ns s
will
result in
.Fn mktemp
selecting one of 56800235584 (62 ** 6) possible temporary file names.
.Pp
The
.Fn mkstemp
function
makes the same replacement to the template and creates the template file,
mode 0600, returning a file descriptor opened for reading and writing.
This avoids the race between testing for a file's existence and opening it
for use.
.Pp
The
.Fn mkstemps
function acts the same as
.Fn mkstemp ,
except it permits a suffix to exist in the template.
The template should be of the form
.Pa /tmp/tmpXXXXXXsuffix .
.Fn mkstemps
is told the length of the suffix string.
.Pp
The
.Fn mkdtemp
function makes the same replacement to the template as in
.Xr mktemp 3
and creates the template directory, mode 0700.
.Sh RETURN VALUES
The
.Fn mktemp
and
.Fn mkdtemp
functions return a pointer to the template on success and
.Dv NULL
on failure.
The
.Fn mkstemp
and
.Fn mkstemps
functions
return \-1 if no suitable file could be created.
If either call fails an error code is placed in the global variable
.Va errno .
.Sh ERRORS
The
.Fn mkstemp ,
.Fn mkstemps
and
.Fn mkdtemp
functions
may set
.Va errno
to one of the following values:
.Bl -tag -width Er
.It Bq Er ENOTDIR
The pathname portion of the template is not an existing directory.
.El
.Pp
The
.Fn mkstemp ,
.Fn mkstemps
and
.Fn mkdtemp
functions
may also set
.Va errno
to any value specified by the
.Xr stat 2
function.
.Pp
The
.Fn mkstemp
and
.Fn mkstemps
functions
may also set
.Va errno
to any value specified by the
.Xr open 2
function.
.Pp
The
.Fn mkdtemp
function
may also set
.Va errno
to any value specified by the
.Xr mkdir 2
function.
.Sh NOTES
A common problem that results in a core dump is that the programmer
passes in a read-only string to
.Fn mktemp ,
.Fn mkstemp ,
.Fn mkstemps
or
.Fn mkdtemp .
This is common with programs that were developed before
.St -isoC
compilers were common.
For example, calling
.Fn mkstemp
with an argument of
.Qq /tmp/tempfile.XXXXXX
will result in a core dump due to
.Fn mkstemp
attempting to modify the string constant that was given.
If the program in question makes heavy use of that type
of function call, you do have the option of compiling the program
so that it will store string constants in a writable segment of memory.
See
.Xr gcc 1
for more information.
.Sh BUGS
This family of functions produces filenames which can be guessed,
though the risk is minimized when large numbers of
.Ql X Ns s
are used to
increase the number of possible temporary filenames.
This makes the race in
.Fn mktemp ,
between testing for a file's existence (in the
.Fn mktemp
function call)
and opening it for use
(later in the user application)
particularly dangerous from a security perspective.
Whenever it is possible,
.Fn mkstemp
should be used instead, since it does not have the race condition.
If
.Fn mkstemp
cannot be used, the filename created by
.Fn mktemp
should be created using the
.Dv O_EXCL
flag to
.Xr open 2
and the return status of the call should be tested for failure.
This will ensure that the program does not continue blindly
in the event that an attacker has already created the file
with the intention of manipulating or reading its contents.
.Sh SEE ALSO
.Xr chmod 2 ,
.Xr getpid 2 ,
.Xr mkdir 2 ,
.Xr open 2 ,
.Xr stat 2
.Sh HISTORY
A
.Fn mktemp
function appeared in
.At v7 .
The
.Fn mkstemp
function appeared in
.Bx 4.4 .
The
.Fn mkdtemp
function first appeared in
.Ox 2.2 ,
and later in
.Fx 3.2 .
The
.Fn mkstemps
function first appeared in
.Ox 2.4 ,
and later in
.Fx 3.4 .
Commit	Line	Data
5b2abdfb A	1	.\" Copyright (c) 1989, 1991, 1993
	2	.\" The Regents of the University of California. All rights reserved.
	3	.\"
	4	.\" Redistribution and use in source and binary forms, with or without
	5	.\" modification, are permitted provided that the following conditions
	6	.\" are met:
	7	.\" 1. Redistributions of source code must retain the above copyright
	8	.\" notice, this list of conditions and the following disclaimer.
	9	.\" 2. Redistributions in binary form must reproduce the above copyright
	10	.\" notice, this list of conditions and the following disclaimer in the
	11	.\" documentation and/or other materials provided with the distribution.
	12	.\" 3. All advertising materials mentioning features or use of this software
	13	.\" must display the following acknowledgement:
	14	.\" This product includes software developed by the University of
	15	.\" California, Berkeley and its contributors.
	16	.\" 4. Neither the name of the University nor the names of its contributors
	17	.\" may be used to endorse or promote products derived from this software
	18	.\" without specific prior written permission.
	19	.\"
	20	.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
	21	.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	22	.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	23	.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
	24	.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	25	.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	26	.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	27	.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	28	.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	29	.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	30	.\" SUCH DAMAGE.
	31	.\"
	32	.\" @(#)mktemp.3 8.1 (Berkeley) 6/4/93
	33	.\" $FreeBSD: src/lib/libc/stdio/mktemp.3,v 1.17 2001/10/01 16:08:59 ru Exp $
	34	.\"
	35	.Dd February 11, 1998
	36	.Dt MKTEMP 3
	37	.Os
	38	.Sh NAME
	39	.Nm mktemp
	40	.Nd make temporary file name (unique)
	41	.Sh LIBRARY
	42	.Lb libc
	43	.Sh SYNOPSIS
	44	.In unistd.h
	45	.Ft char *
	46	.Fn mktemp "char *template"
	47	.Ft int
	48	.Fn mkstemp "char *template"
	49	.Ft int
	50	.Fn mkstemps "char *template" "int suffixlen"
	51	.Ft char *
	52	.Fn mkdtemp "char *template"
	53	.Sh DESCRIPTION
	54	The
	55	.Fn mktemp
	56	function
	57	takes the given file name template and overwrites a portion of it
	58	to create a file name.
	59	This file name is guaranteed not to exist at the time of function invocation
	60	and is suitable for use
	61	by the application.
	62	The template may be any file name with some number of
	63	.Ql X Ns s
	64	appended
65	to it, for example
66	.Pa /tmp/temp.XXXXXX .
67	The trailing
68	.Ql X Ns s
69	are replaced with a
70	unique alphanumeric combination.
71	The number of unique file names
72	.Fn mktemp
73	can return depends on the number of
74	.Ql X Ns s
75	provided; six
76	.Ql X Ns s
77	will
78	result in
79	.Fn mktemp
80	selecting one of 56800235584 (62 ** 6) possible temporary file names.
81	.Pp
82	The
83	.Fn mkstemp
84	function
85	makes the same replacement to the template and creates the template file,
86	mode 0600, returning a file descriptor opened for reading and writing.
87	This avoids the race between testing for a file's existence and opening it
88	for use.
89	.Pp
90	The
91	.Fn mkstemps
92	function acts the same as
93	.Fn mkstemp ,
94	except it permits a suffix to exist in the template.
95	The template should be of the form
96	.Pa /tmp/tmpXXXXXXsuffix .
97	.Fn mkstemps
98	is told the length of the suffix string.
99	.Pp
100	The
101	.Fn mkdtemp
102	function makes the same replacement to the template as in
103	.Xr mktemp 3
104	and creates the template directory, mode 0700.
105	.Sh RETURN VALUES
106	The
107	.Fn mktemp
108	and
109	.Fn mkdtemp
110	functions return a pointer to the template on success and
111	.Dv NULL
112	on failure.
113	The
114	.Fn mkstemp
115	and
116	.Fn mkstemps
117	functions
118	return \-1 if no suitable file could be created.
119	If either call fails an error code is placed in the global variable
120	.Va errno .
121	.Sh ERRORS
122	The
123	.Fn mkstemp ,
124	.Fn mkstemps
125	and
126	.Fn mkdtemp
127	functions
128	may set
129	.Va errno
130	to one of the following values:
131	.Bl -tag -width Er
132	.It Bq Er ENOTDIR
133	The pathname portion of the template is not an existing directory.
134	.El
135	.Pp
136	The
137	.Fn mkstemp ,
138	.Fn mkstemps
139	and
140	.Fn mkdtemp
141	functions
142	may also set
143	.Va errno
144	to any value specified by the
145	.Xr stat 2
146	function.
147	.Pp
148	The
149	.Fn mkstemp
150	and
151	.Fn mkstemps
152	functions
153	may also set
154	.Va errno
155	to any value specified by the
156	.Xr open 2
157	function.
158	.Pp
159	The
160	.Fn mkdtemp
161	function
162	may also set
163	.Va errno
164	to any value specified by the
165	.Xr mkdir 2
166	function.
167	.Sh NOTES
168	A common problem that results in a core dump is that the programmer
169	passes in a read-only string to
170	.Fn mktemp ,
171	.Fn mkstemp ,
172	.Fn mkstemps
173	or
174	.Fn mkdtemp .
175	This is common with programs that were developed before
176	.St -isoC
177	compilers were common.
178	For example, calling
179	.Fn mkstemp
180	with an argument of
181	.Qq /tmp/tempfile.XXXXXX
182	will result in a core dump due to
183	.Fn mkstemp
184	attempting to modify the string constant that was given.
185	If the program in question makes heavy use of that type
186	of function call, you do have the option of compiling the program
187	so that it will store string constants in a writable segment of memory.
188	See
189	.Xr gcc 1
190	for more information.
191	.Sh BUGS
192	This family of functions produces filenames which can be guessed,
193	though the risk is minimized when large numbers of
194	.Ql X Ns s
195	are used to
196	increase the number of possible temporary filenames.
197	This makes the race in
198	.Fn mktemp ,
199	between testing for a file's existence (in the
200	.Fn mktemp
201	function call)
202	and opening it for use
203	(later in the user application)
204	particularly dangerous from a security perspective.
205	Whenever it is possible,
206	.Fn mkstemp
207	should be used instead, since it does not have the race condition.
208	If
209	.Fn mkstemp
210	cannot be used, the filename created by
211	.Fn mktemp
212	should be created using the
213	.Dv O_EXCL
214	flag to
215	.Xr open 2
216	and the return status of the call should be tested for failure.
217	This will ensure that the program does not continue blindly
218	in the event that an attacker has already created the file
219	with the intention of manipulating or reading its contents.
220	.Sh SEE ALSO
221	.Xr chmod 2 ,
222	.Xr getpid 2 ,
223	.Xr mkdir 2 ,
224	.Xr open 2 ,
225	.Xr stat 2
226	.Sh HISTORY
227	A
228	.Fn mktemp
229	function appeared in
230	.At v7 .
231	The
232	.Fn mkstemp
233	function appeared in
234	.Bx 4.4 .
235	The
236	.Fn mkdtemp
237	function first appeared in
238	.Ox 2.2 ,
239	and later in
240	.Fx 3.2 .
241	The
242	.Fn mkstemps
243	function first appeared in
244	.Ox 2.4 ,
245	and later in
246	.Fx 3.4 .