mktemp, tempfile & coreutils

Bryan Kadzban bryan at kadzban.is-a-geek.net
Wed Oct 17 19:56:39 PDT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Ken Moffat wrote:
> But, I'm half expecting that anything using tempfile will fall back
> to even-less-safe predefined file names if tempfile is either not 
> present or if it returns an error.

Yeah, it wouldn't surprise me either.  But I've done a bit of checking
into scripts:

find {,/usr}/{,s}bin -type f -exec sh -c "file {} | grep text | grep \
- -viq perl && grep tempfile {} /dev/null" \;

to see if any scripts (i.e. text files) include the "tempfile" string.
(The /dev/null is there so grep actually prints a filename; there's
probably a better way to do that, but whatever.  It filters out Perl
because there are lots of references to its tempfile function in Perl
scripts.)

I've found a few, mostly false positives:

- ----

/sbin/generate-modprobe.conf: Calls mktemp first, and tempfile if mktemp
fails (and uses a name based on PID if tempfile fails).

/usr/bin/updatedb: Prints "tempfile failed" if the mktemp call fails.
(Yes, it has the wrong program name.  Oh well.)

/usr/bin/tempfile: Going away, doesn't matter.

/usr/bin/vimtutor: Similar to generate-modprobe.conf: calls mktemp
first, calls tempfile if that fails, and uses "none" if *that* fails.

/usr/bin/mysqlaccess: Perl script.  File thinks it's an awk script,
though, so the grep -v doesn't kill name.

/usr/sbin/grub-install: Checks whether /bin/tempfile is executable
*first*, then /bin/mktemp, and uses names based on the script's PID if
neither is executable.  (I think we should patch this anyway: if nothing
else, to look in /usr/bin as well as /bin.  But preferably to look for
mktemp first, as well.)

- ----

Other than grub-install, it looks like all the scripts on my system will
work fine.  (I'm not sure on compiled programs.  But I'd hope that those
would use the C library mkstemp function instead.)

(Although I should note that this isn't an LFS system.  It's an x86_64
CLFS 1.0.0rc4 (hey! I needed multilib! :-P) with a good number of
packages from BLFS, and a few from beyond BLFS.  I'd say it might be a
good idea for someone else to re-run the test on their machine if
they're running a relatively recent LFS.)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHFstmS5vET1Wea5wRAzWzAJ9vyGoOcVsivgS8umGli74tNwDmAACfVB2c
N7crUvFmT0AAevaFxIN/CXE=
=HAUt
-----END PGP SIGNATURE-----



More information about the lfs-dev mailing list