Re: fix mktemp (remove mktemp ;)

["Brian O'Mahoney" <omb@khandalf.com>]

No, you have to:
(a) create a unique, pid specific file name /var/tmp/myapp.$$.xyzzy
(b) create it in O_EXCL mode, so you wont smash another's held lock

(b-1) It worked, OK

(b-2) open failed, try ...xyzzz

repeat until (b-1)

There are thousands of examples of how to do this with bash.

Paul Jackson wrote:
> Dave wrote:
> 
>>mktemp is being used here to provide randomness in the filename,
>>not just a uniqueness.
> 
> 
> Ok - useful point.
> 
> How about:
> 
> 	t=${TMPDIR:-/usr/tmp}/gitdiff.$$.$RANDOM
> 
> 
>>all an attacker has to do is create 65535 symlinks in /usr/tmp

the point of the xyzzy seed is to make creating all possible files
in-feasable.

> 
> 
> And how about if I removed the tmp files at the top:
> 
> 	t=${TMPDIR:-/usr/tmp}/gitdiff.$$.$RANDOM
> 	trap 'rm -fr $t.?; trap 0; exit 0' 0 1 2 3 15
> 	rm -fr $t.?
> 
> 	... rest of script ...
> 
> How close does that come to providing the same level of safety, while
> remaining portable over a wider range of systems, and not requiring that
> a separate command be forked?
> 
> 
>>I'd suggest fixing your distributions ...
> 
> 
> It's not just my distro; it's the distros of all git users.
> 
> If apps can avoid depending on inessential details of their
> environment, that's friendlier to all concerned.
> 
> And actually my distro is fine - it's just that I am running an old
> version of it on one of my systems.  Newer versions of the mktemp -t
> option.
> 

-- 
mit freundlichen Grüßen, Brian.

Dr. Brian O'Mahoney
Mobile +41 (0)79 334 8035 Email: omb@bluewin.ch
Bleicherstrasse 25, CH-8953 Dietikon, Switzerland
PGP Key fingerprint = 33 41 A2 DE 35 7C CE 5D  F5 14 39 C9 6D 38 56 D5