stdio/tmpnam.3 Libc-262 Libc-583
--- Libc/Libc-262/stdio/tmpnam.3
+++ Libc/Libc-583/stdio/tmpnam.3
@@ -34,9 +34,9 @@
 .\" SUCH DAMAGE.
 .\"
 .\"     @(#)tmpnam.3	8.2 (Berkeley) 11/17/93
-.\" $FreeBSD: src/lib/libc/stdio/tmpnam.3,v 1.10 2001/10/01 16:08:59 ru Exp $
-.\"
-.Dd November 17, 1993
+.\" $FreeBSD: src/lib/libc/stdio/tmpnam.3,v 1.16 2004/06/21 19:38:25 mpp Exp $
+.\"
+.Dd November 12, 2008
 .Dt TMPFILE 3
 .Os
 .Sh NAME
@@ -49,11 +49,18 @@
 .Sh SYNOPSIS
 .In stdio.h
 .Ft FILE *
-.Fn tmpfile void
+.Fo tmpfile
+.Fa void
+.Fc
 .Ft char *
-.Fn tmpnam "char *str"
+.Fo tmpnam
+.Fa "char *s"
+.Fc
 .Ft char *
-.Fn tempnam "const char *tmpdir" "const char *prefix"
+.Fo tempnam
+.Fa "const char *dir"
+.Fa "const char *pfx"
+.Fc
 .Sh DESCRIPTION
 The
 .Fn tmpfile
@@ -67,12 +74,13 @@
 reference to it is closed.
 The file is opened with the access value
 .Ql w+ .
-The file is created in the directory determined by the environment variable
-.Ev TMPDIR
-if set.
-The default location if
-.Ev TMPDIR
-is not set is
+If the environment variable
+.Ev TMPDIR
+is defined,
+the file is created in the specified directory.
+The default location, if
+.Ev TMPDIR
+is not set, is
 .Pa /tmp .
 .Pp
 The
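Review bot: the reworded TMPDIR paragraph still does not say what tmpfile does when TMPDIR is set but names a directory that does not exist or is not writable (fail, or fall back to /tmp). Since these sentences are being rewritten anyway, state that behaviour here; "the specified directory" would also read more clearly as "that directory".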
@@ -85,9 +93,9 @@
 past.
 .Dv P_tmpdir
 is defined in the include file
-.Aq Pa stdio.h .
+.In stdio.h .
 If the argument
-.Fa str
+.Fa s
 is
 .Pf non- Dv NULL ,
 the file name is copied to the buffer it references.
@@ -97,13 +105,13 @@
 returns a pointer to the file name.
 .Pp
 The buffer referenced by
-.Fa str
+.Fa s
 is expected to be at least
 .Dv L_tmpnam
 bytes in length.
 .Dv L_tmpnam
 is defined in the include file
-.Aq Pa stdio.h .
+.In stdio.h .
 .Pp
 The
 .Fn tempnam
@@ -113,26 +121,30 @@
 but provides the ability to specify the directory which will
 contain the temporary file and the file name prefix.
 .Pp
-The environment variable
-.Ev TMPDIR
-(if set), the argument
-.Fa tmpdir
+The argument
+.Fa dir
 (if
 .Pf non- Dv NULL ) ,
 the directory
 .Dv P_tmpdir ,
-and the directory
+the environment variable
+.Ev TMPDIR
+(if set),
+the directory
 .Pa /tmp
+and finally, the current directory,
 are tried, in the listed order, as directories in which to store the
 temporary file.
 .Pp
 The argument
-.Fa prefix ,
+.Fa pfx ,
 if
 .Pf non- Dv NULL ,
 is used to specify a file name prefix, which will be the
 first part of the created file name.
-.Fn Tempnam
+The
+.Fn tempnam
+function
 allocates memory in which to store the file name; the returned pointer
 may be used as a subsequent argument to
 .Xr free 3 .
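Review bot: the new last entry in the search list, "and finally, the current directory,", is a security-relevant fallback that the SECURITY CONSIDERATIONS section added later in this patch never mentions. Suggest a sentence there noting that tempnam may choose a name in the current directory when the earlier candidates are unusable. This hunk also moves TMPDIR from first to third in the order, so a pointer from this paragraph to LEGACY DESCRIPTION would help readers who rely on the old behaviour.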
@@ -182,6 +194,54 @@
 .Xr malloc 3
 or
 .Xr mktemp 3 .
+.Sh SECURITY CONSIDERATIONS
+The
+.Fn tmpnam
+and
+.Fn tempnam
+functions are susceptible to a race condition
+occurring between the selection of the file name
+and the creation of the file,
+which allows malicious users
+to potentially overwrite arbitrary files in the system,
+depending on the level of privilege of the running program.
+Additionally, there is no means by which
+file permissions may be specified.
+It is strongly suggested that
+.Xr mkstemp 3
+be used in place of these functions.
+(See
+the FSA.)
+.Sh COMPATIBILITY
+These interfaces are provided from System V and
+.Tn ANSI
+compatibility only.
+.Pp
+Most historic implementations of these functions provide
+only a limited number of possible temporary file names
+(usually 26)
+before file names will start being recycled.
+System V implementations of these functions
+(and of
+.Xr mktemp 3 )
+use the
+.Xr access 2
+system call to determine whether or not the temporary file
+may be created.
+This has obvious ramifications for setuid or setgid programs,
+complicating the portable use of these interfaces in such programs.
+.Pp
+The
+.Fn tmpfile
+interface should not be used in software expected to be used on other systems
+if there is any possibility that the user does not wish the temporary file to
+be publicly readable and writable.
+.Sh LEGACY DESCRIPTION
+In legacy mode, the order directories are tried by the
+.Fn tempnam
+function is different; the environment variable
+.Ev TMPDIR
+(if defined) is used first.
 .Sh SEE ALSO
 .Xr mkstemp 3 ,
 .Xr mktemp 3
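Review bot: "(See the FSA.)" at the end of SECURITY CONSIDERATIONS is a dangling reference: nothing on the page expands FSA or gives an .Xr or document title, so a reader cannot follow it. Name the document or drop the sentence. In COMPATIBILITY, "provided from System V and ANSI compatibility only" should read "provided for", as the removed BUGS text had it.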
@@ -193,37 +253,3 @@
 functions
 conform to
 .St -isoC .
-.Sh BUGS
-These interfaces are provided for System V and
-.Tn ANSI
-compatibility only.
-The
-.Xr mkstemp 3
-interface is strongly preferred.
-.Pp
-There are four important problems with these interfaces (as well as
-with the historic
-.Xr mktemp 3
-interface).
-First, there is an obvious race between file name selection and file
-creation and deletion.
-Second, most historic implementations provide only a limited number
-of possible temporary file names (usually 26) before file names will
-start being recycled.
-Third, the System V implementations of these functions (and of
-.Xr mktemp 3 )
-use the
-.Xr access 2
-function to determine whether or not the temporary file may be created.
-This has obvious ramifications for setuid or setgid programs, complicating
-the portable use of these interfaces in such programs.
-Finally, there is no specification of the permissions with which the
-temporary files are created.
-.Pp
-This implementation does not have these flaws, but portable software
-cannot depend on that.
-In particular, the
-.Fn tmpfile
-interface should not be used in software expected to be used on other systems
-if there is any possibility that the user does not wish the temporary file to
-be publicly readable and writable.
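Review bot: removing BUGS drops two statements that the replacement sections do not carry over: "This implementation does not have these flaws, but portable software cannot depend on that", and the "deletion" half of the race ("file creation and deletion"). The new SECURITY CONSIDERATIONS text describes tmpnam and tempnam as susceptible without qualification. If that is an intended change in what the page claims about this implementation, say so in the commit message; otherwise keep the qualifier in COMPATIBILITY.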