--- Libc/Libc-763.13/stdio/tmpnam.3
+++ Libc/Libc-262/stdio/tmpnam.3
@@ -13,6 +13,10 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by the University of
+.\" California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
@@ -30,9 +34,9 @@
.\" SUCH DAMAGE.
.\"
.\" @(#)tmpnam.3 8.2 (Berkeley) 11/17/93
-.\" $FreeBSD: src/lib/libc/stdio/tmpnam.3,v 1.20 2007/03/16 21:46:24 maxim Exp $
-.\"
-.Dd November 12, 2008
+.\" $FreeBSD: src/lib/libc/stdio/tmpnam.3,v 1.10 2001/10/01 16:08:59 ru Exp $
+.\"
+.Dd November 17, 1993
.Dt TMPFILE 3
.Os
.Sh NAME
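Review bot: The $FreeBSD$ id and .Dd on the "+" side (revision 1.10 from 2001, dated November 17, 1993) are older than those on the "-" side (revision 1.20 from 2007, dated November 12, 2008), so this diff runs from the newer page to the older one. Read the "+" lines in the following hunks as the earlier wording, or regenerate the diff with the two trees swapped so that additions show what was actually added over time.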
@@ -45,18 +49,11 @@
.Sh SYNOPSIS
.In stdio.h
.Ft FILE *
-.Fo tmpfile
-.Fa "void"
-.Fc
+.Fn tmpfile void
.Ft char *
-.Fo tmpnam
-.Fa "char *s"
-.Fc
+.Fn tmpnam "char *str"
.Ft char *
-.Fo tempnam
-.Fa "const char *dir"
-.Fa "const char *pfx"
-.Fc
+.Fn tempnam "const char *tmpdir" "const char *prefix"
.Sh DESCRIPTION
The
.Fn tmpfile
@@ -70,13 +67,12 @@
reference to it is closed.
The file is opened with the access value
.Ql w+ .
-If the environment variable
+The file is created in the directory determined by the environment variable
.Ev TMPDIR
-is defined,
-the file is created in the specified directory.
-The default location, if
+if set.
+The default location if
.Ev TMPDIR
-is not set, is
+is not set is
.Pa /tmp .
.Pp
The
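Review bot: In the tmpfile paragraph, neither wording of the TMPDIR sentence says how the variable is treated for set-id processes, and the ENVIRONMENT entry on the "-" side further down marks its issetugid(2) statement as "tempnam only". State here whether tmpfile honours TMPDIR when issetugid(2) is true, because tmpfile takes no arguments and the environment is the only input that selects the directory.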
@@ -89,9 +85,9 @@
past.
.Dv P_tmpdir
is defined in the include file
-.In stdio.h .
+.Aq Pa stdio.h .
If the argument
-.Fa s
+.Fa str
is
.Pf non- Dv NULL ,
the file name is copied to the buffer it references.
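Review bot: Style point on the ".Aq Pa stdio.h ." line: the SYNOPSIS of this same page writes the header as ".In stdio.h", so the "+" side uses two different macros for one include file. Use ".In stdio.h ." here, and in the L_tmpnam paragraph of the next hunk, as the "-" side does.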
@@ -101,13 +97,13 @@
returns a pointer to the file name.
.Pp
The buffer referenced by
-.Fa s
+.Fa str
is expected to be at least
.Dv L_tmpnam
bytes in length.
.Dv L_tmpnam
is defined in the include file
-.In stdio.h .
+.Aq Pa stdio.h .
.Pp
The
.Fn tempnam
@@ -117,30 +113,26 @@
but provides the ability to specify the directory which will
contain the temporary file and the file name prefix.
.Pp
-The argument
-.Fa dir
+The environment variable
+.Ev TMPDIR
+(if set), the argument
+.Fa tmpdir
(if
.Pf non- Dv NULL ) ,
the directory
.Dv P_tmpdir ,
-the environment variable
-.Ev TMPDIR
-(if set),
-the directory
+and the directory
.Pa /tmp
-and finally, the current directory,
are tried, in the listed order, as directories in which to store the
temporary file.
.Pp
The argument
-.Fa pfx ,
+.Fa prefix ,
if
.Pf non- Dv NULL ,
is used to specify a file name prefix, which will be the
first part of the created file name.
-The
-.Fn tempnam
-function
+.Fn Tempnam
allocates memory in which to store the file name; the returned pointer
may be used as a subsequent argument to
.Xr free 3 .
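Review bot: The "+" wording tries TMPDIR before the caller's tmpdir argument and gives no condition under which the variable is ignored, so whoever controls the environment picks the directory ahead of the program. Document the set-id behaviour next to the search order; the "-" side covers it in ENVIRONMENT with issetugid(2). Separately, ".Fn Tempnam" renders a capitalised name that is not the function's identifier; keep "tempnam" and start the sentence with "The", as the "-" side does.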
@@ -162,43 +154,6 @@
.Dv NULL
pointer
on error.
-.Sh ENVIRONMENT
-.Bl -tag -width Ds
-.It Ev TMPDIR
-.Pf [ Fn tempnam
-only]
-If set,
-the directory in which the temporary file is stored.
-.Ev TMPDIR
-is ignored for processes
-for which
-.Xr issetugid 2
-is true.
-.El
-.Sh COMPATIBILITY
-These interfaces are provided from System V and
-.Tn ANSI
-compatibility only.
-.Pp
-Most historic implementations of these functions provide
-only a limited number of possible temporary file names
-(usually 26)
-before file names will start being recycled.
-System V implementations of these functions
-(and of
-.Xr mktemp 3 )
-use the
-.Xr access 2
-system call to determine whether or not the temporary file
-may be created.
-This has obvious ramifications for setuid or setgid programs,
-complicating the portable use of these interfaces in such programs.
-.Pp
-The
-.Fn tmpfile
-interface should not be used in software expected to be used on other systems
-if there is any possibility that the user does not wish the temporary file to
-be publicly readable and writable.
.Sh ERRORS
The
.Fn tmpfile
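Review bot: Missing documentation: the ENVIRONMENT section on the "-" side is the only place in the visible text that says TMPDIR is ignored for processes for which issetugid(2) is true, and the "+" side has no replacement for it. The COMPATIBILITY paragraphs reappear under BUGS in the last hunk, but this statement does not. Keep the .It Ev TMPDIR entry, or fold the issetugid(2) sentence into the tempnam description.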
@@ -227,30 +182,6 @@
.Xr malloc 3
or
.Xr mktemp 3 .
-.Sh SECURITY CONSIDERATIONS
-The
-.Fn tmpnam
-and
-.Fn tempnam
-functions are susceptible to a race condition
-occurring between the selection of the file name
-and the creation of the file,
-which allows malicious users
-to potentially overwrite arbitrary files in the system,
-depending on the level of privilege of the running program.
-Additionally, there is no means by which
-file permissions may be specified.
-It is strongly suggested that
-.Xr mkstemp 3
-be used in place of these functions.
-(See
-the FSA.)
-.Sh LEGACY DESCRIPTION
-In legacy mode, the order directories are tried by the
-.Fn tempnam
-function is different; the environment variable
-.Ev TMPDIR
-(if defined) is used first.
.Sh SEE ALSO
.Xr mkstemp 3 ,
.Xr mktemp 3
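Review bot: Without SECURITY CONSIDERATIONS the "+" side loses the statement of impact (a malicious user overwriting arbitrary files, depending on the privilege of the running program) and the sentence naming tmpnam and tempnam as the affected functions; the BUGS text in the last hunk only mentions "an obvious race". Keep the impact sentence and the mkstemp(3) recommendation together in one section. The "(See the FSA.)" pointer on the "-" side should also be replaced with a resolvable reference, since the abbreviation is not expanded anywhere in the visible text.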
@@ -262,3 +193,37 @@
functions
conform to
.St -isoC .
+.Sh BUGS
+These interfaces are provided for System V and
+.Tn ANSI
+compatibility only.
+The
+.Xr mkstemp 3
+interface is strongly preferred.
+.Pp
+There are four important problems with these interfaces (as well as
+with the historic
+.Xr mktemp 3
+interface).
+First, there is an obvious race between file name selection and file
+creation and deletion.
+Second, most historic implementations provide only a limited number
+of possible temporary file names (usually 26) before file names will
+start being recycled.
+Third, the System V implementations of these functions (and of
+.Xr mktemp 3 )
+use the
+.Xr access 2
+function to determine whether or not the temporary file may be created.
+This has obvious ramifications for setuid or setgid programs, complicating
+the portable use of these interfaces in such programs.
+Finally, there is no specification of the permissions with which the
+temporary files are created.
+.Pp
+This implementation does not have these flaws, but portable software
+cannot depend on that.
+In particular, the
+.Fn tmpfile
+interface should not be used in software expected to be used on other systems
+if there is any possibility that the user does not wish the temporary file to
+be publicly readable and writable.
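Review bot: "This implementation does not have these flaws" covers all four listed problems, including the race between file name selection and file creation, which contradicts the "-" side's SECURITY CONSIDERATIONS text saying tmpnam and tempnam are susceptible to exactly that race. Both functions only return a name and the caller creates the file afterwards, so the window exists regardless of how the name is chosen. Narrow the sentence to the specific flaws this implementation addresses and name them, and keep the race listed as applying here too.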