Hello Bastien,

On Fri, 29 Jan 2021 at 10:18, Bastien ROUCARIES <roucaries.bast...@gmail.com> wrote:
>
> Hi,
> On Wed, 27 Jan 2021 at 22:28, Michael Kerrisk (man-pages)
> <mtk.manpa...@gmail.com> wrote:
> >
> > Hi Bastien,
> >
> > On 1/27/21 4:48 PM, roucaries.bast...@gmail.com wrote:
> > > From: Bastien Roucariès <ro...@debian.org>
> > >
> > > Do not use for documentation purposes the unsecure mktemp function
> >
> > This message doesn't correspond to the change below (which removes
> > a reference to "tempnam" and adds a reference to "mktemp").
>
> ok
> >
> > But also, I don't think it makes systems more secure to
> > remove the info that tempnam is influenced by TMPDIR.
>
> Yes but not documenting obsolete due to insecurity is better from a
> user point of view experience.
> I believe that manpage of insecure function should not be cited for
> documentation purposes (I am a uni teacher and experiment every day
> the bad example uses in teaching)

So, the first thing. AFAIK, the only library function that relies on
TMPDIR is tempnam(). Removing that name will leave a zero-length list
of functions in this sentence.

Secondly, I agree that we should deemphasize undesirable functions.
But if we discuss TMPDIR, it seems silly not to mention the only
function (AFAIK) that uses it.

Finally, the real solution to these sorts of problems is to properly
document the obsolete function, and put a prominent warning in the
documentation, which is exactly what we find in tempnam(3):

    DESCRIPTION
        Never use this function. Use mkstemp(3) or tmpfile(3) instead.

> > And, this patch is surely not correct. Yes, TMPDIR influences
> > tmpfile(3).

I misspoke there. TMPDIR does not affect tmpfile(), as far as I know.

> > But how does TMPDIR influence mktemp(3), mkstemp(3),
> > and mkdtemp(3), which base the temporary filename on a path
> > supplied by the caller?
> I am sorry
> mkstemp does not need a file path, it needs a template. Path is not
> supplied by the caller.

Agreed. I should have said "template".

> The mkstemp manpage may be improved. Do you want a patch for it?

Improved in what way?

Thanks,

Michael

> File names are implementation dependent and path is $TMPDIR
> >
> > Finally, a request for patches: the format of the
> > subject line should rather be:
> >
> > [PATCH ...] environ.7: Do not document...
> Ok will do
>
> Will redo this patch
> >
> > Thanks,
> >
> > Michael
> >
> > > Signed-off-by: Bastien Roucariès <ro...@debian.org> > > > --- > > > man7/environ.7 | 6 +++++- > > > 1 file changed, 5 insertions(+), 1 deletion(-) > > > > > > diff --git a/man7/environ.7 b/man7/environ.7 > > > index 182d823d2..d889310d6 100644 > > > --- a/man7/environ.7 > > > +++ b/man7/environ.7
> > > @@ -191,7 +191,10 @@ and > > > .IP * > > > .B TMPDIR > > > influences the path prefix of names created by > > > -.BR tempnam (3) > > > +.BR mktemp (1), > > > +.BR mkstemp (3), > > > +.BR mkdtemp (3), > > > +.BR tmpfile (3), > > > and other routines, and the temporary directory used by > > > .BR sort (1) > > > and other programs. > > > @@ -289,6 +292,7 @@ should consider renaming their option to > > > .BR csh (1), > > > .BR env (1), > > > .BR login (1), > > > +.BR mktemp (1), > > > .BR printenv (1), > > > .BR sh (1), > > > .BR tcsh (1), > > > > > > > > > -- > > Michael Kerrisk > > Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ > > Linux/UNIX System Programming Training: http://man7.org/training/ > -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/
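
Review bot: In the first hunk (@@ -191,7 +191,10 @@), deleting `.BR tempnam (3)` removes the one function this thread identifies as relying on TMPDIR, while the added `.BR mkstemp (3),` and `.BR mkdtemp (3),` take their location from a template supplied by the caller, so the sentence would claim an influence that the new entries do not have. `.BR mktemp (1),` is a command rather than a routine, so it reads wrongly in a list that continues "and other routines"; if it is to be mentioned, it fits the following clause beside `.BR sort (1)`. Suggest keeping `.BR tempnam (3)` in this sentence, since tempnam(3) itself already carries the "Never use this function" warning, and rewording the commit message, which speaks of the mktemp function although the diff removes tempnam and adds mktemp.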
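
An added example, not part of the original thread or of the man-pages project: mkstemp(3) creates the file at the location named in the caller's template, so a program that wants TMPDIR honored has to read the variable and build the template itself. The helper name temp_in_tmpdir and the /tmp paths are assumptions made for this illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create a temp file under $TMPDIR (fallback /tmp).
 * mkstemp() does not read TMPDIR; the directory comes from the template,
 * so the caller has to put it there. Returns an open fd or -1 and leaves
 * the chosen name in `path`. */
int temp_in_tmpdir(const char *prefix, char *path, size_t size)
{
    const char *dir = getenv("TMPDIR");
    struct stat st;

    /* Accept TMPDIR only if it is an absolute path to an existing directory. */
    if (dir == NULL || dir[0] != '/' || stat(dir, &st) != 0 ||
        !S_ISDIR(st.st_mode))
        dir = "/tmp";
    int n = snprintf(path, size, "%s/%sXXXXXX", dir, prefix);
    if (n < 0 || (size_t)n >= size)
        return -1;                 /* template would be truncated */
    return mkstemp(path);          /* exclusive create, mode 0600 */
}

/* Returns 1 if a fixed template stayed in /tmp while TMPDIR pointed
 * elsewhere, and the helper's file landed under TMPDIR. */
int fixed_template_ignores_tmpdir(void)
{
    char other[] = "/tmp/tmpdir-demo-XXXXXX";  /* constructed sample dir */
    char fixed[] = "/tmp/fixed-demo-XXXXXX";   /* template names /tmp itself */
    char viaenv[PATH_MAX];
    int ok = 0;

    if (mkdtemp(other) == NULL)
        return 0;
    setenv("TMPDIR", other, 1);
    int fd1 = mkstemp(fixed);
    int fd2 = temp_in_tmpdir("env-demo-", viaenv, sizeof viaenv);
    if (fd1 >= 0 && fd2 >= 0)
        ok = strncmp(fixed, "/tmp/fixed-demo-", 16) == 0 &&
             strncmp(viaenv, other, strlen(other)) == 0;
    if (fd1 >= 0) { close(fd1); unlink(fixed); }
    if (fd2 >= 0) { close(fd2); unlink(viaenv); }
    rmdir(other);
    return ok;
}

int main(void) { puts(fixed_template_ignores_tmpdir() ? "ok" : "unexpected"); return 0; }
```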