On 09/05/2012 10:23 AM, Paolo Bonzini wrote:
> And finally, the whole get_tmp_filename is unsafe because there is a
> race window between closing and reopening the file, if the directory is
> writable and does not have the sticky bit.
>
> So the patch is an improvement, but there is still something unpleasing
> in this code...
I absolutely agree that there is a nasty race here.  If you aren't going
to use the fd, then mktemp() is sufficient (and just as racy, but then
you are at least honest that you don't care about the race); in all other
situations, if you want a temporary file name but want to avoid a race,
then it feels like you should be returning the fd from mkstemp() still
open (or at a bare minimum, auditing ALL callers to make sure they only
use the temporary name with O_CREAT|O_EXCL, and that they retry in a loop
in case they lose the race, at which point they are reinventing the loop
already done on their behalf by mkstemp()...).

-- 
Eric Blake   ebl...@redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
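The race Paolo describes and the two remedies Eric lists, as an added example; this is not QEMU's get_tmp_filename nor code from either author. It creates a private scratch directory, plays the attacker in-process by swapping the temporary name for a symlink to a file the caller can write, and shows that a caller who reopens by name truncates the wrong file, while a caller that keeps mkstemp()'s fd open, or that does its own O_CREAT|O_EXCL|O_NOFOLLOW retry loop, is unaffected. The directory and file names, the "victim.img" file and all function names are constructed for the demo; O_NOFOLLOW is an extra belt-and-braces flag beyond the O_CREAT|O_EXCL the thread mentions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Scratch directory (constructed name under $TMPDIR or /tmp). The attacker is
 * simulated in-process, so our own write access stands in for the thread's
 * precondition of a writable, non-sticky directory. */
static int make_scratch_dir(char *dir, size_t len)
{
    const char *base = getenv("TMPDIR");
    snprintf(dir, len, "%s/tmprace-XXXXXX", base ? base : "/tmp");
    return mkdtemp(dir) ? 0 : -1;
}

/* The pattern under discussion: mkstemp(), close the fd, hand back only the
 * name. Anything the caller does with that name is a second, unrelated lookup. */
static int tmp_name_only(const char *dir, char *out, size_t outlen)
{
    snprintf(out, outlen, "%s/tmp-XXXXXX", dir);
    int fd = mkstemp(out);
    if (fd < 0) return -1;
    close(fd);                                  /* the race window opens here */
    return 0;
}

/* Remedy 1: hand back mkstemp()'s fd still open; the name is only for unlink(). */
static int tmp_fd(const char *dir, char *out, size_t outlen)
{
    snprintf(out, outlen, "%s/tmp-XXXXXX", dir);
    return mkstemp(out);
}

/* Remedy 2, the loop a name-only caller has to reinvent: unpredictable name,
 * O_CREAT|O_EXCL|O_NOFOLLOW so a pre-planted file or symlink is refused, and a
 * retry on EEXIST instead of trusting that the name is still free. */
static int create_excl_retry(char *path, size_t pathlen, const char *dir, int tries)
{
    unsigned char rnd[6];
    for (int i = 0; i < tries; i++) {
        int ufd = open("/dev/urandom", O_RDONLY);
        ssize_t n = ufd < 0 ? -1 : read(ufd, rnd, sizeof rnd);
        if (ufd >= 0) close(ufd);
        if (n != (ssize_t)sizeof rnd) return -1;
        snprintf(path, pathlen, "%s/tmp-%02x%02x%02x%02x%02x%02x", dir,
                 rnd[0], rnd[1], rnd[2], rnd[3], rnd[4], rnd[5]);
        int fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
        if (fd >= 0) return fd;
        if (errno != EEXIST) return -1;         /* EEXIST: lost the race, retry */
    }
    errno = EEXIST;
    return -1;
}

/* Simulated attacker: swap the temp name for a symlink to a writable target. */
static void attacker_plant_symlink(const char *tmpname, const char *target)
{
    unlink(tmpname);
    symlink(target, tmpname);
}

/* Shared setup: scratch dir plus a 9-byte victim.img the attacker wants clobbered. */
static int setup(char *dir, size_t dlen, char *victim, size_t vlen)
{
    if (make_scratch_dir(dir, dlen) < 0) return -1;
    snprintf(victim, vlen, "%s/victim.img", dir);
    int vfd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (vfd < 0) return -1;
    ssize_t n = write(vfd, "important", 9);
    close(vfd);
    return n == 9 ? 0 : -1;
}

/* 1 if the name-only API lets the planted symlink redirect the caller's reopen so
 * that victim.img is truncated to 0 bytes, 0 if not, -1 on setup failure. */
int demo_name_only_race(void)
{
    char dir[256], tmp[320], victim[320];
    struct stat st;
    if (setup(dir, sizeof dir, victim, sizeof victim) < 0) return -1;
    if (tmp_name_only(dir, tmp, sizeof tmp) < 0) return -1;
    attacker_plant_symlink(tmp, victim);        /* inside the window */
    int fd = open(tmp, O_WRONLY | O_TRUNC);     /* caller "reopens" by name */
    if (fd >= 0) close(fd);
    int clobbered = stat(victim, &st) == 0 && st.st_size == 0;
    unlink(tmp); unlink(victim); rmdir(dir);
    return clobbered;
}

/* 1 if both remedies survive the same swap: a write through the retained fd never
 * reaches victim.img, and O_CREAT|O_EXCL|O_NOFOLLOW refuses the planted symlink
 * with EEXIST while the retry loop ends on a fresh regular file of its own. */
int demo_remedies(void)
{
    char dir[256], tmp[320], victim[320], fresh[320];
    struct stat st;
    if (setup(dir, sizeof dir, victim, sizeof victim) < 0) return -1;
    int fd = tmp_fd(dir, tmp, sizeof tmp);
    if (fd < 0) return -1;
    attacker_plant_symlink(tmp, victim);
    int ok = write(fd, "x", 1) == 1 && stat(victim, &st) == 0 && st.st_size == 9;
    close(fd);
    int refused = open(tmp, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    int err = errno;
    ok = ok && refused < 0 && err == EEXIST;
    int efd = create_excl_retry(fresh, sizeof fresh, dir, 8);
    ok = ok && efd >= 0 && fstat(efd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1;
    if (efd >= 0) { close(efd); unlink(fresh); }
    unlink(tmp); unlink(victim); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("name-only API lets the swap truncate victim.img: %d\n", demo_name_only_race());
    printf("kept fd and O_EXCL retry loop both hold: %d\n", demo_remedies());
    return 0;
}
```

Build with `cc -Wall -o tmprace tmprace.c && ./tmprace`; both lines should print 1. Note that create_excl_retry() is, line for line, what mkstemp() already does internally (random suffix, O_CREAT|O_EXCL, loop on EEXIST), which is the point made above: once a caller is forced to write that loop, returning the still-open fd from mkstemp() was the simpler and safer interface all along.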