2012/9/6 Eric Blake <ebl...@redhat.com>:
> On 09/05/2012 10:23 AM, Paolo Bonzini wrote:
>> And finally, the whole get_tmp_filename is unsafe because there is a
>> race window between closing and reopening the file, if the directory is
>> writable and does not have the sticky bit.
>>
>> So the patch is an improvement, but there is still something unpleasing
>> in this code...
>
> I absolutely agree that there is a nasty race here. If you aren't going
> to use the fd, then mktemp() is sufficient (and just as racy, but then
> you are at least honest that you don't care about the race); in all

Yes, using mktemp() in get_tmp_filename() is ok because we don't care
about the race, but for old gcc versions, e.g. version 4.4, we will get
an annoying insecure-function warning, "warning: the use of `mktemp' is
dangerous, better use `mkstemp'", which breaks the build.

> other situations, if you want a temporary file name but want to avoid a
> race, then it feels like you should be returning the fd from mkstemp()
> still open (or at a bare minimum, auditing ALL callers to make sure they
> only use the temporary name with O_CREAT|O_EXCL, and that they retry in
> a loop in case they lose the race, at which point they are reinventing
> the loop already done on their behalf by mkstemp()...).
>
> --
> Eric Blake ebl...@redhat.com +1-919-301-3266
> Libvirt virtualization library http://libvirt.org
>

--
Best Regards,
Dunrong Huang
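An added C example (not code from this thread or from QEMU) of the two patterns Eric contrasts above: return the still-open fd from mkstemp() instead of only the name, and, where a caller must open by name, use O_CREAT|O_EXCL so a lost race is reported as EEXIST rather than silently followed. The vl.XXXXXX prefix and the TMPDIR-or-/tmp directory choice are assumptions.

```c
#define _GNU_SOURCE          /* for O_NOFOLLOW and mkstemp() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Build "<TMPDIR or /tmp>/vl.XXXXXX" (assumed prefix) into buf; 0 on success. */
static int tmp_template(char *buf, size_t len)
{
    const char *dir = getenv("TMPDIR");
    if (!dir || !*dir) dir = "/tmp";
    return snprintf(buf, len, "%s/vl.XXXXXX", dir) < (int)len ? 0 : -1;
}

/* Safe pattern: hand back the fd mkstemp() opened, not just the name. All
 * later I/O goes through the fd, so the directory's permissions and sticky
 * bit no longer matter: nothing is ever reopened by name. */
int safe_tmp_fd(char *buf, size_t len)
{
    if (tmp_template(buf, len) < 0) return -1;
    return mkstemp(buf);   /* created 0600; -1 with errno set on failure */
}

/* Open-by-name fallback: O_CREAT|O_EXCL fails with EEXIST if anything is
 * already at the path (O_NOFOLLOW also refuses a symlink), so a caller who
 * lost the race learns it and can retry with a fresh name. */
int open_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Walk both paths; returns 0 when behaviour matches the description. */
int demo(void)
{
    char name[256];
    int fd = safe_tmp_fd(name, sizeof name), rc;
    if (fd < 0) return 1;
    /* mkstemp() already created the file: an exclusive create must refuse. */
    rc = (open_excl(name) == -1 && errno == EEXIST) ? 0 : 2;
    close(fd); unlink(name);
    if (rc) return rc;
    /* Name is free: first exclusive creator wins, second gets EEXIST. */
    fd = open_excl(name);
    if (fd < 0) return 3;
    rc = (open_excl(name) == -1 && errno == EEXIST) ? 0 : 4;
    close(fd); unlink(name);
    return rc;
}
```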