[Python-Dev] Remove tempfile.mktemp()
Cameron Simpson cs at cskk.id.au
Sat Mar 23 19:59:35 EDT 2019
On 20Mar2019 12:53, Jeroen Demeyer <J.Demeyer at UGent.be> wrote:
On 2019-03-20 12:45, Victor Stinner wrote:
You can watch the /tmp directory using inotify and "discover" immediately the "secret" filename, it doesn't depend on the amount of entropy used to generate the filename. That's not the problem. The security issue here is guessing the filename before it's created and putting a different file or symlink in place. So I actually do think that mktemp() could be made secure by using a longer name generated by a secure random generator.
I know it is days later, but to add a little nuance: the security issue is guessing the filename before it is used. Consider:
    import tempfile

    path = tempfile.mktemp()
    with open(path, "w") as f:
        f.write(secret_stuff)  # write some secret stuff
    ...
    call_other_function(path)
If an attacker gets in after the open (which creates the file) by using something like inotify to observe the pathname instead of guessing, and supplants the file, then call_other_function is subverted.
Also, the common examples are attackers who are not the user making the tempfile, in which case the default mktemp is sort of secure with the above because it gets made in /tmp which on a modern POSIX system prevents other users from removing/renaming a file. (And Eryk I think described the Windows situation which is similarly protected).
However, mktemp somewhere else is not so protected.
And the attacker might be malware running as the original user (yes the game may already be over in that case for other reasons).
However, I wanted to make the point that the security issue isn't around creation but use - trusting the mktemp pathname to be the same state as it was earlier.
Cheers, Cameron Simpson <cs at cskk.id.au>
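An added example, not from this thread or from CPython, of the defensive pattern the message above argues for: create the file atomically with mkstemp (O_CREAT|O_EXCL) and write through the descriptor, and before trusting the pathname again later, verify it still names the inode you created rather than a substitute. The function names and the sample "secret stuff" are my own; demo() swaps the path for a second file of its own making to show the check rejecting it.

```python
import os
import stat
import tempfile


def create_secret_file(data: bytes) -> tuple:
    """Create the temp file atomically (mkstemp uses O_CREAT|O_EXCL) and
    write through the descriptor, so no reopen-by-path happens here.
    Returns the path and the stat of the file we actually wrote."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(data)
        f.flush()
        created = os.fstat(f.fileno())
    return path, created


def still_same_file(path: str, created: os.stat_result) -> bool:
    """Before trusting a path again, confirm it is still the regular file
    we created: same device and inode, same owner, and not a symlink
    (lstat does not follow links). False means the path was replaced
    since creation and must not be passed on to the next consumer."""
    try:
        now = os.lstat(path)
    except FileNotFoundError:
        return False
    return (
        stat.S_ISREG(now.st_mode)
        and (now.st_dev, now.st_ino) == (created.st_dev, created.st_ino)
        and now.st_uid == created.st_uid
    )


def demo() -> tuple:
    """Run the check on the untouched file, then again after the path has
    been atomically swapped for a different file (constructed here to stand
    in for the substitution the thread describes). Returns (True, False)."""
    path, created = create_secret_file(b"secret stuff")
    untouched = still_same_file(path, created)
    other_fd, other = tempfile.mkstemp(dir=os.path.dirname(path))
    os.close(other_fd)
    os.replace(other, path)  # a different inode now sits under the old path
    swapped = still_same_file(path, created)
    os.remove(path)
    return untouched, swapped
```

Passing the open descriptor (or using NamedTemporaryFile and handing over the file object) to the consumer avoids the re-lookup entirely; the inode check is for the case where only a path can be passed.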