os.tmpname security risk?

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: os.tmpname security risk?
From: HyperHacker <hyperhacker@...>
Date: Sat, 2 Jul 2011 04:29:52 -0600

The 5.1 manual states, for os.tmpname():
> On some systems (POSIX), this function also creates a file with that name, to avoid security risks. (Someone else might create the file with wrong permissions in the time between getting the name and creating the file.)
But what stops someone from removing that file and creating their own,
or changing its permissions? It doesn't seem like this really
mitigates the risk at all.

-- 
Sent from my toaster.

Follow-Ups:
- Re: os.tmpname security risk?, Drake Wilson
- Re: os.tmpname security risk?, steve donovan
- Re: os.tmpname security risk?, Steve Litt

Prev by Date: [ANN] lcurses release 6 released
Next by Date: Re: os.tmpname security risk?
Previous by thread: [ANN] lcurses release 6 released
Next by thread: Re: os.tmpname security risk?
Index(es):
- Date
- Thread