On Wednesday, July 13, 2011 08:34:15 PM Patrick Donnelly wrote:
> On Wed, Jul 13, 2011 at 8:17 PM, Steve Litt <slitt@troubleshooters.com> wrote:
> > On Saturday, July 02, 2011 06:29:52 AM HyperHacker wrote:
> >> The 5.1 manual states, for os.tmpname():
> >> > On some systems (POSIX), this function also creates a file
> >> > with that name, to avoid security risks. (Someone else might
> >> > create the file with wrong permissions in the time between
> >> > getting the name and creating the file.)
> >> 
> >> But what stops someone from removing that file and creating
> >> their own, or changing its permissions? It doesn't seem like
> >> this really mitigates the risk at all.
> > 
> > I think the assumption is you'll use the file very quickly and
> > then erase it, making it very hard for someone to switch out the
> > file during the short time you'll be using it.
> > 
> > I rolled my own temp file maker that in my opinion is better than
> > those offered by Lua's distribution:
> > 
> > http://www.troubleshooters.com/codecorn/lua/luaos.htm#_Temporary_Files
> > 
> > Be careful -- I think the "%%%" in the error message should be
> > "@@@".
> 
> Your file maker is not better. There is a race condition between
> the test to check for the existence of the desired file and the
> opening of the file for writing (which creates it).
> 
> This is why Lua and everyone else uses mkstemp [1].
> 
> [1]
> http://pubs.opengroup.org/onlinepubs/009695399/functions/mkstemp.html

Cool! Where's the documentation on the Lua implementation of 
mkstemp()?

Thanks

SteveT

Steve Litt
Author: The Key to Everyday Excellence
http://www.troubleshooters.com/bookstore/key_excellence.htm
Twitter: http://www.twitter.com/stevelitt
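
The race described in the quoted reply, next to the atomic creation that mkstemp performs, as an added C example that is not part of the original thread or of Lua's source. The `window_fn` hook and `other_party_creates` are hypothetical stand-ins for a second process, and the `/tmp/demo_XXXXXX` template is a constructed sample.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hook: stands in for another process acting between calls. */
typedef void (*window_fn)(const char *path);

/* Constructed stand-in for the other process: it creates the file first,
 * with permissions of its own choosing. */
void other_party_creates(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT, 0666);
    if (fd >= 0) { fchmod(fd, 0666); close(fd); }
}

/* Racy: existence test, then a separate open that creates the file. */
int create_check_then_open(const char *path, window_fn window) {
    if (access(path, F_OK) == 0) return -1;   /* name already taken */
    if (window) window(path);                 /* gap between the two calls */
    /* No O_EXCL: opens whatever now sits at `path`, with its permissions. */
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Atomic: the kernel tests and creates in one step; EEXIST if anything,
 * including a symlink, already has the name. */
int create_exclusive(const char *path, window_fn window) {
    if (window) window(path);
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Returns the permission bits of an open descriptor, or -1. */
int fd_mode(int fd) {
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

int main(void) {
    char tmpl[] = "/tmp/demo_XXXXXX";   /* mkstemp picks the name and creates it */
    int fd = mkstemp(tmpl);
    if (fd < 0) { perror("mkstemp"); return 1; }
    printf("%s mode %o\n", tmpl, fd_mode(fd));
    close(fd);
    return unlink(tmpl) != 0;
}
```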