Hi Karl, Ralf,

>> Is the problem mentioned in the standards the same with the one
>> described here?
>> http://www.linuxsecurity.com/content/view/115462/151/
>>
>> Yes.
>>
>> If yes, then, maybe, advice to use mktemp would be more appropriate?
>>
>> Mentioning mktemp is a good idea. But doesn't noclobber also avoid the
>> security problem (though in an inferior way), because either your
>> program or the attacker's will fail to create the file, with noclobber
>> set.
>
> Right.
>
>> Here's my attempt at a new paragraph:
>>
>> In bash, use @code{set -C} (long name @code{noclobber}) to avoid this
>> problem; the @code{mktemp} utility is a more general solution for
>> creating temporary files from shell scripts (@pxref{mktemp
>> invocation,,, coreutils, GNU Coreutils}).
>
> Sounds better. You could mention that mktemp is available everywhere.
> 'info Autoconf --index mktemp' also has a recommendation for a portable
> alternative. And for the $RANDOM alternative mentioned there, noclobber
> would be a nice additional measure.
>
> Cheers,
> Ralf

Now I see that mktemp is not a substitute for 'noclobber', but a good
addition to it.

Therefore, I suggest a change to the proposed version:

In bash, use @code{set -C} (long name @code{noclobber}) to avoid this
problem. Additionally, you can consider using the @code{mktemp}
utility, a general solution for creating temporary files from shell
scripts (@pxref{mktemp invocation,,, coreutils, GNU Coreutils}).

--
Michael V. Antosha
http://identi.ca/mivael
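
The combination discussed in this thread (mktemp where it works, a $RANDOM-style name guarded by noclobber otherwise), as an added shell example that is not part of the original messages or of the Autoconf manual. The function names and the `demo` file prefix are hypothetical.

```shell
#!/bin/sh
# Added example: function names and the "demo" prefix are hypothetical.

# Create an empty file at $1 only if the path is free. Under noclobber
# (set -C) the ">" redirection fails when a regular file is already
# there, directly or through a symlink, instead of truncating it.
# The subshell keeps set -C and the umask away from the caller.
create_exclusive() {
  ( umask 077; set -C; : > "$1" ) 2>/dev/null
}

# Fallback for systems without a working mktemp: a guessable name ($$
# and, where the shell has it, $RANDOM), claimed through
# create_exclusive so an existing file is never overwritten.
fallback_tmpfile() {
  dir=${TMPDIR:-/tmp}
  n=0
  while [ "$n" -lt 10 ]; do
    f=$dir/demo.$$.${RANDOM:-0}.$n
    if create_exclusive "$f"; then
      printf '%s\n' "$f"
      return 0
    fi
    n=$((n + 1))
  done
  return 1   # every candidate name was already taken
}

# Preferred path: mktemp picks an unpredictable name and creates the
# file itself; the fallback is used only when mktemp fails.
make_tmpfile() {
  f=$(mktemp "${TMPDIR:-/tmp}/demo.XXXXXX" 2>/dev/null) && [ -f "$f" ] &&
    { printf '%s\n' "$f"; return 0; }
  fallback_tmpfile
}

# Stand-alone run: create one temporary file, report it, remove it.
tmp=$(make_tmpfile) && echo "created $tmp" && rm -f "$tmp"
```

A symlink that points at a device or FIFO is not a regular file, so noclobber does not refuse it; that is one reason mktemp stays the preferred path here.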