When playing with tmpfile(3) and pledge(2) I found that tmppath is not  
enough for tmpfile to succeed, since it needs fchmod support. This is
logical considering the current implementation, but counter-intuitive
with the tmppath pledge.

The fchmod line was added by deraadt@ in r1.5 back in 1998, based on
std conformance mentioned by cas...@holland.sun.com. The texts that
I've consulted didn't mention anything about permission sets on the
file and unlinking the file immediately after creation doesn't allow
other applications to open it again (as far as I'm aware).
Unfortunately I can't find the original conversation, so I don't know
what I'm missing here.

Is there a sound reason to keep this code here that I'm overlooking
or can we please remove it?

While here I also trimmed the memcpy dance which seems to work just
fine when applying it directly.

martijn@

Index: tmpfile.c
===================================================================
RCS file: /cvs/src/lib/libc/stdio/tmpfile.c,v
retrieving revision 1.11
diff -u -p -r1.11 tmpfile.c
--- tmpfile.c   31 Aug 2015 02:53:57 -0000      1.11
+++ tmpfile.c   25 Apr 2019 12:55:23 -0000
@@ -31,8 +31,6 @@
  * SUCH DAMAGE.
  */
 
-#include <sys/types.h>
-#include <sys/stat.h>
 #include <unistd.h>
 #include <signal.h>
 #include <errno.h>
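Review bot: the include cleanup cannot be fully checked from this hunk, because only the first three remaining includes are visible. Dropping <sys/types.h> and <sys/stat.h> matches the removal of `mode_t u;`, umask and fchmod in the next hunk. Since that hunk also removes both memcpy calls, check whether a <string.h> include further down the list is still needed, and that the header defining _PATH_TMP is still pulled in for the new initializer.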
@@ -47,24 +45,14 @@ tmpfile(void)
        sigset_t set, oset;
        FILE *fp;
        int fd, sverrno;
-#define        TRAILER "tmp.XXXXXXXXXX"
-       char buf[sizeof(_PATH_TMP) + sizeof(TRAILER)];
-
-       (void)memcpy(buf, _PATH_TMP, sizeof(_PATH_TMP) - 1);
-       (void)memcpy(buf + sizeof(_PATH_TMP) - 1, TRAILER, sizeof(TRAILER));
+       char buf[] = _PATH_TMP "tmp.XXXXXXXXXX";
 
        sigfillset(&set);
        (void)sigprocmask(SIG_BLOCK, &set, &oset);
 
        fd = mkstemp(buf);
-       if (fd != -1) {
-               mode_t u;
-
+       if (fd != -1)
                (void)unlink(buf);
-               u = umask(0);
-               (void)umask(u);
-               (void)fchmod(fd, 0666 & ~u);
-       }
 
        (void)sigprocmask(SIG_SETMASK, &oset, NULL);
 
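Review bot: in the `if (fd != -1)` branch, dropping the umask/fchmod sequence means the descriptor keeps whatever mode mkstemp gave it instead of `0666 & ~u`, and nothing in the code records that this is intentional. A one-line comment next to `(void)unlink(buf);` saying the mode is deliberately left alone, so that tmpfile works under the tmppath pledge, would keep someone from restoring the fchmod later. The `char buf[] = _PATH_TMP "tmp.XXXXXXXXXX";` initializer relies on _PATH_TMP being a string literal; the old sizeof-based code made the same assumption, so that part is fine.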
Index: tmpnam.3
===================================================================
RCS file: /cvs/src/lib/libc/stdio/tmpnam.3,v
retrieving revision 1.21
diff -u -p -r1.21 tmpnam.3
--- tmpnam.3    28 Feb 2015 21:51:57 -0000      1.21
+++ tmpnam.3    25 Apr 2019 12:55:23 -0000
@@ -57,15 +57,6 @@ The created file is unlinked before
 .Fn tmpfile
 returns, causing the file to be automatically deleted when the last
 reference to it is closed.
-Since
-.Xr mkstemp 3
-creates the file with mode
-.Dv S_IRUSR | S_IWUSR ,
-after the unlink,
-.Xr fchown 2
-and
-.Xr umask 2
-are used to set the file mode to the expected value.
 The file is opened with the access value
 .Ql w+ .
 .Pp
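Review bot: after this removal the page no longer says anything about the mode of the file that tmpfile creates. The deleted text also named fchown(2) where tmpfile.c called fchmod, so dropping it is right, but consider keeping one short sentence stating that the file retains the `S_IRUSR | S_IWUSR` mode from mkstemp(3), since that is an observable change for callers that fstat the returned stream.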