Question on os.tempnam() vulnerability

cameronwong88

Hello,

Does anyone know what kind of security risk these messages are
suggesting?

__main__:1: RuntimeWarning: tempnam is a potential security risk to
your program
'/tmp/filed4cJNX'
__main__:1: RuntimeWarning: tmpnam is a potential security risk to
your program
'/tmp/fileENAuNw'

Thanks,
~cw
 
Fredrik Lundh

> Does anyone know what kind of security risk these messages are
> suggesting?
>
> __main__:1: RuntimeWarning: tempnam is a potential security risk to
> your program
> __main__:1: RuntimeWarning: tmpnam is a potential security risk to
> your program
> '/tmp/fileENAuNw'

you get a name instead of a file, so someone else can create that file
after you've called tempnam/tmpnam, but before you've actually gotten
around to create the file yourself. which means that anyone on the
machine might be able to mess with your application's data.

use the functions marked as "safe" in the tempfile module instead.

</F>
 
Grant Edwards

> you get a name instead of a file, so someone else can create that file
> after you've called tempnam/tmpnam, but before you've actually gotten
> around to create the file yourself. which means that anyone on the
> machine might be able to mess with your application's data.
>
> use the functions marked as "safe" in the tempfile module instead.

Under Windows, is there a "safe" way to create a temp file that
has a name that can be passed to a program which will then open
it? I never figured out a way to do that and had to fall back
on the "unsafe" tmpnam method.
 
cameronwong88

> you get a name instead of a file, so someone else can create that file
> after you've called tempnam/tmpnam, but before you've actually gotten
> around to create the file yourself. which means that anyone on the
> machine might be able to mess with your application's data.
>
> use the functions marked as "safe" in the tempfile module instead.
>
> </F>

Thanks Fredrik, for the clear explanation!!!

~cw
 
Jarek Zgoda

Grant Edwards writes:
> Under Windows, is there a "safe" way to create a temp file that
> has a name that can be passed to a program which will then open
> it? I never figured out a way to do that and had to fall back
> on the "unsafe" tmpnam method.

I think it's all impossible to get only file name and feel safe. You
have to have both file name and a file object opened exclusively for
you. Any other way you'll get a possible race condition.
 
Grant Edwards

> I think it's all impossible to get only file name and feel
> safe. You have to have both file name and a file object opened
> exclusively for you. Any other way you'll get a possible race
> condition.

I know. That's the point of my question: how do you do that
under Windows?
 
Martin v. Löwis

> I know. That's the point of my question: how do you do that
> under Windows?

When you create a new process, you have the option to inherit
file handles to the new process. So the parent should open the
file, and then inherit the handle to the new process.

The new process will need to know what the file handle it should
use. There are two basic options:
a) pass the file handle number as a string on the command line
b) make the handle either stdin or stdout of the new process,
and have the new process ask for its stdin/stdout handle.

IOW, it's the same approach as on Unix.

Regards,
Martin
 
Grant Edwards

> When you create a new process, you have the option to inherit
> file handles to the new process. So the parent should open the
> file, and then inherit the handle to the new process.

That's an answer, though not for the question I asked. The
program that's being run requires that it be passed a
filename on the command-line.

I'm not writing the program that is to open the file. If I
were, I'd just make it a python module and call it instead of
running it in a separate process.

> IOW, it's the same approach as on Unix.

Not really. Under Unix you can safely create a temp file with
a name that can be used to open the file. I asked about a way
to do that under Windows as well.
 
Martin v. Löwis

> That's an answer, though not for the question I asked.

I think you'll have to pose a complete question again,
rather than "how do I do that", if you want to get an
answer to your question.

> Not really. Under Unix you can safely create a temp file with
> a name that can be used to open the file. I asked about a way
> to do that under Windows as well.

Assuming you are still talking about

" is there a "safe" way to create a temp file that
has a name that can be passed to a program which will then open
it?"

then also on Unix, the answer is: no, that's not possible.
I assume you are asking about a scenario such as:
a) the parent process creates a file
b) the parent process closes its handle to the file
c) the parent process creates a child process passing
the file name
d) the child process opens the file, and is certain that it
is still the same file

then this sequence cannot be implemented on Unix, either - another
process may remove the file and create a new one between b and d.

Regards,
Martin
 
Fredrik Lundh

Grant said:
> Not really. Under Unix you can safely create a temp file with
> a name that can be used to open the file.

Unless I'm missing something, it's not possible to do this in a safe
way in the shared temp directory; you can do that only by creating a
file in a directory that's under full control of your user.

And *that* approach works on Windows as well, of course.

</F>
 
Grant Edwards

> Unless I'm missing something, it's not possible to do this in a safe
> way in the shared temp directory; you can do that only by creating a
> file in a directory that's under full control of your user.

Which is what I do.

> And *that* approach works on Windows as well, of course.

I was asking how to create a named temporary file under Windows
without a race condition. I've re-read the tempfile module
documentation a couple more times, and it finally dawned on me
that I'd been misreading the following statement about
tempfiles created by NamedTemporaryFile/mkstemp:

"Whether the name can be used to open the file a second time,
while the named temporary file is still open, varies across
platforms (it can be so used on Unix; it cannot on Windows NT
or later)."

I don't know how many times I've read that and missed the
phrase "while the named temporary file is still open". I had
always read that as saying that the tempfile couldn't be opened
a second time under Windows. I know, that would make the
availability of the path/name a moot point, but so many things
under Windows don't make sense to me that I just let it slide.

As Emily Litella used to say:

"Oh. That's very different. Never mind."
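
Added example, not part of any post in this thread: a Python sketch of the two points the thread converges on, atomic exclusive creation instead of "pick a name, create later", and a file in a private directory that is closed before its name is passed to a child process. The names `exclusive_create`, `run_child_with_named_temp`, `child_argv` and `input.dat` are assumptions made for illustration.

```python
import os
import shutil
import subprocess
import sys
import tempfile


def exclusive_create(path):
    """Atomically create `path`; return an fd, or None if the name is taken.

    O_CREAT|O_EXCL makes "check that it does not exist" and "create it" a
    single operation, which closes the window tempnam()/tmpnam() leave open.
    """
    try:
        return os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
    except FileExistsError:
        return None


def run_child_with_named_temp(data, child_argv):
    """Hand `data` to a child process that only accepts a file name.

    child_argv is a placeholder for the external command; the file name is
    appended as its last argument.
    """
    workdir = tempfile.mkdtemp(prefix="private-")  # unique; mode 0700 on Unix
    path = os.path.join(workdir, "input.dat")
    try:
        fd = exclusive_create(path)
        if fd is None:
            raise RuntimeError("unexpected file in private directory")
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        # The file is closed here, so the child can open it by name on
        # Windows as well as on Unix.
        result = subprocess.run(child_argv + [path], capture_output=True, check=True)
        return result.stdout
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    # Constructed stand-in for the external program: prints the file it is given.
    child = [sys.executable, "-c",
             "import sys; sys.stdout.write(open(sys.argv[1]).read())"]
    print(run_child_with_named_temp(b"report data\n", child))
```

The safety of the second function rests on the directory, not the file name: only the owning user can create or replace entries inside `workdir`, so the name stays bound to the same file between close and reopen.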
 
