>>> So use NamedTemporaryFile(delete = False) and close it before passing it to the other program.
>> That's effectively the same as calling tempfile.mktemp. While it does waste time opening and closing an unused file, that doesn't help with security.
> That is not actually true. The important difference is that with NamedTemporaryFile the file exists with appropriate access rights (0600).
You are right, I must have mentally reversed the polarity of the delete argument. And I didn't realise that the access right on a file had the power to prevent itself from being removed from the folder that it's in. I thought the access flags were a property of the file itself and not the directory entry. Not sure how that works.
But if NamedTemporaryFile(delete=False) is secure then why not use that to implement mktemp?
from tempfile import NamedTemporaryFile, template

def mktemp(suffix="", prefix=template, dir=None):
    with NamedTemporaryFile(delete=False, suffix=suffix, prefix=prefix, dir=dir) as f:
        return f.name  # the file now exists with mode 0600; the caller removes it
Yes, it does leave an empty file if the name is not used, but the name is usually created with the intent to use it, so that is rarely going to be a problem. Just document that that's how it is. It does mean that where there's an explicit file-exists check before writing the file, that code will break. But it will break a lot less code than removing mktemp entirely.
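An added example, not from the thread, showing the difference the reply above is about: a mktemp replacement built on NamedTemporaryFile(delete=False), next to a check that the legacy tempfile.mktemp() name has no file behind it while the new one already exists with owner-only permissions. The names mktemp_safe, describe and compare are made up for this example.

```python
import os
import stat
import tempfile


def mktemp_safe(suffix="", prefix=tempfile.template, dir=None):
    """Return a fresh temporary file name whose file already exists.

    Unlike tempfile.mktemp(), which only returns a name, the file is created
    with O_CREAT|O_EXCL and mode 0600 before the name is handed back, so no
    other process can plant its own file or symlink under that name between
    "pick a name" and "open it". The caller owns the file and must remove it.
    """
    with tempfile.NamedTemporaryFile(delete=False, suffix=suffix,
                                     prefix=prefix, dir=dir) as f:
        return f.name


def describe(path):
    """Report whether a path exists and, if so, its permission bits (POSIX)."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return {"exists": False, "mode": None}
    return {"exists": True, "mode": stat.S_IMODE(st.st_mode)}


def compare():
    """Constructed comparison of the two approaches on this machine."""
    # Legacy: a name is returned but nothing is created, so the window
    # between naming and opening is where the trouble lives.
    legacy_name = tempfile.mktemp(prefix="legacy_")
    legacy_state = describe(legacy_name)

    # Replacement: the file is created first, owner-read/write only.
    safe_name = mktemp_safe(prefix="safe_")
    safe_state = describe(safe_name)
    os.unlink(safe_name)  # clean up the file this example created

    return legacy_state, safe_state


if __name__ == "__main__":
    legacy, safe = compare()
    print("mktemp():", legacy)        # {'exists': False, 'mode': None}
    print("mktemp_safe():", safe)     # {'exists': True, 'mode': 384} (0o600)
```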