[Python-Dev] Remove tempfile.mktemp()
Steven D'Aprano
steve at pearwood.info
Wed Mar 20 08:09:44 EDT 2019
On Wed, Mar 20, 2019 at 12:45:40PM +0100, Victor Stinner wrote:
> Hi,
>
> I'm not really convinced that mktemp() should be made "more secure".
> To be clear: mktemp() is vulnerable by design. It's not a matter of
> entropy. You can watch the /tmp directory using inotify and "discover"
> immediately the "secret" filename, it doesn't depend on the amount of
> entropy used to generate the filename. A function is either unsafe or
> secure.
Security is not a binary state; it is never either-or, "unsafe" or
"secure". Secure against what attacks? Unsafe under what circumstances?
I can use the unsafe mktemp on a stand-alone single-user computer,
disconnected from the internet, guaranteed to have nothing but trusted
software, and it will be secure in practice.
Or I can use the "safe interfaces" and I'm still vulnerable to an
Advanced Persistent Threat that has compromised the OS specifically to
target my application. If the attacker controls the OS or the hardware,
then effectively they've already won.
--
Steven
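The design flaw Victor describes in the quoted message, shown as an added example (this is not code from the thread or from CPython's tempfile module). mktemp() hands back a name and reserves nothing on disk, so between the call and the caller's open() anyone who learned the name can create it first; open(..., "wb") then writes straight into the attacker's file. mkstemp() and NamedTemporaryFile() close that window by creating with O_CREAT | O_EXCL, which the safe variant below spells out by hand. Assumed simplification: the Attacker object is handed the path directly instead of predicting it or watching the directory, because the point is that the window exists however the name was learned; the secret being written is constructed sample data.

```python
import os
import secrets
import stat
import tempfile

# Constructed sample data: the secret a victim program wants to stash in a temp file.
SECRET = b"db_password=hunter2\n"


class Attacker:
    """Stand-in for a local attacker who learned the temp file name.

    Assumed simplification: the hook receives the path directly. It pre-creates
    the file so the victim's write lands in an inode the attacker already owns
    and has left world-readable."""

    def __init__(self):
        self.inodes = []

    def __call__(self, path):
        fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o666)
        os.close(fd)
        os.chmod(path, 0o666)  # keep read access to whatever lands here
        self.inodes.append(os.stat(path).st_ino)


def vulnerable_write(directory, secret, race_hook=None):
    """The mktemp() pattern, deliberately left vulnerable.

    Nothing is reserved on disk between mktemp() returning and open(): the
    race_hook marks that window. open(..., "wb") does not care whether the
    file already existed, so it truncates and writes into whatever is there."""
    path = tempfile.mktemp(dir=directory)
    if race_hook is not None:
        race_hook(path)
    with open(path, "wb") as fh:
        fh.write(secret)
    return path


def safe_write(directory, secret, race_hook=None):
    """The mkstemp() pattern spelled out by hand.

    O_CREAT | O_EXCL makes the kernel refuse if the path already exists
    (including a dangling symlink planted there), so a pre-created file is
    reported as FileExistsError instead of being written into. The mode is
    0o600 so the file is private from the first instant it exists. A real
    caller (and tempfile.mkstemp) retries with a fresh name on collision."""
    path = os.path.join(directory, "tmp" + secrets.token_hex(8))
    if race_hook is not None:
        race_hook(path)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(secret)
    return path


def demo():
    """Run both patterns against the same attacker and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # 1. mktemp pattern: the secret ends up in the attacker's inode.
        attacker = Attacker()
        path = vulnerable_write(d, SECRET, race_hook=attacker)
        st = os.stat(path)
        results["vulnerable_inode_reused"] = st.st_ino == attacker.inodes[0]
        results["vulnerable_world_readable"] = bool(st.st_mode & stat.S_IROTH)
        with open(path, "rb") as fh:
            results["vulnerable_secret_exposed"] = fh.read() == SECRET

        # 2. O_EXCL pattern under the same race: the collision is detected.
        try:
            safe_write(d, SECRET, race_hook=Attacker())
            results["safe_detected_race"] = False
        except FileExistsError:
            results["safe_detected_race"] = True

        # 3. O_EXCL pattern without interference: private file, correct contents.
        path = safe_write(d, SECRET)
        results["safe_mode"] = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, "rb") as fh:
            results["safe_contents_ok"] = fh.read() == SECRET
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that more entropy in the mktemp() name changes nothing in case 1: the attacker hook is given the name, and the outcome is decided by the open() call that follows, not by how hard the name was to guess. The fix is the atomic create-or-fail, which is why tempfile.mkstemp() and NamedTemporaryFile() are the recommended replacements.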