[Python-Dev] Remove tempfile.mktemp()

Cameron Simpson cs at cskk.id.au
Sat Mar 23 19:59:35 EDT 2019


On 20Mar2019 12:53, Jeroen Demeyer <J.Demeyer at UGent.be> wrote:
>On 2019-03-20 12:45, Victor Stinner wrote:
>>You can watch the /tmp directory using inotify and "discover"
>>immediately the "secret" filename, it doesn't depend on the amount of
>>entropy used to generate the filename.
>
>That's not the problem. The security issue here is guessing the 
>filename *before* it's created and putting a different file or symlink 
>in place.
>
>So I actually do think that mktemp() could be made secure by using a 
>longer name generated by a secure random generator.

I know it is days later, but to add a little nuance: the security issue 
is guessing the filename before it is _used_. Consider:

  path = tempfile.mktemp()
  with open(path, "w"):
    write some secret stuff ...
  call_other_function(path)

If an attacker gets in _after_ the open (which creates the file) by 
using something like inotify to _observe_ the pathname instead of 
guessing and supplants the file then, call_other_function is then 
subverted.

Also, the common examples are attackers who are not the user making the 
tempfile, in which case the _default_ mktemp is sort of secure with the 
above because it gets made in /tmp which on a modern POSIX system 
prevents _other_ uses from removing/renaming a file. (And Eryk I think 
described the Windows situation which is similarly protected).

However, mktemp somewhere else is not so protected.

And the attacker might be malware running as the orignal user (yes the 
game may already be overin that case for other reasons).

However, I wanted to make the point that the security issue isn't around 
creation but use - trusting the mktemp pathname to be the same state as 
it was earlier.

Cheers,
Cameron Simpson <cs at cskk.id.au>


More information about the Python-Dev mailing list