Re: which temp dir to use?
- Subject: Re: which temp dir to use?
- From: Kyle Sluder <email@hidden>
- Date: Sun, 24 May 2009 09:52:36 -0700

On Sun, May 24, 2009 at 5:58 AM, Dave Keck <email@hidden> wrote:
> I use /tmp. Works great for me - I use it to save temporary files that
> another privileged process then moves to a permanent location. Launchd
> uses it too, along with a host of other things.

Please don't just toss things in /tmp. Launchd doesn't just toss
things in /tmp, it creates directories within /tmp, because that's
secure (you can't delete empty directories, and the permissions on the
directory are set such that only a specific user can modify the
directory). Putting files for inter-process communication in /tmp is
not secure. Imagine the following sequence of events:

1. Non-privileged process A running as user Alice creates a file
   called /tmp/ipc.
2. A signals to privileged process B, running as root, that the file exists.
3. Malevolent process C, running as user Eve, notices the file,
   unlinks it (which it can do due to the permissions on /tmp) and
   creates a new one in its place with its own preferred contents.
4. B performs its action on the newly-replaced file contents.

Game over. Eve has used a non-privileged account but has taken
advantage of Alice's use of a privileged tool. This is even easier if
the path in /tmp is hardcoded.

If you want to pass things between non-privileged and privileged
processes, you have quite a few options that don't even involve the
filesystem. If you need persistence or some other feature of the
filesystem, use NSTemporaryDirectory because it is far more secure
than /tmp. If you *must* use /tmp for some reason (not linking
against Foundation, etc.) use FSFindFolder. If you can't even use
that, then follow launchd's lead and create user-specific non-empty
directories in /tmp. Try to pass file descriptors or pipes around
whenever possible rather than pointing to paths in the filesystem.

--Kyle Sluder
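
The following C code is an added example, not part of the original message: it creates a user-private directory under /tmp with mkdtemp (the last fallback the message describes) and shows the check a receiver can run with fstat on a passed descriptor instead of trusting a path. The function names and the /tmp/ipc-demo template used with them are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Added illustration; all function names here are hypothetical.
 * Create a directory only the calling user can modify (mkdtemp makes it
 * mode 0700 with an unpredictable name), then create a new file inside it.
 * tmpl must be a writable buffer ending in "XXXXXX". Returns an fd or -1. */
int create_private_ipc_file(char *tmpl, const char *name)
{
    if (mkdtemp(tmpl) == NULL)
        return -1;
    int dirfd = open(tmpl, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0)
        return -1;
    /* O_EXCL: fail if the name exists; O_NOFOLLOW: never follow a symlink. */
    int fd = openat(dirfd, name, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    close(dirfd);
    return fd;
}

/* Receiver-side check on a descriptor that was passed instead of a path.
 * fstat() describes the object the descriptor refers to, so unlinking or
 * replacing a name in a directory cannot change the answer. */
int fd_is_owned_regular_file(int fd, uid_t expected_owner)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode)
        && st.st_uid == expected_owner
        && st.st_nlink == 1
        && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Returns 1 if path is a directory, mode 0700, owned by expected_owner. */
int dir_is_private(const char *path, uid_t expected_owner)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISDIR(st.st_mode)
        && st.st_uid == expected_owner
        && (st.st_mode & 0777) == 0700;
}
```

The descriptor returned by create_private_ipc_file can be handed to the other process over a pipe or Unix-domain socket, so the receiver never resolves a name in a shared directory.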