Mailinglist Archive: opensuse (3637 mails)

Re: [SLE] mktemp is dangerous warning
  • From: Anders Johansson <andjoh@xxxxxxxxxxxxxxxxxxxxx>
  • Date: Thu, 24 May 2001 21:12:06 +0200
  • Message-id: <200105241912.f4OJC6M30169@xxxxxxxxxxxxxxxxxxxxx>
It's only dangerous if you have other users on your machine. There is a
possibility of a local exploit, but nothing remote. The man page for
mktemp(3) has the details:

Never use mktemp(). Some implementations follow BSD 4.3
and replace XXXXXX by the current process id and a single
letter, so that at most 26 different names can be
returned. Since on the one hand the names are easy to
guess, and on the other hand there is a race between testing
whether the name exists and opening the file, every
use of mktemp() is a security risk. The race is avoided
by mkstemp(3).


On Thursday 24 May 2001 20:10, Togan Muftuoglu wrote:
> Hi,
> I have noticed after I upgrade to gcc 2.95.3 (from Philip Thomas's
> directory at I am getting a warning like "use of mktemp is
> dangerous use mkstemp instead. "
> Now since I have a D in programming is this something I should worry
> about. An example is xsane-0.77
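
The race described in the quoted man page text, as an added C example that is not part of the original message: a check-then-open on a guessable name, with and without `O_EXCL`, beside `mkstemp()`. The function names, the scratch directory and the pid-plus-letter name are constructed for illustration.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check-then-open, the pattern mktemp() leads to. extra_flags is 0 for the racy
 * form, O_EXCL for the hardened one. Returns 1 if the open landed on a file
 * created by someone else inside the window, 0 if refused, -1 on setup error. */
static int opens_foreign_file(const char *dir, int extra_flags)
{
    char path[256];
    struct stat st;
    /* Constructed stand-in for the BSD 4.3 scheme: pid plus one letter. */
    snprintf(path, sizeof path, "%s/tmp%05da", dir, (int)(getpid() % 100000));
    if (lstat(path, &st) == 0) return -1;     /* step 1: name looks free */
    /* Window: simulates another local user creating the guessed name. */
    int other = open(path, O_WRONLY | O_CREAT, 0666);
    if (other < 0) return -1;
    close(other);
    int fd = open(path, O_WRONLY | O_CREAT | extra_flags, 0600);  /* step 2 */
    if (fd >= 0) close(fd);
    unlink(path);
    return fd >= 0;
}

/* mkstemp() picks the name and creates the file in one call, so there is no
 * window. Returns the new file's permission bits, or -1 on error. */
static int mkstemp_mode(const char *dir)
{
    char tmpl[256];
    struct stat st;
    snprintf(tmpl, sizeof tmpl, "%s/demoXXXXXX", dir);
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    int rc = fstat(fd, &st);
    close(fd);
    unlink(tmpl);
    return rc == 0 ? (int)(st.st_mode & 0777) : -1;
}

int main(void)
{
    char dir[] = "/tmp/mkdemoXXXXXX";         /* private scratch directory */
    if (!mkdtemp(dir)) return 1;
    int racy = opens_foreign_file(dir, 0), excl = opens_foreign_file(dir, O_EXCL);
    printf("racy=%d excl=%d mkstemp mode=%o\n", racy, excl, (unsigned)mkstemp_mode(dir));
    return rmdir(dir) != 0;
}
```

Without `O_EXCL` the second open succeeds on the file that appeared in the window; with it the open is refused, which is the behaviour `mkstemp()` relies on.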
