[kaffe] File.createTempFile() creates files in /tmp with mode 0666!

Mark J Roberts mjr@znex.org
Mon Mar 3 02:37:01 2003


Jim Pick:
> From the looks of this, it does look somewhat undefined.  I think we're
> doing what Sun does, but that makes me somewhat nervous.  I can see how
> it could be considered "correct" if somebody uses a temp file location
> other than /tmp.  However, since we default to /tmp (as does Sun), using
> the default behaviour looks like a way to create security holes to me. 
> If somebody is writing portable code, using File.createTempFile() with
> the default directory setting looks like bad news to me (unless I'm
> missing something).
> 
> So, I personally vote for changing the mode to "0644" or "0600".
> 
> Does anybody else know anything about this issue?

I'm at a loss for why someone would use this API with the intention
of creating a file that other users would access, but from your
reply, it seems to be designed and even used with that in mind. My
feeling is that the whole notion of a default temp dir is stupid and
that the two-argument form of this call is insecure by design. So I
think we're more or less in agreement.

This may be a reasonable solution:

	* The three-argument form is unchanged. Callers are
	  responsible for whatever security the file will have.

	* If java.io.tmpdir is explicitly user-configured, behavior
	  is unchanged. The user who configured it is responsible
	  for the security of files in the temp dir.

	* If java.io.tmpdir is _not_ configured, assume the user
	  wants a secure temp file, and do it in the best
	  platform-specific way.
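
The proposal above, sketched in C for a POSIX system as an added example (this is not Kaffe's code and not part of the original message). The names create_temp, created_mode and tmpdir_configured are hypothetical, and file-name generation on the "unchanged" path is simplified.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not Kaffe code. tmpdir_configured stands for
 * "java.io.tmpdir was set explicitly by the user". Returns an open fd or -1. */
int create_temp(const char *dir, int tmpdir_configured, char *path, size_t len)
{
    if (!tmpdir_configured) {
        /* Default, shared directory: mkstemp() picks the name and opens it
         * with O_CREAT|O_EXCL and mode 0600, whatever the umask is. */
        if (snprintf(path, len, "%s/exampleXXXXXX", dir) >= (int)len)
            return -1;
        return mkstemp(path);
    }
    /* Configured directory: behaviour unchanged, 0666 limited only by umask. */
    if (snprintf(path, len, "%s/example%ld.tmp", dir, (long)getpid()) >= (int)len)
        return -1;
    return open(path, O_RDWR | O_CREAT | O_EXCL, 0666);
}

/* Create one temp file under the given umask; return its permission bits. */
int created_mode(const char *dir, int tmpdir_configured, mode_t mask)
{
    char path[4096];
    struct stat st;
    mode_t old = umask(mask);
    int fd = create_temp(dir, tmpdir_configured, path, sizeof path);
    umask(old);
    if (fd < 0)
        return -1;
    int rc = fstat(fd, &st);
    close(fd);
    unlink(path);
    return rc == 0 ? (int)(st.st_mode & 0777) : -1;
}

int main(void)
{
    printf("configured dir, umask 000: %04o\n", created_mode("/tmp", 1, 0));
    printf("default dir,    umask 000: %04o\n", created_mode("/tmp", 0, 0));
    return 0;
}
```

With a permissive umask the 0666 path leaves the file readable and writable by every local user, while the mkstemp() path stays owner-only regardless of the umask.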