[kaffe] File.createTempFile() creates files in /tmp with mode 0666!
Mark J Roberts
mjr@znex.org
Mon Mar 3 02:37:01 2003
Jim Pick:
> From the looks of this, it does look somewhat undefined. I think we're
> doing what Sun does, but that makes me somewhat nervous. I can see how
> it could be considered "correct" if somebody uses a temp file location
> other than /tmp. However, since we default to /tmp (as does Sun), using
> the default behaviour looks like a way to create security holes to me.
> If somebody is writing portable code, using File.createTempFile() with
> the default directory setting looks like bad news to me (unless I'm
> missing something).
>
> So, I personally vote for changing the mode to "0644" or "0600".
>
> Does anybody else know anything about this issue?

I'm at a loss for why someone would use this API with the intention
of creating a file that other users would access, but from your
reply, it seems to be designed and even used with that in mind. My
feeling is that the whole notion of a default temp dir is stupid and
that the two-argument form of this call is insecure by design. So I
think we're more or less in agreement.

This may be a reasonable solution:

  * The three-argument form is unchanged. Callers are
    responsible for whatever security the file will have.

  * If java.io.tmpdir is explicitly user-configured, behavior
    is unchanged. The user who configured it is responsible
    for the security of files in the temp dir.

  * If java.io.tmpdir is _not_ configured, assume the user
    wants a secure temp file, and do it in the best
    platform-specific way.
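
The three rules proposed above, sketched in C as an added example; this is not code from the original message or from Kaffe. The names create_temp_file, file_mode and DEFAULT_TMPDIR are hypothetical, and "the best platform-specific way" is assumed here to mean exclusive creation with owner-only permissions on a POSIX system.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define DEFAULT_TMPDIR "/tmp"   /* the shared default discussed in the thread */

/* Hypothetical helper (not Kaffe code).
 * caller_dir:        directory passed to the three-argument form, or NULL
 * configured_tmpdir: java.io.tmpdir if the user set it explicitly, or NULL
 * Returns an open fd and writes the chosen path to path_out, or -1 on error. */
int create_temp_file(const char *caller_dir, const char *configured_tmpdir,
                     const char *prefix, char *path_out, size_t path_len)
{
    const char *dir = caller_dir ? caller_dir : configured_tmpdir;
    /* Rules 1 and 2: someone chose the directory, so keep the old 0666
     * (still reduced by the umask). Rule 3: nobody chose, so owner-only. */
    mode_t mode = dir ? 0666 : 0600;
    if (dir == NULL)
        dir = DEFAULT_TMPDIR;

    for (int attempt = 0; attempt < 100; attempt++) {
        int n = snprintf(path_out, path_len, "%s/%s%ld_%d.tmp",
                         dir, prefix, (long)getpid(), attempt);
        if (n < 0 || (size_t)n >= path_len)
            return -1;
        /* O_EXCL makes creation fail if the name exists, including when it
         * is a symlink planted by another user of the shared directory. */
        int fd = open(path_out, O_RDWR | O_CREAT | O_EXCL, mode);
        if (fd >= 0 || errno != EEXIST)
            return fd;
    }
    return -1;
}

/* Permission bits of an open file, or (mode_t)-1 on error. */
mode_t file_mode(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? (st.st_mode & 0777) : (mode_t)-1;
}

int main(void)
{
    char path[256];
    int fd = create_temp_file(NULL, NULL, "demo", path, sizeof path);
    if (fd < 0) { perror("create_temp_file"); return 1; }
    printf("%s mode %04o\n", path, (unsigned)file_mode(fd));
    close(fd);
    return unlink(path) == 0 ? 0 : 1;
}
```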