| 1 | + |
| 2 | +# Unix temporary files |
| 3 | + |
| 4 | +The Unix support for temporary files is different from the Windows model and developers who |
| 5 | +are used to Windows may inadvertently create security risk if they use the same practices on Unix. |
| 6 | + |
| 7 | +Most notably, the Windows model for temporary files is that the operating system provides each user with a *unique*, *user-owned* temporary directory. |
| 8 | +Moreover, all Windows users, including the service and system users, have designated user folders, including temporary folders. |
| 9 | + |
| 10 | +The Unix model is very different. The temp directory, assuming there is one, is often a global folder (except on MacOS). |
| 11 | +If possible, prefer a library function like `GetTempPath()` to find the folder. Otherwise, |
| 12 | +the `TMPDIR` environment variable is used to store the location of this folder. This variable is |
| 13 | +widely used and supported, but it is not mandatory for all Unix implementations. It should be the preferred |
| 14 | +mechanism for finding the Unix temporary folder if a library method is not available. It will commonly |
| 15 | +point to either the `/tmp` or `/var/tmp` folder. These folders are not used for MacOS, so it is not recommended |
| 16 | +to use them directly. |
| 17 | + |
| 18 | +Because the temporary directory is often global, any use of the temp directory should be carefully |
| 19 | +considered. In general, the best use of the temp directory is for programs which, |
| 20 | + |
| 21 | +1. Will create the temporary file during their process execution |
| 22 | +1. Do not depend on predictable temporary file/folder names |
| 23 | +1. Will not access the file after the process exits |
| 24 | + |
| 25 | +In these cases, the process can create a file or files with |
| 26 | + 1. A pseudorandom name, unlikely to cause collisions |
| 27 | + 1. Permissions which restrict all access to owner-only, i.e. 700 for directories, 600 for files |
| 28 | + |
| 29 | +Any other use needs to be carefully audited, particularly if the temporary file is intended for use across |
| 30 | +multiple processes. Some considerations: |
| 31 | + |
| 32 | +- **Never** write files with global access permissions |
| 33 | +- **Always** verify that the owner of the file is the current user and that the permissions |
| 34 | + only allow write access by the owner when reading existing files |
| 35 | +- **Never** rely on having ownership of a particular file name. Any process can write a file with that name, |
| 36 | + creating a denial of service. |
| 37 | + - When creating files, consider likelihood of file name collision and performance impact of attempting |
| 38 | + to create new names, if supported. |
| 39 | + |
| 40 | + If any of the above conflict with the feature requirements, consider instead writing temporary files to a |
| 41 | + location in the user home folder. Some considerations for this model: |
| 42 | + |
| 43 | + - There is no automatic cleanup in user folders. Files will remain permanently or require cleanup by the app |
| 44 | + - Some environments do not have user home folders (e.g., systemd). Consider providing an environment variable |
| 45 | + to override the location of the temporary folder, and provide user documentation for this variable. |
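Review bot: the creation recipe ("A pseudorandom name, unlikely to cause collisions" plus "700 for directories, 600 for files") leaves out the step that actually closes the race in a shared directory: the file must be created atomically with `O_CREAT|O_EXCL` (or with `mkstemp(3)`/`mkdtemp(3)`, which do this and choose the random name for you), with the mode passed at creation time rather than applied afterwards with `chmod`, and with `O_NOFOLLOW` wherever a name might be reused. Without that, anyone who can write to the shared directory can pre-create a symlink or file at a guessed name, and a well-chosen random name only lowers the odds instead of removing the attack; the later bullet "Never rely on having ownership of a particular file name" should point at the same mechanism as the fix. Two factual points: `GetTempPath()` is a Win32 API, so it cannot be the library function a Unix program calls to locate the folder; name a Unix-side equivalent (the language runtime's tempfile facility) or drop the example. And macOS does have a shared, sticky-bit `/tmp`, so "often a global folder (except on MacOS)" and "These folders are not used for MacOS" overstate the case; what differs is that `$TMPDIR` on macOS points to a per-user directory under `/var/folders`, which is precisely the argument for preferring `$TMPDIR` over a hard-coded `/tmp`. Style: the paragraph starting "If any of the above conflict with the feature requirements" and the two bullets after it are indented by one space following the bullet list, so they render as a continuation of the last list item rather than a new paragraph; remove the leading space.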