Hi Karl, Michael,

* Karl Berry wrote on Thu, Jan 27, 2011 at 02:42:32AM CET:
> Is the problem mentioned in the standards the same as the one described
> here?
> http://www.linuxsecurity.com/content/view/115462/151/
>
> Yes.
>
> If yes, then, maybe, advice to use mktemp would be more appropriate?
>
> Mentioning mktemp is a good idea. But doesn't noclobber also avoid the
> security problem (though in an inferior way), because either your
> program or the attacker's will fail to create the file, with noclobber
> set.

Right.

> Here's my attempt at a new paragraph:
>
> In bash, use @code{set -C} (long name @code{noclobber}) to avoid this
> problem; the @code{mktemp} utility is a more general solution for
> creating temporary files from shell scripts (@pxref{mktemp
> invocation,,, coreutils, GNU Coreutils}).

Sounds better. You could mention that mktemp is available everywhere.
'info Autoconf --index mktemp' also has a recommendation for a portable
alternative. And for the $RANDOM alternative mentioned there, noclobber
would be a nice additional measure.

Cheers,
Ralf
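
The two measures discussed in this message, combined in one sketch. This is an added example, not part of the original thread and not code from the GNU standards or the Autoconf manual; the function names `create_exclusive` and `safe_tmpfile` and the `demo.` file prefix are hypothetical.

```shell
# Added example; function names and the "demo." prefix are hypothetical.

# Create an empty file at $1 only if nothing usable is already there.
# With noclobber (set -C) a ">" redirection refuses to overwrite an
# existing regular file, so either this script or whoever planted the
# file first loses the race; the planted file is never written through.
create_exclusive() {
  ( umask 077 && set -C && : > "$1" ) 2>/dev/null
}

# Print the path of a new private temporary file under $TMPDIR (default /tmp).
# Prefer mktemp, which picks an unpredictable name and creates it atomically.
# If mktemp is missing or fails, fall back to a $$-$RANDOM name and let
# noclobber reject any name that already exists.
safe_tmpfile() {
  dir=${TMPDIR:-/tmp}
  if f=$(mktemp "$dir/demo.XXXXXX" 2>/dev/null) && test -f "$f"; then
    printf '%s\n' "$f"
    return 0
  fi
  tries=0
  while [ "$tries" -lt 10 ]; do
    # $RANDOM is empty in some shells; the counter still varies the name.
    f=$dir/demo.$$-${RANDOM:-0}-$tries
    if create_exclusive "$f"; then
      printf '%s\n' "$f"
      return 0
    fi
    tries=$((tries + 1))
  done
  return 1
}
```

Callers should check the exit status of `safe_tmpfile` and remove the file when done, for example with `trap 'rm -f "$tmp"' EXIT`.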