
Messaging and GCC - "use of `mktemp' is dangerous" warning

Hi,

I'm trying to mimic the IPC/messaging system of a specific OS in a
portable way by using GCC's library. The IPC system uses buffered
asynchronous messages, where any thread can send a message to any other
thread (i.e. to the "threadID") without blocking, and the receiver does
any security checks necessary.

I'm trying to implement the portable/linux version on top of
sockets/datagrams ("SOCK_DGRAM" in the local namespace), and so far
it's working. The first problem I had is that you can't send a datagram
directly to a PID. To get around this, each process creates a temporary
file for its socket. When any process is created the file name its
parent used is passed as a command line argument ("excl"), and the new
process uses this information to send an "init" message back to its
parent containing the file name it used for its socket. When the
parent receives this "init" message, it broadcasts a "new process"
message to all previous processes within the application. It's an ugly
mess, but after all processes have started (and built a "directory" of
message port IDs) it does work like the IPC system I'm trying to
mimic.

To allow several instances of the application to run at the same time
(without file name conflicts), I'm using the "mktemp" function to
create unique file names for each process's socket.

Unfortunately, GCC keeps reporting warnings - "warning: the use of
`mktemp' is dangerous, better use `mkstemp'".

Is there a way to do this more securely or more cleanly? The "mkstemp"
function isn't quite the same as "bind", and using "mkstemp" and then
closing/deleting the file before calling "bind" seems stupid (it's just
as insecure and messier).

Alternatively, is there a way to disable this warning? For an open
source project, it's a little embarrassing when the compiler decides to
tell others that your code is "dangerous" (especially if there is no
viable alternative)....
Thanks,

Brendan

May 1 '06 #1
On 1 May 2006 12:38:35 -0700, "Brendan" <bt******@gmail.com> wrote in
comp.lang.c:
> Hi,
>
> I'm trying to mimic the IPC/messaging system of a specific OS in a
> portable way by using GCC's library. The IPC system uses buffered
> asynchronous messages, where any thread can send a message to any other
> thread (i.e. to the "threadID") without blocking, and the receiver does
> any security checks necessary.
>
> I'm trying to implement the portable/linux version on top of
> sockets/datagrams ("SOCK_DGRAM" in the local namespace), and so far
> it's working. The first problem I had is that you can't send a datagram
> directly to a PID. To get around this, each process creates a temporary
> file for its socket. When any process is created the file name its
> parent used is passed as a command line argument ("excl"), and the new
> process uses this information to send an "init" message back to its
> parent containing the file name it used for its socket. When the
> parent receives this "init" message, it broadcasts a "new process"
> message to all previous processes within the application. It's an ugly
> mess, but after all processes have started (and built a "directory" of
> message port IDs) it does work like the IPC system I'm trying to
> mimic.
>
> To allow several instances of the application to run at the same time
> (without file name conflicts), I'm using the "mktemp" function to
> create unique file names for each process's socket.
>
> Unfortunately, GCC keeps reporting warnings - "warning: the use of
> `mktemp' is dangerous, better use `mkstemp'".
>
> Is there a way to do this more securely or more cleanly? The "mkstemp"
> function isn't quite the same as "bind", and using "mkstemp" and then
> closing/deleting the file before calling "bind" seems stupid (it's just
> as insecure and messier).
>
> Alternatively, is there a way to disable this warning? For an open
> source project, it's a little embarrassing when the compiler decides to
> tell others that your code is "dangerous" (especially if there is no
> viable alternative)....
> Thanks,
>
> Brendan

None of sockets, threads, IPC, PID, or mkstemp are defined by or part
of the standard C library. I would suggest you post this either to a
gcc support group, or one for programming for that "specific OS" that
you were careful not to mention.

--
Jack Klein
Home: http://JK-Technology.Com
FAQs for
comp.lang.c http://c-faq.com/
comp.lang.c++ http://www.parashift.com/c++-faq-lite/
alt.comp.lang.learn.c-c++
http://www.contrib.andrew.cmu.edu/~a...FAQ-acllc.html
May 1 '06 #2
Hi,

Jack Klein wrote:
> None of sockets, threads, IPC, PID, or mkstemp are defined by or part
> of the standard C library. I would suggest you post this either to a
> gcc support group, or one for programming for that "specific OS" that
> you were careful not to mention.

I've reposted to "gnu.gcc.help" - I haven't created any newsgroups for
the OS that I was careful not to mention.
Cheers,

Brendan

May 2 '06 #3
Brendan wrote:
> Hi,
> To allow several instances of the application to run at the same time
> (without file name conflicts), I'm using the "mktemp" function to
> create unique file names for each process's socket.

mktemp() is dangerous, since it allows an attacker to guess names.

> Unfortunately, GCC keeps reporting warnings - "warning: the use of
> `mktemp' is dangerous, better use `mkstemp'".

The linker is actually reporting this.

> Is there a way to do this more securely or more cleanly? The "mkstemp"
> function isn't quite the same as "bind", and using "mkstemp" and then
> closing/deleting the file before calling "bind" seems stupid (it's just
> as insecure and messier).

Isn't tempnam() an alternative ?

> Alternatively, is there a way to disable this warning? For an open
> source project, it's a little embarrassing when the compiler decides to
> tell others that your code is "dangerous" (especially if there is no
> viable alternative)....

No, not that I'm aware of.

Igmar
May 2 '06 #4
Hi,

Igmar Palsenberg wrote:
> Brendan wrote:
>> To allow several instances of the application to run at the same time
>> (without file name conflicts), I'm using the "mktemp" function to
>> create unique file names for each process's socket.
>
> mktemp() is dangerous, since it allows an attacker to guess names.

The mktemp() function *may* be used in an insecure way, but it can also
be used securely and there's plenty of warnings about the problem in
the library manuals. It seems I'm also not the first to have this
problem. An example, from
http://kt.dlut.edu.cn/samba/sm20001223_36.html:

"Despite the stupid compiler warnings mktemp() (when used properly) is
the most secure option available. When something better comes along we
can consider using it, but meanwhile just put up with the stupid
compiler warnings."

To be honest, for my code there is a tiny window of time between the
mktemp() call and bind() call that immediately follows it where an
attacker could cause bind() to fail. In this case the application will
shutdown on startup with a "failed to initialized communications" error
(no data loss, etc). It's entirely acceptable considering the
application itself.
> Isn't tempnam() an alternative ?

The tempnam() function is re-entrant while mktemp() isn't (which
doesn't matter for me as each process only uses it once anyway).
Otherwise they are mostly equivalent, and I still get a "warning: the
use of `tempnam' is dangerous, better use `mkstemp'" warning.

I have thought of one possibility - I could use "mkdtemp" to securely
create a temporary directory, and then create the files used for
sockets in this directory. In this case the file names won't matter and
don't need to be random. It's annoying, but it'd stop the linker's
whining (which solves my problem)... :-)
Thanks,

Brendan

May 2 '06 #5
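The mkdtemp() idea floated in the post above, written out as an added example (this is not Brendan's code or the project's own): the directory is created atomically with mode 0700, so the socket file inside it needs no random name and there is no mktemp()-to-bind() window in which another user can plant a path. The directory template "/tmp/ipcdemo-XXXXXX" and the function names are assumptions made for this example.

```c
#define _DEFAULT_SOURCE          /* for mkdtemp() when compiling with -std=c99 */
#include <errno.h>
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Bind an AF_UNIX datagram socket at <private dir>/<name>. mkdtemp() creates
   the directory atomically with mode 0700, so nobody else can plant a file or
   symlink at the socket path first. Returns fd, path in path_out; -1 on error. */
int bind_private_dgram(const char *name, char *path_out, size_t path_len)
{
    char dir[] = "/tmp/ipcdemo-XXXXXX";  /* assumed template; mkdtemp fills XXXXXX */
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    int fd, n;

    if (mkdtemp(dir) == NULL)
        return -1;
    n = snprintf(addr.sun_path, sizeof addr.sun_path, "%s/%s", dir, name);
    if (n < 0 || n >= (int)sizeof addr.sun_path || n >= (int)path_len) {
        rmdir(dir); errno = ENAMETOOLONG; return -1;
    }
    if ((fd = socket(AF_UNIX, SOCK_DGRAM, 0)) < 0) { rmdir(dir); return -1; }
    /* Unlike mktemp()+bind(), no window exists here for a pre-planted path. */
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) {
        int e = errno; close(fd); rmdir(dir); errno = e; return -1;
    }
    memcpy(path_out, addr.sun_path, (size_t)n + 1);
    return fd;
}

/* Send one datagram to a peer's bound socket path (its "message port"). */
ssize_t send_to_port(int fd, const char *peer_path, const void *msg, size_t len)
{
    struct sockaddr_un to = { .sun_family = AF_UNIX };
    if (snprintf(to.sun_path, sizeof to.sun_path, "%s", peer_path)
            >= (int)sizeof to.sun_path) { errno = ENAMETOOLONG; return -1; }
    return sendto(fd, msg, len, 0, (struct sockaddr *)&to, sizeof to);
}

/* Close the socket and remove both the socket file and its private dir. */
int cleanup_private_dgram(int fd, char *path)
{
    close(fd);
    if (unlink(path) < 0) return -1;
    return rmdir(dirname(path));   /* dirname() may modify path in place */
}
```

Each process still has to tell its parent the path it ended up with, exactly as the "init" message in the original post does; only the way the path is chosen changes.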
Brendan wrote:
> Hi,
>
> Igmar Palsenberg wrote:
>> Brendan wrote:
>>> To allow several instances of the application to run at the same time
>>> (without file name conflicts), I'm using the "mktemp" function to
>>> create unique file names for each process's socket.
>>
>> mktemp() is dangerous, since it allows an attacker to guess names.
>
> The mktemp() function *may* be used in an insecure way, but it can also
> be used securely and there's plenty of warnings about the problem in
> the library manuals. It seems I'm also not the first to have this
> problem. An example, from
> http://kt.dlut.edu.cn/samba/sm20001223_36.html:
>
> "Despite the stupid compiler warnings mktemp() (when used properly) is
> the most secure option available. When something better comes along we
> can consider using it, but meanwhile just put up with the stupid
> compiler warnings."
>
> To be honest, for my code there is a tiny window of time between the
> mktemp() call and bind() call that immediately follows it where an
> attacker could cause bind() to fail. In this case the application will
> shutdown on startup with a "failed to initialized communications" error
> (no data loss, etc). It's entirely acceptable considering the
> application itself.
>
>> Isn't tempnam() an alternative ?
>
> The tempnam() function is re-entrant while mktemp() isn't (which
> doesn't matter for me as each process only uses it once anyway).
> Otherwise they are mostly equivalent, and I still get a "warning: the
> use of `tempnam' is dangerous, better use `mkstemp'" warning.
>
> I have thought of one possibility - I could use "mkdtemp" to securely
> create a temporary directory, and then create the files used for
> sockets in this directory. In this case the file names won't matter and
> don't need to be random. It's annoying, but it'd stop the linker's
> whining (which solves my problem)... :-)

[OT]
Isn't there an option to GCC to ask it to shut up about certain warnings?
May 2 '06 #6
Hi,

void * clvrmnky() wrote:
> [OT]
> Isn't there an option to GCC to ask it to shut up about certain warnings?

Yes - there's lots of command line options that enable or disable
specific types of warnings. AFAIK every "enable" option has a
corresponding "disable" option (which is normally the same with a "no-"
inserted) - for example, "-Wunused-function" and "-Wno-unused-function".

As Igmar correctly pointed out, the "mktemp()" warnings are from the
linker and not from GCC. As far as I've been able to find out there is
no way to enable/disable these warnings - they're like a big permanent
glowing sign proclaiming that I'm a moron and that the code is
"dangerous" (which is why I've spent the last 4 hours modifying my
"compatibility layer").

[Even more OT]

To be honest, it's working out better than I thought it would - I'm
using the "message port ID" as the file name for each socket, which
means I don't need to send a "new process started" broadcast message
anymore (and makes it easier to hide the legacy environment from the
application).
Cheers,

Brendan

May 2 '06 #7
