[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Python-Dev] Remove tempfile.mktemp()

On Wed, Mar 20, 2019 at 12:45:40PM +0100, Victor Stinner wrote:
> Hi,
> I'm not really convinced that mktemp() should be made "more secure".
> To be clear: mktemp() is vulnerable by design. It's not a matter of
> entropy. You can watch the /tmp directory using inotify and "discover"
> immediately the "secret" filename, it doesn't depend on the amount of
> entropy used to generate the filename. A function is either unsafe or
> secure.

Security is not a binary state, it is never either-or "unsafe" or 
"secure". Secure against what attacks? Unsafe under what circumstances?

I can use the unsafe mktemp on a stand alone single-user computer, 
disconnected from the internet, guaranteed to have nothing but trusted 
software, and it will be secure in practice.

Or I can use the "safe interfaces" and I'm still vulnerable to an 
Advanced Persistent Threat that has compromised the OS specifically to 
target my application. If the attacker controls the OS or the hardware, 
then effectively they've already won.