Add warnings, ala mktemp, to tempnam and tmpnam as a reminder that

these are inherently unsafe interfaces.

Do not allow TMPDIR to override path for setuid/setgid programs.

2 files changed, 13 insertions, 3 deletions

diff --git a/lib/libc/stdio/tempnam.c b/lib/libc/stdio/tempnam.c
index 243fa39..803596a 100644
--- a/lib/libc/stdio/tempnam.c
+++ b/lib/libc/stdio/tempnam.c
@@ -36,7 +36,7 @@
 static char sccsid[] = "@(#)tempnam.c	8.1 (Berkeley) 6/4/93";
 #endif
 static const char rcsid[] =
-		"$Id$";
+		"$Id: tempnam.c,v 1.5 1997/02/22 15:02:37 peter Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <sys/param.h>
@@ -47,6 +47,11 @@ static const char rcsid[] =
 #include <unistd.h>
 #include <paths.h>
 
+__warn_references(tempnam,
+    "warning: tempnam() possibly used unsafely; consider using mkstemp()");
+
+extern char *_mktemp __P((char *));
+
 char *
 tempnam(dir, pfx)
 	const char *dir, *pfx;
@@ -60,10 +65,10 @@ tempnam(dir, pfx)
 	if (!pfx)
 		pfx = "tmp.";
 
-	if ((f = getenv("TMPDIR"))) {
+	if (issetugid() == 0 && (f = getenv("TMPDIR"))) {
 		(void)snprintf(name, MAXPATHLEN, "%s%s%sXXXXXX", f,
 		    *(f + strlen(f) - 1) == '/'? "": "/", pfx);
-		if ((f = mktemp(name)))
+		if ((f = _mktemp(name)))
 			return(f);
 	}
 
diff --git a/lib/libc/stdio/tmpnam.c b/lib/libc/stdio/tmpnam.c
index ce86482..d0aed48 100644
--- a/lib/libc/stdio/tmpnam.c
+++ b/lib/libc/stdio/tmpnam.c
@@ -43,6 +43,11 @@ static char sccsid[] = "@(#)tmpnam.c	8.3 (Berkeley) 3/28/94";
 #include <stdio.h>
 #include <unistd.h>
 
+__warn_references(tmpnam,
+    "warning: tmpnam() possibly used unsafely; consider using mkstemp()");
+
+extern char *_mktemp __P((char *));
+
 char *
 tmpnam(s)
 	char *s;