MacOS – How to determine public temp directory on OS X to be write-accessible by www server

command linefoldersmacosscript

I've MAMP running httpd server as _www and I'd like to assign the temporary directory as part of the shell script (bash).

I've tried to use $TMPDIR as per these posts:

however it points to /var/folders/vp/tlt7xf791gl1_v56m0xdmrph0000gn/T/ and this folder has not necessary permissions, so Apache server can't create any files in there.

Based on this:

$ /usr/bin/stat -F $TMPDIR /tmp /private/tmp 
drwx------ 104 kenorb staff 3536 Oct 14 22:21:05 2015 /var/folders/vp/tlt7xf791gl1_v56m0xdmrph0000gn/T//
lrwxr-xr-x 1 root wheel 11 Apr  9 13:08:03 2014 /tmp@ -> private/tmp
drwxrwxrwt 112 root wheel 3808 Oct 14 22:12:04 2015 /private/tmp/

My www user which I care about:

$ id _www
uid=70(_www) gid=70(_www) groups=70(_www),12(everyone),61(localaccounts),401(com.apple.sharepoint.group.1),100(_lpoperator)

I can't use /tmp, because it's linked to my /private/tmp (which name states it's private).

Therefore how do I determine my correct temporary directory on OS X, so I and my httpd server can use it?

I don't want to hardcode value, as the script would be useless when used on different environments (e.g. on non-MAMP environment), so the location can vary.

Best Answer

I would write to /tmp (which is equivalent to writing to /private/tmp ) since it's writable by all users and not just administrative users. It's there for compatibility and for bonus points, your script can clean up files or cut them if they grow too large.

I don't have an authoritative reference to why /private was called that, but it's always been open to writing and isn't restricted like $TMPDIR is from non-admin users.

The real question is what user are you running apache - a member of the ADMIN group or just a normal non-admin user?

Apple documents this in the Secure Coding Guide with the admonition that writing files to publicly readable locations is inherently insecure and that it's better to place files in more protected locations that aren't readable by all users. See the Race Conditions and Secure File Operations section and this link on creating secure temporary files. By using the mkstemp POSIX call you ensure a unique file is created and can control access with umask.

Oddly (to me), mktemp when run by a non-admin user can still make a temp file in $TMPDIR so it's clearly using escalated privileges to hand off that more "secure" file to non-admin users. Pretty cool.

Related Solutions

How to determine the absolute path to a file in a shell script

One option would be to install coreutils and use greadlink -f. It resolves symlinks and it works with /Foo/ or ~/foo.txt if they don't exist, but not with /Foo/foo.txt if /Foo/ doesn't exist.

$ brew install coreutils
$ greadlink -f /etc
/private/etc
$ greadlink -f ~/Documents/
/Users/lauri/Documents
$ greadlink -f ..
/Users
$ greadlink -f //etc/..////
/private
$ greadlink -f /Foo
/Foo
$ greadlink -f /Foo/foo.txt
$

This doesn't resolve symlinks, and it doesn't work with /Foo/foo.txt either.

abspath() {
  if [ -d "$1" ]; then
    ( cd "$1"; dirs -l +0 )
  else
    ( cd "$(dirname "$1")"; d=$(dirs -l +0); echo "${d%/}/${1##*/}" )
  fi
}

abspath /etc # /etc
abspath /Foo/foo.txt # doesn't work
abspath /Foo # works
abspath .
abspath ./
abspath ../
abspath ..
abspath /
abspath ~
abspath ~/
abspath ~/Documents
abspath /\"\ \'
abspath /etc/../etc/
abspath /private//etc/
abspath /private//
abspath //private # //private
abspath ./aa.txt
abspath aa.tar.gz
abspath .aa.txt
abspath /.DS_Store

dirs -l performs tilde expansion. dirs +0 prints only the top directory if there are other directories in the stack. You could also replace the subshells with something like old="$PWD" ... cd "$old".

Ruby's expand_path works with all paths that don't exist, but it doesn't resolve symlinks.

$ ruby -e 'print File.expand_path ARGV[0]' ~/aa/bb
/Users/lauri/aa/bb$

MacOS – Determine if file or directory is encrypted

If you're using FileVault 2 (OS X Lion and newer), the entire boot partition will be encrypted, which includes your home folder as well as Applications.

I ran the following command and part of the output shows I am using an encrypted, unlocked volume:

ashley@sidekick-4:~$ sudo diskutil list
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *251.0 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:          Apple_CoreStorage                         250.1 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh HD           *249.8 GB   disk1
                                 Logical Volume on disk0s2
                                 2DDC5CBD-1B65-403E-9D4F-9424BC764433
                                 Unlocked Encrypted
/dev/disk3
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *2.0 TB     disk3
   1:                        EFI EFI                     209.7 MB   disk3s1
   2:                  Apple_HFS Time Machine Backups    2.0 TB     disk3s2
ashley@sidekick-4:~$

Best Answer

Related Solutions

How to determine the absolute path to a file in a shell script

MacOS – Determine if file or directory is encrypted

Related Question