Linux – Best Method to Create Temporary Named Pipe with mktemp

linuxpipeSecurityshell

I'm aware its best to create temporary files with mktemp, but what about named pipes?

I prefer things to be as POSIX compliant as possible, but Linux only is acceptable. Avoiding Bashisms is my only hard criteria, as I write in dash.

Best Answer

tmppipe=$(mktemp -u)
mkfifo -m 600 "$tmppipe"

Unlike regular file creation, which is prone to being hijacked by an existing file or a symbolic link, the creation of a name pipe through mkfifo or the underlying function either creates a new file in the specified place or fails. Something like : >foo is unsafe because if the attacker can predict the output of mktemp then the attacker can create the target file for himself. But mkfifo foo would fail in such a scenario.

If you need full POSIX portability, mkfifo -m 600 /tmp/myfifo is safe against hijacking but prone to a denial of service; without access to a strong random file name generator, you would need to manage retry attempts.

If you don't care for the subtle security problems around temporary files, you can follow a simple rule: create a private directory, and keep everything in there.

tmpdir=
cleanup () {
  trap - EXIT
  if [ -n "$tmpdir" ] ; then rm -rf "$tmpdir"; fi
  if [ -n "$1" ]; then trap - $1; kill -$1 $$; fi
}
tmpdir=$(mktemp -d)
trap 'cleanup' EXIT
trap 'cleanup HUP' HUP
trap 'cleanup TERM' TERM
trap 'cleanup INT' INT
mkfifo "$tmpdir/pipe"

Related Solutions

Is the data transiting through a pipe confidential

The command line you are suggesting is secure.

All other things being equal, "normal" anonymous pipes (created with the pipe(2) system call or the shell's familiar | syntax) are always going to be more secure than named pipes because there are fewer ways for something else outside the system to get ahold of either one of the ends of the pipe. For normal anonymous pipes, you can only read or write from the pipe if you already have in your possession a file descriptor for it, which means you must either be the process that created the pipe, or must have inherited it (directly or indirectly) from that process, or some process that had the file descriptor deliberately sent it to you through a socket. For named pipes, you can obtain a file descriptor to the pipe if you don't have one already by opening it by name.

On operating systems like Linux that have /proc there is always the possibility that another process can peek into /proc/pid/fd an access file descriptors belonging to a different process, but this is nothing unique to pipes (of whatever kind), and for that matter they can peek into another process' memory space too. The "peeker" must be either running under the same user as the subject or root, so it's not a security problem.

Linux – How to call a binary outside PATH

Creating a hardlink should probably be avoided, there's no need for one and a symlink is simpler and safer. Your other solutions are also fine though. You can create as script that calls the binary or you can add the directory to your PATH. The latter might be preferable if you expect to add other binaries in /opt as well.

This is essentially a matter of preference. In such cases, usually the simplest solution is the best. So, just create a soft link and you're all set:

sudo ln -s /opt/master-pdf-editor-3 /usr/bin

Alternatively, of course, you could just call the binary with its full path:

/opt/master-pdf-editor-3

Finally, if it's only for your user, you can create an alias by adding this line to your shell's initialization file (e.g. ~/.bashrc):

alias master-pdf-editor-3='/opt/master-pdf-editor-3'

Anyway, no, there isn't any single Best Way© to do this. It depends on how you want your system to be set up and your own preferences as the system's administrator.

Best Answer

Related Solutions

Is the data transiting through a pipe confidential

Linux – How to call a binary outside PATH

Related Question