
When working in Linux Bash, there is sometimes a need to create a temporary file. A common way of creating a temp file on Linux is to create a file in the /tmp directory. However, there is a security risk in creating temp files in /tmp. This post shows how to securely create a temp file in Linux Bash.

Creating files in the /tmp directory carries several security risks. The directory can be accessed by any user on the system, and any user can write data into it as well. Files created in this directory can also be read by other users.

pike@DESKTOP-G352RBR:/tmp$ touch /tmp/info.txt
pike@DESKTOP-G352RBR:/tmp$ ls -lart /tmp/info.txt
-rw-rw-rw- 1 pike pike 0 Dec 31 13:01 /tmp/info.txt

By default, the file created can be read and written by any user. Moreover, if an attacker knows the temp file name, they can create a symbolic link to the file and put bad data in it, which may cause the system to malfunction. Last but not least, the temp file should be deleted when the script exits; however, it may not be deleted if the script exits unexpectedly.

The best practices for creating temp files are:

Check whether the file exists before creating

Ensure the temp file is created successfully

Have permission control on the temp file created

Use unpredictable file name

Delete temp file when script exits

The mktemp command is built for creating secure temp files. Although it will not check whether the file exists before creating it, it supports unique, unpredictable file names and a deletion mechanism, which reduce the security risk.

A temp file can be created by running the mktemp command directly.

pike@DESKTOP-G352RBR:/tmp$ mktemp
/tmp/tmp.ykpE2mvchw

The file created can only be read and written by the file owner by default.

pike@DESKTOP-G352RBR:/tmp$ ls -l /tmp/tmp.ykpE2mvchw
-rw------- 1 pike pike 0 Dec 31 13:10 /tmp/tmp.ykpE2mvchw

In a Bash script, the command can be

#!/bin/bash
TMPFILE=$(mktemp)
echo "Our temp file is $TMPFILE"

To ensure the file is created successfully, there should be an OR operator (||) that exits the script if the file fails to be created.

#!/bin/bash
TMPFILE=$(mktemp) || exit 1
echo "Our temp file is $TMPFILE"

To ensure the temp file is deleted when the script exits, the trap command can be used.

#!/bin/bash
trap 'rm -f "$TMPFILE"' EXIT
TMPFILE=$(mktemp) || exit 1
echo "Our temp file is $TMPFILE"
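The three steps above (create with mktemp, fail instead of falling back to a guessable name, remove on EXIT) combined into one script, as an added example that is not from the original article. The helper names create_tmpfile, check_tmpfile, with_tmpfile and demo_cleanup are my own; the permission check assumes GNU coreutils stat, and the template passed to mktemp is a constructed one.

```shell
#!/bin/bash
# Added example: secure temp-file handling with mktemp and trap.
# Helper names are hypothetical; stat -c assumes GNU coreutils.

set -u

# Create the temp file with mktemp under $TMPDIR (default /tmp).
# On failure return non-zero so the caller exits rather than
# silently using a predictable fallback path.
create_tmpfile() {
    local f
    f=$(mktemp "${TMPDIR:-/tmp}/example.XXXXXXXXXX") || return 1
    printf '%s\n' "$f"
}

# Defensive check on what mktemp gave us: a regular file (not a
# symlink planted at the path) with mode 0600, owner-only access.
check_tmpfile() {
    local f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    [ "$(stat -c '%a' "$f")" = "600" ] || return 1
}

# Run a command in a subshell that owns a temp file and removes it on
# EXIT, whether the command finishes normally or the shell exits early.
# The command receives the temp file path as its last argument.
with_tmpfile() {
    (
        TMPFILE=$(create_tmpfile) || exit 1
        trap 'rm -f "$TMPFILE"' EXIT
        "$@" "$TMPFILE"
    )
}

# Demonstrate the cleanup: write into the temp file inside the subshell,
# report the path, then confirm the file is gone once the subshell exits.
demo_cleanup() {
    local used
    used=$(with_tmpfile sh -c 'echo "scratch data" > "$1"; printf "%s" "$1"' _) || return 1
    [ -n "$used" ] || return 1
    [ ! -e "$used" ]    # succeeds only if the EXIT trap removed it
}

if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    demo_cleanup && echo "temp file created, used and removed"
fi
```

The trap is registered right after the assignment succeeds, so the cleanup never runs with an empty path, and `rm -f "$TMPFILE"` is quoted so a path containing spaces cannot be split into several arguments.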

The mktemp command accepts several options.

-d creates a temp directory.

pike@DESKTOP-G352RBR:/tmp$ mktemp -d
/tmp/tmp.AfFhSTgnJV
pike@DESKTOP-G352RBR:/tmp$ ls -lart /tmp/tmp.AfFhSTgnJV
total 0
drwxrwxrwt 1 root root 4096 Dec 31 13:16 ..
drwx------ 1 pike pike 4096 Dec 31 13:16 .

-p specifies the directory in which the temp file will be created.

pike@DESKTOP-G352RBR:/tmp$ mktemp -p ~
/home/pike/tmp.lhN6Q1rSqp

-t can be used to define the template for the temp file name. The template must end with at least 3 X characters.

pike@DESKTOP-G352RBR:/tmp$ mktemp -t mytemp.XXXXXXX
/tmp/mytemp.uaWoXpx

The trap command is used to respond to system signals in a Bash script. A common signal is SIGINT, which is normally produced by pressing Ctrl + C.

The -l option of trap lists all the supported signals.

pike@DESKTOP-G352RBR:/tmp$ trap -l
 1) SIGHUP       2) SIGINT       3) SIGQUIT      4) SIGILL
 5) SIGTRAP      6) SIGABRT      7) SIGBUS       8) SIGFPE
 9) SIGKILL     10) SIGUSR1     11) SIGSEGV     12) SIGUSR2
13) SIGPIPE     14) SIGALRM     15) SIGTERM     16) SIGSTKFLT
17) SIGCHLD     18) SIGCONT     19) SIGSTOP     20) SIGTSTP
21) SIGTTIN     22) SIGTTOU     23) SIGURG      24) SIGXCPU
25) SIGXFSZ     26) SIGVTALRM   27) SIGPROF     28) SIGWINCH
29) SIGIO       30) SIGPWR      31) SIGSYS      34) SIGRTMIN
35) SIGRTMIN+1  36) SIGRTMIN+2  37) SIGRTMIN+3  38) SIGRTMIN+4
39) SIGRTMIN+5  40) SIGRTMIN+6  41) SIGRTMIN+7  42) SIGRTMIN+8
43) SIGRTMIN+9  44) SIGRTMIN+10 45) SIGRTMIN+11 46) SIGRTMIN+12
47) SIGRTMIN+13 48) SIGRTMIN+14 49) SIGRTMIN+15 50) SIGRTMAX-14
51) SIGRTMAX-13 52) SIGRTMAX-12 53) SIGRTMAX-11 54) SIGRTMAX-10
55) SIGRTMAX-9  56) SIGRTMAX-8  57) SIGRTMAX-7  58) SIGRTMAX-6
59) SIGRTMAX-5  60) SIGRTMAX-4  61) SIGRTMAX-3  62) SIGRTMAX-2
63) SIGRTMAX-1  64) SIGRTMAX

The syntax of trap is

trap [action] [signal]

action specifies the command to run

signal is the signal to trap
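The mktemp options (-d, -p and a template) and the trap syntax together, as an added example that is not from the original article: a worker owns a temp directory, turns SIGINT/SIGTERM into an ordinary exit so the EXIT trap still runs, and the demo function sends it SIGTERM and checks that the directory really was removed. The function names create_tmpdir, worker and demo_signal_cleanup, the template cleanup-demo.XXXXXXXX and the use of $TMPDIR as the -p directory are my own choices.

```shell
#!/bin/bash
# Added example: cleaning up a mktemp -d directory on signals via trap.
# Function names and the template are hypothetical.

# -d makes a directory, -p chooses where, and the trailing X characters
# of the template are replaced with unpredictable characters.
create_tmpdir() {
    mktemp -d -p "${TMPDIR:-/tmp}" cleanup-demo.XXXXXXXX
}

# The worker owns the directory for its lifetime. The EXIT trap does the
# removal; the INT and TERM traps convert the signal into a normal exit
# (130 and 143 are the conventional "killed by INT/TERM" statuses) so
# that the EXIT trap is guaranteed to run.
worker() {
    local dir=$1
    trap 'rm -rf "$dir"' EXIT
    trap 'exit 130' INT
    trap 'exit 143' TERM
    while :; do
        sleep 1     # stand-in for real work
    done
}

# Start the worker in the background, interrupt it with SIGTERM, then
# verify the temp directory is gone. Returns 0 on a clean cleanup.
demo_signal_cleanup() {
    local dir pid
    dir=$(create_tmpdir) || return 1
    [ -d "$dir" ] || return 1
    worker "$dir" &
    pid=$!
    sleep 1                      # give the worker time to install its traps
    kill -TERM "$pid"
    wait "$pid" 2>/dev/null || true   # exit status 143 is expected here
    [ ! -d "$dir" ]
}

if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    demo_signal_cleanup && echo "temp directory removed after SIGTERM"
fi
```

Note that the shell defers running a trap until the current foreground command (here `sleep 1`) returns, so cleanup happens within about a second of the signal; a worker doing long uninterruptible work would delay it accordingly. SIGKILL cannot be trapped at all, which is one reason the EXIT trap is only a safety net and a predictable, world-writable temp path remains a risk.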
