
This is a somewhat dangerous pattern for picking temporary files (from #8):

    $ NEWFILE=/tmp/newfile_${RANDOM}
    $ touch $NEWFILE

The problem is that any user on the box can create files under /tmp. An attacker can set up a bunch of symlinks like /tmp/newfile_1, ..., /tmp/newfile_99999 pointing to a file owned by your user. When your script then writes into this temporary file, you'll write through the symlink and clobber one of your own files. Especially dangerous if root :)

This has been a historic source of software vulnerabilities (often with the PID used as the guessable component instead of a random number, though). One recommended alternative is to use the `mktemp` command instead.
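Added example (mine, not part of the thread or of the book being discussed): a self-contained simulation of the attack described in the comment above, and of why `mktemp` is not affected. Python is used instead of bash only because it can plant all 32768 symlinks in a fraction of a second; the two "scripts" mirror `NEWFILE=/tmp/newfile_${RANDOM}; echo ... > "$NEWFILE"` and `NEWFILE=$(mktemp /tmp/newfile_XXXXXX); echo ... > "$NEWFILE"`. The directories and the victim file name are made up for the demo, and `exclusive_create` is a hypothetical helper that shows the open(2) flags `mktemp` depends on.

```python
# Added example (not from the HN thread): the symlink attack on the
# /tmp/newfile_${RANDOM} pattern, and the O_EXCL discipline behind mktemp(1).
# Python stands in for bash here only so that all 32768 symlinks can be
# planted quickly; directory and file names are made up for the demo.
import os
import random
import tempfile

RANDOM_MAX = 32767  # bash $RANDOM is 0..32767 inclusive, so the attacker covers it all
PREFIX = "newfile_"
ORIGINAL = "original contents of a file the victim cares about\n"


def attacker_plant_symlinks(shared_tmp, victim_file):
    """Any user can create entries in the world-writable /tmp: point every
    name the victim might pick at a file owned by the victim."""
    for i in range(RANDOM_MAX + 1):
        os.symlink(victim_file, os.path.join(shared_tmp, f"{PREFIX}{i}"))


def vulnerable_script(shared_tmp, payload):
    """Mirrors  NEWFILE=/tmp/newfile_${RANDOM}; echo "$payload" > "$NEWFILE".
    A plain open-for-write (like the shell redirection) follows symlinks."""
    newfile = os.path.join(shared_tmp, f"{PREFIX}{random.randint(0, RANDOM_MAX)}")
    with open(newfile, "w") as fh:
        fh.write(payload)
    return newfile


def safe_script(shared_tmp, payload):
    """Mirrors  NEWFILE=$(mktemp /tmp/newfile_XXXXXX); echo "$payload" > "$NEWFILE".
    mkstemp() creates the file itself with O_CREAT|O_EXCL (plus O_NOFOLLOW where
    available) and mode 0600, so a pre-planted entry makes the open fail and
    mkstemp picks another name instead of writing through the link."""
    fd, newfile = tempfile.mkstemp(prefix=PREFIX, dir=shared_tmp)
    with os.fdopen(fd, "w") as fh:
        fh.write(payload)
    return newfile


def exclusive_create(path):
    """Hypothetical helper showing the primitive mktemp relies on: refuse to open
    if the name already exists, even as an attacker-planted symlink.
    Returns an fd, or raises FileExistsError."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def run_demo():
    """Runs both patterns against a pre-planted shared directory and reports what happened."""
    with tempfile.TemporaryDirectory() as home, tempfile.TemporaryDirectory() as shared_tmp:
        victim = os.path.join(home, "dotfile")  # stands in for e.g. ~/.bashrc
        with open(victim, "w") as fh:
            fh.write(ORIGINAL)
        attacker_plant_symlinks(shared_tmp, victim)

        # Pattern from the thread: the write lands on the victim's file through the link.
        vulnerable_script(shared_tmp, "clobbered by the victim's own script\n")
        with open(victim) as fh:
            random_pattern_clobbered = fh.read() != ORIGINAL

        with open(victim, "w") as fh:  # restore before the second run
            fh.write(ORIGINAL)
        # mktemp-style pattern: the file is created atomically, never through a link.
        safe_script(shared_tmp, "written to a file mktemp created\n")
        with open(victim) as fh:
            mktemp_pattern_clobbered = fh.read() != ORIGINAL

        # The underlying reason: O_CREAT|O_EXCL fails on a planted name instead of following it.
        try:
            fd = exclusive_create(os.path.join(shared_tmp, f"{PREFIX}0"))
            os.close(fd)
            exclusive_open_refused = False
        except FileExistsError:
            exclusive_open_refused = True

        return {
            "random_pattern_clobbered": random_pattern_clobbered,
            "mktemp_pattern_clobbered": mktemp_pattern_clobbered,
            "exclusive_open_refused_symlink": exclusive_open_refused,
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Because the attacker covers every value `$RANDOM` can take, the first pattern clobbers the victim file on every run, not just sometimes; the `mktemp`-style pattern never does, because the name is chosen and the file created in one exclusive open.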



Nitpick: $RANDOM gives you an integer between 0 and 32767 (inclusive).


this is from a guy writing a book on Docker, so I hope this is for a single-purpose container with no other users of THAT /tmp


it's a very dangerous pattern. Use mktemp(1) instead!



