Create temp file in Bash using mktemp and trap

sonic0002  2019-12-30 23:28:23

When working in Bash on Linux, you sometimes need to create a temporary file. The common approach is to create a file in the /tmp directory, but doing that carelessly carries security risks. This post shows how to create temp files securely in Bash.

Creating a file in the /tmp directory carries several risks. The directory is accessible to every user on the system, every user can write to it, and files created there can also be read by other users.

pike@DESKTOP-G352RBR:/tmp$ touch /tmp/info.txt
pike@DESKTOP-G352RBR:/tmp$ ls -lart /tmp/info.txt
-rw-rw-rw- 1 pike pike 0 Dec 31 13:01 /tmp/info.txt

By default, the file created can be read and written by any user. Moreover, if an attacker knows the temp file name in advance, they can create a symbolic link with that name and put bad data into the file, which may cause the system to malfunction. Last but not least, the temp file should be deleted when the script exits, but it may be left behind if the script exits unexpectedly.

Best practices for creating temp files are:

  • Check whether the file exists before creating it
  • Ensure the temp file is created successfully
  • Have permission control on the created temp file
  • Use an unpredictable file name
  • Delete the temp file when the script exits

The mktemp command is built for creating secure temp files. Although it does not check in advance whether the file exists (it creates a new file atomically under a fresh name instead), it generates unique, unpredictable file names and, together with trap, gives a deletion mechanism, which reduces the security risk.

A temp file can be created by running the mktemp command directly.

pike@DESKTOP-G352RBR:/tmp$ mktemp
/tmp/tmp.ykpE2mvchw

By default, the file created can be read and written only by its owner.

pike@DESKTOP-G352RBR:/tmp$ ls -l /tmp/tmp.ykpE2mvchw
-rw------- 1 pike pike 0 Dec 31 13:10 /tmp/tmp.ykpE2mvchw

In a Bash script, the command can be used like this:

#!/bin/bash

TMPFILE=$(mktemp)
echo "Our temp file is $TMPFILE"

To ensure the file was created successfully, use the || operator to exit the script if mktemp fails.

#!/bin/bash

TMPFILE=$(mktemp) || exit 1
echo "Our temp file is $TMPFILE"

And to ensure the temp file is deleted when the script exits, the trap command can be used. The action string is single-quoted so that $TMPFILE is expanded when the trap runs, not when it is set.

#!/bin/bash

trap 'rm -f "$TMPFILE"' EXIT

TMPFILE=$(mktemp) || exit 1
echo "Our temp file is $TMPFILE"
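The three steps above (create with mktemp, abort if that fails, remove on exit via trap) put together as one runnable script. This is an added example, not code from the original post; it assumes GNU coreutils mktemp (for the -p DIR option) and a Linux-style ls -l permission string. The check_tempfile helper is a hypothetical addition that verifies the properties the post relies on: the path is not a symbolic link, it is a regular file owned by the current user, and its mode is 0600.

```bash
#!/bin/bash
# Added example (not from the original post). Assumes GNU mktemp and a
# ls -l output whose first ten characters are the permission string.

# make_tempfile [DIR]: create a private temp file under DIR (default $TMPDIR,
# else /tmp) from an unpredictable template and print its path.
# On failure mktemp prints nothing and returns non-zero, so callers can write
#   f=$(make_tempfile) || exit 1
make_tempfile() {
    local dir="${1:-${TMPDIR:-/tmp}}"
    mktemp -p "$dir" example.XXXXXXXXXX
}

# check_tempfile PATH: defensive checks before trusting a path in a shared
# directory such as /tmp. Succeeds only if PATH is not a symbolic link, is a
# regular file owned by the current user, and is mode 0600 (rw-------),
# which is what mktemp produces by default.
check_tempfile() {
    local f="$1" perms
    [ ! -L "$f" ] || return 1          # a symlink could point anywhere
    [ -f "$f" ] || return 1            # must be a regular file
    [ -O "$f" ] || return 1            # must be owned by us
    perms=$(ls -ld "$f" | cut -c1-10) || return 1
    [ "$perms" = "-rw-------" ] || return 1
}

# cleanup_demo: the post's pattern, run in a subshell so the EXIT trap fires
# when the subshell ends rather than when the whole script does. It prints the
# path it used; by the time the caller reads it, the trap has removed the file.
cleanup_demo() {
    (
        trap 'rm -f "$TMPFILE"' EXIT    # runs on normal exit, 'exit', or an error
        trap 'exit 1' INT TERM          # Ctrl+C / kill: exit, so EXIT still fires
        TMPFILE=$(make_tempfile) || exit 1
        check_tempfile "$TMPFILE" || exit 1
        printf 'scratch data\n' > "$TMPFILE"
        printf '%s\n' "$TMPFILE"
    )
}

# Stand-alone usage: create, verify and clean up, then confirm the file is gone.
used=$(cleanup_demo) || exit 1
if [ -e "$used" ]; then
    echo "temp file $used was NOT removed"
else
    echo "temp file $used was created and removed on exit"
fi
```

Note that the checks in check_tempfile run after mktemp has already created the file, so they do not replace its atomic creation; they are a belt-and-braces confirmation that nothing in the directory has been substituted for the file the script expects.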

The mktemp command accepts several options.

-d creates a temp directory instead of a file.

pike@DESKTOP-G352RBR:/tmp$ mktemp -d
/tmp/tmp.AfFhSTgnJV
pike@DESKTOP-G352RBR:/tmp$ ls -lart /tmp/tmp.AfFhSTgnJV
total 0
drwxrwxrwt 1 root root 4096 Dec 31 13:16 ..
drwx------ 1 pike pike 4096 Dec 31 13:16 .

-p specifies the directory in which the temp file will be created.

pike@DESKTOP-G352RBR:/tmp$ mktemp -p ~
/home/pike/tmp.lhN6Q1rSqp

-t treats its argument as a template for the temp file name. The template must end with at least 3 X characters, which mktemp replaces with random characters.

pike@DESKTOP-G352RBR:/tmp$ mktemp -t mytemp.XXXXXXX
/tmp/mytemp.uaWoXpx

The trap command is used to respond to system signals in a Bash script. A common signal is SIGINT, which is normally produced by pressing Ctrl + C.

The -l option of trap lists all supported signals.

pike@DESKTOP-G352RBR:/tmp$ trap -l
 1) SIGHUP       2) SIGINT       3) SIGQUIT      4) SIGILL       5) SIGTRAP
 6) SIGABRT      7) SIGBUS       8) SIGFPE       9) SIGKILL     10) SIGUSR1
11) SIGSEGV     12) SIGUSR2     13) SIGPIPE     14) SIGALRM     15) SIGTERM
16) SIGSTKFLT   17) SIGCHLD     18) SIGCONT     19) SIGSTOP     20) SIGTSTP
21) SIGTTIN     22) SIGTTOU     23) SIGURG      24) SIGXCPU     25) SIGXFSZ
26) SIGVTALRM   27) SIGPROF     28) SIGWINCH    29) SIGIO       30) SIGPWR
31) SIGSYS      34) SIGRTMIN    35) SIGRTMIN+1  36) SIGRTMIN+2  37) SIGRTMIN+3
38) SIGRTMIN+4  39) SIGRTMIN+5  40) SIGRTMIN+6  41) SIGRTMIN+7  42) SIGRTMIN+8
43) SIGRTMIN+9  44) SIGRTMIN+10 45) SIGRTMIN+11 46) SIGRTMIN+12 47) SIGRTMIN+13
48) SIGRTMIN+14 49) SIGRTMIN+15 50) SIGRTMAX-14 51) SIGRTMAX-13 52) SIGRTMAX-12
53) SIGRTMAX-11 54) SIGRTMAX-10 55) SIGRTMAX-9  56) SIGRTMAX-8  57) SIGRTMAX-7
58) SIGRTMAX-6  59) SIGRTMAX-5  60) SIGRTMAX-4  61) SIGRTMAX-3  62) SIGRTMAX-2
63) SIGRTMAX-1  64) SIGRTMAX

The syntax of trap is

trap [action] [signal]

  • action specifies the command to run when the signal is received
  • signal specifies which signal to trap; besides the real signals listed by trap -l, Bash also accepts the pseudo-signal EXIT used above, which fires when the script exits for any reason

  2 COMMENTS


AnonymousX @ 2019-12-31 07:32:37
trap -l does not list EXIT - which you have used?
Anonymous @ 2019-12-31 21:24:12

I've never used trap (it has a great use case!) but it doesn't appear to come installed with standard linux (I have Ubuntu 16.04/18.04). Is there a similar tool that is already installed?
