Create temp file in Bash using mktemp and trap

  sonic0002        2019-12-30 23:28:23       34,786        2         

When working on Linux Bash, sometimes there is need to create temporary file. A common way of creating temp file on Linux is creating some file in /tmp directory. However there is security risk when creating temp file in /tmp directory. This post will show how to securely create temp file in Linux Bash.

When creating file in /tmp directory, there are some security risks. This directory can be accessed by any user on the system, any user can write data into this directory as well. The files created in this directory can also be read by other users. 

pike@DESKTOP-G352RBR:/tmp$ touch /tmp/info.txt
pike@DESKTOP-G352RBR:/tmp$ ls -lart /tmp/info.txt
-rw-rw-rw- 1 pike pike 0 Dec 31 13:01 /tmp/info.txt

By default, the file created can be read and written by any user. Moreover, if an attacker knows about the temp file name, they can create symbolic link to the file and put bad data in the file which may cause system malfunction. Last but not the least, the temp file should be deleted when a script exits, however, the temp file may not be deleted if the script exits unexpected.

The best practices on creating temp files are

  • Check whether the file exists before creating
  • Ensure the temp file is created successfully
  • Have permission control on the temp file created
  • Use unpredictable file name
  • Delete temp file when script exits

mktemp command is built for creating secure temp file. Although it will not check whether the file exists before creating, it can support unique unpredictable file name and deletion mechanism which can reduce the security risk.

A temp file can be created by directly running mktemp command. 

pike@DESKTOP-G352RBR:/tmp$ mktemp
/tmp/tmp.ykpE2mvchw

The file created can only be read and written by the file owner by default.

pike@DESKTOP-G352RBR:/tmp$ ls -l /tmp/tmp.ykpE2mvchw
-rw------- 1 pike pike 0 Dec 31 13:10 /tmp/tmp.ykpE2mvchw

In Bash script, the command can be

#!/bin/bash

TMPFILE=$(mktemp)
echo "Our temp file is $TMPFILE"

To ensure the file is created successfully, there should be an OR operator to exit the script if the file fails to be created. 

#!/bin/bash

TMPFILE=$(mktemp) || exit 1
echo "Our temp file is $TMPFILE"

And to ensure the temp file can be deleted when the script exits, trap command can be used.

#!/bin/bash

trap 'rm -f "$TMPFILE"' EXIT

TMPFILE=$(mktemp) || exit 1
echo "Our temp file is $TMPFILE"

mktemp command can have some options.

-d can be used to create a temp directory.

pike@DESKTOP-G352RBR:/tmp$ mktemp -d
/tmp/tmp.AfFhSTgnJV
pike@DESKTOP-G352RBR:/tmp$ ls -lart /tmp/tmp.AfFhSTgnJV
total 0
drwxrwxrwt 1 root root 4096 Dec 31 13:16 ..
drwx------ 1 pike pike 4096 Dec 31 13:16 .

-p can be used to specify the location where the temp file will be created.

pike@DESKTOP-G352RBR:/tmp$ mktemp -p ~
/home/pike/tmp.lhN6Q1rSqp

-t can be used to define the template for the temp file name. It must have at least 3 X characters at the end of the template. 

pike@DESKTOP-G352RBR:/tmp$ mktemp -t mytemp.XXXXXXX
/tmp/mytemp.uaWoXpx

trap command is used to respond to system signals in the Bash script. A common system signal is SIGINT which is produced normally when pressing Ctrl + C. 

The -l option of trap can list all the system signals supported. 

pike@DESKTOP-G352RBR:/tmp$ trap -l
 1) SIGHUP       2) SIGINT       3) SIGQUIT      4) SIGILL       5) SIGTRAP
 6) SIGABRT      7) SIGBUS       8) SIGFPE       9) SIGKILL     10) SIGUSR1
11) SIGSEGV     12) SIGUSR2     13) SIGPIPE     14) SIGALRM     15) SIGTERM
16) SIGSTKFLT   17) SIGCHLD     18) SIGCONT     19) SIGSTOP     20) SIGTSTP
21) SIGTTIN     22) SIGTTOU     23) SIGURG      24) SIGXCPU     25) SIGXFSZ
26) SIGVTALRM   27) SIGPROF     28) SIGWINCH    29) SIGIO       30) SIGPWR
31) SIGSYS      34) SIGRTMIN    35) SIGRTMIN+1  36) SIGRTMIN+2  37) SIGRTMIN+3
38) SIGRTMIN+4  39) SIGRTMIN+5  40) SIGRTMIN+6  41) SIGRTMIN+7  42) SIGRTMIN+8
43) SIGRTMIN+9  44) SIGRTMIN+10 45) SIGRTMIN+11 46) SIGRTMIN+12 47) SIGRTMIN+13
48) SIGRTMIN+14 49) SIGRTMIN+15 50) SIGRTMAX-14 51) SIGRTMAX-13 52) SIGRTMAX-12
53) SIGRTMAX-11 54) SIGRTMAX-10 55) SIGRTMAX-9  56) SIGRTMAX-8  57) SIGRTMAX-7
58) SIGRTMAX-6  59) SIGRTMAX-5  60) SIGRTMAX-4  61) SIGRTMAX-3  62) SIGRTMAX-2
63) SIGRTMAX-1  64) SIGRTMAX

The syntax of trap is

trap [action] [signal]
  • action usually specifies what command to ran
  • signal means which signal to trap

Reference:

LINUX  TRAP  MKTEMP  TEMP FILE 

       

  RELATED


  2 COMMENTS


AnonymousX [Reply]@ 2019-12-31 07:32:37
trap -l does not list EXIT - whitch You have used?
Anonymous [Reply]@ 2019-12-31 21:24:12

I've never used trap (it has a great use case!) but it doesn't appear to come installed with standard linux (I have Ubuntu 16.04/18.04). Is there a similar tool that is already installed?



  RANDOM FUN

Love with Python

For Python lover.