getpid() or something similar

John Meacham john@repetae.net
Thu, 22 May 2003 09:47:08 -0700 

On Thu, May 22, 2003 at 12:21:10PM -0400, Derek Elkins wrote:
> Why do you need such a unique name, using the open call you can always
> choose another if it already exists.  One way or the other you still
> need to atomically check for security reasons, no matter how unique
> your name is your code shouldn't rely on the file not being created
> between checking and creation, uniqueness means little for a malicious
> attack. Simply using a random number generator would seem sufficient,
> though I'd probably do, at least, progname++num, though more so that the
> user can see what's related to what (if files get left around) than on
> the off chance of 4 billion numerically named files.

like someone else mentioned, NFS (and probably some other filesystems)
have wierd semantics where O_CREAT | O_EXCL don't work properly always.
on such broken filesystems there is not much you can do, but to make the
system as robust as possible one should use everything at their
disposal.

I should also mention that I didn't just make up the previous formula
for 'robust' temporary files. they are used in various applications and
that is 'best common practice'. see the Maildir format for another
example.

as for 32bit random numbers being sufficient, I have one technical
argument against it and one anecdote. The technical argument is called
'the birthday attack', a web search will provide lots of info on it. The
upshot is the 32 bits is not nearly as secure as you think because
probability does not work the way our intuition says. The anecdote
involved a certain distributed operating system which when booted, would
wait a random amount of time to connect to the server since there would
be many machines, and all of them connecting at once would wedge the
server. all seemed well until their first power outage, the power came
back up and 3 minutes later the whole system came tumbling down much to
their surprise. their random number generator was seeded from their
clock, since the power came on for all systems at the same time, all the
random number generators were seeded with the same value and hence the
first thing that came out of them was the same for every system. The
moral, random numbers arn't always random :)

For the quick and dirty behind the birthday attack ask yourself this:

how many people do you need before two of them most likely (> 50%
chance) share a birthday?



if you said anything greater than about 20 then that is too high.
basically the number of random samples needed before two collide is much
smaller than one thinks, it grows as the square root so a bigger space
(like 32bits) doesn't help as much as one might think.


-- 
---------------------------------------------------------------------------
John Meacham - California Institute of Technology, Alum. - john@foo.net
---------------------------------------------------------------------------