perl-unix-users
Re: [Perl-unix-users] Random number
by Ingo Schwarze
Jan 31 2008 2:56AM
Hi Gary,

Gary Yang wrote on Wed, Jan 30, 2008 at 03:54:51PM -0800:

>  I need to get a random number whenever the perl script is called.
>  Each time the random number I got should be different.
>  I use that number to name generated files, i.e. I want the perl
>  script to generate different file names whenever it is called.

That's probably a very bad idea in the first place.

Automatic unique filename generation and opening the file for writing
looks like an easy task from a naive point of view, but actually,
it's one of the major sources of security issues, usually involving
race conditions.  There are many different techniques for exploiting
such race conditions, and if your script is running with root
privileges, they usually result in root exploits.

Besides, there is a plethora of standard library routines to
accomplish such tasks, but most of them are no good and should
not be used at all.  There are even cases where the shell version
of a routine is ok, but the C version is not (eg. mktemp).
So you need to be extremely careful.
To understand the basic issues, read:
  http://www.openbsd.org/cgi-bin/man.cgi?query=tmpfile
  http://www.openbsd.org/cgi-bin/man.cgi?query=mktemp&sektion=3
  http://www.openbsd.org/cgi-bin/man.cgi?query=mktemp&sektion=1
These OpenBSD manual pages are describing the issues involved
much better than the corresponding GNU manual pages, so do NOT
try to learn this stuff on a Linux system.

Even if you have understood the basic issues concerning C code,
transferring that knowledge to a different language is non-trivial.
The right tool to use in Perl is the standard module File::Temp.

To summarize, 
 1. Do not naively use random numbers.
 2. Do not use the process number.
 3. Do not use the date or time or anything calculated from it:
    Time might need backward correction, and time is predictable.
 4. Never use tmpnam(3), tempnam(3), mktemp(3), POSIX::tmpnam,
    File::Temp::tmpnam, File::Temp::tempnam, File::Temp::mktemp:
    These functions are inherently unsafe.
 5. Never use tempfile(3), mkdtemp(3) or mkstemps(3):
    These functions are not portable.
 6. In C, use tmpfile(3) when possible.
 7. In C, use mkstemp(3) when you want to keep the file after process
    termination or if you need to know the filename.
 8. In shell scripts, use mktemp(1).
 9. In Perl, use File::Temp::tempfile.

No, this is _not_ simple.

Have fun,
  Ingo

-- 
Ingo Schwarze <ischwarze@[...].com>  | Software Engineer | Framework Team
Astaro AG | www.astaro.com | 76227 Karlsruhe | Germany
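
The following is an added example, not part of the message above or of any project's code. It contrasts a predictable name opened with plain open() against exclusive creation and File::Temp::tempfile (points 2 and 9 of the summary). The file names `important.txt` and `report.$$` are constructed for the demonstration, and everything happens inside a private scratch directory.

```perl
#!/usr/bin/perl
# Added example: predictable name + plain open() versus exclusive creation.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);

# Private scratch directory (mode 0700), removed at exit.
my $dir = tempdir(CLEANUP => 1);

# Constructed scenario: the name the script is about to use already exists
# as a symlink to another file, as it could in a shared directory like /tmp.
my $victim = "$dir/important.txt";
open(my $v, '>', $victim) or die "open $victim: $!";
print {$v} "original contents\n";
close($v) or die "close: $!";

my $guessable = "$dir/report.$$";    # process number: predictable (point 2)
symlink($victim, $guessable) or die "symlink: $!";

# 1. Naive: open() follows the symlink and truncates the victim.
open(my $naive, '>', $guessable) or die "open $guessable: $!";
print {$naive} "script output\n";
close($naive) or die "close: $!";
print "after naive open, victim holds: ", slurp($victim);

# 2. Exclusive creation: O_CREAT|O_EXCL fails if the name exists, and
#    does not follow a symlink in the final path component.
if (sysopen(my $excl, $guessable, O_WRONLY | O_CREAT | O_EXCL, 0600)) {
    close($excl);
    print "unexpected: exclusive open succeeded\n";
} else {
    print "exclusive open refused: $!\n";    # typically "File exists"
}

# 3. File::Temp::tempfile (point 9): picks an unpredictable name, creates
#    it exclusively with mode 0600, retries on collision, and returns an
#    already-open handle together with the name.
my ($fh, $name) = tempfile('report-XXXXXXXX', DIR => $dir, UNLINK => 1);
print {$fh} "script output\n";
close($fh) or die "close: $!";
printf "tempfile created %s with mode %04o\n", $name, (stat $name)[2] & 07777;

sub slurp {
    my ($path) = @_;
    open(my $in, '<', $path) or die "open $path: $!";
    local $/;
    return scalar <$in>;
}
```

Writing through the handle that tempfile returns, rather than reopening the file by name, is what keeps the create-and-open step atomic.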