tags:

views:

2844

answers:

4
+4  Q: 

Create a temporary FIFO (named pipe) in Python?

How can you create a temporary FIFO (named pipe) in Python? This should work:

import tempfile

temp_file_name = mktemp()

os.mkfifo(temp_file_name)

open(temp_file_name, os.O_WRONLY)

# ... some process, somewhere, will read it ...

However, I'm hesitant because of the big warning in Python Docs 11.6 and potential removal because it's deprecated.

Thanks for reading.

Brian

EDIT: It's noteworthy that I've tried tempfile.NamedTemporaryFile (and by extension tempfile.mkstemp), but os.mkfifo throws OSError -17: File already exists when you run it on the files that mkstemp/NamedTemporaryFile have created.

+2  A: 

How about using

d = mkdtemp()
t = os.path.join(d, 'fifo')
brendan  2009-09-16 01:36:12
That suffers the same security issues as mktemp. Thanks though, Brendan.
Brian M. Hunt  2009-09-16 01:57:59
It only has the same security issue if the user has already compromised the account running the script (the directory is 0700). In which case, they can probably do much worse.
Joe  2009-09-16 02:13:21
Oop - I was wrong. This doesn't have the same security issue as mktemp because mkfifo() balks if the file exists (i.e. there's no chance for a MiM attack). This would work.
Brian M. Hunt  2009-09-16 02:58:00
A: 

Why not just use mkstemp()?

For example:

import tempfile
import os

handle, filename = tempfile.mkstemp()
os.mkfifo(filename)
writer = open(filename, os.O_WRONLY)
reader = open(filename, os.O_RDONLY)
os.close(handle)
Daniel Pryden  2009-09-16 01:37:37
os.mkfifo throws an OSError 17: File Exists. Thanks though.
Brian M. Hunt  2009-09-16 01:45:54
+1  A: 

If it's for use within your program, and not with any externals, have a look at the Queue module. As an added benefit, python queues are thread-safe.

nilamo  2009-09-16 01:42:29
Thanks Nilamo. Unfortunately it's not for internal communication. I'm using Queues elsewhere, though. Thanks for the suggestion.
Brian M. Hunt  2009-09-16 01:44:54
Not a problem, just throwing the 'use the simplest possible thing that could work' flag. If you actually need the fifo, then this answer doesn't help at all.
nilamo  2009-09-16 02:36:00
+3  A: 

os.mkfifo() will fail with exception OSError: [Errno 17] File exists if the file already exists, so there is no security issue here. The security issue with using tempfile.mktemp() is the race condition where it is possible for an attacker to create a file with the same name before you open it yourself, but since os.mkfifo() fails if the file already exists this is not a problem.

However, since mktemp() is deprecated you shouldn't use it. You can use tempfile.mkdtemp() instead:

import os, tempfile

tmpdir = tempfile.mkdtemp()
filename = os.path.join(tmpdir, 'myfifo')
print filename
try:
    os.mkfifo(filename)
except OSError, e:
    print "Failed to create FIFO: %s" % e
else:
    fifo = open(filename, 'w')
    # write stuff to fifo
    print >> fifo, "hello"
    fifo.close()
    os.remove(filename)
    os.rmdir(tmpdir)

EDIT: I should make it clear that, just because the mktmp() vulnerabitly is averted by this, there are still the other usual security issues that need to be considered, e.g. an attacker could create the fifo (if they had suitable permissions) before your program did which could cause your program to crash if errors/exceptions are not properly handled.

mhawke  2009-09-16 02:09:15
Well said. Thanks mhawke.
Brian M. Hunt  2009-09-16 02:16:42
Should the `os.rmdir(tmpdir)` not be outside the the try-else block?
Artelius  2010-07-21 07:41:34

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security