env::temp_dir returns /private/tmp on Apple instead while /tmp is

[devnexen]

a symlink in fact.

ref #99608

[rustbot]

Hey! It looks like you've submitted a new PR for the library teams!

If this PR contains changes to any rust-lang/rust public library APIs then please comment with @rustbot label +T-libs-api -T-libs to tag it appropriately. If this PR contains changes to any unstable APIs please edit the PR description to add a link to the relevant API Change Proposal or create one if you haven't already. If you're unsure where your change falls no worries, just leave it as is and the reviewer will take a look and make a decision to forward on if necessary.

Examples of T-libs-api changes:

• Stabilizing library features
• Introducing insta-stable changes such as new implementations of existing stable traits on existing stable types
• Introducing new or changing existing unstable library APIs (excluding permanently unstable features / features without a tracking issue)
• Changing public documentation in ways that create new stability guarantees
• Changing observable runtime behavior of library APIs

[rust-highfive]

r? @thomcc

(rust-highfive has picked a reviewer for you, use r? to override)

[thomcc]

Hmm, I am not so sure about this.

The preferred tempdir on these platforms is the value from libc::confstr(libc::_CS_DARWIN_USER_TEMP_DIR, ...), although this will be a user-specific directory with a name like /var/folders/rw/gsmfnk2s12d34hywmktc28q40000gn/T/, where the specific name will change over time and is unpredictable.

This is best for security, as it avoids providing a temporary directory that another user (who may be at a different privilege level) has access to, unlike /tmp or /private/tmp. Usually $TMPDIR is set to this, but I guess not always? That said, I don't know if using this is a change we'd want to make.

More generally, we've always returned /tmp on darwin platforms, despite it (AFAIK) always being a symlink to /private/tmp. So I don't really think changing it to this is what I'd recommend, If we're going to change it, I'd rather see us use the safer directory.

Either way, this is a behavioral change that would require documentation to be updated, and t-libs-api signoff.

@rustbot label +T-libs-api -T-libs

[thomcc]

I think this needs further discussion in the t-libs-api meeting. Essentially there are three choices here for what to do if $TMPDIR is unset on Darwin platforms:

1. Keep the same behavior we have currently, which is to return /tmp, which is (and has always been on these platforms) a symlink to /private/tmp.

2. Change to returning /private/tmp. This avoids returning something that is symlink, and returns the target of the symlink. The rationale here is certain programs may not expect the path returned to be a symlink (although I'm not totally certain that it's never a symlink on other unixes, and IMO we don't want to promise that it is not a symlink -- or if we do we should canonicalize it).

3. Change to returning the string by confstr(_CS_DARWIN_USER_TEMP_DIR, ...). This matches the behavior used when $TMPDIR is provided (it usually points here), avoids some security pitfalls, and matches the behavior recommended by apple for these platforms. This will be a string like /var/folders/rw/gsmfnk2s12d34hywmktc28q40000gn/T/ which varies between users (but not between processes of the same user) and periodically is randomized around every 3 days and/or on boot.

I recommend either the third (which is a behavioral change, but we don't promise this to be unchanging, and I would have expected $TMPDIR to usually be set) or the first, which keeps the current behavior.

[thomcc]

(Sorry for the accidental close -- accidentally hit tab). See previous message for explanation of my nomination.

@rustbot label +I-libs-api-nominated

[m-ou-se]

The rationale here is certain programs may not expect the path returned to be a symlink

Are there any examples of this? Is there any realistic use case where a symlink would be a problem?

[thomcc]

It did cause an issue for someone using SQLite, since they were requesting SQLite not follow symbolic links. I don't particularly care about this.

That said, I don't think most software on Darwin OSes should be using /tmp or /private/tmp in most cases. Doing so goes against Apple's security guidelines, which tell you to use confstr(_CS_DARWIN_USER_TEMP_DIR, ...) instead.

Generally this is not needed, as most of the time $TMPDIR is set in the environment to the directory the confstr invocation will resolve to. I guess in some cases it is not though, and think that we should use that as a fallback instead if we can justify the behavioral change.

[thomcc]

We already checked the env above. Also, don't use libc::getenv as it doesn't hold the env lock. Also, this string isn't NUL-terminated.

[thomcc]

Let's wait for rust-lang/libc#2883.

[thomcc]

50 bytes should be enough in practice, but really this should have some retry logic. I was going to submit thomcc@ee1c648 as a PR at one point, but you can just integrate the changes from it.

[devnexen]

it s better if you do since you authored all.