os: TempDir should use GetTempPath2 when available on Windows #56899
Milestone
Comments
qmuntal
changed the title
qmuntal
changed the title
(CC @golang/security) |
|
Seems like the right thing to do. |
|
I agree that we should do this. Thank you. Alex |
|
No change in consensus, so accepted. 🎉 |
rsc
changed the title
nwnt
added a commit
to nwnt/go
that referenced
this issue
Jan 17, 2023
This generates GetTempPath2 together with RtlGetNtVersionNumbers. The latter is needed to determine if the running Windows has GetTempPath2 by comparing it against the minimum build number that has the API. RtlGetNtVersionNumbers was generated into syscall/windows since syscall is locked down. Fixes golang#56899
|
Change https://go.dev/cl/462052 mentions this issue: |
nwnt
pushed a commit
to nwnt/go
that referenced
this issue
Jan 24, 2023
This generates GetTempPath2 together with RtlGetNtVersionNumbers. The latter is needed to determine if the running Windows has GetTempPath2 by comparing it against the minimum build number that has the API. RtlGetNtVersionNumbers was generated into syscall/windows since syscall is locked down. Fixes golang#56899
nwnt
added a commit
to nwnt/go
that referenced
this issue
Jan 25, 2023
This generates GetTempPath2 together with RtlGetNtVersionNumbers. The latter is needed to determine if the running Windows has GetTempPath2 by comparing it against the minimum build number that has the API. RtlGetNtVersionNumbers was generated into syscall/windows since syscall is locked down. Fixes golang#56899
|
Change https://go.dev/cl/463219 mentions this issue: |
nwnt
added a commit
to nwnt/go
that referenced
this issue
Jan 26, 2023
This generates GetTempPath2. Go now tries to determine if the windows it runs on has GetTempPath2 by finding it only once at the loading time. If GetTempPath2 exists, it sets the flag so that any calls to tempDir will use it. If it doesn't exist, Go then uses GetTempPath. GetTempPath2 was generated into internal/syscall/windows since syscall is locked down. Fixes golang#56899
nwnt
added a commit
to nwnt/go
that referenced
this issue
Jan 26, 2023
This generates GetTempPath2. Go now tries to determine if the windows it runs on has GetTempPath2 by finding it only once at the loading time. If GetTempPath2 exists, it sets the flag so that any calls to tempDir will use it. If it doesn't exist, Go then uses GetTempPath. GetTempPath2 was generated into internal/syscall/windows since syscall is locked down. Fixes golang#56899
nwnt
added a commit
to nwnt/go
that referenced
this issue
Jan 26, 2023
This generates GetTempPath2. Go now tries to determine if the windows it runs on has GetTempPath2 by finding it only once at the loading time. If GetTempPath2 exists, it sets the flag so that any calls to tempDir will use it. If it doesn't exist, Go then uses GetTempPath. GetTempPath2 was generated into internal/syscall/windows since syscall is locked down. Fixes golang#56899
nwnt
added a commit
to nwnt/go
that referenced
this issue
Jan 27, 2023
This generates GetTempPath2. Go now tries to determine if the windows it runs on has GetTempPath2 by finding it only once at the loading time. If GetTempPath2 exists, it sets the flag so that any calls to tempDir will use it. If it doesn't exist, Go then uses GetTempPath. GetTempPath2 was generated into internal/syscall/windows since syscall is locked down. Fixes golang#56899
|
Change https://go.dev/cl/500255 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Jun 2, 2023
Updates #56899 Change-Id: Ibde69cd55c81ac0bb757b28b28d69463778dd117 Reviewed-on: https://go-review.googlesource.com/c/go/+/500255 Reviewed-by: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Quim Muntal <quimmuntal@gmail.com> Reviewed-by: Ian Lance Taylor <iant@google.com>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Proposal
os.TempDirshould use GetTempPath2 when available.This new API is a security hardening that ensures temporary files owned by SYSTEM-processes and not reachable to non-SYSTEM processes.
Background
Windows 11 introduced a new API to retrieve the path of the directory designated for temporary files, GetTempPath2.
When calling this function from a process running as SYSTEM it will return the path
C:\Windows\SystemTemp, which is inaccessible to non-SYSTEM processes. For non-SYSTEM processes, GetTempPath2 will behave the same as GetTempPath.The
GetTempPathdocs added this recommendation:Go would not be a first mover here, a bunch of other frameworks and languages are already using this new API: dotnet/runtime#72452, rust-lang/rust#89999, microsoft/STL#2302, and microsoft/react-native-windows@b5c3df5.
There is on theoretical backwards compatibly break if we do this change: communication via temporary files between SYSTEM and non-SYSTEM process would no longer work. This scenario is niche enough to justify breaking it in favor of a security improvement for the 99,99%. The workaround would be to call
syscall.GetTempPathinstead ofos.TempDir.@golang/windows
The text was updated successfully, but these errors were encountered: