Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

os: TempDir should use GetTempPath2 when available on Windows #56899

Closed
qmuntal opened this issue Nov 22, 2022 · 7 comments
Closed

os: TempDir should use GetTempPath2 when available on Windows #56899

qmuntal opened this issue Nov 22, 2022 · 7 comments
Labels
OS-Windows Proposal Proposal-Accepted
Milestone
Go1.21

Comments

@qmuntal
Copy link
Contributor

qmuntal commented Nov 22, 2022
edited

Proposal

os.TempDir should use GetTempPath2 when available.

This new API is a security hardening that ensures temporary files owned by SYSTEM-processes and not reachable to non-SYSTEM processes.

Background

Windows 11 introduced a new API to retrieve the path of the directory designated for temporary files, GetTempPath2.

When calling this function from a process running as SYSTEM it will return the path C:\Windows\SystemTemp, which is inaccessible to non-SYSTEM processes. For non-SYSTEM processes, GetTempPath2 will behave the same as GetTempPath.

The GetTempPath docs added this recommendation:

Apps should call GetTempPath2 instead of GetTempPath.

Go would not be a first mover here, a bunch of other frameworks and languages are already using this new API: dotnet/runtime#72452, rust-lang/rust#89999, microsoft/STL#2302, and microsoft/react-native-windows@b5c3df5.

There is on theoretical backwards compatibly break if we do this change: communication via temporary files between SYSTEM and non-SYSTEM process would no longer work. This scenario is niche enough to justify breaking it in favor of a security improvement for the 99,99%. The workaround would be to call syscall.GetTempPath instead of os.TempDir.

@golang/windows
@gopherbot gopherbot added this to the Proposal milestone Nov 22, 2022
@qmuntal qmuntal changed the title proposal: os: use GetTempPath2 when available on Windows proposal: os: TempDir should GetTempPath2 when available on Windows Nov 22, 2022
@qmuntal qmuntal changed the title proposal: os: TempDir should GetTempPath2 when available on Windows proposal: os: TempDir should use GetTempPath2 when available on Windows Nov 22, 2022
@bcmills
Copy link
Contributor

bcmills commented Nov 22, 2022

This new API is a security hardening that ensures temporary files owned by SYSTEM-processes and not reachable to non-SYSTEM processes.

(CC @golang/security)

@rolandshoemaker
Copy link
Member

Seems like the right thing to do.

@alexbrainman
Copy link
Member

I agree that we should do this.

Thank you.

Alex

@rsc
Copy link
Contributor

rsc commented Nov 30, 2022

No change in consensus, so accepted. 🎉
This issue now tracks the work of implementing the proposal.
— rsc for the proposal review group

@rsc rsc changed the title proposal: os: TempDir should use GetTempPath2 when available on Windows os: TempDir should use GetTempPath2 when available on Windows Nov 30, 2022
@rsc rsc modified the milestones: Proposal, Backlog Nov 30, 2022
nwnt added a commit to nwnt/go that referenced this issue Jan 17, 2023
@nwnt
os: TempDir uses GetTempPath2 on Windows if available
9e097be 
This generates GetTempPath2 together with RtlGetNtVersionNumbers. The
latter is needed to determine if the running Windows has GetTempPath2
by comparing it against the minimum build number that has the API.
RtlGetNtVersionNumbers was generated into syscall/windows since
syscall is locked down.

Fixes golang#56899
@nwnt nwnt mentioned this issue Jan 17, 2023
Closed
@gopherbot
Copy link

Change https://go.dev/cl/462052 mentions this issue: os: use GetTempPath2 on Windows if available

nwnt pushed a commit to nwnt/go that referenced this issue Jan 24, 2023
os: TempDir uses GetTempPath2 on Windows if available
214628f 
This generates GetTempPath2 together with RtlGetNtVersionNumbers. The
latter is needed to determine if the running Windows has GetTempPath2
by comparing it against the minimum build number that has the API.
RtlGetNtVersionNumbers was generated into syscall/windows since
syscall is locked down.

Fixes golang#56899
@nwnt nwnt mentioned this issue Jan 25, 2023
Closed
nwnt added a commit to nwnt/go that referenced this issue Jan 25, 2023
@nwnt
os: TempDir uses GetTempPath2 on Windows if available
eb3dacf 
This generates GetTempPath2 together with RtlGetNtVersionNumbers. The
latter is needed to determine if the running Windows has GetTempPath2
by comparing it against the minimum build number that has the API.
RtlGetNtVersionNumbers was generated into syscall/windows since
syscall is locked down.

Fixes golang#56899
@gopherbot
Copy link

Change https://go.dev/cl/463219 mentions this issue: os: TempDir uses GetTempPath2 on Windows if available

nwnt added a commit to nwnt/go that referenced this issue Jan 26, 2023
@nwnt
os: TempDir uses GetTempPath2 on Windows if available
34a8a96 
This generates GetTempPath2. Go now tries to determine if the windows
it runs on has GetTempPath2 by finding it only once at the loading time.
If GetTempPath2 exists, it sets the flag so that any calls to tempDir
will use it. If it doesn't exist, Go then uses GetTempPath.
GetTempPath2 was generated into internal/syscall/windows since
syscall is locked down.

Fixes golang#56899
nwnt added a commit to nwnt/go that referenced this issue Jan 26, 2023
@nwnt
os: TempDir uses GetTempPath2 on Windows if available
152a736 
This generates GetTempPath2. Go now tries to determine if the windows
it runs on has GetTempPath2 by finding it only once at the loading time.
If GetTempPath2 exists, it sets the flag so that any calls to tempDir
will use it. If it doesn't exist, Go then uses GetTempPath.
GetTempPath2 was generated into internal/syscall/windows since
syscall is locked down.

Fixes golang#56899
nwnt added a commit to nwnt/go that referenced this issue Jan 26, 2023
@nwnt
os: use GetTempPath2 on Windows if available
97b83bc 
This generates GetTempPath2. Go now tries to determine if the windows
it runs on has GetTempPath2 by finding it only once at the loading time.
If GetTempPath2 exists, it sets the flag so that any calls to tempDir
will use it. If it doesn't exist, Go then uses GetTempPath.
GetTempPath2 was generated into internal/syscall/windows since
syscall is locked down.

Fixes golang#56899
nwnt added a commit to nwnt/go that referenced this issue Jan 27, 2023
@nwnt
os: use GetTempPath2 on Windows if available
b779389 
This generates GetTempPath2. Go now tries to determine if the windows
it runs on has GetTempPath2 by finding it only once at the loading time.
If GetTempPath2 exists, it sets the flag so that any calls to tempDir
will use it. If it doesn't exist, Go then uses GetTempPath.
GetTempPath2 was generated into internal/syscall/windows since
syscall is locked down.

Fixes golang#56899
@dmitshur dmitshur modified the milestones: Backlog, Go1.21 Jan 28, 2023
@gopherbot
Copy link

Change https://go.dev/cl/500255 mentions this issue: doc/go1.21: document that os.TempDir now uses GetTempPath2W

gopherbot pushed a commit that referenced this issue Jun 2, 2023
@qmuntal
doc/go1.21: document that os.TempDir now uses GetTempPath2W
ae71a86 
Updates #56899

Change-Id: Ibde69cd55c81ac0bb757b28b28d69463778dd117
Reviewed-on: https://go-review.googlesource.com/c/go/+/500255
Reviewed-by: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Quim Muntal <quimmuntal@gmail.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
OS-Windows Proposal Proposal-Accepted
Projects
None yet
Milestone
Go1.21
7 participants
@rsc @dmitshur @qmuntal @rolandshoemaker @bcmills @gopherbot @alexbrainman