"Ken Raeburn via RT" <rt-comment@krbdev.mit.edu> writes:

> Coming up with names not already taken isn't all that hard, it just  
> requires setting up a loop and having a reasonably large space of  
> names to work through.  With a large enough namespace and a halfway  
> decent PRNG, we ought to be able to find an unused name in one or two  
> tries, actually: dir + "/krb5_RC" + base64(random).

We already have a mkstemp() replacement in the tree, it seems, but
only use it when the system does not already have mkstemp().

> Do we have this sort of thing happening elsewhere, such that a utility  
> function mkstemp_mode_0600 would help?

It looks like recent BSD-derived implementations of mkstemp() use mode
0600, but POSIX does not guarantee this.  We could call mkstemp() and
then fstat() to make sure we got the modes we expect, and if we get
modes we do not expect, fall back on something more irritating.  (Or
do autoconf run-time tests to see if mkstemp() is sane, but I'd rather
not do run-time tests.)