Description
Proposal
os.TempDir should use GetTempPath2 when available.
This new API is a security hardening that ensures temporary files owned by SYSTEM processes are not reachable by non-SYSTEM processes.
Background
Windows 11 introduced a new API to retrieve the path of the directory designated for temporary files, GetTempPath2.
When calling this function from a process running as SYSTEM it will return the path C:\Windows\SystemTemp, which is inaccessible to non-SYSTEM processes. For non-SYSTEM processes, GetTempPath2 will behave the same as GetTempPath.
The GetTempPath docs added this recommendation:
Apps should call GetTempPath2 instead of GetTempPath.
Go would not be a first mover here; a bunch of other frameworks and languages are already using this new API: dotnet/runtime#72452, rust-lang/rust#89999, microsoft/STL#2302, and microsoft/react-native-windows@b5c3df5.
There is one theoretical backwards compatibility break if we make this change: communication via temporary files between SYSTEM and non-SYSTEM processes would no longer work. This scenario is niche enough to justify breaking it in favor of a security improvement for the 99,99%. The workaround would be to call syscall.GetTempPath instead of os.TempDir.
@golang/windows
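The selection the proposal describes, as an added example that is not code from the Go repository: prefer GetTempPath2 when kernel32 exports it, otherwise fall back to GetTempPath, and grow the buffer when the call reports a larger required size. The names `tempPathFunc`, `tempDir` and `fakeAPI` are hypothetical, and the two Win32 calls are replaced by constructed stand-ins so the logic runs on any OS.

```go
package main

import (
	"fmt"
	"unicode/utf16"
)

// tempPathFunc mirrors GetTempPathW / GetTempPath2W: it fills buf with a
// UTF-16 path and returns its length, or the required size if buf is too small.
type tempPathFunc func(buf []uint16) uint32

// tempDir prefers getTempPath2 and falls back to getTempPath. Pass nil for
// getTempPath2 when kernel32.dll does not export GetTempPath2W (on Windows
// that can be detected with syscall.NewLazyDLL(...).NewProc(...).Find()).
func tempDir(getTempPath2, getTempPath tempPathFunc) string {
	get := getTempPath
	if getTempPath2 != nil {
		get = getTempPath2
	}
	n := uint32(260) // MAX_PATH as the first guess
	for {
		b := make([]uint16, n)
		n = get(b)
		if n > uint32(len(b)) {
			continue // buffer too small: retry with the reported size
		}
		if n == 3 && b[1] == ':' && b[2] == '\\' {
			// Keep a drive root such as C:\ intact.
		} else if n > 0 && b[n-1] == '\\' {
			n-- // drop the trailing backslash the API appends
		}
		return string(utf16.Decode(b[:n]))
	}
}

// fakeAPI is a constructed stand-in for a Win32 temp-path call (assumption:
// same size-reporting contract as the real functions).
func fakeAPI(path string) tempPathFunc {
	enc := utf16.Encode([]rune(path))
	return func(buf []uint16) uint32 {
		if len(buf) < len(enc)+1 { // room for the terminating NUL
			return uint32(len(enc) + 1)
		}
		copy(buf, enc)
		return uint32(len(enc))
	}
}

func main() {
	legacy := fakeAPI(`C:\Users\alice\AppData\Local\Temp\`) // constructed sample path
	hardened := fakeAPI(`C:\Windows\SystemTemp\`)           // path from the issue text
	fmt.Println(tempDir(hardened, legacy)) // GetTempPath2 available, SYSTEM caller
	fmt.Println(tempDir(nil, legacy))      // older Windows: fallback
}
```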