centos 6
tmpfile weakness #17

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

net-snmp-5.5/agent/mibgroup/util_funcs.c

Context:

The highlighted line of code below is the trigger point of this particular Centos 6 tmpfile weakness.

 #ifdef NETSNMP_EXCACHETIME
static long     cachetime;
#endif

extern int      numprocs, numextens;

void
Exit(int var)
{
    snmp_log(LOG_ERR, "Server Exiting with code %d\n", var);
    exit(var);
}

/** deprecated, use netsnmp_mktemp instead */
const char *
make_tempfile(void)
{
    static char     name[32];
    int             fd = -1;

    strcpy(name, get_temp_file_pattern());
#ifdef HAVE_MKSTEMP
    fd = mkstemp(name);
#else
    if (mktemp(name)) {
# ifndef WIN32        
        fd = open(name, O_CREAT | O_EXCL | O_WRONLY);
# else
        /*
          Win32 needs _S_IREAD | _S_IWRITE to set permissions on file after closing
         */
        fd = _open(name, _O_CREAT, _S_IREAD | _S_IWRITE | _O_EXCL | _O_WRONLY);
# endif
    }
#endif
    if (fd >= 0) {
        close(fd);
        DEBUGMSGTL(("make_tempfile", "temp file created: %s\n", name));
        return name;
    }
    snmp_log(LOG_ERR,"make_tempfile: error creating file %s\n", name);
    return NULL;
}

int
shell_command(struct extensible *ex)
{
#if HAVE_SYSTEM
    const char     *ofname;
    char            shellline[STRMAX]; 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.