centos 6
tmpfile weakness #3

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

rcs-5.7/src/rcsfnms.c

Context:

The highlighted line of code below is the trigger point of this particular Centos 6 tmpfile weakness.

 #endif

	char const *
maketemp(n)
	int n;
/* Create a unique pathname using n and the process id and store it
 * into the nth slot in tpnames.
 * Because of storage in tpnames, tempunlink() can unlink the file later.
 * Return a pointer to the pathname created.
 */
{
	char *p;
	char const *t = tpnames[n];

	if (t)
		return t;

	catchints();
	{
#	if has_mktemp
	    char const *tp = tmp();
	    size_t tplen = dir_useful_len(tp);
	    p = testalloc(tplen + 10);
	    VOID sprintf(p, "%.*s%cT%cXXXXXX", (int)tplen, tp, SLASH, '0'+n);
	    if (!mktemp(p) || !*p)
		faterror("can't make temporary pathname '%.*s%cT%cXXXXXX'",
			(int)tplen, tp, SLASH, '0'+n
		);
#	else
	    static char tpnamebuf[TEMPNAMES][L_tmpnam];
	    p = tpnamebuf[n];
	    if (!tmpnam(p) || !*p)
#		ifdef P_tmpdir
		    faterror("can't make temporary pathname '%s...'",P_tmpdir);
#		else
		    faterror("can't make temporary pathname");
#		endif
#	endif
	}

	tpnames[n] = p;
	return p;
}

	void
tempunlink()
/* Clean up maketemp() files.  May be invoked by signal handler.
 */
{
	register int i; 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.