centos 6
tmpfile weakness #3


Weakness Breakdown


A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:



The highlighted line of code below is the trigger point of this particular Centos 6 tmpfile weakness.


	char const *
	int n;
/* Create a unique pathname using n and the process id and store it
 * into the nth slot in tpnames.
 * Because of storage in tpnames, tempunlink() can unlink the file later.
 * Return a pointer to the pathname created.
	char *p;
	char const *t = tpnames[n];

	if (t)
		return t;

#	if has_mktemp
	    char const *tp = tmp();
	    size_t tplen = dir_useful_len(tp);
	    p = testalloc(tplen + 10);
	    VOID sprintf(p, "%.*s%cT%cXXXXXX", (int)tplen, tp, SLASH, '0'+n);
	    if (!mktemp(p) || !*p)
		faterror("can't make temporary pathname '%.*s%cT%cXXXXXX'",
			(int)tplen, tp, SLASH, '0'+n
#	else
	    static char tpnamebuf[TEMPNAMES][L_tmpnam];
	    p = tpnamebuf[n];
	    if (!tmpnam(p) || !*p)
#		ifdef P_tmpdir
		    faterror("can't make temporary pathname '%s...'",P_tmpdir);
#		else
		    faterror("can't make temporary pathname");
#		endif
#	endif

	tpnames[n] = p;
	return p;

/* Clean up maketemp() files.  May be invoked by signal handler.
	register int i; 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.