centos 6
tmpfile weakness #40

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

glibc-2.12-2-gc4ccff1/posix/bug-glob1.c

Context:

The highlighted line of code below is the trigger point of this particular Centos 6 tmpfile weakness.

 
static void prepare (int argc, char *argv[]);
#define PREPARE prepare
static int do_test (void);
#define TEST_FUNCTION do_test ()

#include "../test-skeleton.c"


static char *fname;

static void
prepare (int argc, char *argv[])
{
  if (argc < 2)
    error (EXIT_FAILURE, 0, "missing argument");

  size_t len = strlen (argv[1]);
  static const char ext[] = "globXXXXXX";
  fname = malloc (len + sizeof (ext));
  if (fname == NULL)
    error (EXIT_FAILURE, errno, "cannot create temp file");
 again:
  strcpy (stpcpy (fname, argv[1]), ext);
  fname = mktemp (fname);
  if (fname == NULL || *fname == '\0')
    error (EXIT_FAILURE, errno, "cannot create temp file name");
  if (symlink ("bug-glob1-does-not-exist", fname) != 0)
    {
      if (errno == EEXIST)
	goto again;

      error (EXIT_FAILURE, errno, "cannot create symlink");
    }
  add_temp_file (fname);
}


static int
do_test (void)
{
  glob_t gl;
  int retval = 0;
  int e;

  e = glob (fname, 0, NULL, &gl);
  if (e == 0)
    {
      printf ("glob(\"%s\") succeeded\n", fname);
      retval = 1; 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.