centos 6
tmpfile weakness #42

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

glibc-2.12-2-gc4ccff1/posix/tst-execvp4.c

Context:

The highlighted line of code below is the trigger point of this particular Centos 6 tmpfile weakness.

 #include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

static int
do_test (void)
{
  char buf[40] = "/usr/bin/does-not-exist";
  size_t stemlen = strlen (buf);
  struct stat64 st;
  int cnt = 0;
  while (stat64 (buf, &st) != -1 || errno != ENOENT
	 || stat64 (buf + 4, &st) != -1 || errno != ENOENT)
    {
      if (cnt++ == 100)
	{
	  puts ("cannot find a unique file name");
	  return 0;
	}

      strcpy (buf + stemlen, ".XXXXXX");
      mktemp (buf);
    }

  unsetenv ("PATH");
  char *argv[] = { buf + 9, NULL };
  execvp (argv[0], argv);
  return 0;
}

#define TEST_FUNCTION do_test ()
#include "../test-skeleton.c" 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.