A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.
Temporary file race condition.
The highlighted line of code below is the trigger point of this particular Centos 7 tmpfile weakness.
char *fname_str = NULL; #ifdef NO_MKSTEMP char *name; FILE *fd = NULL; #else int fd = -1; #endif *fname_ret = NULL; if (!cpy) goto make_failed; dir = dirname(cpy); fname_len = strlen(dir) + strlen("/d2utmpXXXXXX") + sizeof (char); if (!(fname_str = malloc(fname_len))) goto make_failed; sprintf(fname_str, "%s%s", dir, "/d2utmpXXXXXX"); *fname_ret = fname_str; free(cpy); #ifdef NO_MKSTEMP name = mktemp(fname_str); *fname_ret = name; if ((fd = fopen(fname_str, W_CNTRL)) == NULL) goto make_failed; #else if ((fd = mkstemp(fname_str)) == -1) goto make_failed; #endif return (fd); make_failed: free(*fname_ret); *fname_ret = NULL; #ifdef NO_MKSTEMP return (NULL); #else return (-1); #endif } /* Test if *lFN is the name of a symbolic link. If not, set *rFN equal * to lFN, and return 0. If so, then use canonicalize_file_name or * realpath to determine the pointed-to file; the resulting name is * stored in newly allocated memory, *rFN is set to point to that value, * and 1 is returned. On error, -1 is returned and errno is set as