centos 7
tmpfile weakness #33

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is unintentionally shared with a low-privilege process, because the file is temporary and is generated after all security controls have been applied. This allows the low-privilege process to read data belonging to the high-privilege process (information leakage) or, worse, to influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

pam_krb5-2.4.8/src/pam_krb5_cchelper.c

Context:

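The highlighted line of code below is the trigger point of this particular CentOS 7 tmpfile weakness. (The highlighting is not preserved in this text version; the call that matches a temporary-file race warning is most likely `mktemp(ccname + 4)`, which only generates a name and creates nothing. In this excerpt the generated name is then passed to `mkdir()` with `S_IRWXU`, which fails with `EEXIST` if the path already exists, and the loop retries; `mkdtemp()` performs both steps in a single call. Separately, the later test `(i != 0) && (i == EEXIST)` compares `mkdir()`'s return value rather than `errno` with `EEXIST`, so the ownership check that follows it appears to be unreachable as written.)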

 		unlink(pattern + 5);
		krb5_free_context(ctx);
		return i;
	}
	i = krb5_cc_get_principal(ctx, tmp_ccache, &client);
	if (i != 0) {
		krb5_cc_destroy(ctx, tmp_ccache);
		krb5_free_context(ctx);
		return i;
	}

	/* If the ccache is a directory, create one, if need be. */
	if (strncmp(ccname, "DIR:", 4) == 0) {
		if ((p = strstr(ccname, "XXXXXX")) != NULL) {
			/* Check that we're in create mode, and create
			 * a directory. */
			if (!c_flag) {
				krb5_cc_destroy(ctx, tmp_ccache);
				krb5_free_context(ctx);
				return 9;
			}
			do {
				/* Try to create a unique directory. */
				strcpy(ccname, argv[2]);
				mktemp(ccname + 4);
				if (strlen(ccname + 4) == 0) {
					i = EINVAL;
				} else {
					i = mkdir(ccname + 4, S_IRWXU);
				}
			} while ((i != 0) && (errno == EEXIST));
			if (i != 0) {
				krb5_cc_destroy(ctx, tmp_ccache);
				krb5_free_context(ctx);
				return i;
			}
		} else {
			/* See if we can create the directory. */
			i = mkdir(ccname + 4, S_IRWXU);
			if ((i != 0) && (i == EEXIST)) {
				/* It exists.  Check that it's ours. */
				if (chdir(ccname + 4) != 0) {
					krb5_cc_destroy(ctx, tmp_ccache);
					krb5_free_context(ctx);
					return 9;
				}
				if ((lstat(".", &st) != 0) ||
				    (st.st_uid != uid) ||
				    (st.st_gid != gid) ||
				    ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0)) { 
