CentOS 7
tmpfile weakness #5

Weakness Breakdown
Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

snapper-0.2.8/snapper/FileUtils.h

Context:

The highlighted line of code below is the trigger point of this particular CentOS 7 tmpfile weakness.

	string fullname(bool with_base_path = true) const;
	string fullname(const string& name, bool with_base_path = true) const;

	// Type is not supported by all file system types, see readdir(3).
	typedef std::function<bool(unsigned char type, const char* name)> entries_pred_t;

	// The order of the result of the entries functions is undefined.
	vector<string> entries() const;
	vector<string> entries(entries_pred_t pred) const;
	vector<string> entries_recursive() const;
	vector<string> entries_recursive(entries_pred_t pred) const;

	int stat(struct stat* buf) const;

	int stat(const string& name, struct stat* buf, int flags) const;
	int open(const string& name, int flags) const;
	int open(const string& name, int flags, mode_t mode) const;
	ssize_t readlink(const string& name, string& buf) const;
	int mkdir(const string& name, mode_t mode) const;
	int unlink(const string& name, int flags) const;
	int chmod(const string& name, mode_t mode, int flags) const;
	int chown(const string& name, uid_t owner, gid_t group, int flags) const;
	int rename(const string& oldname, const string& newname) const;

	int mktemp(string& name) const;
	bool mkdtemp(string& name) const;

	bool xaSupported() const;

	ssize_t listxattr(const string& path, char* list, size_t size) const;
	ssize_t getxattr(const string& path, const char* name, void* value, size_t size) const;

	bool mount(const string& device, const string& mount_type, unsigned long mount_flags,
		   const string& mount_data) const;
	bool umount(const string& mount_point) const;

	bool fsetfilecon(const string& name, char* con) const;
	bool fsetfilecon(char* con) const;
	bool restorecon(SelinuxLabelHandle* sh) const;
	bool restorecon(const string& name, SelinuxLabelHandle* sh) const;

    private:

	XaAttrsStatus xastatus;
	void setXaStatus();

	const string base_path;
	const string path;

	int dirfd; 