centos 7
tmpfile weakness #6

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is unintentionally exposed to a low-privilege process, because the file is temporary and is generated after all security controls have been applied. The low-privilege process can then read data belonging to the high-privilege process (information leakage) or, worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

kdelibs-4.14.8/kinit/lnusertemp.c

Context:

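The highlighted line of code below is the trigger point of this particular CentOS 7 tmpfile weakness. The highlight is not visible in this plain-text listing; the warning text appears to correspond to the `mktemp` calls, both of which sit inside `#if 0` blocks, so the code that is actually compiled creates the directory with `mkdtemp`.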

   {
     fprintf(stderr, "Error: \"%s\" points to \"%s\" instead of \"%s\".\n", kde_tmp_dir, tmp_buf, user_tmp_dir);
     unlink(kde_tmp_dir);
#ifndef NDEBUG
     fprintf(stderr, "Creating link %s.\n", kde_tmp_dir);
#endif
     result = create_link(kde_tmp_dir, user_tmp_dir);
     if (result == 0) return 0; /* Success */
     unlink(kde_tmp_dir);
     strncat(user_tmp_dir, "XXXXXX", PATH_MAX - strlen(user_tmp_dir));
#if 0
     mktemp(user_tmp_dir); /* We want a directory, not a file, so using mkstemp makes no sense and is wrong */
#else
     if (mkdtemp(user_tmp_dir)==0) return 1; /*JOWENN: isn't that the better solution ?? */
#endif
     return create_link(kde_tmp_dir, user_tmp_dir);
  }
  result = check_tmp_dir(tmp, 0);
  if (result != 0) return result; /* Failure to create parent dir */
  result = check_tmp_dir(tmp_buf, 1);
  if (result == 0) return 0; /* Success */
  unlink(kde_tmp_dir);
  strncat(user_tmp_dir, "XXXXXX", PATH_MAX - strlen(user_tmp_dir));
#if 0
  mktemp(user_tmp_dir); /* We want a directory, not a file, so using mkstemp makes no sense and is wrong */
#else
     if (mkdtemp(user_tmp_dir)==0) return 1; /*JOWENN: isn't that the better solution ?? */
#endif
  return create_link(kde_tmp_dir, user_tmp_dir);
}

int main(int argc, char **argv)
{
  const char *tmp = 0;
  const char *xdg_runtime_dir = 0;
  char *tmp_prefix = 0;
  const char *kde_prefix = 0;
  int res = 0;

  if ((argc != 2) || 
      ((strcmp(argv[1], "tmp")!=0) && 
       (strcmp(argv[1], "socket")!=0) && 
       (strcmp(argv[1], "cache")!=0)))
  {
     fprintf(stderr, "Usage: lnusertemp tmp|socket|cache\n");
     return 1;
  }

  tmp = getenv("KDETMP");
  if (!tmp || !tmp[0]) 
