fedora 23
tmpfile weakness #36


Weakness Breakdown


A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:



The highlighted line of code below is the trigger point of this particular Fedora 23 tmpfile weakness.

   return templ;


  // Typical use of mktemp() risks the file being created by someone else in
  // between when the name is chosen and the file is opened.  However, use
  // of mktemp() to pick a *directory* name is safe, because mkdir() will
  // not create a directory if anything already exists by that name - even a
  // dangling symlink.  Thus we can simply loop until we find a suitable
  // name.  There IS a very small risk that we loop endlessly, but that's
  // under extreme conditions, and the problem is likely to really be
  // elsewhere... as a backstop, we limit iterations to the smaller of
  // 10000 and TMP_MAX.

  unsigned int cycles = 0, limit = 10000;
#ifdef TMP_MAX
  if (TMP_MAX > 0 && TMP_MAX < limit)
    limit = TMP_MAX;

  char * tmpdir = new char[strlen(templ) + 1];
  for (;;)
      strcpy(tmpdir, templ);
      result = mktemp(tmpdir);
      E(result, origin::system,
        F("mktemp(%s) failed: %s") % tmpdir % os_strerror(errno));
      I(result == tmpdir);

      if (mkdir(tmpdir, 0700) == 0)
          strcpy(templ, tmpdir);
          delete [] tmpdir;
          return templ;

      E(errno == EEXIST, origin::system,
        F("mkdir(%s) failed: %s") % tmpdir % os_strerror(errno));

      E(cycles < limit, origin::system,
        F("%d temporary names are all in use") % limit);


bool running_as_root()

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.