fedora 24
tmpfile weakness #25


Weakness Breakdown


A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:



The highlighted line of code below is the trigger point of this particular Fedora 24 tmpfile weakness.

 * Create a temporary file in tmpdir, use prefix for its name,
 * store the unique name in fn, and return a stdio FILE pointer
 * with access mode.
 * The permissions for the newly created file are given in bits.
Ftemp(char **fn, char *prefix, char *mode, int bits, int register_file)
	FILE *fp;
	int fd;

	*fn = smalloc(strlen(tmpdir) + strlen(prefix) + 8);
	strcpy(*fn, tmpdir);
	strcat(*fn, "/");
	strcat(*fn, prefix);
	strcat(*fn, "XXXXXX");
	if ((fd = mkstemp(*fn)) < 0)
		goto Ftemperr;
	if (fchmod(fd, bits) < 0)
		goto Ftemperr;
#else	/* !HAVE_MKSTEMP */
	if (mktemp(*fn) == NULL)
		goto Ftemperr;
	if ((fd = open(*fn, O_CREAT|O_EXCL|O_RDWR, bits)) < 0)
		goto Ftemperr;
#endif	/* !HAVE_MKSTEMP */
	if (register_file)
		fp = Fdopen(fd, mode);
	else {
		fp = fdopen(fd, mode);
		fcntl(fd, F_SETFD, FD_CLOEXEC);
	return fp;
	return NULL;

 * Free the resources associated with the given filename. To be
 * called after unlink().
 * Since this function can be called after receiving a signal,
 * the variable must be made NULL first and then free()d, to avoid
 * more than one free() call in all circumstances.
Ftfree(char **fn) 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.