alpine 3.6
tmpfile weakness #70

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

php7-apcu/src/apcu-5.1.8/apc_mmap.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 tmpfile weakness.

 #ifdef APC_MEMPROTECT
        remap = 0;
#endif
#endif
    } else if(!strcmp(file_mask,"/dev/zero")) { 
        fd = open("/dev/zero", O_RDWR, S_IRUSR | S_IWUSR);
        if(fd == -1) {
            apc_error("apc_mmap: open on /dev/zero failed:");
            goto error;
        }
#ifdef APC_MEMPROTECT
        remap = 0; /* cannot remap */
#endif
    } else if(strstr(file_mask,".shm")) {
        /*
         * If the filemask contains .shm we try to do a POSIX-compliant shared memory
         * backed mmap which should avoid synchs on some platforms.  At least on
         * FreeBSD this implies MAP_NOSYNC and on Linux it is equivalent of mmap'ing
         * a file in a mounted shmfs.  For this to work on Linux you need to make sure
         * you actually have shmfs mounted.  Also on Linux, make sure the file_mask you
         * pass in has a leading / and no other /'s.  eg.  /apc.shm.XXXXXX
         * On FreeBSD these are mapped onto the regular filesystem so you can put whatever
         * path you want here.
         */
        if(!mktemp(file_mask)) {
            apc_error("apc_mmap: mktemp on %s failed:", file_mask);
            goto error;
        }
        fd = shm_open(file_mask, O_CREAT|O_RDWR, S_IRUSR|S_IWUSR);
        if(fd == -1) {
            apc_error("apc_mmap: shm_open on %s failed:", file_mask);
            goto error;
        }
        if (ftruncate(fd, size) < 0) {
            close(fd);
            shm_unlink(file_mask);
            apc_error("apc_mmap: ftruncate failed:");
            goto error;
        }
        shm_unlink(file_mask);
    } else {
        /*
         * Otherwise we do a normal filesystem mmap
         */
        fd = mkstemp(file_mask);
        if(fd == -1) {
            apc_error("apc_mmap: mkstemp on %s failed:", file_mask);
            goto error;
        }
        if (ftruncate(fd, size) < 0) { 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.