...
Moreover, the open() function, as specified by the Open Group the Standard for Information Technology—Portable Operating System Interface (POSIX®), Base Specifications, Issue 6 [Open Group 20047 [IEEE Std 1003.1:2013], does not include support for shared or exclusive locks. However, BSD systems support two additional flags that allow you to obtain these locks:
...
The Open Group Base Specification Issue 6 [Open Group 2004] does not specify the permissions the file is created with, so these are implementation-defined. However, Issue 7 (POSIX[IEEE Std 1003.1-2008) :2013] specifies them as S_IRUSR|S_IWUSR (0600) [Austin Group 2008].
This compliant solution invokes the user-defined function secure_dir() (such as the one defined in FIO15-C. Ensure that file operations are performed in a secure directory) to ensure the temporary file resides in a secure directory.
...
| CERT C Secure Coding Standard | FIO15-C. Ensure that file operations are performed in a secure directory |
| CERT C++ Secure Coding Standard | FIO43-CPP. Do not create temporary files in shared directories |
| CERT Oracle Secure Coding Standard for Java | FIO03-J. Remove temporary files before termination |
| ISO/IEC TR 24772:2013 | Path Traversal [EWR] |
| MITRE CWE | CWE-379, Creation of temporary file in directory with insecure permissions |
Bibliography
...
| [HP 2003] | |
| [IEEE Std 1003.1:2013] | System Interfaces: open System Interfaces: mkdopen, mksopen |
| [ISO/IEC 9899:2011] | Subclause K.3.5.1.2, "The tmpnam_s Function"Subclause 7.21.4.4, "The tmpnam Function |
| [Kennaway 2000] | |
| [Open Group 2004] | mktempmktemp()open() |
| [Seacord 2013] | Chapter 3, "Pointer Subterfuge" Chapter 8, "File I/O" |
| [Viega 2003] | Section 2.1, "Creating Files for Temporary Use" |
| [Wheeler 2003] | Chapter 7, "Structure Program Internals and Approach" |
...