...
There are many different IPC mechanisms, some of which require the use of temporary files and others of which do not. An example of an IPC mechanism that uses temporary files is the POSIX mmap() function. Berkeley Sockets, POSIX Local IPC Sockets, and System V Shared Memory do not require temporary files. Because the multiuser nature of shared directories poses an inherent security risk, the use of shared temporary files for IPC is discouraged.
...
- created with unpredictable file names,
- created with unique names,
- opened only if the file doesn't already exist (atomic open),
- opened with exclusive access,
- opened with appropriate permissions, and
- removed before the program exits.
The following table lists common temporary file functions and their respective conformance to these criteria:
...
| | tmpnam() | tmpnam_s() | tmpfile() | tmpfile_s() | mktemp() | mkstemp() |
|---|---|---|---|---|---|---|
| Unpredictable Name | Not portably | Yes | Not portably | Yes | Not portably | Not portably |
| Unique Name | Yes | Yes | Yes | Yes | Yes | Yes |
| Atomic Open | No | No | Yes | Yes | No | Yes |
| Exclusive Access | Possible | Possible | No | If supported by OS | Possible | If supported by OS |
| Appropriate Permissions | Possible | Possible | No | If supported by OS | Possible | Not portably |
| File Removed | No | No | Yes* | Yes* | No | No |
* If the program terminates abnormally, this behavior is implementation-defined.
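As an added example (not code from the CERT page), the following POSIX C function creates a temporary file that satisfies the criteria in the table: mkstemp() picks a unique name and performs the atomic O_CREAT|O_EXCL open, fchmod() and an fstat() check enforce owner-only permissions, and an immediate unlink() guarantees the file disappears when the last descriptor is closed. The directory name, the template prefix and the function name are assumptions; the caller is expected to pass a private (0700) directory, as the guideline requires.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create an anonymous temporary file inside `dir` (assumed private).
 * Returns an open read/write descriptor, or -1 on any failure. */
int create_private_tmpfile(const char *dir) {
    char path[4096];                      /* template must be writable */
    struct stat st;
    int fd;

    if (snprintf(path, sizeof path, "%s/tmp-XXXXXX", dir) >= (int)sizeof path) {
        return -1;                        /* directory name too long */
    }
    fd = mkstemp(path);                   /* unique name + atomic exclusive open */
    if (fd == -1) {
        return -1;
    }
    /* Older mkstemp() implementations may honour umask with 0666; force 0600. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) == -1) {
        close(fd); unlink(path); return -1;
    }
    /* Check the object we actually opened: regular file, owned by us,
     * no group/other bits, and not hard-linked elsewhere. */
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) || st.st_uid != geteuid() ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0 || st.st_nlink != 1) {
        close(fd); unlink(path); return -1;
    }
    /* Drop the name now: the file lives only as long as fd stays open,
     * so it is removed even if the program terminates abnormally. */
    if (unlink(path) == -1) {
        close(fd); return -1;
    }
    return fd;
}

int main(void) {
    char dir[] = "/tmp/private-XXXXXX";  /* constructed: a 0700 directory only we can enter */
    if (mkdtemp(dir) == NULL) { perror("mkdtemp"); return 1; }
    int fd = create_private_tmpfile(dir);
    if (fd == -1) { perror("create_private_tmpfile"); rmdir(dir); return 1; }
    (void)write(fd, "scratch data\n", 13);
    close(fd);                            /* last reference: the file is gone */
    rmdir(dir);
    return 0;
}
```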
...
The following noncompliant code example attempts to remedy the problem by generating the file name at runtime using tmpnam(). The C tmpnam() function generates a string that is a valid file name and that is not the same as the name of an existing file [ISO/IEC 9899:2011]. Files created using strings generated by the tmpnam() function are temporary in that their names should not collide with those generated by conventional naming rules for the implementation. The function is potentially capable of generating TMP_MAX different strings, but any or all of them may already be in use by existing files.
...
The TR 24731-1 tmpnam_s() function generates a string that is a valid file name and that is not the same as the name of an existing file [ISO/IEC TR 24731-1:2007]. It is almost identical to the tmpnam() function, except for an added maxsize argument for the supplied buffer.
...
Nonnormative text in TR 24731-1 [ISO/IEC TR 24731-1:2007] also recommends the following:
...
It should be possible to open at least TMP_MAX temporary files during the lifetime of the program. (This limit may be shared with tmpnam().) Section 7.21.4.4 of the C Standard [ISO/IEC 9899:2011] allows the value of the macro TMP_MAX to be as small as 25.
...
It should be possible to open at least TMP_MAX_S temporary files during the lifetime of the program. (This limit may be shared with tmpnam_s().) The value of the macro TMP_MAX_S is only required to be 25 [ISO/IEC TR 24731-1:2007].
...
This compliant solution invokes the user-defined function secure_dir() (such as the one defined in FIO15-C. Ensure that file operations are performed in a secure directory) to ensure the temporary file resides in a secure directory.
...
| Tool | Version | Checker | Description |
|---|---|---|---|
| Compass/ROSE | | | Can detect violations of this recommendation. Specifically, Rose reports use of |
| Coverity | 6.5 | SECURE_TEMP | Fully implemented. |
| | | 489 S | Partially implemented. |
| PRQA QA-C | | warncall tmpnam, tmpfile, mktemp, tmpnam_s | Partially implemented. |
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
...
...
...
...
| ISO/IEC PDTR 24772 | "EWR Path traversal" |
| ISO/IEC TR 24731-1:2007 | Section 6.5.1.1, "The tmpfile_s Function," Section 6.5.1.2, "The tmpnam_s Function," Section 6.5.2.1, "The fopen_s Function" |
| ISO/IEC TR 24772:2013 | Path Traversal [EWR] |
| MITRE CWE | CWE-379, Creation of temporary file in directory with insecure permissions |
...
Bibliography
...
...
| | open() |
| [Seacord 2005a] | Chapter 3, "Pointer Subterfuge"; Chapter 7, "File I/O" |
| [Viega 2003] | Section 2.1, "Creating Files for |
...
...