Comment: Fixed a few typos.

...

Privileged programs that create temporary files in world-writable directories can be exploited to overwrite protected system files. An attacker who can predict the name of a file created by a privileged program can create a symbolic link (with the same name as the file used by the program) to point to a protected system file. Unless the privileged program is coded securely, the program will follow the symbolic link instead of opening or creating the file that it is supposed to be using. As a result, a protected system file to which the symbolic link points can be overwritten when the program is executed \[[HP 03|AA. References#HPBibliography#HP 03]\]. Unprivileged programs can be similarly exploited to overwrite protected user files.

...

Exclusive access grants unrestricted file access to the locking process while denying access to all other processes, and it eliminates the potential for a race condition on the locked region (see \[[Seacord 05a|AA. References#SeacordBibliography#Seacord 05a]\] Chapter 7).

Files, or regions of files, can be locked to prevent two processes from concurrent access. Windows supports two types of file locks:

...

The following noncompliant code example attempts to remedy the problem by generating the file name at runtime using {{tmpnam()}}. The C99 {{tmpnam()}} function generates a string that is a valid file name and that is not the same as the name of an existing file \[[ISO/IEC 9899:1999|AA. References#ISOBibliography#ISO/IEC 9899-1999]\]. Files created using strings generated by the {{tmpnam()}} function are temporary in that their names should not collide with those generated by conventional naming rules for the [implementation|BB. Definitions#implementation]. The function is potentially capable of generating {{TMP_MAX}} different strings, but any or all of them may already be in use by existing files. Generating the name and creating the file also remain two separate steps, so an attacker who can predict the name can still create a file or symbolic link at it in between.

...

This next noncompliant code example attempts to remedy the problem by using the POSIX {{open()}} function and providing a mechanism to indicate whether an existing file has been opened for writing or a new file has been created \[[Open Group 04|AA. References#OpenBibliography#Open Group 04]\]. If the {{O_CREAT}} and {{O_EXCL}} flags are used together, {{open()}} fails when the file specified by {{file_name}} already exists; POSIX also requires it to fail with {{EEXIST}} when {{file_name}} is a symbolic link, regardless of what the link points to, so a planted link is refused rather than followed. To prevent an existing file from being opened and truncated, include both {{O_CREAT}} and {{O_EXCL}} when calling {{open()}}.
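The symbolic-link attack described at the top of this page and the {{O_CREAT}}/{{O_EXCL}} behavior described in the preceding paragraph, played out side by side as an added example (this is illustration code written for this page, not code from the original rule or from any standard). It builds a private {{mkdtemp()}} directory, writes a "protected" file with constructed sample contents, plants a symlink at a guessable temporary-file name, and then opens that name once with {{O_CREAT|O_TRUNC}} and once with {{O_CREAT|O_EXCL}}; the file names, contents and scratch directory are all assumptions of the example:

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sample data: what the protected file holds, and what the
 * victim program writes into what it believes is its own temporary file. */
#define VICTIM_DATA  "important configuration\n"
#define SCRATCH_DATA "scratch\n"

/* Outcomes of run_scenario(). */
enum { SCENARIO_ERROR = -1, SCENARIO_CLOBBERED = 1, SCENARIO_REFUSED = 2 };

static int write_all(int fd, const char *data, size_t n) {
    while (n > 0) {
        ssize_t w = write(fd, data, n);
        if (w <= 0) return -1;
        data += w;
        n -= (size_t)w;
    }
    return 0;
}

/* Return 1 if 'path' still holds exactly VICTIM_DATA, 0 otherwise. */
static int victim_intact(const char *path) {
    char buf[sizeof VICTIM_DATA];
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf);
    close(fd);
    return n == (ssize_t)(sizeof VICTIM_DATA - 1) &&
           memcmp(buf, VICTIM_DATA, sizeof VICTIM_DATA - 1) == 0;
}

/* Play the attack from the text inside a private mkdtemp() directory:
 *   1. a protected file exists;
 *   2. the attacker plants a symlink at the predictable temporary name;
 *   3. the victim program opens that name with 'open_flags' and writes.
 * Returns SCENARIO_CLOBBERED if the protected file was overwritten,
 * SCENARIO_REFUSED if open() failed with EEXIST and the file is intact,
 * SCENARIO_ERROR if the scenario could not be set up. */
static int run_scenario(int open_flags) {
    char dir[] = "/tmp/fio43-demo-XXXXXX", alt[] = "fio43-demo-XXXXXX";
    char victim[128], tmpname[128];
    int result = SCENARIO_ERROR, fd, ok;

    char *sandbox = mkdtemp(dir);
    if (sandbox == NULL) sandbox = mkdtemp(alt);    /* fall back to cwd */
    if (sandbox == NULL) return SCENARIO_ERROR;
    snprintf(victim, sizeof victim, "%s/protected.conf", sandbox);
    snprintf(tmpname, sizeof tmpname, "%s/prog.tmp", sandbox); /* guessable */

    /* Step 1: the protected file. */
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd < 0) goto cleanup;
    ok = write_all(fd, VICTIM_DATA, sizeof VICTIM_DATA - 1);
    close(fd);
    if (ok != 0) goto cleanup;

    /* Step 2: the attacker's move. */
    if (symlink(victim, tmpname) != 0) goto cleanup;

    /* Step 3: the victim program "creates" its temporary file. */
    fd = open(tmpname, open_flags, S_IRUSR | S_IWUSR);
    if (fd >= 0) {
        write_all(fd, SCRATCH_DATA, sizeof SCRATCH_DATA - 1);
        close(fd);
        if (!victim_intact(victim)) result = SCENARIO_CLOBBERED;
    } else if (errno == EEXIST && victim_intact(victim)) {
        result = SCENARIO_REFUSED;
    }

cleanup:
    unlink(tmpname);      /* removes the link itself, not its target */
    unlink(victim);
    rmdir(sandbox);
    return result;
}

int main(void) {
    int naive = run_scenario(O_WRONLY | O_CREAT | O_TRUNC);
    int excl  = run_scenario(O_WRONLY | O_CREAT | O_EXCL);
    printf("O_CREAT|O_TRUNC: %s\n", naive == SCENARIO_CLOBBERED
           ? "followed the symlink and overwrote the protected file"
           : "protected file survived");
    printf("O_CREAT|O_EXCL : %s\n", excl == SCENARIO_REFUSED
           ? "open() failed with EEXIST, protected file intact"
           : "unexpected result");
    return 0;
}
```

The scratch directory is created with {{mkdtemp()}} (mode 0700, not shared), so the symlink is followed purely because of the flags the victim passes, not because of any sticky-directory protection the kernel may or may not apply. Note that {{O_EXCL}} only turns the overwrite into a failed {{open()}}; with a predictable name an attacker can still force that failure, which is why the later compliant solutions generate the name randomly.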

...

Care should be observed when using {{O_EXCL}} with remote file systems, as it does not work with NFS version 2. NFS version 3 added support for exclusive creation; see IETF RFC 1813 \[[Callaghan 95|AA. References#CallaghanBibliography#Callaghan 95]\], in particular the {{EXCLUSIVE}} value of the {{mode}} argument to the {{CREATE}} procedure.

Moreover, the {{open()}} function, as specified by the Open Group Base Specifications Issue 6 \[[Open Group 04|AA. References#OpenBibliography#Open Group 04]\], does not include support for shared or exclusive locks. However, BSD systems support two additional flags that allow you to obtain these locks:

...

The TR 24731-1 {{tmpnam_s()}} function generates a string that is a valid file name and that is not the same as the name of an existing file \[[ISO/IEC TR 24731-1:2007|AA. References#ISOBibliography#ISO/IEC TR 24731-1-2007]\]. It is almost identical to the {{tmpnam()}} function except for an added {{maxsize}} argument giving the size of the supplied buffer.

...

It should be possible to open at least {{TMP_MAX}} temporary files during the lifetime of the program (this limit may be shared with {{tmpnam()}}). C99, Section 7.19.4.4, allows for the value of the macro {{TMP_MAX}} to be as small as 25 \[[ISO/IEC 9899:1999|AA. References#ISOBibliography#ISO/IEC 9899-1999]\].

Most historic implementations provide only a limited number of possible temporary file names (usually 26) before file names are recycled.

...

It should be possible to open at least {{TMP_MAX_S}} temporary files during the lifetime of the program (this limit may be shared with {{tmpnam_s()}}). The value of the macro {{TMP_MAX_S}} is only required to be 25 \[[ISO/IEC TR 24731-1:2007|AA. References#ISOBibliography#ISO/IEC TR 24731-1-2007]\].

TR 24731-1 notes the following regarding the use of {{tmpfile_s()}} instead of {{tmpnam_s()}} \[[ISO/IEC TR 24731-1:2007|AA. References#ISOBibliography#ISO/IEC TR 24731-1-2007]\]:

After a program obtains a file name using the tmpnam_s function and before the program creates a file with that name, the possibility exists that someone else may create a file with that same name. To avoid this race condition, the tmpfile_s function should be used instead of tmpnam_s when possible. One situation that requires the use of the tmpnam_s function is when the program needs to create a temporary directory rather than a temporary file.

...

The Open Group Base Specification Issue 6 \[[Open Group 04|AA. References#OpenBibliography#Open Group 04]\] does not specify the permissions the file is created with, so these are [implementation-defined|BB. Definitions#implementation-defined behavior]. However, Issue 7 (POSIX.1-2008) specifies them as {{S_IRUSR\|S_IWUSR}} (0600) \[[Austin Group 08|AA. References#AustinBibliography#Austin Group 08]\].

This compliant solution invokes the user-defined function {{secure_dir()}} (such as the one defined in [FIO15-C. Ensure that file operations are performed in a secure directory]) to ensure the temporary file resides in a secure directory.
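Because the created mode is implementation-defined on Issue 6 systems, a practitioner will want to verify it on the descriptor actually returned by {{mkstemp()}} rather than trust the specification. The following is an added example written for this page (not the rule's compliant solution, and it does not define {{secure_dir()}}; it works in a fresh {{mkdtemp()}} directory instead of a checked shared one). It creates a file with {{mkstemp()}}, inspects it with {{fstat()}} on the open descriptor so that no second path lookup reopens the race, and then loosens a second file to 0644 with {{fchmod()}} to show the check rejecting it; the file-name template and the 0644 comparison file are assumptions of the example:

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a temporary file with mkstemp() inside 'dir'. The generated name is
 * written to 'path' (size 'len') and the open descriptor is returned, or -1.
 * mkstemp() opens with O_RDWR|O_CREAT|O_EXCL, so a symlink or file planted
 * at the chosen name makes it fail or pick another name rather than follow it. */
static int create_private_tmp(const char *dir, char *path, size_t len) {
    int n = snprintf(path, len, "%s/fio43-XXXXXX", dir);
    if (n < 0 || (size_t)n >= len) return -1;
    return mkstemp(path);
}

/* Check the descriptor we actually hold, not the path name (stat()ing the
 * name again would open a second race window): regular file, a single link,
 * owned by the effective user, and mode exactly 0600. Issue 7 promises 0600
 * for mkstemp(); on an Issue 6 system the mode is implementation-defined and
 * this check is what tells you. The umask can only clear bits from 0600. */
static int fd_is_private_regular(int fd) {
    struct stat sb;
    if (fstat(fd, &sb) != 0) return 0;
    return S_ISREG(sb.st_mode) &&
           sb.st_nlink == 1 &&
           sb.st_uid == geteuid() &&
           (sb.st_mode & (S_IRWXU | S_IRWXG | S_IRWXO)) == (S_IRUSR | S_IWUSR);
}

/* Driver: work in a fresh mkdtemp() directory (mode 0700, so not shared),
 * create one file with mkstemp() and a second whose mode is loosened with
 * fchmod() to 0644. Returns 0 when the first passes the check and the second
 * fails it; a negative code identifies the step that went wrong. */
static int demo_mkstemp_check(void) {
    char dir[] = "/tmp/fio43-mkstemp-XXXXXX", alt[] = "fio43-mkstemp-XXXXXX";
    char good[128], loose[128];
    int rc = -2, gfd = -1, lfd = -1;

    char *sandbox = mkdtemp(dir);
    if (sandbox == NULL) sandbox = mkdtemp(alt);     /* fall back to cwd */
    if (sandbox == NULL) return -1;

    gfd = create_private_tmp(sandbox, good, sizeof good);
    lfd = create_private_tmp(sandbox, loose, sizeof loose);
    if (gfd < 0 || lfd < 0) goto cleanup;
    if (strstr(good, "XXXXXX") != NULL) { rc = -3; goto cleanup; } /* template unfilled */
    if (!fd_is_private_regular(gfd)) { rc = -4; goto cleanup; }   /* mkstemp() file must pass */
    if (fchmod(lfd, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) != 0) { rc = -5; goto cleanup; }
    if (fd_is_private_regular(lfd)) { rc = -6; goto cleanup; }    /* 0644 file must be rejected */
    rc = 0;

cleanup:
    if (gfd >= 0) { close(gfd); unlink(good); }
    if (lfd >= 0) { close(lfd); unlink(loose); }
    rmdir(sandbox);
    return rc;
}

int main(void) {
    int rc = demo_mkstemp_check();
    printf("mkstemp() descriptor check: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

The {{st_nlink == 1}} and ownership tests are what distinguish a file this process just created from a pre-existing hard link or someone else's file that happened to have the same name; both are conditions a path-based check after the fact could not establish without reintroducing the race.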

...

In many older [implementations|BB. Definitions#implementation], the name is a function of process ID and time, so it is possible for the attacker to predict the name and create a decoy in advance. FreeBSD changed the {{mk*temp()}} family to eliminate the PID component of the file name and replace the entire field with base-62 encoded randomness. This raises the number of possible temporary files for the typical use of six {{X}}'s to 62^6 (roughly 5.7 x 10^10), meaning that even {{mktemp()}} with six {{X}}'s is reasonably (probabilistically) secure against guessing, except under frequent usage \[[Kennaway 00|AA. References#KennawayBibliography#Kennaway 00]\].

Exceptions

FIO43-EX1: The TR 24731-1 {{tmpfile_s()}} function can be used if all the targeted implementations create temporary files in secure directories.

...

\[[Austin Group 08|AA. References#AustinBibliography#Austin Group 08]\]
\[[HP 03|AA. References#HPBibliography#HP 03]\]
\[[ISO/IEC 9899:1999|AA. References#ISOBibliography#ISO/IEC 9899-1999]\] Section 7.19.4.4, "The {{tmpnam}} function," 7.19.4.3, "The {{tmpfile}} function," and Section 7.19.5.3, "The {{fopen}} function"
\[[ISO/IEC PDTR 24772|AA. References#ISOBibliography#ISO/IEC PDTR 24772]\] "EWR Path Traversal"
\[[ISO/IEC TR 24731-1:2007|AA. References#ISOBibliography#ISO/IEC TR 24731-1-2007]\] Section 6.5.1.2, "The {{tmpnam_s}} function," 6.5.1.1, "The {{tmpfile_s}} function," and Section 6.5.2.1, "The {{fopen_s}} function"
\[[Kennaway 00|AA. References#KennawayBibliography#Kennaway 00]\]
\[[MITRE 07|AA. References#MITREBibliography#MITRE 07]\] [CWE ID 379|http://cwe.mitre.org/data/definitions/379.html], "Creation of Temporary File in Directory with Insecure Permissions"
\[[Open Group 04|AA. References#OpenBibliography#Open Group 04]\] [{{mktemp()}}|http://www.opengroup.org/onlinepubs/009695399/functions/mktemp.html], [{{mkstemp()}}|http://www.opengroup.org/onlinepubs/009695399/functions/mkstemp.html], [{{open()}}|http://www.opengroup.org/onlinepubs/009695399/functions/open.html]
\[[Seacord 05a|AA. References#SeacordBibliography#Seacord 05a]\] Chapter 3, "File I/O", Chapter 7
\[[Viega 03|AA. References#ViegaBibliography#Viega 03]\] Section 2.1, "Creating Files for Temporary Use"
\[[Wheeler 03|AA. References#WheelerBibliography#Wheeler 03]\] [Chapter 7, "Structure Program Internals and Approach"|http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/avoid-race.html#TEMPORARY-FILES]

...