...
The tmpfile() function may not be compliant with TMP33-C (Temporary files must be removed before the program exits) for implementations where the temporary file is not removed if the program terminates abnormally.
...
Compliant Solution: mkstemp() (POSIX)
A reasonably secure solution for generating random file names is to use the mkstemp() function. The mkstemp() function is available on systems that support the Open Group Base Specifications Issue 4, Version 2 or later. A call to mkstemp() replaces the six Xs in the template string with six randomly selected characters:
```c
#include <stdlib.h>

char template[] = "/tmp/fileXXXXXX"; /* the trailing six Xs are replaced in place */
int fd;
if ((fd = mkstemp(template)) == -1) {
  /* handle error condition */
}
```
The mkstemp() algorithm for selecting filenames has proven to be immune to attacks.
```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

char sfn[] = "/tmp/ed.XXXXXX"; /* mkstemp() overwrites the six Xs in place */
FILE *sfp;
int fd = -1;

if ((fd = mkstemp(sfn)) == -1 || (sfp = fdopen(fd, "w+")) == NULL) {
  if (fd != -1) {
    unlink(sfn);
    close(fd);
  }
  /* handle error condition; do not fall through to the code below */
}
unlink(sfn); /* unlink immediately: the file vanishes once the last descriptor is closed */
/* use temporary file through sfp */
fclose(sfp); /* also closes the underlying descriptor fd, so no separate close(fd) */
```
The Open Group Base Specification Issue 6 [Open Group 04] does not specify the mode and permissions the file is created with, so these are implementation-defined.
Implementation Details
For glibc versions 2.0.6 and earlier, the file is created with mode read/write and permissions 0666; for glibc versions 2.0.7 and later, the file is created with permissions 0600. On NetBSD the file is opened with mode read/write and permissions 0600.
In many older implementations, the name is a function of process ID and time, so it is possible for the attacker to guess it and create a decoy in advance. FreeBSD has recently changed the mk*temp() family to get rid of the PID component of the filename and replace the entire thing with base-62 encoded randomness. This raises the number of possible temporary files for the typical use of 6 Xs significantly, meaning that even mktemp() with 6 Xs is reasonably (probabilistically) secure against guessing, except under very frequent usage [Kennaway 00].
Compliant Solution: tmpfile_s() (ISO/IEC TR 24731-1)
The ISO/IEC TR 24731-1 function tmpfile_s() creates a temporary binary file that is different from any other existing file and that is automatically removed when it is closed or at program termination. If the program terminates abnormally, whether an open temporary file is removed is implementation-defined.

The file is opened for update with "wb+" mode, which means "truncate to zero length or create binary file for update." To the extent that the underlying system supports the concepts, the file is opened with exclusive (non-shared) access and has a file permission that prevents other users on the system from accessing the file.

It should be possible to open at least TMP_MAX_S temporary files during the lifetime of the program (this limit may be shared with tmpnam_s()). The value of the macro TMP_MAX_S is only required to be 25 by ISO/IEC TR 24731-1.

The tmpfile_s() function is available on systems that support ISO/IEC TR 24731-1 (e.g., Microsoft Visual Studio 2005).
```c
#define __STDC_WANT_LIB_EXT1__ 1 /* request the TR 24731-1 interfaces */
#include <stdio.h>

FILE *file_ptr;
/* ... */
if (tmpfile_s(&file_ptr) != 0) { /* nonzero return (errno_t) means failure */
  /* Handle Error */
}
/* ... */
```
The tmpfile_s() function may not be compliant with TMP33-C (Temporary files must be removed before the program exits) for implementations where the temporary file is not removed if the program terminates abnormally.
...
Risk Assessment
A protected system file to which the symbolic link points can be overwritten when a vulnerable program is executed.
...