Page History

...

This is a dangerous practice , because a well-known file in a shared directory can be easily hijacked or manipulated by an attacker. Mitigation strategies include the following:

...

There are many different interprocess communication mechanisms (IPC) mechanisms, some of which require the use of temporary files, while others do not. An example of an IPC mechanism that uses temporary files is the POSIX mmap() function. Berkeley Sockets, POSIX Local IPC Sockets, and System V Shared Memory do not require temporary files. Because the multiuser nature of shared directories poses an inherent security risk, the use of shared temporary files for IPC is discouraged.

...

Consequently, temporary files in shared directories must be:

1. created with unique and unpredictable file names,
2. opened with exclusive access,
3. removed before the program exits, and
4. opened with appropriate permissions.

...

Privileged programs that create temporary files in world-writable directories can be exploited to overwrite protected system files. An attacker who can predict the name of a file created by a privileged program can create a symbolic link (with the same name as the file used by the program) to point to a protected system file. Unless the privileged program is coded securely, the program will follow the symbolic link instead of opening or creating the file that it is supposed to be using. As a result, a protected system file to which the symbolic link points can be overwritten when the program is executed \[[HP 032003|AA. Bibliography#HP 03]\]. Unprivileged programs can be similarly exploited to overwrite protected user files.

...

Exclusive access grants unrestricted file access to the locking process while denying access to all other processes and eliminates the potential for a race condition on the locked region. (seeSee \[[Seacord 05a2005a|AA. Bibliography#Seacord 05]\] Chapter 7.).

Files, or regions of files, can be locked to prevent two processes from concurrent access. Windows supports two types of file locks:

...

Removing temporary files when they are no longer required allows file names and other resources (such as secondary storage) to be recycled. In the case of abnormal termination, there is no sure method that can guarantee the removal of orphaned files. For this reason, temporary file cleaner utilities, which are invoked manually by a system administrator or periodically run by a daemon to sweep temporary directories and remove old files, are widely used. However, these utilities are themselves vulnerable to file-based exploits and often require the use of shared directories. During normal operation, it is the responsibility of the program to ensure that temporary files are removed either explicitly or through the use of library routines, such as tmpfile_s, which guarantee temporary file deletion upon program termination.

...

The following noncompliant code example attempts to remedy the problem by generating the file name at runtime using {{tmpnam()}}.  The C99 {{tmpnam()}} function generates a string that is a valid file name, and that is not the same as the name of an existing file \[[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999]\]. Files created using strings generated by the {{tmpnam()}} function are temporary in that their names should not collide with those generated by conventional naming rules for the [implementation|BB. Definitions#implementation].  The function is potentially capable of generating {{TMP_MAX}} different strings, but any or all of them may already be in use by existing files.

...

This next noncompliant code example attempts to remedy the problem by using the POSIX {{open()}} function, and providing a mechanism to indicate whether an existing file has been opened for writing or a new file has been created \[[Open Group 042004|AA. Bibliography#Open Group 04]\]. If the {{O_CREAT}} and {{O_EXCL}} flags are used together, the {{open()}} function fails when the file specified by {{file_name}} already exists. To prevent an existing file from being opened and truncated, include the flags {{O_CREAT}} and {{O_EXCL}} when calling {{open()}}.

...

Care should be observed when using {{O_EXCL}} with remote file systems, asbecause it does not work with NFS version 2. NFS version 3 added support for {{O_EXCL}} mode in {{open()}}; see IETF RFC 1813 \[[Callaghan 951995|AA. Bibliography#Callaghan 95]\], in particularly the {{EXCLUSIVE}} value to the {{mode}} argument of {{CREATE}}.

Moreover, the {{open()}} function, as specified by the Open Group Base Specifications Issue 6 \[[Open Group 042004|AA. Bibliography#Open Group 04]\], does not include support for shared or exclusive locks. However, BSD systems support two additional flags that allow you to obtain these locks:

...

The TR 24731-1 {{tmpnam_s()}} function generates a string that is a valid file name and that is not the same as the name of an existing file \[[ISO/IEC TR 24731-1:2007|AA. Bibliography#SO/IEC TR 24731-1-2007]\]. It is almost identical to the {{tmpnam()}} function, except withfor an added {{maxsize}} argument for the supplied buffer.

...

It should be possible to open at least {{TMP_MAX}} temporary files during the lifetime of the program. (thisThis limit may be shared with {{tmpnam()}}.). C99, Section 7.19.4.4, allows for the value of the macro {{TMP_MAX}} to be as small as 25 \[[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999]\].

...

The ISO/IEC TR 24731-1 function tmpfile_s() creates a temporary binary file that is different from any other existing file, and that is automatically removed when it is closed or at program termination. If the program terminates abnormally, whether an open temporary file is removed is implementation-defined.

...

It should be possible to open at least {{TMP_MAX_S}} temporary files during the lifetime of the program. (thisThis limit may be shared with {{tmpnam_s()}}.).  The value of the macro {{TMP_MAX_S}} is only required to be 25 \[[ISO/IEC TR 24731-1:2007|AA. Bibliography#ISO/IEC TR 24731-1-2007]\].

...

The TR24731-1 tmpfile_s() function should not be used with implementations that create temporary files in shared directory, such as /tmp or C:, because the function does not allow the user to specify a directory in which the temporary file should be created.

...

This solution is not serially reusable, ; however, because the mkstemp() function replaces the "XXXXXX" in template the first time it is invoked. This is not a problem as long as template is reinitialized before calling mkstemp() again. If template is not reinitialized, the mkstemp() function will return -1 and leave template unmodified because template did not contain six X's.

The Open Group Base Specification Issue 6 \[[Open Group 042004|AA. Bibliography#Open Group 04]\] does not specify the permissions the file is created with, so these are [implementation-defined|BB. Definitions#implementation-defined behavior]. However, Issue 7 (POSIX.1-2008) specifies them as {{S_IRUSR\|S_IWUSR}} (0600) \[[Austin Group 082008|AA. Bibliography#Austin Group 08]\].

This compliant solution invokes the user-defined function secure_dir()} (such as the one defined in recommendation FIO15-C. Ensure that file operations are performed in a secure directory) to ensure the temporary file resides in a secure directory.

Implementation Details

For glibc versions GLIBC, Versions 2.0.6 and earlier, the file is created with permissions 0666; for glibc versions GLIBC, Versions 2.0.7 and later, the file is created with permissions 0600. On NetBSD, the file is created with permissions 0600. This creates a security risk in that an attacker will have write access to the file immediately after creation. Consequently, programs need a private version of the mkstemp() function in which this issue is known to be fixed.

In many older [implementations|BB. Definitions#implementation], the name is a function of process ID and time, so it is possible for the attacker to predict the name and create a decoy in advance.  FreeBSD changed the {{mk*temp()}} family to eliminate the PID component of the file name and replace the entire field with base-62 encoded randomness.  This raises the number of possible temporary files for the typical use of six {{X}}'s significantly, meaning that even {{mktemp()}} with six {{X}}'s is reasonably (probabilistically) secure against guessing, except under frequent usage \[[Kennaway 002000|AA. Bibliography#Kennaway 00]\].

...

FIO43-EX1: The TR24731-1 tmpfile_s() function can be used if all the targeted implementations create temporary files ; in secure directories.

Risk Assessment

...

The unlink() function doesn't follow symlinks, and doesn't really have much of an affect on hard links. So, I guess your options for attacking something like that would be:
*SIGSTOP or SIGTSTP it before the unlink, maybe unlink it yourself and wait (a while) until something created something with the same name, or try to use that name somehow. Probably not that useful, but maybe in a specific attack it could work with a lot of effort.
*You could sorta do a symlink attack with an intermediate path component, for example, if it was /tmp/tmp2/ed.XXXXXX, you could rm tmp2 and then symlink it to /etc or something. It would then rm /etc/ed.XXXXXX, but that probably wouldn't buy you much.

John McDonald

Automated Detection

...

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

Related Guidelines

CERT This rule appears in the C++ Secure Coding Standard as : FIO43-CPP. Do not create temporary files in shared directories.This rule appears in the Java

The CERT Oracle Secure Coding Standard as for Java: FIO07-J. Do not create temporary files in shared directories.

Bibliography

ISO/IEC 9899:1999 Section 7.19. Wiki Markup\[[Austin Group 08|AA. Bibliography#Austin Group 08]\] \[[HP 03|AA. Bibliography#HP 03]\] \[[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999]\] Section 7.19.4.4, "The {{tmpnam}} function," 7.19.4.3, "The {{tmpfile}} function," and Section 7.19.5.3, "The {{fopen}} function" \[[ISO/IEC PDTR 24772|AA. Bibliography#ISO

ISO/IEC PDTR 24772]\] "EWR Path Traversal" \[[

ISO/IEC TR 24731-1:2007|AA. Bibliography#ISO/IEC TR 24731-1-2007]\] Section 6.5.1.2, "The {{tmpnam_s}} function," 6.5.1.1, "The {{tmpfile_s}} function," and Section 6.5.2.1, "The {{ fopen_s function"

MITRE CWE: CWE ID 379, "Creation of Temporary File in Directory with Insecure Permissions"

Bibliography

\[[Austin Group 2008|AA. Bibliography#Austin Group 08}} function"
\[[Kennaway 00|AA. Bibliography#Kennaway 00]\]
\[[MITREHP 072003|AA. Bibliography#MITREBibliography#HP 0703]\] 
\[[CWEKennaway ID 379|http://cwe.mitre.org/data/definitions/379.html], "Creation of Temporary File in Directory with Insecure Permissions"2000|AA. Bibliography#Kennaway 00]\]
\[[Open Group 042004|AA. Bibliography#Open Group 04]\] [{{mktemp()}}|http://www.opengroup.org/onlinepubs/000095399/functions/mktemp.html], [{{mkstemp()}}|http://www.opengroup.org/onlinepubs/009695399/functions/mkstemp.html], [{{open()}}|http://www.opengroup.org/onlinepubs/009695399/functions/open.html]
\[[Seacord 05a2005a|AA. Bibliography#Seacord 05a]\] Chapter 3, "File I/O", Chapter 7
\[[Viega 032003|AA. Bibliography#Viega 03]\] Section 2.1, "Creating Files for Temporary Use"
\[[Wheeler 032003|AA. Bibliography#Wheeler 03]\] [Chapter 7, "Structure Program Internals and Approach"|http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/avoid-race.html#TEMPORARY-FILES]

...