Page History

...

Programmers frequently create temporary files in directories that are writable by everyone; examples include /tmp and /var/tmp on POSIX and C:\TEMP on Windows. Files in such directories may be purged regularly, such as every night or during reboot. However, an attacker who has access to the local file system can exploit operations on files in shared directories when those files are created insecurely or remain accessible after use. For example, an attacker who can both predict the name of a temporary file and change or replace that file can exploit a (TOCTOU) race condition to cause a failure in creating the temporary file from within program code or to cause the program to operate on a file determined by the attacker. This exploit is particularly dangerous when the vulnerable program process is running with elevated privileges because the attacker can operate on any file accessible by the vulnerable process. On multiuser systems, a user can be tricked by an attacker into unintentionally operating on his or her own files. Consequently, temporary file management must comply with rule FIO00-J. Do not operate on files in shared directories.

Many programs that create temporary files attempt to give them unique and unpredictable file names. This is a common attempt at mitigating the risk of creating a file in an insecure or shared directory. If the file name is insufficiently unique or randompredictable, an attacker could guess or predict the name of the file to be created and could create a file link with the same name , the final target of which is a file selected by the attackerto a normally inaccessible file. However, when temporary files are created in a secure directory, an attacker cannot tamper with them, consequently. Consequently, the need for unpredictable names is eliminated.

...

Removing temporary files when they are no longer required allows file names and other resources (such as secondary storage) to be recycled. Each program is responsible for ensuring that temporary files are removed during normal operation. There is no surefire method that can guarantee the removal of orphaned files in the case of abnormal termination, even in the presence of a finally block, because the finally block may fail to execute. For this reason, many systems employ temporary file cleaner utilities to sweep temporary directories and remove old files. Such utilities can be invoked manually by a system administrator or can be periodically invoked by a system process. However, these utilities are themselves frequently vulnerable to file-based exploits and may require the use of secure directories.

Noncompliant Code Example

For this This and subsequent code examples, we will assume that the files are automatically being created in a secure directory in compliance with rule FIO00-J. Do not operate on files in shared directories. We will also assume the files and are created with proper access permissions , to compy in compliance with rule FIO01-J. Create files with appropriate access permissions. Both requirements may be managed outside the JVM.

...

class TempFile {
  public static void main(String[] args) throws IOException{
    File f = new File("tempnam.tmp");
    if (!f.exists()) {
      System.out.println("This file doesalready not existexists");
      return;
    }

    FileOutputStream fop = null;
    try {
      fop = new FileOutputStream(f);
      String str = "Data";
      fop.write(str.getBytes());
    } finally {
      if (fop != null) {
        try {
          fop.close();
        } catch (IOException x) {
          // handle error
        }
      }
    }
  }
}

...

This compliant solution creates a temporary file using several methods from Java SE 7's NIO NIO2 package. It uses the createTempFile() method, which creates an unpredictable name. (The actual method by which the name is created is implementation-defined and undocumented.) Additionally, the createTempFile() method will throw an exception if the file already exists. The file is opened using the try-with-resources construct, which automatically closes the file regardless of whether an exception occurs. Finally, the file is opened with the Java SE 7 DELETE_ON_CLOSE option, which removes the file automatically when it is closed.

...

• other IPC mechanisms such as sockets and remote procedure calls.
• the low-level Java Native Interface (JNI).
• memory-mapped files.
• threads to share heap data within the same JVM (applies to data sharing between Java processes only).
• a secure directory that can be accessed only by application instances, provided that multiple instances of the application running on the same platform avoid competing for the same files.

Risk Assessment

Failure to follow best practices while creating, using, and deleting remove temporary files before termination can lead to result in information leakage , misinterpretations, and alterations in control flowand resource exhaustion.

Related Guidelines

...

...