Potential file permissions issue (mkstemp)
Description
Some older Unix-like systems, `mkstemp` would create temp files with 0666 permissions, meaning the file created would be read/write access for all users. Ensure the process has called the `umask` function with restricted permissions prior to calling `mkstemp` and validate the permissions prior to using the file descriptor.
Examples
Insecure Code
c
fd = mkstemp(template);Secure Code
c
old_umask = umask(077); fd = mkstemp(template); umask(old_umask);Remediation
Call `umask` with restricted permissions before calling `mkstemp` and validate the permissions prior to using the file descriptor.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0617 |
| Category | AccessControl |
| Severity | MEDIUM |
| CWE | CWE-377 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | file permissions, temporary files |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |