Creation of Temporary File With Insecure Permissions
This weakness occurs when a program creates a temporary file but fails to restrict access to it properly, leaving it readable or writable by other users on the…
This weakness occurs when a program creates a temporary file but fails to restrict access to it properly, leaving it readable or writable by other users on the same system. On multi-user systems, this can expose sensitive data or allow an attacker to tamper with files the application depends on, leading to data theft, privilege escalation, or application malfunction.
02How It Happens
Temporary files are often created to store intermediate data, session information, or working copies during processing. Developers sometimes create these files with default permissions inherited from the system umask, which may be overly permissive. Additionally, a race condition can occur between file creation and permission-setting: if the file is created world-readable and then permissions are tightened afterward, a malicious process running concurrently could read or modify the file in that window. On systems with multiple user accounts or shared hosting environments, this becomes a practical vulnerability.
03Real-World Impact
An attacker with local system access (or another user on a shared server) can read temporary files containing passwords, API keys, session tokens, or personal data. They may also replace a temporary file with malicious content before the application reads it, causing the application to execute unintended logic or process corrupted data. In privilege-escalation scenarios, a setuid program that creates world-writable temp files can be exploited to gain elevated access.
04Vulnerable & Fixed Patterns
Vulnerable pattern
import tempfile
import os
# Vulnerable: creates file with default permissions
temp_file = tempfile.mktemp(prefix="app_", suffix=".tmp")
with open(temp_file, 'w') as f:
f.write(sensitive_data)
# File is now readable by any user on the system
Why it's vulnerable: tempfile.mktemp() returns a filename but does not create the file securely. When the file is then created with open(), it inherits the system's default umask, which often allows other users to read it. Additionally, the race condition between name generation and file creation opens a window for symlink attacks.
Fixed pattern
import tempfile
import os
# Fixed: NamedTemporaryFile creates file with mode 0o600 (read/write owner only)
with tempfile.NamedTemporaryFile(mode='w', delete=False, prefix="app_", suffix=".tmp") as f:
temp_file = f.name
f.write(sensitive_data)
# File permissions are automatically restricted to owner only
# Clean up when done
os.unlink(temp_file)
Vulnerable pattern
<?php
// Vulnerable: creates temp file with default permissions
$temp_file = tempnam(sys_get_temp_dir(), "app_");
file_put_contents($temp_file, $sensitive_data);
// File may be readable by other web server processes or users
?>
Why it's vulnerable: tempnam() creates the file but does not guarantee restrictive permissions. On many systems, the resulting file is readable by the web server user and potentially other processes. If the temp directory is world-writable, an attacker can also predict or race the filename.
Fixed pattern
<?php
// Fixed: create temp file and explicitly set restrictive permissions
$temp_file = tempnam(sys_get_temp_dir(), "app_");
file_put_contents($temp_file, $sensitive_data);
// Explicitly set permissions to owner read/write only (0600)
chmod($temp_file, 0600);
// Clean up when done
unlink($temp_file);
?>
05Prevention Checklist
Use language-provided secure temp file functions (tempfile.NamedTemporaryFile() in Python, tempnam() + chmod() in PHP) that create files atomically with restricted permissions.
Never use mktemp() or equivalent functions that only generate a name without creating the file securely.
Always explicitly set file permissions to 0600 (owner read/write only) immediately after creation if the language does not do so automatically.
Store temporary files in a dedicated, non-world-writable directory (e.g., a private temp folder within the application's data directory) rather than relying on system temp directories.
Delete temporary files as soon as they are no longer needed; use context managers or try/finally blocks to ensure cleanup even if an error occurs.
On multi-user systems, run the application with the minimum required privileges and ensure the temp directory is owned by the application user.
06Signs You May Already Be Affected
Check your application logs for unexpected file access or modification errors related to temporary files. On Linux/Unix systems, examine the permissions of files in /tmp or your application's temp directory using ls -la — if you see temp files with permissions like 0644 or 0666, or if you find temp files owned by unexpected users, investigate further. Additionally, monitor for unusual process activity attempting to read or write files in your temp directory.