This weakness occurs when software fails to properly hand off control of a resource—such as a file handle, memory buffer, or database connection—between…
This weakness occurs when software fails to properly hand off control of a resource—such as a file handle, memory buffer, or database connection—between different security contexts or privilege levels. The result is that a resource intended for one user, process, or privilege level becomes accessible to another, potentially exposing sensitive data or allowing unauthorized operations.
02How It Happens
Resources in modern software are often shared across different "spheres"—contexts with different trust levels or ownership. A file handle opened by a privileged process, a memory buffer allocated in kernel space, or a database connection established by an administrator may need to be transferred to or accessed by user-level code. If the transfer mechanism doesn't properly validate ownership, clear permissions, or reset state, the receiving context may inherit unintended access rights. This commonly happens when:
- A parent process passes a file descriptor to a child process without restricting its use.
- A privileged operation creates a temporary resource (file, socket, shared memory) that a lower-privileged user can then access.
- State or permissions attached to a resource are not properly cleared or re-validated when ownership changes.
- A resource is shared between threads or processes without synchronization or access control checks.
03Real-World Impact
Incorrect resource transfer can lead to privilege escalation, where a low-privileged user gains access to data or capabilities intended only for administrators. It may also result in information disclosure if a resource containing sensitive data is inadvertently made readable by unauthorized processes. In multi-tenant environments, this weakness can allow one tenant to access another tenant's files or connections. The severity depends on what resource is transferred and what data or operations it controls.
04Vulnerable & Fixed Patterns
Vulnerable pattern
import os
import tempfile
# Parent process creates a temporary file with sensitive data
temp_file = tempfile.NamedTemporaryFile(mode='w', delete=False)
temp_file.write("SECRET_API_KEY=abc123xyz")
temp_file.close()
# Child process (spawned with lower privileges) inherits file descriptor
child_pid = os.fork()
if child_pid == 0:
# Child can read the file without explicit permission check
with open(temp_file.name, 'r') as f:
print(f.read()) # Reads parent's sensitive data
os.unlink(temp_file.name)
Why it's vulnerable: The parent process creates a file with sensitive data and the child process inherits access to it without any validation that the child should be allowed to read it. No permission checks or state clearing occur during the transfer.
Fixed pattern
import os
import tempfile
import stat
# Parent process creates a temporary file with restrictive permissions
temp_file = tempfile.NamedTemporaryFile(mode='w', delete=False)
temp_file.write("SECRET_API_KEY=abc123xyz")
temp_file.close()
# Restrict file to owner only (0o600 = rw-------)
os.chmod(temp_file.name, stat.S_IRUSR | stat.S_IWUSR)
# Child process spawned; parent explicitly closes sensitive file descriptor
child_pid = os.fork()
if child_pid == 0:
# Child cannot read the file due to permissions
try:
with open(temp_file.name, 'r') as f:
print(f.read())
except PermissionError:
print("Access denied")
else:
# Parent cleans up
os.waitpid(child_pid, 0)
os.unlink(temp_file.name)
Vulnerable pattern
<?php
// Privileged script creates a temporary file with database credentials
$temp_file = tempnam(sys_get_temp_dir(), 'config_');
file_put_contents($temp_file, "DB_USER=admin\nDB_PASS=secret123");
// File is world-readable by default (mode 0666 on many systems)
// A lower-privileged web process or another user can read it
$creds = file_get_contents($temp_file);
echo $creds; // Unintended access to credentials
?>
Why it's vulnerable: The temporary file is created with default permissions that allow any process on the system to read it. No access control is enforced when the resource is transferred or accessed by other processes.
Fixed pattern
<?php
// Privileged script creates a temporary file with restrictive permissions
$temp_file = tempnam(sys_get_temp_dir(), 'config_');
file_put_contents($temp_file, "DB_USER=admin\nDB_PASS=secret123");
// Explicitly set permissions to owner-only (0600)
chmod($temp_file, 0600);
// Verify permissions before use
$perms = fileperms($temp_file) & 0777;
if ($perms !== 0o600) {
die("File permissions are incorrect; aborting.");
}
// Only the owner can read this file
$creds = file_get_contents($temp_file);
unlink($temp_file);
?>
05Prevention Checklist
Validate ownership and permissions before transferring or accessing any resource; do not assume inherited access is correct.
Use explicit access control lists (ACLs) or file permissions to restrict resource access to intended users or processes only.
Clear or reset resource state when ownership or context changes; do not carry over permissions or cached data from the previous owner.
Minimize resource sharing across privilege boundaries; prefer creating separate resources for each context rather than sharing one.
Use OS-level isolation (e.g., separate user accounts, containers, or sandboxes) to enforce sphere separation at the system level.
Audit resource creation and transfer in code review and testing; trace the lifecycle of sensitive resources across process and privilege boundaries.
06Signs You May Already Be Affected
Check system logs and file permissions for unexpected access patterns: temporary files in shared directories with overly permissive modes (e.g., world-readable config files), processes accessing files they should not own, or privilege escalation attempts involving temporary resources. Review process inheritance and file descriptor passing in your codebase; if child processes inherit file handles or resources from parents without explicit permission validation, this weakness may be present.