Spotting /tmp related vulnerabilities with TmpWatcher

Did you know that misuse of the /tmp directory is one of the most common security flaws? If you search MITRE's CVE list for the keyword “tmp”, you’ll find a plethora of vulnerabilities (529 at the time of this writing). Because /tmp is a world-writable directory, applications need to be very careful about how they create and use files in /tmp. Unfortunately, many developers are unaware that improper use of /tmp can lead to symlink race, TOCTOU, information disclosure, privilege escalation, and denial-of-service vulnerabilities.

Simple solution to a complex problem

There are many open source projects that continue to use /tmp in an unsafe way. As members of the open source community, we have the opportunity to find and report these types of vulnerabilities. TmpWatcher was created to discover more of them in less time: it watches for misuse of the /tmp directory, which can lead to many different kinds of security vulnerabilities.

There are two ways to find vulnerabilities caused by the misuse of /tmp. The first is to read source code and search for code that creates files in /tmp. By evaluating this code, you can determine whether or not temporary files are created safely. This approach has the drawback of being somewhat time-consuming. The second way to find these vulnerabilities is to develop a heuristic that will identify unsafe usage of /tmp at runtime. TmpWatcher takes the latter approach.
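To make the source-review approach concrete, here is an added example (not TmpWatcher's code) showing the two temporary-file patterns a reviewer looks for side by side: a fixed, predictable name opened without O_EXCL and made world-writable, and the hardened form using mkstemp. The functions take a directory argument so the example runs against a scratch directory rather than the real /tmp; the file name "app.tmp" and the prefix "app-" are made up for the example.

```python
"""Added example, not part of TmpWatcher: the unsafe and the safe way to create
a temporary file, plus the o+w check that a runtime heuristic would apply."""
import os
import stat
import tempfile


def create_temp_unsafe(directory: str) -> str:
    """The pattern a source review flags: predictable name, O_CREAT without
    O_EXCL (an existing file or symlink at that path is silently followed),
    and an explicit chmod that leaves the file world-writable whatever the
    umask is. This is the shape behind the symlink-race and TOCTOU reports."""
    path = os.path.join(directory, "app.tmp")                      # predictable name
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)  # no O_EXCL
    os.chmod(path, 0o666)                                            # o+w regardless of umask
    os.close(fd)
    return path


def create_temp_safe(directory: str) -> str:
    """The hardened form: mkstemp chooses an unpredictable name, opens it with
    O_CREAT|O_EXCL so a pre-existing file or symlink makes the call fail
    instead of being followed, and creates it mode 0600 independent of umask."""
    fd, path = tempfile.mkstemp(prefix="app-", dir=directory)
    os.close(fd)
    return path


def is_world_writable(path: str) -> bool:
    """True when the entry's o+w bit is set (TmpWatcher's default alert
    condition). lstat is used so a symlink's own mode is not mistaken for
    the target's."""
    return bool(stat.S_IMODE(os.lstat(path).st_mode) & stat.S_IWOTH)


def run_demo() -> dict:
    """Create both files in a scratch directory (constructed stand-in for
    /tmp) and report what the permission check sees."""
    with tempfile.TemporaryDirectory() as scratch:
        bad = create_temp_unsafe(scratch)
        good = create_temp_safe(scratch)
        return {
            "unsafe_name": os.path.basename(bad),
            "unsafe_world_writable": is_world_writable(bad),
            "safe_world_writable": is_world_writable(good),
            "safe_mode": stat.S_IMODE(os.stat(good).st_mode),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=", value if not isinstance(value, int) or isinstance(value, bool) else oct(value))
```

Only the first function would trip the o+w check; the second creates a 0600 file with a name an attacker cannot guess, which is exactly what a reviewer wants to see in place of a hard-coded /tmp path.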

An efficient way to spot vulnerabilities

One of the most exciting things about open source software is that it gives everyone the opportunity to contribute. A great way to contribute to open source projects is by discovering and reporting security vulnerabilities. TmpWatcher monitors /tmp in real time and watches for files or directories with world-writable permissions (o+w). When files with insecure permissions in /tmp are detected, an alert is logged. As you go about your daily activities, you’ll be notified if an application you’re using makes unsafe use of /tmp. You can take note of what application you were using at the time of the alert and, at your leisure, investigate the alert and report it to the application’s developers.

Get it working

Using TmpWatcher is as easy as installing the tmpwatcher snap and running it:

$ sudo snap install tmpwatcher
$ tmpwatcher

You can test that tmpwatcher is working properly by creating a directory with world-writable permissions in /tmp:

$ mkdir --mode=0777 /tmp/test_dir

In some cases, a user’s umask will help to mitigate potential vulnerabilities caused by unsafe usage of /tmp. On Ubuntu, for example, the default umask is 002, which causes the o+w bit to be unset. As a result, potential vulnerabilities may fly under TmpWatcher’s radar. To combat this, you can cast a wider net by invoking TmpWatcher with the --perms-mask argument:

$ tmpwatcher --perms-mask 077
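The permission heuristic behind both the default o+w alert and the --perms-mask option can be written in a few lines. The following is an added example (not TmpWatcher's own implementation, and a one-shot directory scan rather than the real-time watch TmpWatcher performs) that builds a small constructed sample tree, scans it with the default mask 002 and with the wider mask 077, and formats hits as syslog-style lines. The sample entry names, the "tmpwatch-demo" tag and the function names are assumptions made for the example.

```python
"""Added example, not TmpWatcher's code: a one-shot version of the
"entries whose permission bits intersect a mask" heuristic."""
import os
import stat
import tempfile
import time


def insecure_entries(root: str, perms_mask: int = 0o002, recursive: bool = False):
    """Return sorted (path, mode) pairs for entries under root whose permission
    bits intersect perms_mask. The default 0o002 is the o+w bit (TmpWatcher's
    default alert condition); 0o077 corresponds to --perms-mask 077 and flags
    any group or other permission, catching what a 002 umask would hide."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                 # lstat: never follow symlinks in /tmp
            if stat.S_ISLNK(st.st_mode):
                continue                        # a symlink's own mode is always 0777
            mode = stat.S_IMODE(st.st_mode)
            if mode & perms_mask:
                hits.append((path, mode))
        if not recursive:
            break                               # top-down walk: first entry is root
    return sorted(hits)


def format_alert(path: str, mode: int) -> str:
    """Syslog-style alert line, the shape a central collector would receive."""
    return "%s tmpwatch-demo: insecure permissions %04o on %s" % (
        time.strftime("%Y-%m-%dT%H:%M:%S"), mode, path)


def build_sample_tree(root: str) -> None:
    """Constructed sample contents (not captured from a real /tmp). Modes are
    set with chmod so the process umask does not alter the experiment."""
    os.mkdir(os.path.join(root, "test_dir"))
    os.chmod(os.path.join(root, "test_dir"), 0o777)   # the mkdir --mode=0777 test above
    os.mkdir(os.path.join(root, "nested"))
    os.chmod(os.path.join(root, "nested"), 0o700)
    for rel, mode in (("nested/scratch", 0o666), ("private", 0o600), ("shared", 0o640)):
        path = os.path.join(root, rel)
        with open(path, "w"):
            pass
        os.chmod(path, mode)


def scan_sample() -> dict:
    """Run the three scans the post's options correspond to and return the
    relative paths each one flags."""
    with tempfile.TemporaryDirectory() as root:      # stand-in for /tmp
        build_sample_tree(root)
        rel = lambda hits: [os.path.relpath(p, root) for p, _ in hits]
        return {
            "default": rel(insecure_entries(root)),                         # o+w only
            "wide": rel(insecure_entries(root, perms_mask=0o077)),          # --perms-mask 077
            "recursive": rel(insecure_entries(root, recursive=True)),       # walk subdirectories
        }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for path, mode in insecure_entries(root, perms_mask=0o077, recursive=True):
            print(format_alert(path, mode))
```

With the default mask only test_dir (0777) is reported; the 077 mask additionally reports the group-readable file, and the recursive scan reaches the 0666 file inside the subdirectory. The lstat and symlink skip matter in a world-writable directory: following a link placed there by another user would make the scanner itself the kind of /tmp consumer the post is warning about.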

TmpWatcher provides a number of options which allow you to watch directories other than /tmp, watch directories recursively, specify a config file, and run as a daemon. In addition, TmpWatcher can be configured to send alerts to a syslog server so that alerts from multiple systems can all be viewed in one place.

Are you interested in vulnerability research? Are you a software developer who wants to check their software for misuse of the /tmp directory? Give TmpWatcher a try!

For more information about TmpWatcher, see TmpWatcher’s home page on GitHub or check it out in the Snap Store.
