Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

java equivalent for mkstemp

Tags:

java

Is there any way in Java to write out to a temporary file securely?

As far as I can tell, the only way to create a temporary file (createTempFile) does't actually open it at the same time, so there's a race condition between file open & file write. Am I missing something? I couldn't find the C source code behind createFileExclusively(String) in UnixFileSystem.java, but I doubt it can really do anything since the file open occurs in the Java code after the temp file is created (unless it tries to do something with file locks?).

The problem

Between when the temporary file is created & you open it, a malicious attacker could unlink that temporary file & put malicious stuff there. For example, an attacker could create a named pipe to read sensitive data. Or similarly if you eventually copy the file by reading it, then the named pipe could just ignore everything written & supply malicious content to be read.

I remember reading of numerous examples of temporary file attacks in the past 10+ years that exploit the race condition between when the name appears in the namespace and when the file is actually opened.

Hopefully a mitigating factor is that Java set's the umask correctly so a less-privileged user can't read/write to the file and typically the /tmp directory restricts permissions properly so that you can't perform an unlink attack.

Of course if you pass a custom directory for the temporary file that's owned by a less-privileged user who's compromised, the user could do an unlink attack against you. Hell, with inotify, it's probably even easier to exploit the race condition than just a brute force loop that does a directory listing.

like image 315
Vitali Avatar asked Apr 18 '12 01:04

Vitali

Video Answer

1 Answers

http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/

Java

use java.io.File.createTempFile() – some interesting info at http://www.veracode.com/blog/2009/01/how-boring-flaws-become-interesting/

for directories there is a helpful posting at How to create a temporary directory/folder in Java?

Java 7

for files use java.io.File.createTempFile()

for directories use createTempDirectory()

http://docs.oracle.com/javase/7/docs/api/java/nio/file/Files.html

like image 106
Kurt Avatar answered Oct 15 '22 06:10

Kurt
Sign in to Comment

Related questions

Java client to WCF service interop with mutual certificate - Cannot resolve KeyInfo for verifying signature
Using a stack to traverse and solve a maze - Java
Can I demultiplex streams?
Apache POI - Docx output issue
Java, JFileChooser & Windows Network Shares WITH Password Protection
RestEasy - UnsupportedMediaTypeException: Cannot consume content type
Interface I cannot be implemented more than once with different arguments: I<String> and I<String>
Why is there a server-side limit on the length of a URL?
How can I store the inverted document index on a disk?
Converting from a Euler ZXZ rotation, to fixed axis XYZ rotations
Java Sound refresh Lines list after attaching a microphone
Improving MIDI Synthesizer Sound on Android / Loading Sound Fonts
New Bitmap Changed on Copy Using Buffer
Java Awt Robot changes Windows Mouse Speed
Making JFrame transparent breaks scrolling on Mac
compiling and running java8/jdk8 code in netbeans - Uncompilable source code
Peak memory usage does not go beyond a limit
Can I access the Apache Tiles definition name inside a ViewPreparer?
Detect orientation using javascript on android devices
Proguard - unresolved references to program class members

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!