Using /tmp/ and /var/tmp/ Safely

Submitted by Style Pass, 2024-10-24 11:00:04

/tmp/ and /var/tmp/ are two world-writable directories Linux systems provide for temporary files. The former is typically on tmpfs and thus backed by RAM/swap, and flushed out on each reboot. The latter is typically a proper, persistent file system, and thus backed by physical storage. This means:

Note that /tmp/ and /var/tmp/ each define a common namespace shared by all local software. This means guessable file or directory names below either directory directly translate into a 🚨 Denial-of-Service (DoS) 🚨 vulnerability or worse: if some software creates a file or directory /tmp/foo, then any other software that wants to create the same file or directory /tmp/foo will either fail (as the file already exists) or might be tricked into using untrusted files. Hence: do not use guessable names in /tmp/ or /var/tmp/ — if you do, you open yourself up to a local DoS exploit or worse. (You can get away with using guessable names if you pre-create subdirectories below /tmp/ for them, like X11 does with /tmp/.X11-unix/ through tmpfiles.d/ drop-ins. However, this is not recommended, as it is fully safe only if these directories are pre-created during early boot, and thus problematic if package installation during runtime is permitted.)

To protect yourself against these kinds of attacks, Linux provides a couple of APIs that help you avoid guessable names. Specifically:
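The name collision described above, and one way to avoid it, as an added example that is not part of the original article. The choice of mkstemp() and mkdtemp() is this example's own, and the names tmpdemo-XXXXXX and foo are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Fixed-name creation. O_EXCL|O_NOFOLLOW refuses to reuse or follow an
 * existing entry, so a taken name yields -EEXIST instead of an fd on a
 * file someone else controls. Returns an fd, or -errno. */
static int create_fixed(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    return fd < 0 ? -errno : fd;
}

/* Unguessable-name creation: mkstemp() fills in the XXXXXX suffix with
 * random characters and creates the file exclusively with mode 0600. */
static int create_random(char *tmpl) {
    int fd = mkstemp(tmpl);
    return fd < 0 ? -errno : fd;
}

/* Constructed scenario inside a private mkdtemp() directory. Returns 0 when
 * the fixed name was blocked (EEXIST) and the random name still worked. */
int demo(void) {
    char dir[] = "/tmp/tmpdemo-XXXXXX", fixed[64], tmpl[64];
    if (!mkdtemp(dir))
        return -1;
    snprintf(fixed, sizeof fixed, "%s/foo", dir);
    snprintf(tmpl, sizeof tmpl, "%s/foo-XXXXXX", dir);

    int other = create_fixed(fixed); /* another program takes the name first */
    int mine = create_fixed(fixed);  /* our attempt on the same name */
    int safe = create_random(tmpl);  /* not affected by the collision */
    int rc = (other >= 0 && mine == -EEXIST && safe >= 0) ? 0 : -1;

    if (other >= 0) { close(other); unlink(fixed); }
    if (mine >= 0) close(mine);
    if (safe >= 0) { close(safe); unlink(tmpl); }
    rmdir(dir);
    return rc;
}

int main(void) {
    int rc = demo();
    printf("fixed name blocked, random name created: %s\n", rc == 0 ? "yes" : "no");
    return rc ? 1 : 0;
}
```

The fixed-name path fails closed here only because of O_EXCL and O_NOFOLLOW; without them the second open() would hand back a file the other party created.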
