tmpdir: prevent symlink attacks and TOCTOU races (CVE-2025-71176)

[laurac8r]

Summary

Replace the predictable pytest-of-<user> rootdir with a randomly-named rootdir created via tempfile.mkdtemp to prevent the entire class of predictable-name attacks (symlink races, DoS via pre-created files/dirs). As defense-in-depth, open the rootdir with os.open using O_NOFOLLOW and O_DIRECTORY flags and perform ownership/permission checks via fd-based fstat/fchmod to eliminate TOCTOU races.

Fixes CVE-2025-71176.

closes #13669

Changes

• Randomly-named rootdir: Use tempfile.mkdtemp(prefix=f"pytest-of-{user}-", dir=temproot) instead of a fixed pytest-of-{user} directory, making pre-creation attacks infeasible.
• _safe_open_dir context manager: Opens the rootdir with O_NOFOLLOW | O_DIRECTORY (where available), yields the fd, and guarantees cleanup. Symlinks are rejected at the os.open level.
• fd-based ownership & permission checks: fstat and fchmod operate on the open file descriptor, eliminating the TOCTOU window between stat/chmod and the actual directory.
• _cleanup_old_rootdirs: Garbage-collects stale randomly-named rootdirs from previous sessions, respecting the retention count. The current session's rootdir is never removed.
• Comprehensive tests: Symlink rejection, wrong-owner rejection, missing O_NOFOLLOW/O_DIRECTORY fallback, predictable-path DoS immunity, _cleanup_old_rootdirs behavior, _safe_open_dir fd lifecycle, config validation, and session-finish edge cases.

---

• Include documentation when adding new features.
• Include new tests or update existing tests when applicable.
• Allow maintainers to push and squash when merging my commits. Please uncheck this if you prefer to squash the commits yourself.

If this change fixes an issue, please:

• Add text like closes #XYZW to the PR description and/or commits (where XYZW is the issue number). See the github docs for more information.

Important

Unsupervised agentic contributions are not accepted. See our AI/LLM-Assisted Contributions Policy.

• If AI agents were used, they are credited in Co-authored-by commit trailers.

Unless your change is trivial or a small documentation fix (e.g., a typo or reword of a small section) please:

• Create a new changelog file in the changelog directory, with a name like <ISSUE NUMBER>.<TYPE>.rst. See changelog/README.rst for details.

  Write sentences in the past or present tense, examples:

  • Improved verbose diff output with sequences.
  • Terminal summary statistics now use multiple colors.

  Also make sure to end the sentence with a ..

• Add yourself to AUTHORS in alphabetical order.

[orlitzky]

This certainly looks like an improvement, but it's still possible for any user to DoS the machine until a reboot with for x in $(cat /etc/passwd | cut -f1 -d:); do touch /tmp/pytest-of-$x; done;.

[laurac8r]

Great callout Michael! This attack route is now blocked by a safety check before creating the directory: If a non-directory file is blocking the path (e.g. placed by another user), we attempt to remove that file and then retry.

This cannot work unfortunately: the file is owned by the attacker, so I cannot delete his files from /tmp unless I am root. I indirectly mentioned this in #13669 (comment) where I pointed out that it's silly to tell me to fix the situation.

I don't want to sound like an asshole always coming back with new caveats to every approach, but the truth is that this is very old class of vulnerability and all of the ways to exploit it are well-known. (I was not auditing the code, I just saw the fixed path one day and knew immediately that it would be exploitable.) The solution is to use a carefully-created randomly-named path; so if someone proposes a solution that does not involve mkstemp() or something like it under the hood, then it's very easy to look up what the problem was with that approach.

Fixed!

Previously, TempPathFactory created a fixed, predictable directory (/tmp/pytest-of-<user>) as the rootdir, which enabled a class of attacks: an adversary could pre-create files or symlinks at that path to DoS pytest or exploit TOCTOU races (CVE-2025-71176).

I've replaced _try_ensure_directory() with tempfile.mkdtemp(), which atomically creates a randomly-suffixed directory (pytest-of-<user>-XXXX) that cannot be predicted or pre-empted by an attacker. os.chmod(0o700) is applied unconditionally after mkdtemp, and the existing fd-based fchmod inside _safe_open_dir provides defense-in-depth against TOCTOU.

Because mkdtemp now produces a fresh directory every session, add _cleanup_old_rootdirs() to prune stale rootdirs from previous sessions, retaining only the keep most recent (by mtime).

[orlitzky]

Fixed!

The new approach looks good to me FWIW.

mkdtemp() guarantees that the directory will be 0700 and owned by the current user, so the pre-existing chmod/stat safeguards conveniently become redundant if this approach is adopted :)

[laurac8r]

the pre-existing chmod/stat safeguards conveniently become redundant if this approach is adopted :)

TY Michael, and let's leave it to another enthusiastic coder ;) and close the book on this CVE

[orlitzky]

In light of another recent tmpdir exploit related to directory cleanup, I think we could bullet-proof the cleanup routine even more by ensuring that https://docs.python.org/3/library/shutil.html#shutil.rmtree.avoids_symlink_attacks is true before running rmtree().

It would be nice if we could confirm that the user/owner agree on the directories to be removed, and if we could remove them by file descriptor (to avoid TOCTOU again), but I don't see an obvious way to do that.

[nicoddemus]

Thanks @laurac8r for the PR and, @webknjaz and @orlitzky for the reviews.

[nicoddemus]

Why this try/except? Please add a comment for future reference.

[nicoddemus]

I noticed that before we used to keep 3 directories around, but on this branch we always end up with 4 directories, which is a bit confusing if configured to keep 3 directories around (the default).

[nicoddemus]

Another thing I noticed is now that we always generate a "root" temporary dir on every run:

pytest-of-Bruno-xe7su5xh, pytest-of-Bruno-vwyhe35x, etc, which is fine as it is the whole point of this PR.

However, each directory also has a pytest-0 and pytest-current (a symlink to pytest-0), which no longer makes sense in this scenario.

[nicoddemus]

This function is only used in one place:

pytest/src/_pytest/tmpdir.py

Lines 242 to 254 in bb1371b

	with _safe_open_dir(rootdir) as dir_fd:
	rootdir_stat = os.fstat(dir_fd)
	if rootdir_stat.st_uid != uid:
	raise OSError(
	f"The temporary directory {rootdir} is not owned by the current user. "
	"Fix this and try again."
	)
	if (rootdir_stat.st_mode & 0o077) != 0:
	os.fchmod(dir_fd, rootdir_stat.st_mode & ~0o077)
	keep = self._retention_count
	if self._retention_policy == "none":
	keep = 0
	basetemp = make_numbered_dir_with_cleanup(

I think we should instead have a more focused function: _verify_ownership_and_tighthen_permission(path, user_id), instead of splitting the logic that we ultimately want in two separate places.

[nicoddemus]

This lets us see the warning in case something goes wrong:

Suggested change

	symlink_warnings = [x for x in w if "avoids_symlink_attacks" in str(x.message)]
	assert len(symlink_warnings) == 0
	symlink_warnings = [x for x in w if "avoids_symlink_attacks" in str(x.message)]
	assert symlink_warnings == []

[nicoddemus]

Suggested change

	"""Tests for safe_rmtree and the avoids_symlink_attacks guard."""
	"""Tests for safe_rmtree and the avoids_symlink_attacks guard (#13669)."""

[nicoddemus]

I think we might be going overboard with the number of tests here. Could you verify if it is possible to remove/merge some of them?

[nicoddemus]

This description is detailed, but we should begin it with the user facing change:

Temporary directories created by :fixture:`tmp_path` used to be created inside a `pytest-of-{user}` root directory within the system's temporary directory. Each session would create a new subdirectory with an incrementing counter -- `pytest-0`, `pytest-1`, etc. -- along with a `pytest-current` symlink pointing to the current one.

This left the system vulnerable to symlink attacks, so pytest has changed how these directories are created.

Now, each session creates a single `pytest-of-{user}-{random}` directory directly inside the system's temporary directory. This makes the directories unpredictable and safe from symlink attacks and `TOCTOU <https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use>`__ races.

Also note that this entry should be written in ReStructuredText, not Markdown.