Incorrect default permissions

  • Rule ID: go_gosec_filesystem_tempfile
  • Languages: go
  • Source: tempfile.yml


The application has been observed creating files in shared system temporary directories, such as /tmp or /var/tmp, without the use of secure functions like os.CreateTemp. This practice is insecure because it opens up the possibility of symlink attacks, where an attacker could anticipate the temporary file name and create a symlink to a target file, leading to unauthorized file creation or overwriting when the application writes to what it believes is a temporary file.


To prevent symlink attacks and other vulnerabilities associated with the use of shared temporary directories:

✅ Use Secure Temporary File Creation

Implement os.CreateTemp to safely create temporary files within a directory that's restricted to the application. This reduces the risk of symlink attacks and ensures that temporary files are handled securely.

import (

func main() {
// Ensure the application-restricted directory exists with appropriate permissions
restrictedDir := "/opt/appdir/restricted"
if err := os.MkdirAll(restrictedDir, 0700); err != nil {
log.Fatalf("failed to create restricted directory: %s", err)

// Securely create a temporary file within the restricted directory
f, err := os.CreateTemp(restrictedDir, "temp-*.txt")
if err != nil {
log.Fatalf("failed to create temporary file: %s", err)
defer f.Close() // Ensure the file is closed when no longer needed

defer os.Remove(f.Name()) // Clean up the file upon exit
// Continue working with the temporary file

✅ Avoid Shared Temporary Directories for Sensitive Operations

Do not use common temporary directories for storing sensitive information or for operations that require secure handling of files.

✅ Clean Up After Use

Always remove temporary files after their use to prevent accumulation and potential misuse.


Associated CWE


To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_filesystem_tempfile

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_filesystem_tempfile

Ready to take the next step? Learn more about Bearer Cloud.