oss-sec mailing list archives

Re: budgie-extras: multiple predictable /tmp path issues in various applications

From: Florian Weimer <fweimer () redhat com>
Date: Sun, 17 Dec 2023 12:21:53 +0100

* Matthias Gerstner:

As a quick fix for all of these issues I suggested to use
`$XDG_RUNTIME_DIR` instead of /tmp. This directory is private to the
logged in user and cannot be manipulated by other users in the system.


Note that on some systems, the XDG_RUNTIME_DIR directory is unavailable
after user UID switching (e.g., with sudo) because these systems follow
the specification to the letter and provide a XDG_RUNTIME_DIR setting
for the logged-in user instead of the current user.  So while it looks
like a good solution for most cases, it breaks a couple of use cases (or
still needs fallback even on systems that nominally have XDG_RUNTIME_DIR
support).

Thanks,
Florian

Current thread:

budgie-extras: multiple predictable /tmp path issues in various applications Matthias Gerstner (Dec 14)
- XDG_RUNTIME_DIR "misuse" as $TMPDIR (was: Re: [oss-security] budgie-extras: multiple predictable /tmp path issues in various applications) Steffen Nurpmeso (Dec 15)
  - Re: XDG_RUNTIME_DIR "misuse" as $TMPDIR (was: Re: [oss-security] budgie-extras: multiple predictable /tmp path issues in various applications) Matthias Gerstner (Dec 15)
    - Re: XDG_RUNTIME_DIR "misuse" as $TMPDIR (was: Re: [oss-security] budgie-extras: multiple predictable /tmp path issues in various applications) Steffen Nurpmeso (Dec 15)
- Re: budgie-extras: multiple predictable /tmp path issues in various applications Florian Weimer (Dec 17)