Date: Fri, 15 Dec 2023 12:34:24 +0100
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: XDG_RUNTIME_DIR "misuse" as $TMPDIR (was: Re:
 budgie-extras: multiple predictable /tmp path issues in
 various applications)

Hi Steffen,

On Thu, Dec 14, 2023 at 11:15:02PM +0100, Steffen Nurpmeso wrote:
> All that makes me think whether XDG_RUNTIME_DIR is such a good
> target for temporary files, generally speaking.

in general I would also not recommend using it for temporary files. At
least in this concrete case of the budgie-extras applications the files
placed in there can be considered small enough for a desktop environment.

I recommended using XDG_RUNTIME_DIR as a quick fix for these issues, but
as I also tried to point out, I don't believe the way temporary files
are used here is a good design.

At least the immediate dangers for security should be addressed by these
quick fixes applied, so sacrificing a bit of the cleanliness of the
filesystem seems justified.

Cheers

Matthias
