As the discussion about this has been going on for 8 years in the Mozilla community, I suggest at least setting permissions right in the distros.
For the moment, there is only one path (which is /tmp) and only the original name is used. That said, concurrent users could overwrite each other's temporary files. Setting permissions right would avoid that in addition to solving the security problem. And it's still better than allowing users to overwrite files of other users to avoid error messages. Plus, privacy is an issue here as users can read private files of other users.

On single-user systems, there might not be a noticeable change to users. So, what should it break? It's still not a perfect concept but a big improvement in terms of security. The rest can be done later in a nice fashion.

After setting permissions right in the distros you can still wait another 8 years and see which solution the Mozilla community came up with. Possibly we see an importance change to 'high' in between (say 4 years or so).

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to thunderbird in Ubuntu.
https://bugs.launchpad.net/bugs/1401454

Title:
  Thunderbird writes attachments to /tmp readable to everyone

Status in Mozilla Thunderbird Mail and News:
  Confirmed
Status in thunderbird package in Ubuntu:
  Confirmed

Bug description:
  When I open an attachment of an email in Thunderbird it gets written
  to disk with permission 644, so it is readable by everyone on the
  system.

  How to repeat: Open an E-Mail, Open an Attachment (e.g. google.png)

  $ cd /tmp; ls -lh
  -rw-r--r-- 1 theuser thegroup 2,4K Dez 11 10:39 google.png

  Instead, Thunderbird should write the file with permissions 600.

  Plus, to avoid conflicts between users, the file should be written
  into a directory per user, e.g. /tmp/theuser/google.png or another
  user-specific temp directory.
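
The per-user directory and 0600 mode requested in the bug description, sketched in Python as an added example (not Thunderbird's code and not part of the report). The function names, the `attachments-<uid>-` directory prefix and the sandbox directory are assumptions made for illustration; `exposed_files` is the same check as the `ls -lh` step, done on mode bits.

```python
import os
import stat
import tempfile


def reproduce_reported_mode(directory, name="google.png"):
    """Create a file with mode 0644, as shown in the report's ls output."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    os.fchmod(fd, 0o644)  # force 0644 regardless of the caller's umask
    os.close(fd)
    return path


def exposed_files(directory):
    """Names of regular files in directory that group or others can read."""
    found = []
    for entry in os.scandir(directory):
        st = entry.stat(follow_symlinks=False)
        readable = st.st_mode & (stat.S_IRGRP | stat.S_IROTH)
        if stat.S_ISREG(st.st_mode) and readable:
            found.append(entry.name)
    return sorted(found)


def save_attachment(name, data, base=None):
    """Write data to a fresh private directory; return the file path."""
    # mkdtemp creates a uniquely named directory with mode 0700 owned by
    # the caller, so two users never share a path for the same file name.
    user_dir = tempfile.mkdtemp(prefix=f"attachments-{os.getuid()}-", dir=base)
    # The attachment name comes from the sender: drop directory components.
    safe_name = os.path.basename(name) or "attachment"
    path = os.path.join(user_dir, safe_name)
    # O_CREAT|O_EXCL fails if the name already exists, symlinks included,
    # so an existing file is never silently overwritten. The umask can
    # only clear bits from the requested 0600, never add any.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    sandbox = tempfile.mkdtemp()  # constructed stand-in for /tmp
    reproduce_reported_mode(sandbox)
    print("exposed in shared dir:", exposed_files(sandbox))
    private = save_attachment("google.png", b"constructed bytes", base=sandbox)
    print("exposed in private dir:", exposed_files(os.path.dirname(private)))
```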