On Sun, Jun 23, 2019 at 12:36:07PM +0200, Vincent Lefevre wrote: > On 2019-06-23 14:44:36 +1000, Cameron Simpson wrote: > > Were it a simple filename it would all be easy. Maybe a chdir(tmpdir) > > before running the shell command with a simple filename? > > I'm not sure whether this is a good idea. The temporary directory > may be (and often is) world-writable, and on multi-user machines, > this increases the risk of vulnerability. For instance, some > programs may consider configuration files in the current working > directory, and/or may write/re-read files there.
While I don't disagree with anything you said, FWIW: $ echo $TMPDIR /home/dmartin/tmp $ ls -ld $TMPDIR drwx------ 9 dmartin users 4096 Jun 24 16:45 /home/dmartin/tmp/ Mutt honors $TMPDIR. You should set it. You should probably not use /tmp, especially on a multi-user system, especially if you care about security (privacy to be more precise, but that's part of security). You should probably also not put it on NFS. For that matter, you should probably not put anything sensitive on NFS, which likely includes your mail (and there are other reasons to avoid that as well). This (or something akin to it) used to be (at least in my circles) somewhat common knowledge/practice, but it seems the young'ns don't learn such things anymore. Sadly plenty of more recent POSIX-ish software programs don't know or don't care about $TMPDIR or other such historical features anymore. -- Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0xDFBEAD02 -=-=-=-=- This message is posted from an invalid address. Replying to it will result in undeliverable mail due to spam prevention. Sorry for the inconvenience.
pgpcSlGUyIEND.pgp
Description: PGP signature
