On 2019-06-25 14:26:16 -0500, Derek Martin wrote:
> On Tue, Jun 25, 2019 at 09:11:22PM +0200, Vincent Lefevre wrote:
> > On 2019-06-24 17:18:27 -0500, Derek Martin wrote:
> > > Mutt honors $TMPDIR. You should set it. You should probably not use
> > > /tmp, especially on a multi-user system, especially if you care about
> > > security (privacy to be more precise, but that's part of security).
> > > You should probably also not put it on NFS.
> >
> > On the multi-user machines I use, my home is under NFS. So, there
> > isn't much choice. The other directories I can use are just like
> > /tmp.
>
> BUT... you still can do better than just using /tmp. You can create,
> say, /tmp/vincent, with 700 perms, which effectively solves most of the
> problem. Then set TMPDIR to that. :)

Mutt should do the creation of the intermediate directory for me.

> In some cases it might get cleaned up, but you can just have your
> .profile (or whatever) recreate it when you log in... FWIW this is
> probably what I would do in that case.

But if the directory has already been created by someone else,
this is not OK. The solution must be compatible with Mutt's
$tmpdir variable (which will not affect other applications,
contrary to $TMPDIR).

> You could still use your home directory too... most of the trouble is
> that you have to trust your sysadmins.

If there's a security issue there, then there's nothing one can do:
my account could be hacked and everything could be read. The problem
is more the reliability of NFS. So temporary files are better put
somewhere else.

> The other reason to avoid using /tmp (or another world-writable
> directory) is avoiding things like symlink attacks, and similar
> classes of things.

At least symlink attacks are now protected by the kernel (and BTW,
a bug in some Debian package related to a symlink attack is no
longer regarded as a security bug by Debian, no longer RC).

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
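
Added example, not part of the original message or of Mutt: a .profile-style sketch of the /tmp/vincent approach from the thread that also covers the case raised in the reply, where the directory name has already been taken by someone else. The function name `private_tmpdir`, the use of `$USER` for the directory name and the fallback to `mktemp -d` are assumptions of this example.

```shell
# Create (or safely reuse) a private per-user directory under a
# world-writable base such as /tmp and print its path.
private_tmpdir() {
    base=${1:-/tmp}
    name=${USER:-$(id -u)}
    dir="$base/$name"

    # mkdir without -p is atomic and fails if anything (directory, file
    # or symlink) already exists at that path; umask 077 gives mode 700.
    if (umask 077 && mkdir "$dir") 2>/dev/null; then
        :
    # Reuse an existing entry only if it is a real directory (not a
    # symlink) owned by us, and tighten its permissions.
    elif [ -d "$dir" ] && [ ! -L "$dir" ] && [ -O "$dir" ]; then
        chmod 700 "$dir" || return 1
    else
        # The name was taken by someone else: fall back to a fresh,
        # unpredictable directory (mktemp -d creates it with mode 700).
        dir=$(mktemp -d "$base/$name.XXXXXXXX") || return 1
    fi
    printf '%s\n' "$dir"
}

# In ~/.profile (Mutt honors $TMPDIR, as noted in the thread):
#   TMPDIR=$(private_tmpdir /tmp) && export TMPDIR
```

The printed path can also be given to Mutt's own $tmpdir variable instead of exporting $TMPDIR, which keeps the setting from affecting other applications.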