Message-ID: <87msu95b1q.fsf@oldenburg.str.redhat.com>
Date: Sun, 17 Dec 2023 12:21:53 +0100
From: Florian Weimer <fweimer@...hat.com>
To: Matthias Gerstner <mgerstner@...e.de>
Cc: oss-security@...ts.openwall.com
Subject: Re: budgie-extras: multiple predictable /tmp path issues in various applications

* Matthias Gerstner:

> As a quick fix for all of these issues I suggested to use
> `$XDG_RUNTIME_DIR` instead of /tmp. This directory is private to the
> logged in user and cannot be manipulated by other users in the system.

Note that on some systems, the XDG_RUNTIME_DIR directory is unavailable
after user UID switching (e.g., with sudo) because these systems follow
the specification to the letter and provide an XDG_RUNTIME_DIR setting
for the logged-in user instead of the current user.  So while it looks
like a good solution for most cases, it breaks a couple of use cases (or
still needs fallback even on systems that nominally have XDG_RUNTIME_DIR
support).

Thanks,
Florian
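The sudo caveat above is what makes a blind `os.environ["XDG_RUNTIME_DIR"]` lookup insufficient: after a UID switch the variable may still name the login user's directory, which the current effective user does not own. The following is an added illustration, not code from budgie-extras or from either poster, of what a resolver with the fallback Florian mentions can look like. The function names (`runtime_dir_is_private`, `resolve_runtime_dir`, `demonstrate`) are made up for this example; the "after sudo" scenario is modelled by asking on behalf of a UID that differs from the directory owner (`geteuid() + 1` as a stand-in for the login user), and all directories it touches are constructed scratch directories that it removes again.

```python
"""Resolve a per-user private runtime directory.

XDG_RUNTIME_DIR is honoured only when it is a real directory owned by the
current effective UID with no group/other permission bits; otherwise a fresh
0700 directory is created with tempfile.mkdtemp().  Added example, not code
from budgie-extras."""
import os
import shutil
import stat
import tempfile


def runtime_dir_is_private(path, uid):
    """True if path is a directory (not a symlink) owned by uid and
    inaccessible to group/other, i.e. usable as a private runtime dir."""
    try:
        st = os.lstat(path)            # lstat: a symlink planted at the path must not pass
    except OSError:
        return False
    if not stat.S_ISDIR(st.st_mode):   # S_ISDIR is false for a symlink, too
        return False
    if st.st_uid != uid:               # the sudo case: directory belongs to the login user
        return False
    return (st.st_mode & 0o077) == 0   # any group/other access bit disqualifies it


def resolve_runtime_dir(env=None, uid=None, fallback_root=None, prefix="runtime-"):
    """Return (path, source): source is "xdg" when XDG_RUNTIME_DIR was usable,
    "mkdtemp" when a private fallback directory had to be created.

    tempfile.mkdtemp() creates the fallback atomically with mode 0700, so
    another local user cannot pre-create or symlink the name.  The price is
    that the path is per-process rather than a stable per-user location, so
    anything that needs a well-known path still needs its own arrangement."""
    if env is None:
        env = os.environ
    if uid is None:
        uid = os.geteuid()
    candidate = env.get("XDG_RUNTIME_DIR")
    if candidate and runtime_dir_is_private(candidate, uid):
        return candidate, "xdg"
    return tempfile.mkdtemp(prefix=prefix, dir=fallback_root), "mkdtemp"


def demonstrate():
    """Run the resolver against constructed directories and return which
    source was chosen in each scenario.  All scratch directories are removed."""
    root = tempfile.mkdtemp(prefix="xdg-demo-")
    try:
        me = os.geteuid()
        good = tempfile.mkdtemp(dir=root)      # 0700 and owned by us: a proper XDG_RUNTIME_DIR
        results = {}
        results["own_dir"] = resolve_runtime_dir({"XDG_RUNTIME_DIR": good}, me, root)[1]
        # After sudo the variable may still point at the login user's directory;
        # modelled here by resolving on behalf of a UID other than the owner.
        results["after_sudo"] = resolve_runtime_dir({"XDG_RUNTIME_DIR": good}, me + 1, root)[1]
        results["unset"] = resolve_runtime_dir({}, me, root)[1]
        missing = os.path.join(root, "missing")
        results["dangling"] = resolve_runtime_dir({"XDG_RUNTIME_DIR": missing}, me, root)[1]
        os.chmod(good, 0o750)                  # group-accessible: no longer private
        results["group_readable"] = resolve_runtime_dir({"XDG_RUNTIME_DIR": good}, me, root)[1]
        os.chmod(good, 0o700)
        link = os.path.join(root, "link")
        os.symlink(good, link)                 # a symlink sitting where the directory is expected
        results["symlink"] = resolve_runtime_dir({"XDG_RUNTIME_DIR": link}, me, root)[1]
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for case, source in demonstrate().items():
        print(f"{case:15s} -> {source}")
```

Only the first scenario ends up using XDG_RUNTIME_DIR; the mismatched-UID, unset, missing, group-readable and symlink cases all fall back to a freshly created 0700 directory, which is the fallback path Florian says is still needed even where XDG_RUNTIME_DIR is nominally supported.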
