On Wed, Oct 17, 2012 at 10:52 AM, Marc Deslauriers
<marc.deslauri...@canonical.com> wrote:
>
> Now that we have symlink restrictions in Ubuntu, security issues with
> using the /tmp directory are greatly reduced.
>
> Since Quantal now sets $XDG_RUNTIME_DIR, apps should use it or one of
> the other $XDG_* locations to store temporary user data. If use of /tmp
> is still necessary, apps should simply assign appropriate permissions to
> the files they create in /tmp.

I'm more concerned with keeping the contents of /tmp private.  When I
filed bugs for Thunderbird and Firefox years ago (which never got
fixed) I pointed out things like site designations, client names, and
(amusingly) pornography being leaked through /tmp.  Which has got to
be great when you're 15 and peeking at /tmp to see what kinds of
flicks your dad's been downloading, though now everything streams in
browser.

Well, except torrent names, which are spewed all over the place, and
stay there until reboot.

>
> Please file bugs on any app that doesn't currently do this properly.
>
> Marc.
>
>
> --
> Marc Deslauriers
> Ubuntu Security Engineer     | http://www.ubuntu.com/
> Canonical Ltd.               | http://www.canonical.com/
>
> --
> Ubuntu-devel-discuss mailing list
> Ubuntu-devel-discuss@lists.ubuntu.com
> Modify settings or unsubscribe at: 
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
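An added example, not part of the original thread: one way an application can follow the advice above while also keeping file names private, which is the concern raised in the reply, by putting its scratch files in a directory other users cannot list. The function names and the `app` parameter are hypothetical; it assumes a POSIX system and checks `$XDG_RUNTIME_DIR` for ownership and mode before trusting it.

```python
import os
import stat
import tempfile


def runtime_dir_is_safe(path, uid):
    """True if path is a real directory owned by uid with no group/other access."""
    try:
        st = os.lstat(path)  # lstat: a symlink in this position is rejected
    except OSError:
        return False
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == uid
            and stat.S_IMODE(st.st_mode) & 0o077 == 0)


def private_scratch_dir(app, env=None):
    """Return a per-user directory whose file names other users cannot list.

    Prefers $XDG_RUNTIME_DIR/<app>; otherwise falls back to a fresh directory
    under the system temp dir (mkdtemp creates it 0700 with a random name).
    """
    env = os.environ if env is None else env
    uid = os.getuid()
    base = env.get("XDG_RUNTIME_DIR", "")
    if base and runtime_dir_is_safe(base, uid):
        path = os.path.join(base, app)
        try:
            os.mkdir(path, 0o700)
        except FileExistsError:
            pass  # re-checked below before it is trusted
        if runtime_dir_is_safe(path, uid):
            return path
    return tempfile.mkdtemp(prefix=app + "-")


def create_private_file(directory, name, data):
    """Create name inside directory with mode 0600, refusing existing paths."""
    path = os.path.join(directory, name)
    # O_EXCL fails if the path already exists; O_NOFOLLOW refuses a symlink.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path
```

With the fallback, only the random directory name is visible in /tmp; the names of the files inside it are not readable by other users.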
