Nick Rusnov wrote: >On Sat, Apr 05, 2008 at 10:52:05PM +0100, [EMAIL PROTECTED] wrote: >> So I think that it might be better to sidestep the whole issue >> by just having nmh create its temporary files in ~/Mail. Because >> this directory isn't writable except by the user, there's no >> danger of malicious attackers creating symlinks in it as there >> is with putting files in /tmp/. Some work would still be >> required, but nowhere near as much. > >I have to agree that this is a good solution short of massive code changes. I >believe that users can currently do this by setting their TEMP variable to a >directory that they control
Nope. The code hardcodes /tmp/... >, but a systematic use of a temporary directory specially >for nmh seems like a good policy. Something like ~/Mail/.temp or some such so >as >not to interfere with a potential folder called temp. I thought about having these files be in a subdir, but we'd have to create it (and hope it isn't used by a user for something already), and it just seemed to me that it would be easier to put it all in ~/Mail. Judging by some of the things I have in Mail/ it looks as if mhshow might be putting temp files there already... -- PMM _______________________________________________ Nmh-workers mailing list [email protected] http://lists.nongnu.org/mailman/listinfo/nmh-workers
