On 2025-08-09 22:55:14 -0700, lunbun wrote:
> If, say, the archive is extracted to `/tmp` and the CWD is `/tmp`, then
> yes, the best an attacker can do is guess the user's login name.

There are other issues with /tmp. If I understand correctly,
the attacker could create /tmp/config.guess and /tmp/install-sh
executable files. Then if the user compiles a libtool-based
library under a subdirectory of /tmp, one of these files could
be executed:

  https://debbugs.gnu.org/cgi/bugreport.cgi?bug=21951

And what about the /run/user/1000 directory? (In Debian,
the UID of the main user always seems to be 1000.)

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
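
A defensive check for the situation described in the message above, as an added example that is not part of the original thread: it looks in every parent directory of a build tree for the two file names the message gives, and flags any that another user owns or that sit in a directory others can write to, as /tmp is. The function name `check_ancestors` and the output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original message.
# Only the two helper names mentioned in the message are checked.
AUX_NAMES="config.guess install-sh"

# check_ancestors BUILD_DIR
# For every helper found in a parent directory of BUILD_DIR (the build
# directory itself is not inspected), print one of:
#   RISK <path> owned by uid <n>
#   RISK <path> in other-writable directory
#   ok <path>
check_ancestors() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    me=$(id -u)
    while [ "$dir" != "/" ]; do
        dir=$(dirname "$dir")
        # Ninth character of the ls mode string is the "other" write bit;
        # it is set on shared directories such as /tmp (drwxrwxrwt).
        case $(ls -ldn "$dir" | awk '{ print $1 }') in
            ????????w*) shared=yes ;;
            *)          shared=no ;;
        esac
        for name in $AUX_NAMES; do
            f=${dir%/}/$name
            [ -f "$f" ] || continue
            owner=$(ls -ldn "$f" | awk '{ print $3 }')
            if [ "$owner" != "$me" ]; then
                echo "RISK $f owned by uid $owner"
            elif [ "$shared" = yes ]; then
                echo "RISK $f in other-writable directory"
            else
                echo "ok $f"
            fi
        done
    done
    return 0
}

# Run against a directory when one is given on the command line.
[ $# -eq 0 ] || check_ancestors "$1"
```

A `RISK` line for a file you did not create is the case the message warns about; building in a directory whose parents are all private to the user avoids it.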
