Sun Nov 06 13:11:15 2011: Request 69560 was acted upon.
Transaction: Correspondence added by RSCHUPP
Queue: PAR-Packer
Subject: PAR packed files are extracted to unsafe and predictable
temporary directories
Broken in: (no value)
Severity: Critical
Owner: Nobody
Requestors: j...@nixnuts.net
Status: open
Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=69560 >
On 2011-11-05 06:04:02, SMUELLER wrote:
> a) assert ownership of all directories and files under $TMPDIR/par-$USER
> b) assert that other can't write. (How portable would this be?)
I dont't think that's really necessary. We should (on *nix):
- create $TMPDIR/par-$USER with mode 0700 if it doesn't already exist
- if it exists, check that it's owned by $USER and still mode 0700
(otherwise we bail out)
Am I overlooking something obvious here?
I checked what Gnome's orbit daemon does (it creates sockets
for clients to connect to under /tmp/orbit-$USER) and it does the above.
Cheers, Roderich
