Sun Nov 06 13:11:15 2011: Request 69560 was acted upon. Transaction: Correspondence added by RSCHUPP Queue: PAR-Packer Subject: PAR packed files are extracted to unsafe and predictable temporary directories Broken in: (no value) Severity: Critical Owner: Nobody Requestors: j...@nixnuts.net Status: open Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=69560 >
On 2011-11-05 06:04:02, SMUELLER wrote: > a) assert ownership of all directories and files under $TMPDIR/par-$USER > b) assert that other can't write. (How portable would this be?) I dont't think that's really necessary. We should (on *nix): - create $TMPDIR/par-$USER with mode 0700 if it doesn't already exist - if it exists, check that it's owned by $USER and still mode 0700 (otherwise we bail out) Am I overlooking something obvious here? I checked what Gnome's orbit daemon does (it creates sockets for clients to connect to under /tmp/orbit-$USER) and it does the above. Cheers, Roderich