Sun Nov 06 13:11:15 2011: Request 69560 was acted upon.
Transaction: Correspondence added by RSCHUPP
       Queue: PAR-Packer
     Subject: PAR packed files are extracted to unsafe and predictable 
temporary directories
   Broken in: (no value)
    Severity: Critical
       Owner: Nobody
  Requestors: j...@nixnuts.net
      Status: open
 Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=69560 >


On 2011-11-05 06:04:02, SMUELLER wrote:
> a) assert ownership of all directories and files under $TMPDIR/par-$USER
> b) assert that other can't write. (How portable would this be?)

I dont't think that's really necessary. We should (on *nix):

- create $TMPDIR/par-$USER with mode 0700 if it doesn't already exist
- if it exists, check that it's owned by $USER and still mode 0700
  (otherwise we bail out)

Am I overlooking something obvious here?
I checked what Gnome's orbit daemon does (it creates sockets
for clients to connect to under /tmp/orbit-$USER) and it does the above.

Cheers, Roderich



Reply via email to