Public bug reported:
Hello,
Not a Unix/Linux professional, I noticed /tmp in 10.10 has the rights:
drwxrwxrwt 12 root root 4096 2011-02-12 09:59 tmp/
The sticky bit being here to avoid a user to delete another user's file.
However, by nature of these rights, anyone can list the files in this folder,
and e.g. Firefox stores the temporary pdfs at /tmp; therefore anyone can read
the bank account name when you open an account file with explicit name.
Isn't that a privacy threat ?
Why not make any user's tmp directory in /tmp/'$user' and forbid any
user-loaded program write in /tmp, leaving it accessible only for the system ?
Even more, to allow efficiency of using encrypting the home directory, it
should just use ~/.tmp so that anything is anyway encrypted (even root couldn't
decrypt without the user logged I believe), shouldn't it ?
I understand there is a reason if it isn't done but I can't see...
Thanks for your clarification.
Bye
** Affects: ubuntu
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/717622
Title:
Anyone can list the files of /tmp
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
