On Tue, May 31, 2005 at 01:05:45PM +1000, Mark Suter wrote:
> Roberto,
>
> This problem is a symptom of the larger "shared /tmp" issue. A
> solution is to use the TMPDIR environment variable as discussed
> in the Secure Programming for Linux and Unix HOWTO.
>
>   http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/avoid-race.html#TEMPORARY-FILES
>
> Mutt honours the TMPDIR environment variable, so something like
> the following in your ~/.bashrc (or equivalent) will avoid this
> issue completely (and cover a few alternate variables).
>
>     ## Safe, local temporary directory
>     mkdir -p $HOME/tmp && for var in TMPDIR TMP TEMP TEMPDIR ; do export $var=$HOME/tmp; done
>     test -d $TMPDIR || echo Warning: TMPDIR is not set correctly.
>

That is fine. However, given the existence of the tmpfile(3) function,
there is really no excuse for any program to employ a 1-up numbering of
temporary files. Specifically, in the same section of the
Secure-Programs-HOWTO you cite:

    According to the 1997 ``Single Unix Specification'', the preferred
    method for creating an arbitrary temporary file (using the C
    interface) is tmpfile(3).

The paragraph after that goes on to talk about why mkstemp(3) is an even
better idea. So, there are options. Besides, given the choice between
the following two options:

1) One-time fix applied by upstream developer; by extension, present in
   all future releases.
2) Work around in ~/.bashrc (or equivalent) that must be applied to
   every system accessed. (Think a year or two down the road when you
   get an account on a new machine).

I would say that option 1 has major advantages:

1) Requires one person to do one thing to fix.
2) Less error prone/open to peer review.
3) Is not dependent on a specific user action.

-Roberto

-- 
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr
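The contrast drawn above between mkstemp(3) and 1-up temporary file names, as an added example that is not part of the original message and is not Mutt's code. The function names `make_private_temp` and `make_counter_temp` and the `example-` file prefix are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: private temp file under $TMPDIR (fallback /tmp).
 * Returns an open fd and stores the chosen name in path, or -1 on error. */
int make_private_temp(char *path, size_t len)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    int n = snprintf(path, len, "%s/example-XXXXXX", dir);
    if (n < 0 || (size_t)n >= len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    mode_t old = umask(077);   /* some older libcs did not force mode 0600 */
    int fd = mkstemp(path);    /* unpredictable name, created with O_EXCL */
    umask(old);
    return fd;
}

/* 1-up naming, for contrast: the next name is guessable, so everything
 * rests on O_EXCL, which fails if the name already exists (symlinks too). */
int make_counter_temp(char *path, size_t len, const char *dir, int n, int excl)
{
    snprintf(path, len, "%s/example-%d", dir, n);
    return open(path, O_WRONLY | O_CREAT | (excl ? O_EXCL : 0), 0600);
}

int main(void)
{
    char path[4096];
    int fd = make_private_temp(path, sizeof path);
    if (fd < 0) {
        perror("mkstemp");
        return 1;
    }
    printf("created %s\n", path);
    close(fd);
    unlink(path);              /* remove the name once finished */
    return 0;
}
```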