On Sat, 16 Jan 2021 15:34:44 +0100, Lennart Poettering wrote: > Regardless of the actual issue ran into: taking a predictable name > like that in /tmp/ is a DoS vulnerability. /tmp/ is a shared > namespace, any local program can take any name in there, and hence > block you out from starting Claws mail — simply by creating a file or > directory by that name there under their own ownership. That would be a mostly theoretical/academical attack vector, since Claws Mail refusing to start and printing an error message would alert the user, and the user could take proper action against the attacker. > Most likely you want to use $XDG_RUNTIME_DIR instead, which is private > to your user, and not shared with other users. Use glib's > g_get_user_runtime_dir() as a wrapper for accessing that variable. >From the Claws Mail FAQ: | Why does Claws Mail allow me to open more than one instance at the same | time for the same user on a network? | | Claws Mail opens a Unix-domain socket using a name constucted from your | TMPDIR path plus your UID. This socket is used to arbitrate multiple | instances on a given machine. In Linux, at least, named Unix-domain | sockets are known only locally, to the creating machine. Pointing your | TMPDIR environment variable to /home/yours/tmp doesn't have the desired | effect, as the socket definition would need to be propagated across the | LAN and isn't. | | Setting an alternate configuration directory (--alternate-config-dir | option) overrides TMPDIR value and places the socket under the alternate | directory. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
