On Thu, Mar 17, 2016 at 12:40:59AM +0800, 惠轶群 wrote:

> > Is it better to have the fallback in /tmp, and not in
> > ~/.git-credential-cache/, and why?
> >
> > Is it because the wish is to always use /tmp/git-$uid/ as a fallback
> > for $XDG_RUNTIME_DIR (as opposed to ~/.git-credential-cache/, which
> > is specific to the credential-cache and would look strange if we
> > used it for other "runtime" things)?
>
> Yes, I mean to use it as a general fallback for git.
>
> xdg base dir spec does not specify where to fall back when
> $XDG_RUNTIME_DIR is not defined. It just says:
>
>     If $XDG_RUNTIME_DIR is not set applications should fall back to
>     a replacement directory with similar capabilities and print a warning
>     message. Applications should use this directory for communication
>     and synchronization purposes and should not place larger files in it,
>     since it might reside in runtime memory and cannot necessarily be
>     swapped out to disk.
>
> tmpfs is just like what it describes. And many other applications
> put sockets under it, such as tmux.
>
> On the other hand, I think, falling back to $HOME/.git-credential-cache/socket
> doesn't make any sense, for back-compatibility cannot be ensured.

If we are going to use a publicly accessible directory like /tmp, I think
we need to start worrying about tmp-races with malicious users.

Right now we make sure that an existing socket directory is mode 0700.
That's just a courtesy check that the user didn't create it themselves
with a permissive mode. But we don't check the owner of the directory,
and our check is racy with accessing the directory.

So if we blindly use an existing /tmp/git-$uid, I think an attacker can
race with:

  dir=/tmp/git-$victimuid
  mkdir $dir
  while true; do
    chmod 0700 $dir
    chmod 0777 $dir
  done

If the victim does their mode check while the 0700 is in effect, but
then creates the socket during the 0777 moment, they won't notice
anything amiss. And the attacker will have access to their credential
socket.
This is a classic /tmp race. I imagine it's less of an issue in this day
and age when people mostly have their own machines and their own /tmp,
but we still should not recreate the mistakes of the past.

-Peff
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
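The two gaps Peff points out (no owner check, and a mode check done on the pathname rather than on the object later used) are what make the chmod loop above work. The following C is an added illustration of the mitigation, not code from the thread or from git: it creates the per-user directory if needed, opens it with O_NOFOLLOW, and verifies owner and mode with fstat() on the open descriptor, so the inode that passed the check is the inode subsequent openat()/mkdirat()/bind() calls use relative to that fd. The function names open_private_dir and self_test and the /tmp/privdir-XXXXXX path are assumptions of this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE	/* mkdtemp, O_DIRECTORY, O_NOFOLLOW, O_CLOEXEC */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Open the per-user runtime directory `path` and return a directory fd,
 * but only if it is owned by `uid` and is exactly mode 0700.
 *
 * Two things close the race from the mail:
 *  - ownership is checked, so a directory pre-created by another user is
 *    rejected no matter what mode it happens to have at that instant;
 *  - owner and mode are read with fstat() on the opened fd, not stat() on
 *    the pathname, so what we verified is what we later use via *at()
 *    calls relative to `fd`; a racing chmod on the path cannot swap in a
 *    different object between check and use.
 * Returns an fd >= 0 on success, -1 with errno set on failure.
 */
int open_private_dir(const char *path, uid_t uid)
{
	struct stat st;
	int fd;

	/* Create it if missing; EEXIST is fine, we verify whatever is there. */
	if (mkdir(path, 0700) < 0 && errno != EEXIST)
		return -1;

	/* O_NOFOLLOW refuses a symlink planted at this name by someone else. */
	fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
	if (fd < 0)
		return -1;

	if (fstat(fd, &st) < 0) {
		close(fd);
		return -1;
	}
	if (st.st_uid != uid || (st.st_mode & 07777) != 0700) {
		close(fd);
		errno = EACCES;
		return -1;
	}
	return fd;
}

/*
 * Exercise the check on a constructed directory (not a real git cache dir):
 * a fresh 0700 directory we own passes; the same directory fails when the
 * caller expects a different owner, and again once its mode is loosened.
 * Returns 1 when all three outcomes match, 0 otherwise.
 */
int self_test(void)
{
	char dir[] = "/tmp/privdir-XXXXXX";	/* mkdtemp creates it mode 0700 */
	int ok = 1, fd;

	if (!mkdtemp(dir))
		return 0;

	fd = open_private_dir(dir, getuid());		/* ours, 0700: accept */
	if (fd < 0)
		ok = 0;
	else
		close(fd);

	fd = open_private_dir(dir, getuid() + 1);	/* wrong owner: reject */
	if (fd >= 0) {
		close(fd);
		ok = 0;
	}

	if (chmod(dir, 0755) < 0)
		ok = 0;
	fd = open_private_dir(dir, getuid());		/* too permissive: reject */
	if (fd >= 0) {
		close(fd);
		ok = 0;
	}

	rmdir(dir);
	return ok;
}

int main(void)
{
	printf("private dir checks: %s\n", self_test() ? "ok" : "FAILED");
	return 0;
}
```

The caller should keep using the returned fd (for example bind() the socket via a path built relative to it, or fchdir() first) rather than going back to the pathname; re-resolving the path reintroduces the window the fstat() check just closed.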