
Re: [Nmh-workers] nmh vs mktemp()

2008-04-05 16:55:11
Nick Rusnov wrote:
> On Sat, Apr 05, 2008 at 10:52:05PM +0100, pmaydell(_at_)chiark(_dot_)greenend(_dot_)org(_dot_)uk wrote:
> > So I think that it might be better to sidestep the whole issue
> > by just having nmh create its temporary files in ~/Mail. Because
> > this directory isn't writable except by the user, there's no
> > danger of malicious attackers creating symlinks in it as there
> > is with putting files in /tmp/. Some work would still be
> > required, but nowhere near as much.
>
> I have to agree that this is a good solution short of massive code changes. I
> believe that users can currently do this by setting their TEMP variable to a
> directory that they control

Nope. The code hardcodes /tmp/...

> , but a systematic use of a temporary directory specially
> for nmh seems like a good policy. Something like ~/Mail/.temp or some such so as
> not to interfere with a potential folder called temp.

I thought about having these files be in a subdir, but we'd have to create it
(and hope it isn't used by a user for something already), and it just seemed
to me that it would be easier to put it all in ~/Mail. Judging by some of 
the things I have in Mail/ it looks as if mhshow might be putting temp files
there already...

-- PMM


_______________________________________________
Nmh-workers mailing list
Nmh-workers(_at_)nongnu(_dot_)org
http://lists.nongnu.org/mailman/listinfo/nmh-workers
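
An added example, not code from nmh or from either poster: one way to apply the property discussed in this thread, by refusing any directory that other users can write to and then creating the file with mkstemp() instead of mktemp(). The helper names and the nmhXXXXXX template are assumptions; the check covers only the directory itself, not its parent directories.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not nmh code): 0 if dir is a real directory owned by
 * the calling user and not writable by group or others, else -1. */
int private_dir_ok(const char *dir)
{
    struct stat st;

    if (lstat(dir, &st) != 0)          /* lstat: a symlinked dir is refused */
        return -1;
    if (!S_ISDIR(st.st_mode))
        return -1;
    if (st.st_uid != geteuid())        /* someone else's directory */
        return -1;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return -1;                     /* e.g. /tmp: others can plant names */
    return 0;
}

/* Hypothetical helper: create a temp file in dir. On success returns an open
 * fd and leaves the chosen path in out; returns -1 on any failure. */
int private_tmpfile(const char *dir, char *out, size_t outlen)
{
    int n;

    if (private_dir_ok(dir) != 0)
        return -1;
    n = snprintf(out, outlen, "%s/nmhXXXXXX", dir);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                     /* path would be truncated */
    return mkstemp(out);               /* opens with O_CREAT|O_EXCL */
}

int main(int argc, char **argv)
{
    char path[4096];
    int fd = private_tmpfile(argc > 1 ? argv[1] : ".", path, sizeof path);

    if (fd < 0) {
        fprintf(stderr, "refusing to create a temporary file there\n");
        return 1;
    }
    printf("created %s\n", path);
    close(fd);
    unlink(path);
    return 0;
}
```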
