GNOME Bugzilla – Bug 150329
File roller creates predictable /tmp directories
Last modified: 2004-12-22 21:47:04 UTC
Description of Problem:
Viewing a file within an archive using file roller's internal viewer will cause file roller to create directories in /tmp which have a predictable format, 'file-roller.<PID>.<NUM>', where PID is the process id of the currently running file-roller. NUM is incremented starting from 0.

Steps to reproduce the problem:
1. Create an archive 'foo.tgz' with some files in it.
2. Right click on desktop and choose 'Open Terminal'
3. Run command 'file-roller'
4. Click on 'Open' and open the archive 'foo.tgz'
5. Select any file within the archive and click on 'View' in the toolbar
6. Select 'View with internal viewer' and click on OK
7. Check the /tmp directory listing.

Actual Results:
A directory of the name 'file-roller.PID.NUM' is created.

Expected Results:
Files with predictable names should not be created in world writable directories.
Created attachment 30631: Proposed patch
Why are predictable directory names a problem?
In a multi-user scenario, if one user creates these /tmp directories by predicting them and sets the mode to 000, it might create problems, so I feel these names should be unpredictable, as in many other applications like web browsers, acrobat-reader, etc.
If you feel this is right, I think we can change the way of creating these /tmp directories in the rest of the code also, as we create these in around 8-9 portions of the code while extracting, executing some commands, etc. Please let me know your comments, so that I can proceed.
OK, go ahead. You only have to change the get_temp_work_dir_name function and remove the ensure_dir_exists calls on the temp dirs, because after the change the get_temp_work_dir_name function will also create the directory.
done ;)
Paolo, thanks for fixing it in CVS :-) I was away from work for quite some time. Anyway, I am closing this as FIXED.
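The change discussed in this thread, a function that picks the name and creates the directory in one step, can be sketched with POSIX mkdtemp(). This is an added example, not the file-roller patch or the attachment on this bug; the function names predictable_name, make_temp_work_dir and is_private_dir and the template string are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for mkdtemp() and lstat() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* "Before": the naming scheme from the report, file-roller.<PID>.<NUM>.
 * Any local user can compute this string in advance. */
int predictable_name(char *buf, size_t size, long pid, int num)
{
    int n = snprintf(buf, size, "/tmp/file-roller.%ld.%d", pid, num);
    return (n > 0 && (size_t)n < size) ? 0 : -1;
}

/* "After": choose the name and create the directory in one call.
 * mkdtemp() replaces XXXXXX with random characters and creates the
 * directory with mode 0700; it never reuses a directory that already
 * exists, so one placed in advance by another user is not picked up. */
int make_temp_work_dir(char *buf, size_t size)
{
    const char *tmpl = "/tmp/file-roller.XXXXXX";   /* assumed template */
    if (strlen(tmpl) + 1 > size)
        return -1;
    strcpy(buf, tmpl);
    return mkdtemp(buf) != NULL ? 0 : -1;
}

/* Check that a work directory is a real directory (not a symlink),
 * owned by us, with no group/other access. Returns 1 if so, else 0. */
int is_private_dir(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    return st.st_uid == geteuid() && (st.st_mode & 077) == 0;
}

int main(void)
{
    char old[64], dir[64];
    predictable_name(old, sizeof old, (long)getpid(), 0);
    printf("predictable: %s\n", old);
    if (make_temp_work_dir(dir, sizeof dir) != 0) { perror("mkdtemp"); return 1; }
    printf("created:     %s (private=%d)\n", dir, is_private_dir(dir));
    return rmdir(dir) == 0 ? 0 : 1;
}
```

Because the directory exists as soon as the name is returned, callers no longer need a separate "create if missing" step, which is the step that would silently accept a directory someone else had already made.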