Anyone can list the files of /tmp

Bug #717622 reported by Master

This bug report was converted into a question: question #145134: Anyone can list the files of /tmp.

This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Ubuntu | Invalid | Undecided | Unassigned |

Bug Description

Hello,

Not a Unix/Linux professional, I noticed /tmp in 10.10 has the rights:

drwxrwxrwt 12 root root 4096 2011-02-12 09:59 tmp/

The sticky bit is there to prevent a user from deleting another user's file.
However, by the nature of these rights, anyone can list the files in this folder, and e.g. Firefox stores temporary PDFs in /tmp; therefore anyone can read the bank account name when you open an account file with an explicit name.

Isn't that a privacy threat?
Why not create each user's tmp directory as /tmp/'$user' and forbid any user-loaded program from writing to /tmp, leaving it accessible only to the system?
Even more, to make encrypting the home directory effective, it should just use ~/.tmp so that everything is encrypted anyway (even root couldn't decrypt it without the user being logged in, I believe), shouldn't it?

I understand there is a reason if it isn't done but I can't see...

Thanks for your clarification.
Bye
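
The permission string quoted in the report, and the per-user directory it asks about, can be checked from a shell. The script below is an added example, not part of the original report or of Ubuntu: it reads the mode of a directory such as /tmp and creates a mode-0700 directory whose file names other local users cannot list. The function names and the `private.XXXXXX` template are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report). All function names are hypothetical.

# Print the 10-character permission string of a path, e.g. "drwxrwxrwt".
# substr() drops the trailing "." or "+" some systems append for SELinux/ACLs.
perm_string() {
    ls -ld -- "$1" | awk '{ print substr($1, 1, 10) }'
}

# Succeeds if "other" has the read bit (character 8), i.e. any local user
# can list the file names in directory $1.
names_listable_by_others() {
    [ "$(perm_string "$1" | cut -c8)" = "r" ]
}

# Succeeds if the sticky bit is set (character 10 is "t" or "T"): only the
# owner of a file (or root) may delete or rename it inside the directory.
has_sticky_bit() {
    case "$(perm_string "$1" | cut -c10)" in
        t|T) return 0 ;;
        *)   return 1 ;;
    esac
}

# Create a private directory under base $1 (default /tmp) and print its path.
# Names inside it are hidden from other users even though the base is listable.
make_private_tmp() {
    base=${1:-/tmp}
    old_umask=$(umask)
    umask 077
    dir=$(mktemp -d "$base/private.XXXXXX") || { umask "$old_umask"; return 1; }
    umask "$old_umask"
    chmod 700 "$dir"
    if names_listable_by_others "$dir"; then
        echo "refusing to use $dir: still listable by others" >&2
        return 1
    fi
    printf '%s\n' "$dir"
}

# Usage: TMPDIR=$(make_private_tmp) && export TMPDIR
```

Only programs that honour the `TMPDIR` environment variable will write into the private directory; anything that hard-codes /tmp is unaffected.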

Fabio Marconi (fabiomarconi) wrote:

Thank you for taking the time to report this issue and helping to make Ubuntu better. Examining the information you have given us, this does not appear to be a bug report so we are closing it and converting it to a question in the support tracker. We appreciate the difficulties you are facing, but it would make more sense to raise problems you are having in the support tracker at https://answers.launchpad.net/ubuntu if you are uncertain if they are bugs. For help on reporting bugs, see https://help.ubuntu.com/community/ReportingBugs#When%20not%20to%20file%20a%20bug.

Changed in ubuntu:
status: New → Invalid