Anyone can list the files of /tmp
This bug report was converted into a question: question #145134: Anyone can list the files of /tmp.
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Ubuntu | Invalid | Undecided | Unassigned | |
Bug Description
Hello,
Not a Unix/Linux professional, I noticed /tmp in 10.10 has the rights:
drwxrwxrwt 12 root root 4096 2011-02-12 09:59 tmp/
The sticky bit is there to prevent a user from deleting another user's file.
However, by the nature of these rights, anyone can list the files in this folder, and e.g. Firefox stores temporary PDFs in /tmp; therefore anyone can read the bank account name when you open an account file with an explicit name.
Isn't that a privacy threat?
Why not make each user's tmp directory in /tmp/'$user' and forbid any user-loaded program from writing in /tmp, leaving it accessible only to the system?
Even more, to make efficient use of home directory encryption, it should just use ~/.tmp so that everything is encrypted anyway (even root couldn't decrypt without the user logged in, I believe), shouldn't it?
I understand there is a reason it isn't done, but I can't see it...
Thanks for your clarification.
Bye
Thank you for taking the time to report this issue and helping to make Ubuntu better. Examining the information you have given us, this does not appear to be a bug report so we are closing it and converting it to a question in the support tracker. We appreciate the difficulties you are facing, but it would make more sense to raise problems you are having in the support tracker at https://answers.launchpad.net/ubuntu if you are uncertain if they are bugs. For help on reporting bugs, see https://help.ubuntu.com/community/ReportingBugs#When%20not%20to%20file%20a%20bug.
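An added illustration, not part of the original report or of any Ubuntu code: the sketch below decodes the `drwxrwxrwt` listing quoted in the bug description to show which permission bits let other users list file names in /tmp, and contrasts that with an owner-only scratch directory created by Python's `tempfile.mkdtemp`. The function names are hypothetical and chosen for this example.

```python
import os
import stat
import tempfile

def parse_ls_mode(text):
    """Turn an `ls -l` permission string such as 'drwxrwxrwt' into mode bits."""
    if len(text) != 10:
        raise ValueError("expected 10 characters, e.g. 'drwxrwxrwt'")
    kinds = {"d": stat.S_IFDIR, "-": stat.S_IFREG, "l": stat.S_IFLNK}
    if text[0] not in kinds:
        raise ValueError("unsupported file type: " + text[0])
    mode = kinds[text[0]]
    special = (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)
    for i in range(3):                       # user, group, other triplets
        r, w, x = text[1 + 3 * i: 4 + 3 * i]
        shift = 6 - 3 * i
        if r == "r":
            mode |= 4 << shift
        if w == "w":
            mode |= 2 << shift
        if x in "xst":                       # lower case: execute bit is set
            mode |= 1 << shift
        if x in "sStT":                      # setuid, setgid or sticky
            mode |= special[i]
    return mode

def exposure(mode):
    """What users other than the owner can do with a directory of this mode."""
    return {
        "others_can_list_names": bool(mode & stat.S_IROTH),
        "others_can_enter": bool(mode & stat.S_IXOTH),
        "others_can_create": bool(mode & stat.S_IWOTH and mode & stat.S_IXOTH),
        "sticky": bool(mode & stat.S_ISVTX),
    }

def private_tmpdir(parent=None):
    """Create a per-user scratch directory; mkdtemp makes it owner-only (0700)."""
    path = tempfile.mkdtemp(prefix="private-", dir=parent)
    return path, stat.S_IMODE(os.stat(path).st_mode)

if __name__ == "__main__":
    shared = parse_ls_mode("drwxrwxrwt")     # the /tmp listing quoted in the report
    print(oct(shared), exposure(shared))
    path, mode = private_tmpdir()
    print(path, oct(mode), exposure(mode))
    os.rmdir(path)                           # clean up the demo directory
```

The sticky bit only restricts deletion and renaming; the read bit for "other" is what exposes file names, and a 0700 directory (or a `TMPDIR` pointing at one) removes that exposure for files an application places inside it.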