haussli / rancid

RANCiD

tmpfile symlink vulnerability #18

Open RolandRosenfeld opened 3 years ago

RolandRosenfeld commented 3 years ago

As mentioned in https://lwn.net/Articles/250468/ and https://bugs.debian.org/496426 there may be a vulnerability when using tempfiles in /tmp. In the rancid context the vulnerability isn't that grave, since rancid usually doesn't run as user root but as user rancid, but since rancid is some kind of backup, this may allow an attack on your backup.

In the Debian package I fixed this vulnerability with the following patch: https://salsa.debian.org/debian/rancid/-/blob/master/debian/patches/06_tmp_security.patch. This uses mktemp(1) from the coreutils package to create a safe temp directory. In some situations it simply uses /var/lib/rancid (which does not have permission 1777 but is only accessible by user rancid) as an alternative implementation (not sure whether I not always used mktemp, but this was 12 years ago...).

I'm not fully sure what the best solution for the upstream rancid package is, since I don't know whether mktemp can be considered to be available on every system (or how to integrate this into autoconf).

Since Debian requests maintainers to forward all Debian optimizations upstream, I'll open this issue here...

Greetings, Roland
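An added example, not taken from rancid or from the Debian patch linked in the issue: one way a POSIX shell script can get a private working directory under /tmp, using mktemp(1) when it is installed and an atomic `mkdir` when it is not. The function names `make_private_tmpdir`, `fallback_tmpdir` and `claim_dir` are hypothetical.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not rancid's code.

# claim_dir PATH: create PATH with mode 0700, or fail.
# mkdir(2) is atomic and returns EEXIST when the name already exists,
# including as a symlink (dangling or not), so a planted link is never followed.
claim_dir() {
    ( umask 077 && mkdir "$1" ) 2>/dev/null
}

# fallback_tmpdir BASE PREFIX: for systems without mktemp(1).
# Picks a random suffix from /dev/urandom and retries on collision.
fallback_tmpdir() {
    fb_base=$1
    fb_prefix=$2
    fb_tries=0
    while [ "$fb_tries" -lt 10 ]; do
        fb_suffix=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
        if claim_dir "$fb_base/$fb_prefix.$fb_suffix"; then
            printf '%s\n' "$fb_base/$fb_prefix.$fb_suffix"
            return 0
        fi
        fb_tries=$((fb_tries + 1))
    done
    return 1
}

# make_private_tmpdir PREFIX: print the path of a new directory that only
# the calling user can enter. Temp files are then created inside it instead
# of directly in the world-writable /tmp.
make_private_tmpdir() {
    mp_prefix=${1:-work}
    mp_base=${TMPDIR:-/tmp}
    if command -v mktemp >/dev/null 2>&1; then
        # mktemp -d chooses an unpredictable name and creates it mode 0700.
        mktemp -d "$mp_base/$mp_prefix.XXXXXXXXXX"
    else
        fallback_tmpdir "$mp_base" "$mp_prefix"
    fi
}
```

A caller would typically pair this with `trap 'rm -rf "$dir"' EXIT` so the directory is removed when the script ends.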