ugexe / zef

Raku Module Management
Artistic License 2.0
206 stars 44 forks

Shared library referenced in /tmp/.zef? Potential security issue. #562

Closed bbkr closed 1 month ago

bbkr commented 1 month ago

I've encountered a very weird issue and I'm not sure if it's zef, Raku %?RESOURCES handling or something else. Reproducible on rakudo-star 2024.03 from DockerHub:

$ docker run --interactive --tty rakudo-star sh

# apt-get update
# apt-get install build-essential
# zef install FastCGI::NativeCall
# rm -r /tmp/.zef
# raku

[0] >  use FastCGI::NativeCall;
Nil
[1] >  my $fcgi = FastCGI::NativeCall.new( socket => 0 );
Cannot locate native library '/tmp/.zef/1718034907.1533/1718034910.1533.4017.3101204930063/resources/A048D458613D368752FEAC5B8C9040FC6E126330.so': /tmp/.zef/1718034907.1533/1718034910.1533.4017.3101204930063/resources/A048D458613D368752FEAC5B8C9040FC6E126330.so: cannot open shared object file: No such file or directory

The mentioned file A048D458613D368752FEAC5B8C9040FC6E126330.so is also properly installed in share/perl6/site/sources/, but for an unknown reason, when this module refers to %?RESOURCES<libraries/fcgi>, it is pointed at the zef temporary directory.

Which looks like a big security issue, because anyone with access to /tmp can swap the loaded library.

niner commented 1 month ago

That's a bug in the module. I have opened a PR for that module with a trivial fix.

bbkr commented 1 month ago

Thanks for quick reply!
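Added example, not code from zef, from FastCGI::NativeCall, or from niner's PR (the thread does not show the module source or the fix). It illustrates, in Raku, the pattern that produces exactly the symptom reported above when a module names a bundled shared library, the lazily resolved form, and a defence-in-depth check a practitioner might add before the first native call. Assumptions: the file lives at lib/Demo/FCGI.rakumod in a distribution whose META6.json declares "resources": ["libraries/fcgi"], a build step places a library exporting the hypothetical symbol demo_fcgi_version under resources/libraries/, and the compile-time-stringification cause shown in the comment is an assumption about the typical cause of this error, not a statement about what the module actually did.

```raku
# Added example (not FastCGI::NativeCall's code). Assumed layout: this file is
# lib/Demo/FCGI.rakumod in a distribution whose META6.json contains
#   "resources": [ "libraries/fcgi" ]
# and whose build step drops a shared library exporting the hypothetical
# symbol demo_fcgi_version into resources/libraries/.
unit module Demo::FCGI;
use NativeCall;

# --- Pattern that produces the symptom in the report --------------------------
# (assumption: the thread shows neither the module source nor niner's fix)
# `constant` is evaluated while the module is compiled. zef compiles it inside
# its build directory under /tmp/.zef, so the string frozen into the
# precompiled module is the build-time path, and every later `use` on the
# installed system dlopen()s that path, whether or not it still exists and
# whoever recreated it.
#
#   constant LIB = %?RESOURCES<libraries/fcgi>.Str;
#   sub demo_fcgi_version() returns int32 is native(LIB) { * }

# --- Lazily resolved form -----------------------------------------------------
# Hand `is native` the Distribution::Resource object itself. It is turned into
# a path only when the sub is first called, through the repository the module
# was loaded from, so the installed copy under site/resources is used.
sub demo_fcgi_version() returns int32
    is native(%?RESOURCES<libraries/fcgi>) { * }

# --- Defence in depth: refuse to load through a world-writable ancestor ------
# Checks every directory on the way to the library. A sticky bit (as on /tmp,
# mode 1777) only stops other users deleting or renaming *existing* entries;
# once /tmp/.zef is gone, anyone can recreate /tmp/.zef/<anything>/resources/
# and plant a file at the frozen path, which is the swap the issue describes.
# Sticky directories are therefore refused as well.
sub check-library-path(IO::Path:D $lib --> IO::Path:D) is export {
    my IO::Path $p = $lib.resolve;                 # follow symlinks first
    die "native library not found: $p" unless $p.f;
    my IO::Path $dir = $p.parent;
    loop {
        die "refusing $p: directory $dir is world-writable"
            if $dir.mode +& 0o002;                 # POSIX "other write" bit
        last if $dir.Str eq $dir.parent.Str;       # reached the filesystem root
        $dir .= parent;
    }
    return $p;
}

# Public entry point: verify the resolved library before the first native
# call, which is the moment NativeCall actually dlopen()s it.
sub fcgi-version(--> Int) is export {
    check-library-path(%?RESOURCES<libraries/fcgi>.IO);
    demo_fcgi_version();
}
```

The guard can be exercised on its own: on a typical Linux host `check-library-path('/tmp/anything.so'.IO)` dies because /tmp is mode 1777, while a path under /usr/lib or a user-owned site directory passes. The check is advisory rather than airtight (it inspects the path NativeCall is expected to use, and a race between the check and the dlopen() remains possible), so it complements, and does not replace, resolving the resource at run time as shown.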