Closed melezhik closed 1 month ago
fwiw you can work around this by setting ZEF_CONFIG_TEMPDIR or changing the appropriate field in the config file
Yeah, thanks for that hint, how about implementing this separation on zef side, so an end user don’t bother about that ?
On Thu, Jul 11, 2024 at 5:53 PM Nick Logan @.***> wrote:
fwiw you can work around this by setting ZEF_CONFIG_TEMPDIR or changing the appropriate field in the config file
— Reply to this email directly, view it on GitHub https://github.com/ugexe/zef/issues/563#issuecomment-2223149654, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAHRHSMWI2ZAJFR3AG4YFVLZL2MAJAVCNFSM6AAAAABKXDMEK2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDEMRTGE2DSNRVGQ . You are receiving this because you authored the thread.Message ID: @.***>
Potentially. But it is just using $*TMPDIR from core raku. I wonder if raku should consider writable permissions when it picks the value for that dynamic variable
The problem is not $*TMPDIR
itself but using a fixed subdirectory of that. That's bad practice also from a security standpoint. Predictable temp file names can be exploited via symlinks.
I suggest using something like `$*TMPDIR ~ flat('a'..'z', 'A'..'Z', 0..9, '_').roll(8).join ~ '.zef' instead
The problem is not
$*TMPDIR
itself but using a fixed subdirectory of that. That's bad practice also from a security standpoint. Predictable temp file names can be exploited via symlinks.I suggest using something like `$*TMPDIR ~ flat('a'..'z', 'A'..'Z', 0..9, '_').roll(8).join ~ '.zef' instead
Still does not guarantee collisions?
There would be a 1 in 248,155,780,267,521 chance of a collision. In other words it just won't happen. But if you are afraid, just make that prefix longer.
For now I'll be changing the TempDir
configuration entry from $*TMPDIR/.zef/{time}.{$*PID}
to $*TMPDIR/.zef.{time}.{$*PID}
. That is still a somewhat predictable-ish path, but I think it is a good enough solution for the time being.
Context
Expected Behavior
both command should succeed
Actual Behavior
the second command fails with error
The reason is zef is trying do to something with files located at /tmp/.zef/ directory which was created with root user during first run:
Your Environment
Debian12