It seems like g10k hardcodes /tmp/g10k as a cache directory for the modules it downloads. This seems unsafe: if a (local) attacker knows about this, they can prepopulate the directory with evil files that they own.
Another directory should be used, for example /var/cache/g10k (when running as root) or ~/.cache/g10k (otherwise). See also https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html for that standard. Otherwise we could follow the lead set by librarian and just use the directory where the Puppetfile is...
I understand that I can specify the -cachedir command-line parameter (or the g10k_cachedir environment) to work around this problem, but I think proper defaults should be enforced, especially since it's not possible to specify the cache directory in a Puppetfile.
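One way to pick the default proposed above and to refuse a cache directory that someone else prepared, as an added example (not g10k's own code). The function names `defaultCacheDir` and `ensurePrivateDir` are hypothetical, and the ownership check is Unix-only because it reads the owner through `syscall.Stat_t`.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// defaultCacheDir (hypothetical helper, not g10k code) returns /var/cache/g10k
// for root, else $XDG_CACHE_HOME/g10k, falling back to ~/.cache/g10k.
func defaultCacheDir(uid int, xdgCacheHome, home string) string {
	if uid == 0 {
		return "/var/cache/g10k"
	}
	if filepath.IsAbs(xdgCacheHome) { // the basedir spec says to ignore relative values
		return filepath.Join(xdgCacheHome, "g10k")
	}
	return filepath.Join(home, ".cache", "g10k")
}

// ensurePrivateDir (hypothetical helper) creates dir with mode 0700 if it is
// missing and rejects an existing path that is a symlink, not a directory,
// owned by another uid, or writable by group/other.
func ensurePrivateDir(dir string, uid int) error {
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return err
	}
	fi, err := os.Lstat(dir) // Lstat: do not follow a planted symlink
	if err != nil {
		return err
	}
	if fi.Mode()&os.ModeSymlink != 0 || !fi.IsDir() {
		return fmt.Errorf("%s is not a real directory", dir)
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok || int(st.Uid) != uid {
		return fmt.Errorf("%s is not owned by uid %d", dir, uid)
	}
	if fi.Mode().Perm()&0o022 != 0 {
		return fmt.Errorf("%s is writable by group or other", dir)
	}
	return nil
}

func main() {
	dir := defaultCacheDir(os.Getuid(), os.Getenv("XDG_CACHE_HOME"), os.Getenv("HOME"))
	fmt.Println(dir, ensurePrivateDir(dir, os.Getuid()))
}
```
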