Re: many packages write to `temporary-file-directory' insecurely

[Al Petrofsky]

> From: Richard Stallman <address@hidden>

> That code needs comments to explain what it is trying to do and why
> that is right.  After some study, I think I see WHAT it does, but I
> can't see why one would want to do that.

The original problem was that when we wrote over /tmp/snake-scores we
couldn't be sure that /tmp/snake-scores hadn't just been changed from
a file to a symbolic link pointing to one of our important files.

My solution is to first write the scores securely into a temp file and
then move it to the desired place.  This is safe, because if someone
has made the destination filename a symbolic link, then the rename
system call removes the link, rather than overwriting the linked-to
file.

This requires storing the file in a subdirectory of /tmp that is
world-writable without restriction, as opposed to /tmp itself, which
normally has its sticky bit set, thus forbidding people from deleting
others' files or renaming over them.

The catch is that if someone has made /tmp/emacs-game-scores a
symbolic link to one of our directories, then we could overwrite the
file named snake-scores in that directory.  So the improvement is that
only our files named snake-scores are vulnerable, rather than all of
them.

>  It seems to make the file read-only; why do that?

The point of (set-file-modes temp #o444) is to ensure the file is
world-readable, in case the user has a paranoid umask.  Making the
file non-writable is not necessary.

-al