Re: many packages write to `temporary-file-directory' insecurely

[Colin Walters]

On Fri, 2002-03-08 at 04:08, Richard Stallman wrote:
> The game-state-directory should not be world-writable.  If it is
> world-writable, it will have the same security problem as /tmp, except
> worse if it does not have the sticky bit--make-temp-file won't
> be reliable in that case.

The original security problem was in the way `gamegrid-add-score'
created files in /tmp, not in the attributes of /tmp itself.  If /tmp is
world-writable with the sticky bit, then it is possible for applications
to securely create files in it.

> One way to solve this problem is by having Emacs installation create
> the desired files under /var/games/emacs, make them world-writable,
> and make /var/games/emacs read-only.

The problem I see with this is that we can't use `rename-file', and thus
we lose atomicity of score file updates.  If multiple users are
concurrently reading and writing the same file, it will eventually be
corrupted.  We could perhaps try to come up with a locking scheme, but
things get very complicated at that point.

We also can't use my proposed solution, which is secure and atomic, but
as I realized right after posting it, fails to allow people to share
scores :)

> Does anyone see a better way?

At this point, my gut feeling is that we're going to be better off just
definining `game-state-directory' to be ~/.emacs.d/games or something,
and leave it at that.