On Mon, 06 May 2024 at 13:41:58 +0100, Barak A. Pearlmutter wrote: > As someone who regularly deals with large datasets, and keeps them in > the "approved" don't-back-these-up location /var/tmp
Independent of whether we make the change Luca is suggesting or not, I don't think /var/tmp is a good recommendation for users storing temporary data manually, because safe use of "obvious" filenames in a world-writeable location like /var/tmp requires you to be aware of the possibility of symlink attacks, and either ensure that your kernel has a mitigation for them (as Debian's does with default runtime configuration), or be careful to avoid them, or be OK with any human user account and any system uid on the system being able to achieve at least denial of service and maybe privilege escalation to your account. /tmp and /var/tmp are fine places for *programs* to store temporary data - for example Flatpak uses a subdirectory in /var/tmp for half-downloaded apps and runtimes - but only if they're using mkstemp(), mkdtemp() or equivalent to generate an unpredictable location and allocate it without race conditions, which is the only way these directories are safe to use in portable software. This is not particularly user-friendly to do manually. For files you don't want backed up, I'd personally recommend storing them somewhere in your home directory, perhaps ~/tmp, with a CACHEDIR.TAG (http://justsolve.archiveteam.org/wiki/Cache_Directory_Tagging_Standard), and using backup software that understands that convention (for example borg, restic, tar). smcv
