Hello! > Recent snapshots (2002-12-23-17 and similar ones) of mc create the > directory /tmp/mc-$USER. (src/utilunix.c: mc_tmpdir()) > > This is a bad idea, since another user may create this directory with > arbitrary permissions and files in it, causing mc to misbehave for me.
Yes, I can reproduce this problem. I was going to release 4.6.0-pre2 today, but now I have to delay it until this security issue is fixed. I don't want to delete the directory on exit because there are many reasons why mc can exit (including crash and killing it when rebooting the system). Considering that the temporary directory may have huge files in it, I would prefer to have a fixed name for it, so that it could be easily cleaned up by scripts if mc exists without cleaning some files. I completely agree that using home is not a good idea for NFS based systems. Let's separate the security issue from everything else and address it as soon as possible, ideally without any other changes and without using any non-portable functions. mkdtemp would be great if it was more portable. "info libc" says it comes from OpenBSD, so I don't think you can find mkdtemp on every UNIX. It is important to have a fallback for the case if something is wrong with the temporary directory. Midnight Commander should be useful even on systems with all filesystems mounted read-only. Any help with this fix will be appreciated. All other issues have been addressed. As soon as this issue is fixed, 4.6.0-pre2 will be released. -- Regards, Pavel Roskin _______________________________________________ Mc-devel mailing list [EMAIL PROTECTED] http://mail.gnome.org/mailman/listinfo/mc-devel