Re: org-persist files in /tmp

[Tim Cross]

Max Nikulin <manikulin@gmail.com> writes:

> On 22/12/2022 19:34, Ruijie Yu wrote:
>> One possible approach to this is to have all org-persist related
>> temporary directories into an overall "$TMPDIR/org-persist" directory.
>
> Predictable name in a "world" writable directory generally is not a good 
> idea. Multiple
> users may try to run Org on the same machine. There are some kernel 
> parameters to prevent
> certain type of attacks, however I am unsure concerning their default values 
> in various
> Linux distributions and what will happen if one user creates a symlink to 
> somewhere the
> under home directory of another one. So unfortunately a directory reusable by 
> different
> emacs sessions should be avoided.
>
> Ihor, I do not like that after your latest changes temporary directory became 
> world
> readable.
>
> Another point is that creating temporary files and directories must be an 
> atomic
> operation. In between of removing and recreating it an attacker might manage 
> to create a
> file with the same name.

Could some of the issues people are concerned about regarding use of
/tmp be avoided if instead the temporary files were put into ~/.cache?
To me, that would seem to be the appropriate location for such files. It
would mean that org would need to 'manage' or clean out old files, but
that shouldn't be a big issue.