Predictable filename in /tmp
jsegitz opened this issue · comments
Johannes Segitz commented
In /usr/bin/powerline-daemon on non-linux systems:
33 USE_FILESYSTEM = not sys.platform.lower().startswith('linux')
a predictable filename is used in /tmp
438 if USE_FILESYSTEM:
439 address = '/tmp/powerline-ipc-%d'
that allows local attackers to take over the socket by racing with the check in check_existing.
This is also a (minor) information leak possibility.
Please move the socket to /run/user/
Ciaran commented
thumbs up I think.