Good catch, @ander!
I think we could easily replace
# upload file to temp location
upload_destination="$(mktemp -u "${destination}.cdist.XXXXXXXXXX")"
with
…
@romain-dartigues if using your PR, it would make sense to remove the script remove-apt-repository as well.
The existing PR does not look bad to me, but I don't have an Ubuntu system at hand right now. I guess if it works with Ubuntu 18.04, then we can merge it - as anything older is ancient anyway.
@matze, I think there is one important point to highlight: the attack for predictable names only applies to directories that are user-writable. Typically mktemp and friends have to deal with…
LGTM - please go ahead. I'd suggest we make a major release out of this one, as changes on the file type affect basically everyone. So if we screwed something up, we have at least an indicator for…
mktemp works differently. What we are doing now is similar to mktemp -u.
Again, whether this is an actual problem is a different question.
The typical issue mktemp is trying to solve:
*…
Guys,
I think we are having a security problem here.
Let's say we __file /some/dir/foo and a user has write access to /some/dir and the user can run ps on the target system.
Thus the…
Just wondering, are we adding a behaviour change here? I.e. before we unconditionally deleted the file/directory/socket/whatever. Now we fail if it exists?