secure mktemp

2026-03-16 10:11:08 +01:00 · 2025-12-27 07:29:47 +01:00
parent b233c18709
commit 95e5a58f15
7 changed files with 15 additions and 8 deletions
--- a/configs/admin-essentials.nix
+++ b/configs/admin-essentials.nix
@@ -68,12 +68,19 @@ in {
      };
    };

+  environment.interactiveShellInit = ''
+    # Use XDG_RUNTIME_DIR for temporary files if available
+    if [ -d "$XDG_RUNTIME_DIR" ]; then
+      export TMPDIR="$XDG_RUNTIME_DIR"
+    fi
+  '';
+
  environment.shellAliases = let
    take = pkgs.writers.writeDash "take" ''
      mkdir "$1" && cd "$1"
    '';
    cdt = pkgs.writers.writeDash "cdt" ''
-      cd "$(mktemp -d)"
+      cd $(mktemp -p "$XDG_RUNTIME_DIR" -d "cdt-XXXXXX")
      pwd
    '';
    wcd = pkgs.writers.writeDash "wcd" ''
--- a/configs/aerc.nix
+++ b/configs/aerc.nix
@@ -306,7 +306,7 @@
        openers =
          let
            as-pdf = pkgs.writers.writeDash "as-pdf" ''
-              d=$(mktemp -d)
+              d=$(mktemp -p "$XDG_RUNTIME_DIR" -d)
              trap clean EXIT
              clean() {
                rm -rf "$d"
--- a/configs/backup.nix
+++ b/configs/backup.nix
@@ -41,7 +41,7 @@
      ${pkgs.restic}/bin/restic -r ${pkgs.lib.niveum.restic.repository} -p ${config.age.secrets.restic.path} "$@"
    '')
    (pkgs.writers.writeDashBin "restic-mount" ''
-      mountdir=$(mktemp -d)
+      mountdir=$(mktemp -p "$XDG_RUNTIME_DIR" -d "restic-mount-XXXXXXX")
      trap clean EXIT
      clean() {
        rm -r "$mountdir"
--- a/configs/cloud.nix
+++ b/configs/cloud.nix
@@ -89,7 +89,7 @@
        selection="$(${megatools "ls"} | ${pkgs.fzf}/bin/fzf)"
        test -n "$selection" || exit 1

-        tmpdir="$(mktemp -d)"
+        tmpdir="$(mktemp -p "$XDG_RUNTIME_DIR" -d)"
        trap clean EXIT
        clean() {
          rm -rf "$tmpdir"
--- a/packages/cro.nix
+++ b/packages/cro.nix
@@ -4,7 +4,7 @@ chromium.override {
    "--disable-sync"
    "--no-default-browser-check"
    "--no-first-run"
-    "--user-data-dir=$(${coreutils}/bin/mktemp -d)"
+    "--user-data-dir=$(${coreutils}/bin/mktemp -p $XDG_RUNTIME_DIR -d chromium-XXXXXX)"
    "--incognito"
  ];
 }
--- a/packages/fzfmenu.nix
+++ b/packages/fzfmenu.nix
@@ -12,8 +12,8 @@ writers.writeBashBin "fzfmenu" ''

  PATH=$PATH:${lib.makeBinPath [st fzf dash]}

-  input=$(mktemp -u --suffix .fzfmenu.input)
-  output=$(mktemp -u --suffix .fzfmenu.output)
+  input=$(mktemp -p "$XDG_RUNTIME_DIR" -u --suffix .fzfmenu.input)
+  output=$(mktemp -p "$XDG_RUNTIME_DIR" -u --suffix .fzfmenu.output)
  mkfifo "$input"
  mkfifo "$output"
  chmod 600 "$input" "$output"
--- a/packages/qrpaste.nix
+++ b/packages/qrpaste.nix
@@ -6,7 +6,7 @@
  nsxiv,
 }:
 writers.writeDashBin "qrpaste" ''
-  file="$(${mktemp}/bin/mktemp --tmpdir)"
+  file="$(${mktemp}/bin/mktemp -p "$XDG_RUNTIME_DIR" qrpaste-XXXXXX.png)"
  trap clean EXIT
  clean() {
    rm "$file"