From 95e5a58f15c3993b6ab0dc2d879c3dbd7957568f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kier=C3=A1n=20Meinhardt?=
Date: Sat, 27 Dec 2025 07:29:47 +0100
Subject: [PATCH] secure mktemp

---
 configs/admin-essentials.nix | 9 ++++++++-
 configs/aerc.nix | 2 +-
 configs/backup.nix | 2 +-
 configs/cloud.nix | 2 +-
 packages/cro.nix | 2 +-
 packages/fzfmenu.nix | 4 ++--
 packages/qrpaste.nix | 2 +-
 7 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/configs/admin-essentials.nix b/configs/admin-essentials.nix
index e8ab98f..aa6618d 100644
--- a/configs/admin-essentials.nix
+++ b/configs/admin-essentials.nix
@@ -68,12 +68,19 @@ in {
 };
 };
 
+ environment.interactiveShellInit = ''
+ # Use XDG_RUNTIME_DIR for temporary files if available
+ if [ -d "$XDG_RUNTIME_DIR" ]; then
+ export TMPDIR="$XDG_RUNTIME_DIR"
+ fi
+ '';
+
 environment.shellAliases = let
 take = pkgs.writers.writeDash "take" ''
 mkdir "$1" && cd "$1"
 '';
 cdt = pkgs.writers.writeDash "cdt" ''
- cd "$(mktemp -d)"
+ cd $(mktemp -p "$XDG_RUNTIME_DIR" -d "cdt-XXXXXX")
 pwd
 '';
 wcd = pkgs.writers.writeDash "wcd" ''
diff --git a/configs/aerc.nix b/configs/aerc.nix
index 19ea95d..5088941 100644
--- a/configs/aerc.nix
+++ b/configs/aerc.nix
@@ -306,7 +306,7 @@
 openers = let
 as-pdf = pkgs.writers.writeDash "as-pdf" ''
- d=$(mktemp -d)
+ d=$(mktemp -p "$XDG_RUNTIME_DIR" -d)
 trap clean EXIT
 clean() {
 rm -rf "$d"
diff --git a/configs/backup.nix b/configs/backup.nix
index 8229b1a..ff901c1 100644
--- a/configs/backup.nix
+++ b/configs/backup.nix
@@ -41,7 +41,7 @@
 ${pkgs.restic}/bin/restic -r ${pkgs.lib.niveum.restic.repository} -p ${config.age.secrets.restic.path} "$@"
 '')
 (pkgs.writers.writeDashBin "restic-mount" ''
- mountdir=$(mktemp -d)
+ mountdir=$(mktemp -p "$XDG_RUNTIME_DIR" -d "restic-mount-XXXXXXX")
 trap clean EXIT
 clean() {
 rm -r "$mountdir"
diff --git a/configs/cloud.nix b/configs/cloud.nix
index c29fc31..245aad9 100644
--- a/configs/cloud.nix
+++ b/configs/cloud.nix
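Review bot: The rewritten cdt line in configs/admin-essentials.nix drops the double quotes the old line had around the command substitution, so `cd $(mktemp …)` is now subject to word splitting and globbing on the returned path, and if mktemp fails the bare `cd` silently lands in $HOME before `pwd` prints it; restore the quotes and check the status: `cd "$(mktemp -p "$XDG_RUNTIME_DIR" -d cdt-XXXXXX)" || exit 1`. The new interactiveShellInit comment says what it does but not why; a reader would benefit from `# XDG_RUNTIME_DIR is a per-user, mode-0700 runtime directory, unlike the shared sticky /tmp` beside it. Note that this export only reaches interactive shells, so the explicit -p added to the scripts below is still what protects the non-shell entry points.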
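Review bot: The new `d=$(mktemp -p "$XDG_RUNTIME_DIR" -d)` in configs/aerc.nix still does not check mktemp's exit status, so if the directory cannot be created `d` is empty, the rest of the opener (outside this hunk) works in whatever the current directory is, and `clean` runs `rm -rf ""`; add `|| exit 1` to that line, and the same applies to the mountdir line in configs/backup.nix, the tmpdir line in configs/cloud.nix and the file line in packages/qrpaste.nix. Separately, when XDG_RUNTIME_DIR is unset (sudo, cron, a login without a session manager) the quoted form hands `-p` an empty string, which GNU mktemp treats like an unspecified --tmpdir and falls back to $TMPDIR or /tmp, so the hardening degrades silently instead of failing. If the shared-/tmp fallback is acceptable, make it visible with `-p "${XDG_RUNTIME_DIR:-${TMPDIR:-/tmp}}"`; if it is not, use `-p "${XDG_RUNTIME_DIR:?}"` so the script aborts with a message.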
@@ -89,7 +89,7 @@
 selection="$(${megatools "ls"} | ${pkgs.fzf}/bin/fzf)"
 test -n "$selection" || exit 1
- tmpdir="$(mktemp -d)"
+ tmpdir="$(mktemp -p "$XDG_RUNTIME_DIR" -d)"
 trap clean EXIT
 clean() {
 rm -rf "$tmpdir"
diff --git a/packages/cro.nix b/packages/cro.nix
index 75ed96e..c11d06b 100644
--- a/packages/cro.nix
+++ b/packages/cro.nix
@@ -4,7 +4,7 @@ chromium.override {
 "--disable-sync"
 "--no-default-browser-check"
 "--no-first-run"
- "--user-data-dir=$(${coreutils}/bin/mktemp -d)"
+ "--user-data-dir=$(${coreutils}/bin/mktemp -p $XDG_RUNTIME_DIR -d chromium-XXXXXX)"
 "--incognito"
 ];
 }
diff --git a/packages/fzfmenu.nix b/packages/fzfmenu.nix
index 8ebbd95..3ea67af 100644
--- a/packages/fzfmenu.nix
+++ b/packages/fzfmenu.nix
@@ -12,8 +12,8 @@ writers.writeBashBin "fzfmenu" ''
 PATH=$PATH:${lib.makeBinPath [st fzf dash]}
- input=$(mktemp -u --suffix .fzfmenu.input)
- output=$(mktemp -u --suffix .fzfmenu.output)
+ input=$(mktemp -p "$XDG_RUNTIME_DIR" -u --suffix .fzfmenu.input)
+ output=$(mktemp -p "$XDG_RUNTIME_DIR" -u --suffix .fzfmenu.output)
 mkfifo "$input"
 mkfifo "$output"
 chmod 600 "$input" "$output"
diff --git a/packages/qrpaste.nix b/packages/qrpaste.nix
index d059b4e..52b0fa3 100644
--- a/packages/qrpaste.nix
+++ b/packages/qrpaste.nix
@@ -6,7 +6,7 @@
 nsxiv,
 }:
 writers.writeDashBin "qrpaste" ''
- file="$(${mktemp}/bin/mktemp --tmpdir)"
+ file="$(${mktemp}/bin/mktemp -p "$XDG_RUNTIME_DIR" qrpaste-XXXXXX.png)"
 trap clean EXIT
 clean() {
 rm "$file"
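Review bot: `$XDG_RUNTIME_DIR` in packages/cro.nix is the only occurrence in this patch left unquoted, so if the variable is unset the expansion vanishes, `-p` consumes `-d` as its directory argument, and mktemp tries to create a regular file named chromium-XXXXXX under a directory literally called `-d` (assuming the flag string is expanded by the wrapper's shell, which this hunk does not show). Quote it as the other files do: `"--user-data-dir=$(${coreutils}/bin/mktemp -p \"$XDG_RUNTIME_DIR\" -d chromium-XXXXXX)"`. Also, nothing removes the profile directory after Chromium exits, and XDG_RUNTIME_DIR is normally a small size-capped tmpfs, so repeated launches accumulate profile data there until logout; a small wrapper script with a `trap` cleanup, as the other hunks use, would avoid that.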
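Review bot: Moving the fifos in packages/fzfmenu.nix under XDG_RUNTIME_DIR narrows the exposure, but `mktemp -u` still only produces a name, and the two `mkfifo` calls that actually create it are unchecked, so a pre-existing entry of that name makes mkfifo fail and the script carries on with whatever is already there (the rest of the script is outside this hunk, so I cannot see whether `set -e` applies). A safer shape is one private directory with fixed names inside it: `dir=$(mktemp -d -p "$XDG_RUNTIME_DIR" fzfmenu.XXXXXX) || exit 1`, `input=$dir/input output=$dir/output`, then `mkfifo -m 600 "$input" "$output" || exit 1`, which also closes the window between the default-mode mkfifo and the later `chmod 600`. The cleanup (not shown) would then remove `$dir` instead of the two fifos.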