secure mktemp

2026-03-19 11:31:09 +01:00 · 2025-12-27 07:29:47 +01:00
parent b233c18709
commit 95e5a58f15
7 changed files with 15 additions and 8 deletions
--- a/configs/admin-essentials.nix
+++ b/configs/admin-essentials.nix
@@ -68,12 +68,19 @@ in {
      };
    };

+  environment.interactiveShellInit = ''
+    # Use XDG_RUNTIME_DIR for temporary files if available
+    if [ -d "$XDG_RUNTIME_DIR" ]; then
+      export TMPDIR="$XDG_RUNTIME_DIR"
+    fi
+  '';
+
  environment.shellAliases = let
    take = pkgs.writers.writeDash "take" ''
      mkdir "$1" && cd "$1"
    '';
    cdt = pkgs.writers.writeDash "cdt" ''
-      cd "$(mktemp -d)"
+      cd $(mktemp -p "$XDG_RUNTIME_DIR" -d "cdt-XXXXXX")
      pwd
    '';
    wcd = pkgs.writers.writeDash "wcd" ''
--- a/configs/aerc.nix
+++ b/configs/aerc.nix
@@ -306,7 +306,7 @@
        openers =
          let
            as-pdf = pkgs.writers.writeDash "as-pdf" ''
-              d=$(mktemp -d)
+              d=$(mktemp -p "$XDG_RUNTIME_DIR" -d)
              trap clean EXIT
              clean() {
                rm -rf "$d"
--- a/configs/backup.nix
+++ b/configs/backup.nix
@@ -41,7 +41,7 @@
      ${pkgs.restic}/bin/restic -r ${pkgs.lib.niveum.restic.repository} -p ${config.age.secrets.restic.path} "$@"
    '')
    (pkgs.writers.writeDashBin "restic-mount" ''
-      mountdir=$(mktemp -d)
+      mountdir=$(mktemp -p "$XDG_RUNTIME_DIR" -d "restic-mount-XXXXXXX")
      trap clean EXIT
      clean() {
        rm -r "$mountdir"
--- a/configs/cloud.nix
+++ b/configs/cloud.nix
@@ -89,7 +89,7 @@
        selection="$(${megatools "ls"} | ${pkgs.fzf}/bin/fzf)"
        test -n "$selection" || exit 1

-        tmpdir="$(mktemp -d)"
+        tmpdir="$(mktemp -p "$XDG_RUNTIME_DIR" -d)"
        trap clean EXIT
        clean() {
          rm -rf "$tmpdir"