rpm-build-vm-checkinstall-1.65-alt3.noarch unsafe-tmp-usage-in-scripts fail

The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files.

Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it.

Found error in /usr/lib/vm-run.ci/checkinstall:

    $ grep /tmp/ /usr/lib/vm-run.ci/checkinstall
    # Bringing up secondary CPUs" message.
    ls /dev/kvm
    set | grep ^LD_
    # Simulate filetrigger run
    find /boot > /tmp/filelist
    /usr/lib/rpm/posttrans-filetriggers /tmp/filelist
    rm /tmp/filelist
    # Remove trigger so it does not re-create '/tmp/vm-ext4.img'.
    > /usr/lib/rpm/z-vm-createimage.filetrigger
    kvm-ok
    timeout 300 vm-run <<-'EOF'
    uname
    ! timeout --preserve-status 300 vm-run "true; false; true" || exit 1
    timeout 300 vm-run --mem=max free -g
    timeout 300 vm-run --cpu=max lscpu
    df -h /tmp
    timeout 300 vm-run --tmp=max df -h /tmp
    rm /tmp/vm-tmpfs.qcow2
    timeout 300 vm-run --verbose --overlay=ext4 uname -a
    rmdir /mnt/0
    rm /usr/src/ext4.0.img
    timeout 300 vm-run --rootfs --verbose df
    rm /tmp/vm-ext4.img
    timeout 300 vm-run --hvc --no-quiet 'dmesg -r | grep Unknown'
    timeout 300 vm-run --tcg --mem='' --cpu=1 cat /proc/cpuinfo
    # Clean up without '-f' ensures these files existed.
    rm /tmp/initramfs-*un-def-alt*.img
    # SCRIPT and exit code files form each vm-run invocation. Each SCRIPT file
    # should correspond to '.ret' file.
    find /tmp/vm.?????????? -maxdepth 0 | xargs -t -i -n1 rm {} {}.ret;