perl-Cikl-scripts-0.5.1-alt1.noarch	unsafe-tmp-usage-in-scripts	fail	The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/bin/cikl_crontool: $ grep /tmp/ /usr/bin/cikl_crontool my $throttle = $opts{'T'} || 'medium'; my $cron_tool = $opts{'b'} || 'cikl_smrt'; my $config = $opts{'C'} || $ENV{'HOME'}.'/.cikl'; my $debug = $opts{'d'}; my $debug_level = $opts{'v'}; my $mutex = $opts{'L'} || '/tmp/cikl_crontool.lock.'.$period; my $start_at = $opts{'S'}; my $dir = $opts{'F'} || '/opt/cikl'; my $admin = $opts{'A'} || 'root'; my $fail_closed = $opts{'N'} || 0; } remove_lock(); sub bail { my $msg = shift; if(-e '/tmp/.cikl_crontool.err'){ print $msg."\n"; } else { my $msg = MIME::Lite->new( To => $admin, Subject => 'cikl_crontool failure', Data => $msg || 'unknown', ); $msg->send(); system('touch /tmp/.cikl_crontool.err'); open(MUTEX, ">>/tmp/.cikl_crontool.err") or die "/tmp/.cikl_crontool.err: $!"; close(MUTEX); } warn($msg); exit(-1); };