Description
While checking my AppArmor logs, I noticed that git accesses
/tmp/git-index-private* r,
/tmp/git-index-private*.lock rw,
where * is the pid of bash.
After some searching, I found that gitprompt.sh uses this predictable filename:
    function createPrivateIndex {
      [...]
      __GIT_INDEX_PRIVATE="${TMPDIR:-/tmp}/git-index-private$$"
      command cp "${__GIT_INDEX_FILE}" "${__GIT_INDEX_PRIVATE}" 2>/dev/null
      echo "${__GIT_INDEX_PRIVATE}"
    }
A pid-based filename is predictable, and can be used by attackers, for example to do a symlink attack - which results in cp overwriting an attacker-chosen file. (In this specific case, the attacker doesn't need to be very fast, since bash is typically running for quite a while, and the attacker can easily find the bash pid using ps.)
I'd recommend using a mktemp-generated filename to avoid this problem.
Something I couldn't find in the script is the creator of the *.lock file, so I can only guess that git does it. This somewhat bypasses the mktemp-generated filename.
If you want to be on the safe side, create a temporary directory with mktemp -d and copy the file into that directory. With that, the *.lock file should also end up in that directory.
Please let me know if you have any questions.
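
The mktemp -d approach suggested in the report, sketched as an added example (not code from gitprompt.sh or from the reporter). The function names create_private_index_safe and cleanup_private_index and the file name "index" inside the directory are assumptions made for illustration.

```shell
# Added example: private index copy inside a mktemp -d directory.
# Function names and the "index" file name are hypothetical.

# Copy the index file given as $1 into a fresh private directory.
# Prints the path of the copy; returns non-zero on failure.
create_private_index_safe() {
  _cpi_src="$1"
  # mktemp -d picks an unpredictable name and creates the directory
  # owner-only (0700); it fails instead of reusing an existing path.
  _cpi_dir="$(mktemp -d "${TMPDIR:-/tmp}/git-index-private.XXXXXXXXXX")" || return 1
  # The directory is new and not writable by other users, so no one else
  # can pre-create "index" or "index.lock" in it as a symlink.
  if ! command cp -- "$_cpi_src" "$_cpi_dir/index" 2>/dev/null; then
    rm -rf -- "$_cpi_dir"
    return 1
  fi
  printf '%s\n' "$_cpi_dir/index"
}

# Remove the private directory that holds the index copy given as $1.
cleanup_private_index() {
  [ -n "$1" ] || return 0
  _cpi_dir="$(dirname -- "$1")"
  # Only delete directories that match the template used above.
  case "$(basename -- "$_cpi_dir")" in
    git-index-private.*) rm -rf -- "$_cpi_dir" ;;
    *) return 1 ;;
  esac
}

# Usage (assumes __GIT_INDEX_FILE is set as in the snippet above):
#   __GIT_INDEX_PRIVATE="$(create_private_index_safe "$__GIT_INDEX_FILE")" || return
#   GIT_INDEX_FILE="$__GIT_INDEX_PRIVATE" git status --porcelain
#   cleanup_private_index "$__GIT_INDEX_PRIVATE"
```

Because the lock file is created next to the index path, it lands in the same owner-only directory rather than directly in /tmp.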