Unix: Default to a users-specific temp directory for extracting single-file apps

[swaroop-sridhar]

In .net core 3, single file apps run by extracting the bundled contents to a temp directory.
The extraction directory is machine specific, and can be set through DOTNET_BUNDLE_EXTRACT_BASE_DIR environment variable.

When this setting is not configured, the host tries to use certain default directories.
On windows, extraction is within %TMPDIR%, which is user specific.
On Unix systems $TMPDIR/.net if set, which may be user specific (ex: MAC)
Otherwise, the extraction directory is within /var/tmp/ or /tmp/ which is common to all users, and may be locked by a specific user on first creation.

Therefore, this change fixes this issue by defaulting the extraction base directory in Unix systems to
<temp-dir>/.net/<user-ID> , where
<temp-dir>/.net/ has permission 0777, and
<temp-dir>/.net/<user-ID>/ has permission 0700.

This fix will be migrated to coreclr/3.1 branch for servicing.

Testing: Manual testing on Unix/Mac systems, since we don't have the setup to add automated tests with multiple users.

Fixes https://github.com/dotnet/core-setup/issues/8882

[jkotas]

dotnet/designs#88

[lpereira]

I'd also set S_ISVTX (01000) in these two mkdir() calls in addition to their access permissions. This is the sticky bit.

With this bit set, only the owner of extraction_dir can rename or delete that directory. (Otherwise, there's a potential race condition here: while you can only remove empty directories -- and need to recursively delete files from a directory -- a malicious process can remove the directory even before we were able to start extracting the files there.)

[swaroop-sridhar]

Thanks @lpereira, I've fixed this on the extraction_dir, per our discussion.

[swaroop-sridhar]

@lpereira I've addressed your comments about S_ISVTX bit, and made another change to replace the getlogin() call, in the last two commits. Please take a look. Thanks,.

[lpereira]

What happens if you run a program with $TMPDIR/.net already created, but with the permissions different than the one you set with chmod() because someone went there and changed them?

[swaroop-sridhar]

That would be too bad. We just provide the $TPMDIR/.net/$UID as the default for $DOTNET_BUNDLE_EXTRACTION_BASE_DIR. If the default directory is not available/accessible on a system, then the user should set DOTNET_BUNDLE_EXTRACTION_BASE_DIR to an alternate location.

[ghost]

Hello @lpereira!

Because this pull request has the auto-merge label, I will be glad to assist with helping to merge this pull request once all check-in policies pass.

p.s. you can customize the way I help with merging this pull request, such as holding this pull request until a specific person approves. Simply @mention me (@msftbot) and give me an instruction to get started! Learn more here.

[omajid]

Can you help me understand why we are using an error prone approach where /tmp/.net (with a predictable name) is used? Wouldn't it be more secure to fall back to a user-specific path? $XDG_CACHE_HOME (falling back to $HOME/.cache/) seems like a location that would be much less susceptible attacks and accidental clashes.

Also, most recent distributions treat /tmp as temporary. systemd, for example, wipes things older than 10 days on /tmp/ on my machine. Compare this with the persistent $HOME/.cache. On the other hand, if we want things cleaned up, using the more secure /run/user/$UID (created on user login, secure without races) seems like the better way to go.

[danmoseley]

@omajid might be best to open a new issue so folks see it.