In the current screenshot portal implementation the image file is hard-coded to `/tmp/out.png`:

xdg-desktop-portal-wlr/src/screenshot/screenshot.c, line 120 in 7444be5

This is problematic for multiple reasons:

First, the file is created with the default permissions `rw-r--r--` and so is readable by all users. It should be set to `rw-------`.

Second, if `/tmp/out.png` already exists and is owned by another user then it cannot be removed (because of the sticky flag of `/tmp`) and so the screenshot portal fails. Simply speaking, denial of service can be achieved by other users with a simple `touch /tmp/out.png` or by 'forgetting' to delete the screenshot file after use.

Unfortunately, the portal documentation https://flatpak.github.io/xdg-desktop-portal/docs/doc-org.freedesktop.portal.Screenshot.html does not explicitly state that the screenshot client is responsible for deleting the file after use, so it can be argued whether each screenshot filename should be unique. Imho, the fact that xdg-desktop-portal is exporting the file to containers using the flag `DOCUMENT_FLAG_DELETABLE` is a good hint that the client is expected to remove the file after use and so it should have a unique name.

To conclude, the file should be created with permissions `rw-------` and its name should be something like `/tmp/wlr-screenshot-$UID.png` or `/tmp/wlr-screenshot-$UID-XXXXXX.png` where XXXXXX is randomized (as in `man 3 mktemp`).

---

It can simply be put in `$XDG_RUNTIME_DIR/xdpw-screenshot.png`. The user runtime dir is per-user, 700, and the created screenshot will not be accessible from a user's sandboxed programs because they don't get blanket access to the whole user runtime dir. If someone has XDG desktop portals set up then they certainly also have `$XDG_RUNTIME_DIR`.