From 715723c7ceb35be1b6a592e51c70f54f3fc00bdb Mon Sep 17 00:00:00 2001
From: Leah Rowe
Date: Tue, 24 Mar 2026 20:18:15 +0000
Subject: mkhtemp: harden tmpdir access control

faccessat used this way respects uid/gid, handles ACLs (where used), and matches whatt many real security tools might do.

Signed-off-by: Leah Rowe
---
 util/libreboot-utils/lib/mkhtemp.c | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'util/libreboot-utils/lib')

diff --git a/util/libreboot-utils/lib/mkhtemp.c b/util/libreboot-utils/lib/mkhtemp.c
index 56d2bf74..cd4a9cde 100644
--- a/util/libreboot-utils/lib/mkhtemp.c
+++ b/util/libreboot-utils/lib/mkhtemp.c
@@ -475,6 +475,12 @@ world_writeable_and_sticky(
 goto sticky_hell; /* not sticky */
 }
 
+ /* if anyone even looks at you funny, drop
+ * everything on the floor and refuse to function
+ */
+ if (faccessat(dirfd, ".", X_OK, AT_EACCESS) < 0)
+ goto sticky_hell;
+
 /* non-world-writeable, so
 * stickiness is do-not-care
 */
-- 
cgit v1.2.1
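Review bot: The added `faccessat(dirfd, ".", X_OK, AT_EACCESS)` check tests only search permission, and the comment above it does not say what is being verified or why a failure is fatal. If this directory is where the temporary file will be created (the caller's intent is not visible in this hunk), the effective user also needs write permission, so `if (faccessat(dirfd, ".", W_OK | X_OK, AT_EACCESS) < 0)` would be the fuller check. The commit message relies on ACLs being honoured, but on Linux that holds only where faccessat2() is available (kernel 5.8 with glibc 2.33 or later); older glibc emulates AT_EACCESS from the stat mode bits and ignores ACLs. A comment such as `/* require search permission for the effective uid/gid; advisory only, ACLs are honoured only where faccessat2() exists */` would record both limits. world_writeable_and_sticky starts and ends outside the hunk, so what the sticky_hell path does with the errno set by faccessat cannot be confirmed here.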