fix(launcher-standard): move PID/log to XDG dirs (security: symlink-attack hardening) by hyperpolymath · Pull Request #175 · hyperpolymath/standards

hyperpolymath · 2026-05-26T08:24:10Z

Summary

The launcher-standard specified /tmp/{app-name}-server.pid and
/tmp/{app-name}-server.log as the required runtime paths. Predictable
names in a world-writable directory are a symlink-attack target on
any shared host:

An attacker can pre-create /tmp/<app>-server.pid containing their
own PID. The launcher's is_running() returns true, and
stop_server() will kill <attacker-pid> — DoS or signal-handling
abuse.
Similar pattern for the log: pre-symlink /tmp/<app>-server.log →
some target the attacker wants clobbered, then the launcher's
nohup ... > LOG_FILE does the write.
The standard already warns "don't log sensitive information"
(§Best Practices > Security), but the predictable-path defence is
belt-and-braces.

Fix

Route both to XDG dirs with documented fallback ladders:

PID → ${XDG_RUNTIME_DIR:-${TMPDIR:-/tmp}}/<app>-server.pid.
$XDG_RUNTIME_DIR is mode 0700 and user-scoped per the XDG Base
Directory spec (Linux). $TMPDIR covers macOS / BSDs (typically
/var/folders/.../T, per-user). /tmp remains only as a last-resort
fallback for hosts that set neither (rare).
Log → ${XDG_STATE_HOME:-$HOME/.local/state}/<app>/server.log.
Per-user, survives reboot, not world-writable. The <app> subdir
isolates each launcher's logs.

Changes

Both files in the same commit per the lock-step requirement
(and the gate in #172):

launcher/launcher-standard.a2ml
- [runtime].pid-file-pattern / log-file-pattern updated with
  fallback ladders + commented rationale
- [disinteg].preserve updated to reference the new log dir
docs/UX-standards/launcher-standard.adoc
- Standard Launcher Template snippet uses XDG paths + mkdir -p
  for the state dir
- §What --disinteg removes / does not remove: paths updated
- Desktop File Exec= example log-arg updated
- Calling Convention daemon-chain example updated
- Debugging Checklist now uses $LOG_FILE / $PID_FILE variable
  refs rather than literal paths
- §Best Practices > Logging: lead bullet rewritten with rationale
- §Best Practices > Security: new lead bullets explaining the
  attack vector and the XDG choice
- §Compliance Checklist: "Log to predictable location (/tmp/...)"
  replaced with the XDG requirement

Remaining /tmp/ mentions in the prose are in forbidden-patterns
text that explicitly tells readers NOT to use /tmp — intentional.

Compatibility

Bash-expansion syntax (${VAR:-${VAR2:-/literal}}) matches the
shell-expansion style already in the a2ml (e.g.
$HOME/.local/share/applications in [integration.linux]). Any
consumer that already interpolates $HOME here will handle ${...:-...}
without changes.

Existing launchers that hard-coded /tmp/<app>-server.pid continue to
work but become non-compliant; no break for them, just a green-field
contract change for new launchers and a flagged migration for old
ones.

Coordination

Independent of fix(launcher-standard): resolve 3 cross-doc contradictions #170, fix(launcher-standard): replace hard-coded /var/mnt/eclipse/... with a search-ladder #171, ci: add launcher-standard prose↔a2ml lock-step gate #172, feat(launcher-standard): require --version mode with machine-greppable format #173. No file overlap.
Lock-step gate (ci: add launcher-standard prose↔a2ml lock-step gate #172) will go green on first push (both files in
diff).

Notes

Spec [spec].version intentionally NOT bumped — five PRs (fix(launcher-standard): resolve 3 cross-doc contradictions #170,
fix(launcher-standard): replace hard-coded /var/mnt/eclipse/... with a search-ladder #171, feat(launcher-standard): require --version mode with machine-greppable format #173, this one, plus any future) all touch the contract; the
merger sequences them.

Test plan

a2ml parses (python tomllib): new patterns round-trip cleanly,
[disinteg].preserve reflects the new log path
No /tmp/ literals remain in non-forbidden-patterns prose
(grep verified)
Live lock-step gate (ci: add launcher-standard prose↔a2ml lock-step gate #172) goes green on first push

🤖 Generated with Claude Code

…ttack hardening) The standard specified `/tmp/{app-name}-server.pid` and `/tmp/{app-name}-server.log` as the required runtime paths. Predictable names in a world-writable directory are a symlink-attack target on any shared host: an attacker can pre-create `/tmp/<app>-server.pid` containing their own PID, after which the launcher's `is_running()` returns true and `stop_server()` will `kill <attacker-pid>` — DoS or signal-handling abuse vector. Similar for log: clobber attacks via pre-symlinked log file, or info-disclosure if logs contain anything sensitive (the standard already warns "don't log sensitive information" but trust-but-verify). Fix: route both to XDG dirs with documented fallback ladders. - **PID** → `${XDG_RUNTIME_DIR:-${TMPDIR:-/tmp}}/<app>-server.pid`. `$XDG_RUNTIME_DIR` is mode 0700 and user-scoped per the XDG Base Directory spec (Linux). `$TMPDIR` covers macOS / BSDs (typically `/var/folders/.../T`, per-user). `/tmp` remains only as a last-resort fallback for hosts that set neither (rare). - **Log** → `${XDG_STATE_HOME:-$HOME/.local/state}/<app>/server.log`. Per-user, survives reboot, not world-writable. The `<app>` subdir isolates each launcher's logs. Updates to both files in the same commit per the lock-step requirement: - `launcher/launcher-standard.a2ml`: `[runtime].pid-file-pattern` and `log-file-pattern` updated with fallback ladders; `[disinteg].preserve` updated to reference the new log dir. - `docs/UX-standards/launcher-standard.adoc`: - Standard Launcher Template snippet updated with XDG paths plus `mkdir -p "$LOG_DIR"` for the state-dir - §What --disinteg removes / does not remove: paths updated - Desktop File Standard Exec= example log-arg updated - Calling Convention daemon-chain example updated - Debugging Checklist now uses $LOG_FILE / $PID_FILE variable refs - §Best Practices > Logging: lead bullet rewritten with rationale - §Best Practices > Security: new lead bullets explaining the symlink-attack vector and the XDG choice - §Compliance Checklist: "Log to predictable location (/tmp/...)" replaced with the XDG requirement Remaining `/tmp/` mentions in the prose are in forbidden-patterns text that explicitly tells readers NOT to use /tmp — intentional. Bash-expansion ladder format (`${VAR:-${VAR2:-/literal}}`) matches the shell-expansion style already used elsewhere in the a2ml (e.g. `$HOME/.local/share/applications` in `[integration.linux]`). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

github-actions · 2026-05-26T08:25:14Z

🔍 Hypatia Security Scan

Findings: 118 issues detected

Severity	Count
🔴 Critical	64
🟠 High	43
🟡 Medium	11

⚠️ Action Required: Critical security issues found!

View findings

[
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/deno-ci-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "deno-ci-reusable.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance-reusable.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Python file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/a2ml-templates/state-scm-to-v2.py",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/a2ml/bindings/deno/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/lol/test/vitest.config.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/k9-svc/bindings/deno/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "Agda postulate assumes without proof -- potential soundness hole (4 occurrences, CWE-704)",
    "type": "agda_postulate",
    "file": "/home/runner/work/standards/standards/lol/proofs/theories/information_theory.agda",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "believe_me undermines formal verification (1 occurrences, CWE-704)",
    "type": "believe_me",
    "file": "/home/runner/work/standards/standards/lol/src/abi/Locale.idr",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "Wildcard CORS -- restrict to specific origins or use env var (1 occurrences, CWE-942)",
    "type": "js_wildcard_cors",
    "file": "/home/runner/work/standards/standards/consent-aware-http/examples/reference-implementations/deno/aibdp_middleware.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@abstract

…ifest Filed alongside the 8 launcher-standard PRs (#170, #171, #172, #173, #175, #176, #177, #179) so reviewers landing on any individual PR can find the full picture in one place. Two files following the existing `docs/audits/` convention: - launcher-standard-review-2026-05-26.adoc — prose narrative for humans. Headline findings table (class × finding × addressed-in PR), PR map (number, branch, files, class), what-this-campaign-produces summary, deferred follow-ups, method notes including the parallel-session amend incident and how recovery worked. - launcher-standard-review-2026-05-26.a2ml — machine-readable manifest for tooling (PR-batching bots, change-impact analyzers, launch-scaffolder regenerators). Same PR set as parseable A2ML: per-PR file lists, addressed-issues, new-files lists, new-a2ml-keys lists, plus coordination notes (spec-version conflict resolution, lock-step gate trigger map) and deferred-followups with gating conditions. Includes a session-lessons-captured block pointing at the two memory entries written during this campaign. Pattern matches existing gap-matrix-2026-04-17.a2ml (A2ML extension syntax including @abstract: block). Pure tomllib does NOT parse A2ML; the repo's A2ML tooling does. Signing-key fingerprint deliberately NOT recorded inline — gitleaks's generic-api-key rule misclassifies 40-char PGP fingerprints as secrets. The all-prs-gpg-signed flag is the load-bearing assertion; the fingerprint is recoverable from `git log --show-signature` if anyone needs to verify against a specific key. Independent of all 8 review PRs — touches only docs/audits/. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

hyperpolymath enabled auto-merge (squash) May 26, 2026 08:26

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(launcher-standard): move PID/log to XDG dirs (security: symlink-attack hardening)#175

fix(launcher-standard): move PID/log to XDG dirs (security: symlink-attack hardening)#175
hyperpolymath wants to merge 1 commit into
mainfrom
fix/launcher-xdg-pid-log-paths

hyperpolymath commented May 26, 2026

Uh oh!

github-actions Bot commented May 26, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

hyperpolymath commented May 26, 2026

Summary

Fix

Changes

Compatibility

Coordination

Notes

Test plan

Uh oh!

github-actions Bot commented May 26, 2026

🔍 Hypatia Security Scan

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant