/tmp/nvmsocket is potentially insecure

[docwhat]

/tmp/nvmsocket is not safe on multi-user systems and should be stored someplace else.

My suggestion would be to use one of these in this order:

1. $XDG_RUNTIME_DIR if set. There is a lame python package for this, but just seeing if the environment variable is set should be sufficient at this time.
2. $TMPDIR for macOS for systems and systems with pam_mktemp it is tmp directory that is unique per user and is therefore safe.
3. ${TMP:-/tmp/}/nvr-${USER}/socket or ${HOME}/.nvr/socket - The first would need to create the directory then check it exists, has the right permissions, and is owned by $USER before creating the socket.

[mhinz]

Everything you said is true. I decided against implementing it anyway for these reasons:

• Changing the default after so many years will leads to more issues about "stuff not working".
• Not only the documentation in this repo, but also tutorials around the web already use /tmp/nvimsocket.
• nvr does two different things, depending on whether it is used within :terminal or in a regular shell. Only in the latter case a new nvim process is started with the default socket location unless specified otherwise. As soon as Nvim has added back the client/server mechanism, that side of nvr will be removed.

I added a short security note instead.

Probably not what you wanted to hear, but thanks for bringing it up anyway.