Grain backup fails if /var contains irregular files (sockets, pipes)

[dwrensha]

Backup failed: Error: Zip process failed. [500]

[jparyani]

This is caused by the dovecot process leaving socket files under /var, and the zip command failing when it encounters them.

I'd rather fix this on Sandstorm's end, but I will also try and see if I can change dovecot to put these under /tmp.

[CameronNemo]

@jparyani putting them in /tmp leaves huge vectors for security exploitation of Dovecot and/or leaked information from what feeds into Dovecot's socket.

[kentonv]

@CameronNemo - How so? Under Sandstorm, every app sees a unique /tmp which is not visible to anyone else.

[CameronNemo]

From attacks from within the app container. Unless there is only one process, or if they are all running under the same user. I am guessing it falls under the latter definition, so there is no actual risk?

[kentonv]

Each container contains a single app instance owned by a single user. Our security model is based on every user having their own private instance of each app. So, I don't think there's a security issue here.

[amluto]

FWIW, /run seems to be the new consensus place for things like this.