foreman-3.5.1-alt8.1.noarch	unsafe-tmp-usage-in-scripts	fail	The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/lib/foreman/test/unit/foreman/renderer/snapshots/ProvisioningTemplate/user_data/Kickstart_default_user_data.host4dhcp.snap.txt: $ grep -A5 -B5 /tmp/ /usr/lib/foreman/test/unit/foreman/renderer/snapshots/ProvisioningTemplate/user_data/Kickstart_default_user_data.host4dhcp.snap.txt echo "Performing initial puppet run for --tags no_such_tag" /usr/bin/puppet agent --config /etc/puppet/puppet.conf --onetime --tags no_such_tag --no-daemonize cat << EOF-d592f4ed > /tmp/ansible_provisioning_call.sh #!/bin/sh echo "Calling Ansible AWX/Tower provisioning callback..." /usr/bin/curl -v -k -s --data "host_config_key=" https:///api/v2/job_templates//callback/ echo "DONE" EOF-d592f4ed /bin/sh /tmp/ansible_provisioning_call.sh # UserData still needs to mark the build as finished if [ -x /usr/bin/curl ]; then /usr/bin/curl -o /dev/null --noproxy \* -H 'Content-Type: text/plain' --silent 'http://foreman.example.com/unattended/built' elif [ -x /usr/bin/wget ]; then;