From: Stuart Henderson Subject: Re: Move the ssh-agent socket from /tmp to $HOME/.ssh/ To: "H. Hartzer" Cc: tech@openbsd.org Date: Wed, 30 Apr 2025 09:42:45 +0100 On 2025/04/29 18:05, H. Hartzer wrote: > Theo de Raadt wrote: > > Are we missing a pledge behaviour that would block opening of > > AF_UNIX sockets? > > > > Or is gaining access to other AF_UNIX sockets the main reason why > > the browsers are accessing /tmp? > > > > And of course, the problem with a such a pledge, is that it would affect > > everywhere in the filesystem. But maybe there is some restriction we can > > impose which blocks this. > > I was curious about this and tried adjusting unveil settings for /tmp. > Sure enough, Firefox won't start. You could try setting TMPDIR and see if enough of Firefox and associated libraries honour that to be usable. > Of course if Firefox could play nicely and just store cache in say > ~/.cache/firefox, that would be easier than either of these ideas. cache *is* stored under ~.