1. Teach mkdtemp() to make a non-world-accessible directory. This is required to be able to make a socket that other processes can't connect to, to match the paranoia level used on Unix. This was written just by reading documentation, because I am not a Windows user, so I would be grateful for a second opinion and/or testing from a Windows hacker, which would involve testing with two different users. The idea is that Windows' mkdir() is completely ignoring the permissions (we can see in the mingw headers that it literally throws away the mode argument), so we shouldn't use that, but native CreateDirectory() when given a pointer to a SECURITY_ATTRIBUTES with lpSecurityDescriptor set to NULL should only allow the current user to access the object (directory). Does this really work, and would it be better to create some more explicit private-keep-out SECURITY_ATTRIBUTE, and how would that look?
A directory created with a NULL SECURITY_ATTRIBUTES inherits the ACL from its parent directory [1]. In this case, its parent is the designated temporary location, which already should have a limited access.
You can create an explicit DACL for that directory, PFA a patch doing so. This is just an example, not something that I'm proposing as a committable alternative.
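The two points above (a NULL security descriptor only inherits the parent's ACL; an explicit DACL is what actually pins access to one user) can be exercised from PowerShell without building the patch. The following is an added example, not code from the thread or from the PostgreSQL patches: it creates a directory with an explicit, non-inherited DACL that grants access only to the current user, passing the DACL at creation time (the PowerShell counterpart of CreateDirectory() with a populated SECURITY_ATTRIBUTES), and then performs the check the original message asks for by reading the resulting ACL back. The function names `New-PrivateTempDirectory` and `Test-PrivateDirectoryAcl`, the `pgsock-` name prefix and the `$BaseDir` parameter are chosen here; the PowerShell 7 branch assumes the `System.IO.FileSystem.AccessControl` assembly can be loaded with `Add-Type`.

```powershell
# Added example (not part of the thread or the patch): create a private
# directory on Windows with an explicit DACL and verify what was created.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

function New-PrivateTempDirectory {
    param([string] $BaseDir = [System.IO.Path]::GetTempPath())   # hypothetical parameter

    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $path = Join-Path $BaseDir ("pgsock-" + [System.IO.Path]::GetRandomFileName())

    # Explicit DACL: a single Allow ACE for the current user and nothing else.
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    # Protect the DACL so nothing is inherited from the parent directory
    # (the default %TEMP% ACL typically grants BUILTIN\Users rights).
    $acl.SetAccessRuleProtection($true, $false)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $me.User, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)

    # Hand the DACL to the create call itself, so the directory never exists
    # with the inherited, more permissive ACL (no create-then-Set-Acl window).
    $dirInfo = New-Object System.IO.DirectoryInfo($path)
    if ($PSVersionTable.PSEdition -eq 'Core') {
        # PowerShell 7 / .NET: the overload lives in an extension class.
        Add-Type -AssemblyName System.IO.FileSystem.AccessControl
        [System.IO.FileSystemAclExtensions]::CreateDirectory($dirInfo, $acl)
    } else {
        # Windows PowerShell 5.1 / .NET Framework.
        [System.IO.Directory]::CreateDirectory($path, $acl) | Out-Null
    }
    return $path
}

function Test-PrivateDirectoryAcl {
    # Returns $true only if the DACL is protected (not inherited) and every
    # ACE names the current user; any other principal (Everyone, Users,
    # Authenticated Users, ...) makes the directory non-private.
    param([string] $Path)

    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $acl = Get-Acl -Path $Path
    if (-not $acl.AreAccessRulesProtected) { return $false }   # still inheriting from parent

    $foreign = @($acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -ne $me.Value
    })
    return ($foreign.Count -eq 0 -and $acl.Access.Count -gt 0)
}

# Usage: create the directory, check it, and show the ACEs for eyeballing.
$dir = New-PrivateTempDirectory
Test-PrivateDirectoryAcl -Path $dir
(Get-Acl -Path $dir).Access | Format-Table IdentityReference, FileSystemRights, IsInherited
```

Run `Test-PrivateDirectoryAcl` against a directory created with `New-Item` (or `mkdir`) for comparison: it reports `$false`, because such a directory carries only ACEs inherited from the parent, which is the behaviour the NULL-descriptor approach relies on. The two-user test the first message asks for is then `Get-ChildItem` on the directory from a second, non-administrative account, which should fail with access denied. Note that Administrators and SYSTEM are deliberately absent from this DACL; they can still take ownership, which is the same trust boundary a 0700 directory has on Unix against root.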
I'm fairly sure that filesystem permissions must be enough to stop another OS user from connecting, because it's clear from documentation that AF_UNIX works on Windows by opening the file and reading some magic "reparse" data from inside it, so if you can't see into the containing directory, you can't do it. This patch is the one the rest are standing on, because the tests should match Unix in their level of security.
Yes, this is correct.
Only the first patch is modified, but I'm including all of them so they go through the cfbot.