Major Description
It came to our attention, that "jsvc" creates temporary files, naned like "/tmp/${PID}.jsvc_up" as a means of communication between a forked client process and the parent process.
These file names are clearly predictable, and one might get the impression, that this could be abused as part of an attack. However, evaluation has demonstrated, that the content of these files is never read. Therefore, even if an attacker created these files in advance with maliciious content, it wouldn't really affect the execution of "jsvc", apart from a prematurely ending parent process, perhaps with the wrong exit code.
Nevertheless, this behaviour should change;
1.) In either case, the file name must be built in advance in the parent process, and before forking the child. In other words: Parent and child must share the same name.
2.) If possible, for example on Linux, we suggest to use mktemp(3) to create the file name with a pattern like "${TMP}/jsvc_up.XXXXXX"
3.) On other operating systems, we suggest something like
"${TMP}//jsvc_up.${RANDOM}".
Also note, that the directory "/tmp" is not ncessarily a good location for such temporary files, because it is writable for everyone. A user of Commons Daemon might wish to create a special directory or such files with restricted write permissions. In such case, the Commons Daemon user should be able to consigure the location of "$[TMP}".