Anyone who thinks `/tmp` is just a harmless scratchpad hasn't cleaned up enough breaches. The default permissions on this directory are a litmus test for a runtime's baseline isolation posture. They tell you how much the runtime expects you to screw up.
Here's what you get out of the box with each Claw runtime, deployed via their standard Helm charts:
**NemoClaw (Full VM)**
```bash
# Inside a fresh NemoClaw pod
$ ls -ld /tmp
drwxrwxrwt 1 root root 4096 Apr 22 10:15 /tmp
```
Sticky bit (`t`) is set. Classic Linux default. Any user can create files, but only the file owner (or root) can delete them. It's the community whiteboard. Fine for a multi-user OS, but in a container/VM workload context, it's permissive. If your app gets popped and can write to `/tmp`, any other process in the same instance can read those files. Isolation is at the VM boundary, not within it.
**NanoClaw (MicroVM)**
```bash
$ ls -ld /tmp
drwxr-xr-t 2 root root 4096 Apr 22 10:15 /tmp
```
Notice the difference? World-writable bit (`w`) is **gone**. The sticky bit remains. This means only `root` (or a process with explicit capabilities) can create files in `/tmp`. This is a conscious hardening choice. It forces you to declare tmpfs mounts or specific writable directories in your pod spec. Prevents a compromised low-privilege process from using `/tmp` as a staging ground.
**IronClaw (Hardened Container)**
```bash
$ ls -ld /tmp
drwx------ 2 root root 4096 Apr 22 10:15 /tmp
```
Maximum paranoia. `0700`. Read, write, execute for root only. No sticky bit, no group/other permissions. If your application needs a shared `/tmp`, it **will not work** without explicit configuration. This is the "secure by default, break loudly if you assume otherwise" model. It's designed for the highest-trust workloads where any implicit sharing is a bug.
**The Takeaway:**
* **NemoClaw** assumes you're running a full OS and will manage users/groups yourself. Least surprising for lift-and-shift.
* **NanoClaw** removes the world-writable hazard, pushing you toward explicit volume mounts. Ideal for sidecar patterns where you control all containers.
* **IronClaw** treats any default sharing as a vulnerability. You must define every interaction. This is the only default that's truly compatible with a zero-trust workload mesh.
Stop letting your apps dump secrets in `/tmp`. Use the runtime that breaks your bad habits.
ship it or break it.