bwpass: Use XDG_RUNTIME_DIR if available

For additional protection of the Bitwarden session ID file, it will now
be stored in the directory specified by the `XDG_RUNTIME_DIR`
environment variable.  On most systems, this is a tmpfs filesystem owned
and only accessible by the current user.

src/bwpass.py

@@ -25,6 +25,7 @@ XDG_CACHE_HOME = os.environ.get(
     'XDG_CACHE_HOME',
     os.path.expanduser('~/.cache'),
 )
+XDG_RUNTIME_DIR = os.environ.get('XDG_RUNTIME_DIR')
 
 BITWARDENCLI_APPDATA_DIR = os.environ.get(
     'BITWARDENCLI_APPDATA_DIR',
@@ -125,6 +126,21 @@ class Vault:
         with open(self.cache, 'w') as f:
             json.dump(self.items, f)
 
+    @property
+    def _bw_session_file(self) -> str:
+        uid = os.getuid()
+        if XDG_RUNTIME_DIR:
+            try:
+                st = os.stat(XDG_RUNTIME_DIR)
+            except FileNotFoundError:
+                pass
+            else:
+                if st.st_uid == uid:
+                    return os.path.join(XDG_RUNTIME_DIR, '.bw_session')
+                else:
+                    return os.path.join(XDG_RUNTIME_DIR, f'.bw_session-{uid}')
+        return os.path.join(tempfile.gettempdir(), f'.bw_session-{uid}')
+
     @classmethod
     def load(cls) -> 'Vault':
         self = cls()
@@ -172,11 +188,7 @@ class Vault:
             self.items = json.load(f)
 
     def lock(self) -> None:
-        uid = os.getuid()
+        fn = self._bw_session_file
-        fn = os.path.join(
-            tempfile.gettempdir(),
-            f'.bw_session-{uid}',
-        )
         try:
             os.unlink(fn)
         except FileNotFoundError:
@@ -184,11 +196,7 @@ class Vault:
         self.session_id = None
 
     def unlock(self) -> None:
-        uid = os.getuid()
+        fn = self._bw_session_file
-        fn = os.path.join(
-            tempfile.gettempdir(),
-            f'.bw_session-{uid}',
-        )
         try:
             with open(fn) as f:
                 log.debug('Loading session ID from %s', fn)