There is currently an Ubuntu Bug open that describes this behaviour. https://bugs.edge.launchpad.net/blender/+bug/6671
From the bug
Reproduced in versions:
2.42a-linux-glibc232-py24-i386-static (blender.org binary)
Blender writes to files in /tmp/ in an insecure fashion. For example, launching blender and then selecting "Render > Render Animation", writes to the file /tmp/0001.jpg.
This can be exploited by a malicious user to overwrite arbitrary files of another user using blender:
mallory@myhost$ ln -s /home/bob/thesis.tex /tmp/0001.jpg
I have also reproduced this in 2.48a.
I know you can change the render location with -o, but would think it would be better for blender to write these to possibly to the home directory somewhere (.blender/render) ? or the like by default.
- To Do
Such security issues we don't tackle. A malicous user can abuse Blender in hundreds of ways. The only thing we could do is not use the /tmp/ as a default in Blender, that has been discussed and is on our todo.