Just for the sake of discussion, suppose there were a special
/tmp filesystem that created (in effect) a separate /tmp directory for
each user (or, even more radically, each process group). Presumably
for this to really work properly, there would have to be some messy
hack to allow set-UID programs to access the union set of the /tmp
files of their real, effective, etc. UIDs; this brings up a potential
name collision problem, of course. Nevertheless, there ought to be
a substantial increase in system security from this relatively simple
approach.
Craig Milo Rogers
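The following is an added example, not part of the post above and not code by its author: a user-space toy model of the per-UID /tmp the post describes, including the "union set" search a set-UID program would need across its real, effective and saved UIDs, and the name collision that union creates. Every name here (PerUidTmp, dir_for, search_path, resolve, the uid-N directory layout, the scratch root under tempfile) is an assumption made for illustration; a real implementation would live in the filesystem or a mount namespace, not in a Python class.

```python
"""Toy model of a per-UID /tmp, as sketched in the post above.

Added example, not part of the original post. Every path and function
name here is an assumption made for illustration: a real implementation
would live in the kernel or in a mount namespace, not in user space.
"""
from __future__ import annotations

import os
import tempfile


class PerUidTmp:
    """Keeps one private scratch directory per UID under a common root.

    `root` stands in for the special /tmp filesystem the post imagines;
    `dir_for(uid)` is what an ordinary (non-set-UID) process would see as
    its /tmp.
    """

    def __init__(self, root: str):
        self.root = root

    def dir_for(self, uid: int) -> str:
        path = os.path.join(self.root, f"uid-{uid}")
        # 0700 so that one user's temporary files are invisible to others,
        # which is the whole point of the scheme.
        os.makedirs(path, mode=0o700, exist_ok=True)
        return path

    def search_path(self, ruid: int, euid: int, suid: int) -> list[str]:
        """Directories a set-UID process would have to consult.

        This is the "union set" the post talks about: the /tmp of the
        effective, real and saved UIDs, without duplicates, effective UID
        first. For a non-set-UID process all three are equal and the list
        has one entry, so nothing changes for ordinary programs.
        """
        ordered: list[int] = []
        for uid in (euid, ruid, suid):
            if uid not in ordered:
                ordered.append(uid)
        return [self.dir_for(uid) for uid in ordered]

    def resolve(self, name: str, ruid: int, euid: int, suid: int) -> str:
        """Find `name` in the union view, refusing ambiguous results.

        Raises FileNotFoundError if no UID's /tmp holds the name and
        LookupError if more than one does: that is the name collision the
        post predicts. Silently picking one would make the file a set-UID
        program opens depend on which user happened to run it.
        """
        hits = [os.path.join(d, name)
                for d in self.search_path(ruid, euid, suid)
                if os.path.lexists(os.path.join(d, name))]
        if not hits:
            raise FileNotFoundError(name)
        if len(hits) > 1:
            raise LookupError(f"{name!r} exists in more than one /tmp: {hits}")
        return hits[0]


def demo() -> dict:
    """Constructed scenario: UID 1000 runs a set-UID-root program, and both
    root and UID 1000 already own a temporary file called 'scratch'."""
    tmp = PerUidTmp(tempfile.mkdtemp(prefix="peruidtmp-"))
    # An ordinary process of UID 1000 sees only its own directory.
    plain = tmp.search_path(1000, 1000, 1000)
    # A set-UID-root program started by UID 1000: ruid=1000, euid=0, suid=0.
    union = tmp.search_path(1000, 0, 0)
    # A name present in only one of the two directories resolves cleanly.
    open(os.path.join(tmp.dir_for(1000), "only-user"), "w").close()
    unique = tmp.resolve("only-user", 1000, 0, 0)
    # The same name in both directories is the collision the post warns of.
    for uid in (0, 1000):
        open(os.path.join(tmp.dir_for(uid), "scratch"), "w").close()
    try:
        tmp.resolve("scratch", 1000, 0, 0)
        collided = False
    except LookupError:
        collided = True
    return {"plain_dirs": len(plain), "union_dirs": len(union),
            "first_dir": union[0], "unique": unique, "collided": collided}


if __name__ == "__main__":
    print(demo())
```

The model makes two of the post's points concrete: an ordinary process never notices the scheme, because its search path has a single entry, while a set-UID program has to look in more than one place and needs a rule for what happens when the same name exists in several of them. The "each process group" variant the post calls more radical is roughly what Linux mount namespaces provide today (for example systemd's PrivateTmp= gives a service its own /tmp), which sidesteps the union problem by never showing a process more than one /tmp at a time.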