Files in /var/tmp/ are controllable by any user. In particular, an
unprivileged user could create an sosreport* file containing a `'` and a
shell command, which would then run with root privileges when the
admin Cockpit user tried to delete the report.
Use the `cockpit.file()` API instead, which entirely avoids shell. The
main motivation for using shell and the glob was to ensure that the
auxiliary files like *.gpg and *.sha256 get cleaned up -- do that
explicitly (which is much safer anyway), and let our tests make sure
that we don't leave files behind.
https://bugzilla.redhat.com/show_bug.cgi?id=2271614
https://bugzilla.redhat.com/show_bug.cgi?id=2271815
Cherry-picked from main commit 9c4cc9b6df
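
The quoting problem and the explicit-cleanup fix described above, as an added example that is not Cockpit's code: it runs under Node.js in a scratch directory and uses Node's `fs` in place of `cockpit.file()`, which only exists inside Cockpit. The function names, the shape of the "before" command and the file name are assumptions constructed for the demonstration.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");
const { execSync } = require("child_process");

// The report plus the auxiliary files named in the commit message.
const SUFFIXES = ["", ".gpg", ".sha256"];

// "Before" pattern (assumed shape): the path is pasted into a quoted shell glob.
function deleteWithShell(report, cwd) {
    execSync(`rm -f '${report}'*`, { cwd, stdio: "ignore" });
}

// "After" pattern: no shell, every file to remove is listed explicitly.
function deleteExplicit(report) {
    for (const suffix of SUFFIXES)
        fs.rmSync(report + suffix, { force: true });
}

// Creates a report with a constructed hostile name in a scratch directory,
// runs the given deleter, and reports what the directory looks like afterwards.
function demo(deleter) {
    const dir = fs.mkdtempSync(path.join(os.tmpdir(), "sosdemo-"));
    // Constructed name: the quote ends the shell string; the command is a harmless touch.
    const report = path.join(dir, "sosreport-x';touch marker;echo '.tar.xz");
    for (const suffix of SUFFIXES)
        fs.writeFileSync(report + suffix, "");
    deleter(report, dir);
    const left = fs.readdirSync(dir);
    fs.rmSync(dir, { recursive: true, force: true });
    return {
        commandRan: left.includes("marker"),
        leftBehind: left.filter(f => f !== "marker").length,
    };
}

console.log("shell glob:", demo(deleteWithShell));
console.log("explicit:  ", demo(deleteExplicit));
```

With the shell glob the embedded command runs and the three report files are not even removed; the explicit version removes all three and runs nothing.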