* bug#45245: 28.0.50; Feature request: tramp sudo autosaves/backups shouldn't be exposed without right config
@ 2020-12-14 20:13 Vandrus Zoltán
2021-06-14 9:39 ` Michael Albinus
0 siblings, 1 reply; 3+ messages in thread
From: Vandrus Zoltán @ 2020-12-14 20:13 UTC
To: 45245
It's mentioned in (tramp)Auto-save and Backup that root-owned files could
be exposed, but it would be more newbie-friendly if Emacs did the right
thing without configuration. The defaults for backups are fine, but those
for autosaves are not. In emacs -Q after:

  C-x C-f /sudo::/tmp/secretfile
  M-x do-auto-save

There is a file '/tmp/#!sudo:root@hostname:!tmp!secretfile#' owned by
the user.

Even if the defaults are fixed, there are problems. Protecting root-owned
files is somewhat complicated. For example, the user might not use
Tramp from the beginning, but directories littered with backup and
autosave files are easily seen and can be annoying enough to look for a
solution. Looking on the net, the suggested code is some variant of

  ;; auto-save-dir and backup-dir stand for the user's chosen directories
  (setq auto-save-file-name-transforms
        `((".*" ,auto-save-dir t)))
  (setq backup-directory-alist
        `(("." . ,backup-dir)))

And then they are fine, until they start to use Tramp, because the
autosaves/backups will be owned by the normal user even for the sudo and
su methods.

For backups, following the Tramp manual is easy:

  (customize-set-variable
   'tramp-backup-directory-alist backup-directory-alist)

But the user could have forgotten about the problem already and never
look there. For autosaves there is not even info on how to achieve
something sensible.

I suggest that Tramp could refuse to expose root-owned files, or there
could be an easier switch to put all autosaves/backups in the same
directory, which also deals with Tramp.

There is also a comparably minor problem of exposing the file name in
the autosave files.
-------------
In GNU Emacs 28.0.50 (build 2, x86_64-pc-linux-gnu, GTK+ Version
3.24.24, cairo version 1.17.4)
of 2020-12-14
Repository revision: b857ea24f7bc5288faa920e6c3174cf1ee958b70
Repository branch: master
Windowing system distributor 'The X.Org Foundation', version 11.0.12010000
System Description: Arch Linux
Configured features:
XPM JPEG TIFF GIF PNG RSVG CAIRO SOUND GPM DBUS GSETTINGS GLIB NOTIFY
INOTIFY ACL GNUTLS LIBXML2 FREETYPE HARFBUZZ M17N_FLT LIBOTF ZLIB
TOOLKIT_SCROLL_BARS GTK3 X11 XDBE XIM MODULES THREADS LIBSYSTEMD JSON
PDUMPER LCMS2
Important settings:
value of $LC_TIME: C
value of $LANG: hu_HU.utf8
locale-coding-system: utf-8-unix
Major mode: Fundamental
Minor modes in effect:
shell-dirtrack-mode: t
tooltip-mode: t
global-eldoc-mode: t
electric-indent-mode: t
mouse-wheel-mode: t
tool-bar-mode: t
menu-bar-mode: t
file-name-shadow-mode: t
global-font-lock-mode: t
font-lock-mode: t
blink-cursor-mode: t
auto-composition-mode: t
auto-encryption-mode: t
auto-compression-mode: t
line-number-mode: t
transient-mark-mode: t
Load-path shadows:
None found.
* bug#45245: 28.0.50; Feature request: tramp sudo autosaves/backups shouldn't be exposed without right config
2020-12-14 20:13 bug#45245: 28.0.50; Feature request: tramp sudo autosaves/backups shouldn't be exposed without right config Vandrus Zoltán
@ 2021-06-14 9:39 ` Michael Albinus
2021-06-25 12:29 ` Michael Albinus
0 siblings, 1 reply; 3+ messages in thread
From: Michael Albinus @ 2021-06-14 9:39 UTC
To: Vandrus Zoltán; +Cc: 45245
Vandrus Zoltán <vandrus.zoltan@gmail.com> writes:
Hi Zoltán,
> It's mentioned in (tramp)Auto-save and Backup that root owned file
> could be exposed, but it would be more newbie friendly if emacs did
> the right thing without configuration. The defaults for backups are
> fine, but for autosaves are not. In emacs -Q after:
>
> C-x C-f /sudo::/tmp/secretfile
> M-x do-auto-save
>
> There is a file '/tmp/#!sudo:root@hostname:!tmp!secretfile#' owned by
> the user.
>
> Even if the defaults are fixed, there are problems. Protecting root
> owned files is somewhat complicated. For example the user might not
> use tramp from the beginning, but littering directories with backups
> and autosaves files are easily seen and can be annoying enough to look
> for a solution. Looking on the net the suggested code is some variant
> of
>
>   (setq auto-save-file-name-transforms
>         `((".*" ,auto-save-dir t)))
>
>   (setq backup-directory-alist
>         `(("." . ,backup-dir)))
>
> And then they are fine, until they start to use tramp, because the
> autosaves/backups will be owned by the normal user even for sudo and
> su methods.
> For backups following the tramp manual is easy:
>
> (customize-set-variable
> 'tramp-backup-directory-alist backup-directory-alist)
>
> But the user could have forgotten already about the problem and never
> look there. For autosaves there is not even info on how to achieve
> something sensible.
>
> I suggest, that tramp could refuse exposing root-owned files or there
> could be an easier switch to put all autosaves/backup in the same
> directory which also deals with tramp.
>
> There is also a comparably minor problem of exposing the file name in
> the autosave files.

Finally, I've found the time to work on the problem. I've pushed a patch
to master so that Tramp asks for confirmation the first time a
root-owned auto-save or backup file name is to be written to the local
temporary directory. This is the most common case to handle.

See also the Tramp manual patch about.

Best regards, Michael.
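
One way to keep su and sudo buffers from producing local backup or auto-save copies at all, shown here as an added example that is not part of the thread or of Tramp itself. The `my/` names are hypothetical, and the trade-off is that such buffers lose auto-save crash recovery.

```elisp
;; Added example, not code from the thread.  The my/ names are
;; hypothetical; every other symbol is part of Emacs or Tramp.
(require 'tramp)

(defvar my/privileged-tramp-methods '("su" "sudo")
  "Tramp methods whose files must not get local backup or auto-save copies.")

(defun my/privileged-tramp-file-p (name)
  "Return non-nil if NAME is a Tramp file name using a privileged method."
  (let ((method (file-remote-p name 'method)))
    (and (stringp method)
         (member method my/privileged-tramp-methods))))

;; Backups: keep the normal rules, but never back up su/sudo files.
(setq backup-enable-predicate
      (lambda (name)
        (and (normal-backup-enable-predicate name)
             (not (my/privileged-tramp-file-p name)))))

;; Auto-save: switch it off in every buffer visiting such a file, so no
;; '#!sudo:root@host:!path#' copy is written under the user's ownership.
(defun my/disable-auto-save-for-privileged-files ()
  "Turn off `auto-save-mode' when the current buffer visits a su/sudo file."
  (when (and buffer-file-name
             (my/privileged-tramp-file-p buffer-file-name))
    (auto-save-mode -1)))

(add-hook 'find-file-hook #'my/disable-auto-save-for-privileged-files)
```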
* bug#45245: 28.0.50; Feature request: tramp sudo autosaves/backups shouldn't be exposed without right config
2021-06-14 9:39 ` Michael Albinus
@ 2021-06-25 12:29 ` Michael Albinus
0 siblings, 0 replies; 3+ messages in thread
From: Michael Albinus @ 2021-06-25 12:29 UTC
To: Vandrus Zoltán; +Cc: 45245-done
Version: 28.1
Hi Zoltán,
> Finally, I've found the time to work on the problem. I've pushed a patch
> to master, that Tramp asks for confirmation for the first time a
> root-owned auto-save or backup file name is to be written to the local
> temporary directory. This is the most common case to handle.
>
> See also the Tramp manual about.
No further information, so I'm closing the bug.
Best regards, Michael.