bug#62260: 30.0.50; [PATCH] Restrict auto-save file mode

[Manuel Giraud via "Bug reports for GNU Emacs, the Swiss army knife of text editors" <bug-gnu-emacs@gnu.org>]

[-- Attachment #1: Type: text/plain, Size: 785 bytes --]

Hi Michael,

What do you think of the attached patch?

I think it fixes point 2 and 4 of bug#57395.  IMO point 3 (unsafe
non-root-owned file) is not really solvable in a remote setup: local and
remote uid can be any numbers.

What I'd like to do then is to work on point 1.  For this, my idea is to
make 'tramp-allow-unsafe-temporary-files' a three states variable with
the following possible values:

          - 'ask (default value): Prompt the user "Autosave file on
            local temporary directory, do you want to continue?"

          - nil: auto-save-mode should be disable on this file (same
            behaviour when answering "no" to the prompt)
            
          - t: auto-save-mode is on as usual (same behaviour when
            answering "yes" to the prompt)


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-Narrow-unsafe-auto-save.patch --]
[-- Type: text/x-patch, Size: 2102 bytes --]

From 2eaf3b2ef59868a349af8d5a1a1132ef1d1cbbe2 Mon Sep 17 00:00:00 2001
From: Manuel Giraud <manuel@ledu-giraud.fr>
Date: Wed, 22 Mar 2023 10:46:23 +0100
Subject: [PATCH] Narrow unsafe auto-save

* lisp/net/tramp.el (tramp-dangerous-auto-save-p): New function to
determine dangerouness of an auto-save.
(tramp-handle-make-auto-save-file-name): Use it.
---
 lisp/net/tramp.el | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/lisp/net/tramp.el b/lisp/net/tramp.el
index 6eff5b2ca60..c3ee0ae06a6 100644
--- a/lisp/net/tramp.el
+++ b/lisp/net/tramp.el
@@ -6474,6 +6474,21 @@ tramp-delete-temp-file-function
 	    (remove-hook 'kill-buffer-hook
 			 #'tramp-delete-temp-file-function)))
 
+(defun tramp-dangerous-auto-save-p (filename autosave)
+  (let ((attributes (file-attributes filename 'integer))
+        (modes (file-modes filename 'nofollow)))
+    (and
+     ;; a file own by root and rwx only by root...
+     (and (= (or (file-attribute-user-id attributes)
+	         tramp-unknown-id-integer)
+	     tramp-root-id-integer)
+          (= modes (logand modes #o700)))
+     ;; ... into world readable autosave temporary
+     (and (file-in-directory-p autosave temporary-file-directory)
+          (/= (logand (file-modes temporary-file-directory 'nofollow)
+                      #o006)
+              0)))))
+
 (defun tramp-handle-make-auto-save-file-name ()
   "Like `make-auto-save-file-name' for Tramp files.
 Returns a file name in `tramp-auto-save-directory' for autosaving
@@ -6516,11 +6531,7 @@ tramp-handle-make-auto-save-file-name
 	;; Protect against security hole.
 	(when (and (not tramp-allow-unsafe-temporary-files)
 		   auto-save-default
-		   (file-in-directory-p result temporary-file-directory)
-		   (= (or (file-attribute-user-id
-			   (file-attributes filename 'integer))
-			  tramp-unknown-id-integer)
-		      tramp-root-id-integer)
+                   (tramp-dangerous-auto-save-p filename result)
 		   (not (with-tramp-connection-property
 			    (tramp-get-process v) "unsafe-temporary-file"
 			  (yes-or-no-p
-- 
2.39.2


[-- Attachment #3: Type: text/plain, Size: 18 bytes --]

-- 
Manuel Giraud