From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Manuel Giraud via "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs@gnu.org>
Newsgroups: gmane.emacs.bugs
Subject: bug#62260: 30.0.50; [PATCH] Restrict auto-save file mode
Date: Wed, 22 Mar 2023 11:13:03 +0100
Message-ID: <87lejpm6vk.fsf@ledu-giraud.fr>
References: <87v8iynl5c.fsf@ledu-giraud.fr> <83h6uiawvv.fsf@gnu.org>
 <87r0tlnbtz.fsf@ledu-giraud.fr> <83bkkpc2x6.fsf@gnu.org>
 <83a609c2q7.fsf@gnu.org> <87ilexn9tc.fsf@ledu-giraud.fr>
 <838rftbzj3.fsf@gnu.org> <837cvdbykw.fsf@gnu.org>
 <87edplm0ft.fsf@ledu-giraud.fr> <83sfe19bmk.fsf@gnu.org>
 <87r0tksyma.fsf@gmx.de> <87r0tk6d09.fsf@ledu-giraud.fr>
 <87r0tj1wbv.fsf@gmx.de>
Reply-To: Manuel Giraud <manuel@ledu-giraud.fr>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="19137"; mail-complaints-to="usenet@ciao.gmane.io"
User-Agent: Gnus/5.13 (Gnus v5.13)
Cc: Eli Zaretskii <eliz@gnu.org>, 62260@debbugs.gnu.org
To: Michael Albinus <michael.albinus@gmx.de>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Wed Mar 22 11:14:20 2023
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1pevU4-0004rA-BU
	for geb-bug-gnu-emacs@m.gmane-mx.org; Wed, 22 Mar 2023 11:14:20 +0100
Original-Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-gnu-emacs-bounces@gnu.org>)
	id 1pevTo-0007A5-Qs; Wed, 22 Mar 2023 06:14:04 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1pevTn-00079n-6p
 for bug-gnu-emacs@gnu.org; Wed, 22 Mar 2023 06:14:03 -0400
Original-Received: from debbugs.gnu.org ([209.51.188.43])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1pevTm-00018B-TG
 for bug-gnu-emacs@gnu.org; Wed, 22 Mar 2023 06:14:02 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1pevTm-00087R-Gv
 for bug-gnu-emacs@gnu.org; Wed, 22 Mar 2023 06:14:02 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: Manuel Giraud <manuel@ledu-giraud.fr>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Wed, 22 Mar 2023 10:14:02 +0000
Resent-Message-ID: <handler.62260.B62260.167947998831129@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 62260
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: patch
Original-Received: via spool by 62260-submit@debbugs.gnu.org id=B62260.167947998831129
 (code B ref 62260); Wed, 22 Mar 2023 10:14:02 +0000
Original-Received: (at 62260) by debbugs.gnu.org; 22 Mar 2023 10:13:08 +0000
Original-Received: from localhost ([127.0.0.1]:33583 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1pevSt-000861-LK
 for submit@debbugs.gnu.org; Wed, 22 Mar 2023 06:13:08 -0400
Original-Received: from ledu-giraud.fr ([51.159.28.247]:9057)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <manuel@ledu-giraud.fr>) id 1pevSr-00085s-3u
 for 62260@debbugs.gnu.org; Wed, 22 Mar 2023 06:13:06 -0400
DKIM-Signature: v=1; a=ed25519-sha256; c=simple/simple; s=ed25519; bh=ChskvKjQ
 x8QWUNZM4sAxspwyiqJC0TA3M6tmSLpO33g=;
 h=date:references:in-reply-to:
 subject:cc:to:from; d=ledu-giraud.fr; b=JKT0u5KIWIqtyX3Lc9NAbCiRuNQYF3
 Qf00Em/wqeyy4qdJq9YJbclHgowOy7AdbrjI4oEBh3Li9YD2KYAgXMAg==
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=rsa; bh=ChskvKjQx8QWUNZM
 4sAxspwyiqJC0TA3M6tmSLpO33g=;
 h=date:references:in-reply-to:subject:
 cc:to:from; d=ledu-giraud.fr; b=xMdQKZcTCo9KRsgrVia6RmU7I6cadIBApZKXc7
 +jeZnU/CJoX9zmJdLocNQPGkiqEy7d956fW1+nUAjDMmEsapSbeJi0qkDpeM7btZpPFAaR
 4PCGbibxW7SLv3nFSwQ1Uf1SzF0jFuvxzjD4Lcc9r/2HAW2eBDl7l57+/hHrg6gwVkm81t
 KoLgcKpglC4nFvI0miNHErmA9gRbVxsO1vAI433NSDsogavJIQI4aC+qx3iUDVoPvhgsYW
 dwzGxvYMmPcyxK2ojbVDp1+7VcW6zZ6giSXfQXolLYQgOIUPY0axmRoDOvejLcgatrDUGL
 tCuQalsbE9o9JZXiuGRgN+dw==
Original-Received: from computer (<unknown> [10.1.1.1])
 by ledu-giraud.fr (OpenSMTPD) with ESMTPSA id 85410179
 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); 
 Wed, 22 Mar 2023 11:13:03 +0100 (CET)
In-Reply-To: <87r0tj1wbv.fsf@gmx.de> (Michael Albinus's message of "Mon, 20
 Mar 2023 12:44:20 +0100")
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Xref: news.gmane.io gmane.emacs.bugs:258392
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/258392>

--=-=-=
Content-Type: text/plain

Hi Michael,

What do you think of the attached patch?

I think it fixes point 2 and 4 of bug#57395.  IMO point 3 (unsafe
non-root-owned file) is not really solvable in a remote setup: local and
remote uid can be any numbers.

What I'd like to do then is to work on point 1.  For this, my idea is to
make 'tramp-allow-unsafe-temporary-files' a three states variable with
the following possible values:

          - 'ask (default value): Prompt the user "Autosave file on
            local temporary directory, do you want to continue?"

          - nil: auto-save-mode should be disable on this file (same
            behaviour when answering "no" to the prompt)
            
          - t: auto-save-mode is on as usual (same behaviour when
            answering "yes" to the prompt)


--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment; filename=0001-Narrow-unsafe-auto-save.patch

>From 2eaf3b2ef59868a349af8d5a1a1132ef1d1cbbe2 Mon Sep 17 00:00:00 2001
From: Manuel Giraud <manuel@ledu-giraud.fr>
Date: Wed, 22 Mar 2023 10:46:23 +0100
Subject: [PATCH] Narrow unsafe auto-save

* lisp/net/tramp.el (tramp-dangerous-auto-save-p): New function to
determine dangerouness of an auto-save.
(tramp-handle-make-auto-save-file-name): Use it.
---
 lisp/net/tramp.el | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/lisp/net/tramp.el b/lisp/net/tramp.el
index 6eff5b2ca60..c3ee0ae06a6 100644
--- a/lisp/net/tramp.el
+++ b/lisp/net/tramp.el
@@ -6474,6 +6474,21 @@ tramp-delete-temp-file-function
 	    (remove-hook 'kill-buffer-hook
 			 #'tramp-delete-temp-file-function)))
 
+(defun tramp-dangerous-auto-save-p (filename autosave)
+  (let ((attributes (file-attributes filename 'integer))
+        (modes (file-modes filename 'nofollow)))
+    (and
+     ;; a file own by root and rwx only by root...
+     (and (= (or (file-attribute-user-id attributes)
+	         tramp-unknown-id-integer)
+	     tramp-root-id-integer)
+          (= modes (logand modes #o700)))
+     ;; ... into world readable autosave temporary
+     (and (file-in-directory-p autosave temporary-file-directory)
+          (/= (logand (file-modes temporary-file-directory 'nofollow)
+                      #o006)
+              0)))))
+
 (defun tramp-handle-make-auto-save-file-name ()
   "Like `make-auto-save-file-name' for Tramp files.
 Returns a file name in `tramp-auto-save-directory' for autosaving
@@ -6516,11 +6531,7 @@ tramp-handle-make-auto-save-file-name
 	;; Protect against security hole.
 	(when (and (not tramp-allow-unsafe-temporary-files)
 		   auto-save-default
-		   (file-in-directory-p result temporary-file-directory)
-		   (= (or (file-attribute-user-id
-			   (file-attributes filename 'integer))
-			  tramp-unknown-id-integer)
-		      tramp-root-id-integer)
+                   (tramp-dangerous-auto-save-p filename result)
 		   (not (with-tramp-connection-property
 			    (tramp-get-process v) "unsafe-temporary-file"
 			  (yes-or-no-p
-- 
2.39.2


--=-=-=
Content-Type: text/plain

-- 
Manuel Giraud

--=-=-=--