From: owner@emacsbugs.donarmstrong.com (Emacs bug Tracking System)
Newsgroups: gmane.emacs.bugs
Subject: bug#3712: marked as done (23.1.50; SECURITY: Tramp creates -rwxrwxrwx permission files with /su and /sudo method)
Date: Tue, 30 Jun 2009 16:40:05 +0000
To: Teemu Likonen

Your message dated Tue, 30 Jun 2009 19:36:32 +0300
with message-id <878wj9fzlb.fsf@iki.fi>
and subject line Re: bug#3712: 23.1.50; SECURITY: Tramp creates -rwxrwxrwx permission files with /su and /sudo method
has caused the Emacs bug report #3712,
regarding 23.1.50; SECURITY: Tramp creates -rwxrwxrwx permission files with /su and /sudo method
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact
owner@emacsbugs.donarmstrong.com immediately.)

-- 
3712: http://emacsbugs.donarmstrong.com/cgi-bin/bugreport.cgi?bug=3712
Emacs Bug Tracking System
Contact owner@emacsbugs.donarmstrong.com with problems


From: Teemu Likonen
To: emacs-pretest-bug@gnu.org
Subject: 23.1.50; SECURITY: Tramp creates -rwxrwxrwx permission files with /su and /sudo method
Date: Mon, 29 Jun 2009 18:16:30 +0300
Message-ID: <87ljnbax4h.fsf@iki.fi>

When method /su: or /sudo: is used to _create_ a file the file's
permission will be set to -rwxrwxrwx (777), that is, allow everything
for everyone. Obviously this is a serious security bug.

Steps to reproduce:

 1. Start Emacs as a normal user:

        emacs -Q

 2. Create a file in a directory to which the user who launched this
    Emacs session doesn't have write access.

        C-x C-f /su::/root/test.txt

 3. Write some content to the file and save it with "C-x C-s".

 4. Check the file's permissions. It has 777 permission bits:

        $ ls -l /root/test.txt
        -rwxrwxrwx 1 root root 5 2009-06-29 17:58 /root/test.txt

For some reason, if I create a similar file in the home directory of
the same user who launched this Emacs session (/su::$HOME/test.txt)
then it gets 644 permissions (probably honoring umask settings).

In GNU Emacs 23.1.50.4 (i686-pc-linux-gnu, GTK+ Version 2.12.12)
 of 2009-06-29 on mithlond
Windowing system distributor `The X.Org Foundation', version 11.0.10402000
configured using `configure '--prefix=/home/dtw/local''


From: Teemu Likonen
To: Michael Albinus
Cc: 3712-done@emacsbugs.donarmstrong.com
Subject: Re: bug#3712: 23.1.50; SECURITY: Tramp creates -rwxrwxrwx permission files with /su and /sudo method
In-Reply-To: (Michael Albinus's message of "Tue, 30 Jun 2009 17:34:27 +0200")
Date: Tue, 30 Jun 2009 19:36:32 +0300
Message-ID: <878wj9fzlb.fsf@iki.fi>

On 2009-06-30 17:34 (+0200), Michael Albinus wrote:

> OK, you've convinced me. Execution bits are removed now for newly
> created remote files.
> If it works also for you it is OK for me.

It seems to work perfectly now. Huge thanks! I'm happy to close this
bug.
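
A check for the condition reported in this thread, as an added example that is not part of the original messages and is not Tramp code: it walks a directory tree and lists regular files that are world-writable, printing the mode in the same form as the `ls -l` output in step 4. The function names and the sample tree are hypothetical and constructed for the example.

```python
import os
import stat
import tempfile


def find_world_writable(root):
    """Return (path, ls-style mode) for regular files under root that anyone may write."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append((path, stat.filemode(st.st_mode)))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample: one file with the 777 mode from the report, one with 644."""
    root = tempfile.mkdtemp(prefix="perm-audit-")
    for name, mode in (("test.txt", 0o777), ("ok.txt", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("test\n")
        os.chmod(path, mode)  # chmod sets the mode exactly; the umask does not apply
    return root


if __name__ == "__main__":
    # Audit the constructed tree; point find_world_writable() at a real
    # directory (for example one edited through /su: or /sudo:) to audit it.
    for path, mode in find_world_writable(build_sample_tree()):
        print(mode, path)
```

Run with sufficient privileges to read the directory being audited; unreadable subdirectories are skipped silently by `os.walk`.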