unofficial mirror of bug-gnu-emacs@gnu.org 
 help / color / mirror / code / Atom feed
* bug#17187: 24.3.50.1 open-dribble-file stores pw
@ 2014-04-04 17:35 Andreas Röhler
  2014-04-04 21:42 ` Glenn Morris
  0 siblings, 1 reply; 15+ messages in thread
From: Andreas Röhler @ 2014-04-04 17:35 UTC (permalink / raw)
  To: 17187

Emacs -Q from 2014-02-19

Passwort gets stored in plain text





^ permalink raw reply	[flat|nested] 15+ messages in thread

* bug#17187: 24.3.50.1 open-dribble-file stores pw
  2014-04-04 17:35 bug#17187: 24.3.50.1 open-dribble-file stores pw Andreas Röhler
@ 2014-04-04 21:42 ` Glenn Morris
  2014-04-05  7:54   ` Andreas Röhler
                     ` (2 more replies)
  0 siblings, 3 replies; 15+ messages in thread
From: Glenn Morris @ 2014-04-04 21:42 UTC (permalink / raw)
  To: 17187


As suggested a decade ago,

http://lists.gnu.org/archive/html/emacs-pretest-bug/2003-10/msg00229.html

the dribble file should be created with file permission bits = 600.







^ permalink raw reply	[flat|nested] 15+ messages in thread

* bug#17187: 24.3.50.1 open-dribble-file stores pw
  2014-04-04 21:42 ` Glenn Morris
@ 2014-04-05  7:54   ` Andreas Röhler
  2014-04-05  7:58   ` Andreas Röhler
  2014-04-05 15:50   ` Stefan Monnier
  2 siblings, 0 replies; 15+ messages in thread
From: Andreas Röhler @ 2014-04-05  7:54 UTC (permalink / raw)
  To: 17187

Am 04.04.2014 23:42, schrieb Glenn Morris:
>
> As suggested a decade ago,
>
> http://lists.gnu.org/archive/html/emacs-pretest-bug/2003-10/msg00229.html
>
> the dribble file should be created with file permission bits = 600.

So why Emacs doesn't set permissions accordingly?






^ permalink raw reply	[flat|nested] 15+ messages in thread

* bug#17187: 24.3.50.1 open-dribble-file stores pw
  2014-04-04 21:42 ` Glenn Morris
  2014-04-05  7:54   ` Andreas Röhler
@ 2014-04-05  7:58   ` Andreas Röhler
  2014-04-05 15:50   ` Stefan Monnier
  2 siblings, 0 replies; 15+ messages in thread
From: Andreas Röhler @ 2014-04-05  7:58 UTC (permalink / raw)
  To: 17187

Am 04.04.2014 23:42, schrieb Glenn Morris:
>
> As suggested a decade ago,
>
> http://lists.gnu.org/archive/html/emacs-pretest-bug/2003-10/msg00229.html
>
> the dribble file should be created with file permission bits = 600.
>

BTW IMHO it's a serious security-hole, should be flagged accordingly.
There will be numerous users with these kind of stuff during session.






^ permalink raw reply	[flat|nested] 15+ messages in thread

* bug#17187: 24.3.50.1 open-dribble-file stores pw
  2014-04-04 21:42 ` Glenn Morris
  2014-04-05  7:54   ` Andreas Röhler
  2014-04-05  7:58   ` Andreas Röhler
@ 2014-04-05 15:50   ` Stefan Monnier
  2014-04-05 16:37     ` Andreas Röhler
  2014-04-05 17:22     ` Glenn Morris
  2 siblings, 2 replies; 15+ messages in thread
From: Stefan Monnier @ 2014-04-05 15:50 UTC (permalink / raw)
  To: Glenn Morris; +Cc: 17187

severity 17187 important
thanks

> As suggested a decade ago,
> http://lists.gnu.org/archive/html/emacs-pretest-bug/2003-10/msg00229.html
> the dribble file should be created with file permission bits = 600.

Very much agreed.


        Stefan





^ permalink raw reply	[flat|nested] 15+ messages in thread

* bug#17187: 24.3.50.1 open-dribble-file stores pw
  2014-04-05 15:50   ` Stefan Monnier
@ 2014-04-05 16:37     ` Andreas Röhler
  2014-04-05 16:55       ` Andreas Schwab
  2014-04-05 17:22     ` Glenn Morris
  1 sibling, 1 reply; 15+ messages in thread
From: Andreas Röhler @ 2014-04-05 16:37 UTC (permalink / raw)
  To: 17187

Am 05.04.2014 17:50, schrieb Stefan Monnier:
> severity 17187 important
> thanks
>
>> As suggested a decade ago,
>> http://lists.gnu.org/archive/html/emacs-pretest-bug/2003-10/msg00229.html
>> the dribble file should be created with file permission bits = 600.
>
> Very much agreed.
>
>
>          Stefan
>

Will that solve the matter already? IMO a pw should never be stored as plain-text.
File-permissions are not considered save in that context.

Should be a way to replace the chars by "*" for example before writing it.

Andreas






^ permalink raw reply	[flat|nested] 15+ messages in thread

* bug#17187: 24.3.50.1 open-dribble-file stores pw
  2014-04-05 16:37     ` Andreas Röhler
@ 2014-04-05 16:55       ` Andreas Schwab
  2014-04-05 18:07         ` Andreas Röhler
  0 siblings, 1 reply; 15+ messages in thread
From: Andreas Schwab @ 2014-04-05 16:55 UTC (permalink / raw)
  To: Andreas Röhler; +Cc: 17187

Andreas Röhler <andreas.roehler@easy-emacs.de> writes:

> Will that solve the matter already? IMO a pw should never be stored as plain-text.

The dribble file does not know what a password is.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."





^ permalink raw reply	[flat|nested] 15+ messages in thread

* bug#17187: 24.3.50.1 open-dribble-file stores pw
  2014-04-05 15:50   ` Stefan Monnier
  2014-04-05 16:37     ` Andreas Röhler
@ 2014-04-05 17:22     ` Glenn Morris
  2014-04-05 22:02       ` Stefan Monnier
  1 sibling, 1 reply; 15+ messages in thread
From: Glenn Morris @ 2014-04-05 17:22 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: 17187

Stefan Monnier wrote:

>> As suggested a decade ago,
>> http://lists.gnu.org/archive/html/emacs-pretest-bug/2003-10/msg00229.html
>> the dribble file should be created with file permission bits = 600.
>
> Very much agreed.

PS maybe it should also abort with an error if the file already exists
(and is a symlink or is not owned by the current user?).





^ permalink raw reply	[flat|nested] 15+ messages in thread

* bug#17187: 24.3.50.1 open-dribble-file stores pw
  2014-04-05 16:55       ` Andreas Schwab
@ 2014-04-05 18:07         ` Andreas Röhler
  2014-04-05 19:24           ` Andreas Schwab
  0 siblings, 1 reply; 15+ messages in thread
From: Andreas Röhler @ 2014-04-05 18:07 UTC (permalink / raw)
  To: Andreas Schwab; +Cc: 17187

Am 05.04.2014 18:55, schrieb Andreas Schwab:
> Andreas Röhler <andreas.roehler@easy-emacs.de> writes:
>
>> Will that solve the matter already? IMO a pw should never be stored as plain-text.
>
> The dribble file does not know what a password is.
>
> Andreas.
>

As Emacs shell sent as prompt for pw, at least Emacs knows.
All remains to do is to ship that info.





^ permalink raw reply	[flat|nested] 15+ messages in thread

* bug#17187: 24.3.50.1 open-dribble-file stores pw
  2014-04-05 18:07         ` Andreas Röhler
@ 2014-04-05 19:24           ` Andreas Schwab
  0 siblings, 0 replies; 15+ messages in thread
From: Andreas Schwab @ 2014-04-05 19:24 UTC (permalink / raw)
  To: Andreas Röhler; +Cc: 17187

Andreas Röhler <andreas.roehler@easy-emacs.de> writes:

> Am 05.04.2014 18:55, schrieb Andreas Schwab:
>> Andreas Röhler <andreas.roehler@easy-emacs.de> writes:
>>
>>> Will that solve the matter already? IMO a pw should never be stored as plain-text.
>>
>> The dribble file does not know what a password is.
>>
>> Andreas.
>>
>
> As Emacs shell sent as prompt for pw, at least Emacs knows.

Not at this level.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."





^ permalink raw reply	[flat|nested] 15+ messages in thread

* bug#17187: 24.3.50.1 open-dribble-file stores pw
  2014-04-05 17:22     ` Glenn Morris
@ 2014-04-05 22:02       ` Stefan Monnier
  2014-04-05 23:01         ` Glenn Morris
  0 siblings, 1 reply; 15+ messages in thread
From: Stefan Monnier @ 2014-04-05 22:02 UTC (permalink / raw)
  To: Glenn Morris; +Cc: 17187

>>> As suggested a decade ago,
>>> http://lists.gnu.org/archive/html/emacs-pretest-bug/2003-10/msg00229.html
>>> the dribble file should be created with file permission bits = 600.
>> Very much agreed.
> PS maybe it should also abort with an error if the file already exists
> (and is a symlink or is not owned by the current user?).

You mean it should be created with EXCL?
Maybe.  Then again, AFAIK this is only used for debugging purposes, so
I'm not sure it's that important and you could assume that the user will
normally specify a file in a directory she owns, where the attacker
shouldn't be able to place a surreptitious symlink.


        Stefan





^ permalink raw reply	[flat|nested] 15+ messages in thread

* bug#17187: 24.3.50.1 open-dribble-file stores pw
  2014-04-05 22:02       ` Stefan Monnier
@ 2014-04-05 23:01         ` Glenn Morris
  2014-04-05 23:14           ` Daniel Colascione
  2014-04-11  5:49           ` Glenn Morris
  0 siblings, 2 replies; 15+ messages in thread
From: Glenn Morris @ 2014-04-05 23:01 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: 17187


Lightly tested:

*** src/keyboard.c	2014-04-05 18:33:55 +0000
--- src/keyboard.c	2014-04-05 22:59:00 +0000
***************
*** 20,25 ****
--- 20,26 ----
  #include <config.h>
  
  #include "sysstdio.h"
+ #include <sys/stat.h>
  
  #include "lisp.h"
  #include "termchar.h"
***************
*** 10085,10092 ****
      }
    if (!NILP (file))
      {
        file = Fexpand_file_name (file, Qnil);
!       dribble = emacs_fopen (SSDATA (file), "w");
        if (dribble == 0)
  	report_file_error ("Opening dribble", file);
      }
--- 10086,10100 ----
      }
    if (!NILP (file))
      {
+       int fd;
        file = Fexpand_file_name (file, Qnil);
!       if (! NILP (Ffile_exists_p (file)))
!         {
!           if (chmod (SSDATA (file), 0600) < 0)
!             report_file_error ("Doing chmod", file);
!         }
!       fd = emacs_open (SSDATA (file), O_WRONLY | O_CREAT | O_TRUNC, 0600);
!       dribble = fd < 0 ? 0 : fdopen (fd, "w");
        if (dribble == 0)
  	report_file_error ("Opening dribble", file);
      }






^ permalink raw reply	[flat|nested] 15+ messages in thread

* bug#17187: 24.3.50.1 open-dribble-file stores pw
  2014-04-05 23:01         ` Glenn Morris
@ 2014-04-05 23:14           ` Daniel Colascione
  2014-04-06  2:05             ` Glenn Morris
  2014-04-11  5:49           ` Glenn Morris
  1 sibling, 1 reply; 15+ messages in thread
From: Daniel Colascione @ 2014-04-05 23:14 UTC (permalink / raw)
  To: Glenn Morris, Stefan Monnier; +Cc: 17187

[-- Attachment #1: Type: text/plain, Size: 934 bytes --]

On 04/05/2014 04:01 PM, Glenn Morris wrote:
> ***************
> *** 10085,10092 ****
>       }
>     if (!NILP (file))
>       {
>         file = Fexpand_file_name (file, Qnil);
> !       dribble = emacs_fopen (SSDATA (file), "w");
>         if (dribble == 0)
>   	report_file_error ("Opening dribble", file);
>       }
> --- 10086,10100 ----
>       }
>     if (!NILP (file))
>       {
> +       int fd;
>         file = Fexpand_file_name (file, Qnil);
> !       if (! NILP (Ffile_exists_p (file)))
> !         {
> !           if (chmod (SSDATA (file), 0600) < 0)
> !             report_file_error ("Doing chmod", file);
> !         }
> !       fd = emacs_open (SSDATA (file), O_WRONLY | O_CREAT | O_TRUNC, 0600);
> !       dribble = fd < 0 ? 0 : fdopen (fd, "w");
>         if (dribble == 0)

That's racy. What about using fchmod and falling back to post-open chmod
for systems that don't have fchmod?


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 901 bytes --]

^ permalink raw reply	[flat|nested] 15+ messages in thread

* bug#17187: 24.3.50.1 open-dribble-file stores pw
  2014-04-05 23:14           ` Daniel Colascione
@ 2014-04-06  2:05             ` Glenn Morris
  0 siblings, 0 replies; 15+ messages in thread
From: Glenn Morris @ 2014-04-06  2:05 UTC (permalink / raw)
  To: Daniel Colascione; +Cc: 17187

Daniel Colascione wrote:

> That's racy. What about using fchmod and falling back to post-open chmod
> for systems that don't have fchmod?

I'm no C coder, please feel free to improve it.
But IIUC it's been argued that we don't need to guard against malicious
intent here, only user oversight.





^ permalink raw reply	[flat|nested] 15+ messages in thread

* bug#17187: 24.3.50.1 open-dribble-file stores pw
  2014-04-05 23:01         ` Glenn Morris
  2014-04-05 23:14           ` Daniel Colascione
@ 2014-04-11  5:49           ` Glenn Morris
  1 sibling, 0 replies; 15+ messages in thread
From: Glenn Morris @ 2014-04-11  5:49 UTC (permalink / raw)
  To: 17187-done

Version: 24.4

File now created private.





^ permalink raw reply	[flat|nested] 15+ messages in thread

end of thread, other threads:[~2014-04-11  5:49 UTC | newest]

Thread overview: 15+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-04-04 17:35 bug#17187: 24.3.50.1 open-dribble-file stores pw Andreas Röhler
2014-04-04 21:42 ` Glenn Morris
2014-04-05  7:54   ` Andreas Röhler
2014-04-05  7:58   ` Andreas Röhler
2014-04-05 15:50   ` Stefan Monnier
2014-04-05 16:37     ` Andreas Röhler
2014-04-05 16:55       ` Andreas Schwab
2014-04-05 18:07         ` Andreas Röhler
2014-04-05 19:24           ` Andreas Schwab
2014-04-05 17:22     ` Glenn Morris
2014-04-05 22:02       ` Stefan Monnier
2014-04-05 23:01         ` Glenn Morris
2014-04-05 23:14           ` Daniel Colascione
2014-04-06  2:05             ` Glenn Morris
2014-04-11  5:49           ` Glenn Morris

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).