From: Al Petrofsky
Newsgroups: gmane.emacs.devel
Subject: Re: many packages write to `temporary-file-directory' insecurely
Date: Mon, 4 Mar 2002 18:26:40 -0800
Message-ID: <200203050226.SAA32321@radish.petrofsky.org>
References: <1014945351.23435.102.camel@space-ghost> <1015103550.7365.17.camel@space-ghost> <200203031718.g23HIKt23295@rum.cs.yale.edu> <200203032036.MAA29961@radish.petrofsky.org> <200203042341.g24NfAA00521@aztec.santafe.edu>
To: rms@gnu.org
Cc: monnier+gnu/emacs@RUM.cs.yale.edu, Pavel@Janik.cz, walters@verbum.org, emacs-devel@gnu.org
In-reply-to: <200203042341.g24NfAA00521@aztec.santafe.edu> (message from Richard Stallman on Mon, 4 Mar 2002 16:41:10 -0700 (MST))
Xref: quimby.gnus.org gmane.emacs.devel:1732

> From: Richard Stallman
>
> That code needs comments to explain what it is trying to do and why
> that is right. After some study, I think I see WHAT it does, but I
> can't see why one would want to do that.

The original problem was that when we wrote over /tmp/snake-scores we couldn't be sure that /tmp/snake-scores hadn't just been changed from a file to a symbolic link pointing to one of our important files.

My solution is to first write the scores securely into a temp file and then move it to the desired place. This is safe, because if someone has made the destination filename a symbolic link, then the rename system call removes the link, rather than overwriting the linked-to file.

This requires storing the file in a subdirectory of /tmp that is world-writable without restriction, as opposed to /tmp itself, which normally has its sticky bit set, thus forbidding people from deleting others' files or renaming over them. The catch is that if someone has made /tmp/emacs-game-scores a symbolic link to one of our directories, then we could overwrite the file named snake-scores in that directory. So the improvement is that only our files named snake-scores are vulnerable, rather than all of them.

> It seems to make the file read-only; why do that?

The point of (set-file-modes temp #o444) is to ensure the file is world-readable, in case the user has a paranoid umask. Making the file non-writable is not necessary.

-al

_______________________________________________
Emacs-devel mailing list
Emacs-devel@gnu.org
http://mail.gnu.org/mailman/listinfo/emacs-devel
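The write-to-temp-then-rename scheme described in the message above, as an added Python example that is not code from the thread or from Emacs. The directory layout, the planted symlink and the file contents are constructed for the demonstration; it contrasts the naive overwrite (which follows the link) with the rename approach (which replaces it).

```python
import os
import stat
import tempfile


def write_scores_atomically(dest, data):
    """Create a temp file beside dest with mkstemp (O_CREAT|O_EXCL, so an
    attacker-planted name is never opened), make it world-readable, then
    rename() it onto dest.  rename() does not follow a symlink at dest;
    it replaces the link entry itself."""
    directory = os.path.dirname(dest) or "."
    fd, tmp = tempfile.mkstemp(prefix=".snake-scores-", dir=directory)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(data)
            f.flush()
            os.fchmod(fd, 0o444)  # world-readable regardless of umask (the #o444 in the mail)
        os.rename(tmp, dest)  # atomic replacement of whatever name sits at dest
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def naive_overwrite(dest, data):
    """The pattern the thread warns about: open(dest, 'w') follows a symlink."""
    with open(dest, "w") as f:
        f.write(data)


def _read(path):
    with open(path) as f:
        return f.read()


def demo():
    """Constructed scenario: snake-scores is a symlink to an 'important' file."""
    base = tempfile.mkdtemp()
    victim = os.path.join(base, "important")
    dest = os.path.join(base, "snake-scores")
    with open(victim, "w") as f:
        f.write("precious\n")
    os.symlink(victim, dest)          # the hostile link the mail describes

    naive_overwrite(dest, "scores\n")
    naive_clobbered = _read(victim) != "precious\n"

    with open(victim, "w") as f:      # restore; dest is still the symlink
        f.write("precious\n")
    write_scores_atomically(dest, "scores\n")
    st = os.lstat(dest)
    return {
        "naive_clobbered_victim": naive_clobbered,
        "safe_victim_intact": _read(victim) == "precious\n",
        "dest_is_regular_file": stat.S_ISREG(st.st_mode),
        "dest_mode": stat.S_IMODE(st.st_mode),
    }
```

This protects only the final filename; the residual risk named in the mail, the containing directory itself being replaced by a symlink, is not addressed by this code.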