unofficial mirror of emacs-devel@gnu.org 
From: Eli Zaretskii <eliz@gnu.org>
To: Paul Eggert <eggert@cs.ucla.edu>
Cc: romain@orebokech.com, emacs-devel@gnu.org
Subject: Re: set-file-extended-attributes and backups
Date: Fri, 21 Dec 2012 20:08:17 +0200	[thread overview]
Message-ID: <837gobqnvy.fsf@gnu.org> (raw)
In-Reply-To: <50D4A0E4.3050004@cs.ucla.edu>

> Date: Fri, 21 Dec 2012 09:48:20 -0800
> From: Paul Eggert <eggert@cs.ucla.edu>
> CC: emacs-devel@gnu.org, romain@orebokech.com
> 
> On 12/21/12 08:44, Eli Zaretskii wrote:
> > How about if it tried to copy ACLs, and if that failed, attempted to
> > copy the file modes?  That would DTRT if possible, and fall back on
> > the pre-ACL method if not.
> 
> That could lead to security issues if the file modes are more
> permissive than the ACLs.

But we did that until a week ago.  If we want Emacs to be more secure,
just because it can now access ACLs, this decision should be left to
the user, i.e. be a user option.  Otherwise, we are forcing on users a
level of security they do not necessarily want.

> Is there an easy way to test whether a file's ACLs could deny
> access when the file's modes would allow it?

There are no modes without ACLs.  Systems that support ACLs always
provide ACLs for files, just the default ones.  So what you ask is
whether the default ACLs will allow some access that specific ACLs
won't.  And the answer to that is "it depends on the user" whose
access we are interested in.  E.g., if the default ACLs allow some
access to the file's group, the answer depends on whether a user
belongs to that group.

> The simplest conservative approximation that I can think of offhand
> is to test whether a file has any nontrivial ACLs.

That's not good enough, I think: if the nontrivial ACLs specify the
same group as the file's group, the modes and the ACLs are equivalent,
although the ACLs are "nontrivial".

> Whatever test Emacs uses, if the test says "yes" Emacs should
> be more cautious: create a destination file with a restrictive
> mode (e.g., -rw-------), copy the data, then attempt to copy the ACLs,
> and if the ACL copy fails then Emacs should not attempt to change
> the mode.

That assumes that -rw------- is secure.  But that assumption is false,
because ACLs can be more restrictive than that, even on Posix
platforms.  E.g., they could disallow write access to the user who
makes the copy, or disallow attribute changes.
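The cautious backup sequence Paul describes above (create the destination
with -rw-------, copy the data, try to copy the ACLs, and relax the mode
only if that succeeds) as an added Python example; it is not code from this
thread or from Emacs.  `copy_acls_unsupported` is an assumed stand-in for a
real ACL-copying routine (the standard library has none), and its failure
models the "ACL copy fails" branch, in which the backup keeps 0600 instead
of falling back to the source's mode bits:

```python
import os
import shutil
import stat
import tempfile


def copy_acls_unsupported(src, dst):
    """Assumed stand-in for an ACL copy routine (a real one would call
    libacl or the platform API).  Raising models 'ACL copy failed'."""
    raise OSError("ACL copy not supported here")


def cautious_backup(src, dst, copy_acls=copy_acls_unsupported):
    """Copy src to dst without leaving dst wider than src's ACLs allow.

    1. create dst with mode 0600 (O_EXCL: never reuse an existing file)
    2. copy the data
    3. try to copy the ACLs; only if that succeeds apply src's mode bits
    Returns which branch was taken and the mode bits dst ended up with.
    """
    src_mode = stat.S_IMODE(os.stat(src).st_mode)
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
            shutil.copyfileobj(inp, out)
    except BaseException:
        os.unlink(dst)  # do not leave a half-written backup behind
        raise
    try:
        copy_acls(src, dst)
    except OSError:
        # ACL copy failed: keep the restrictive 0600 rather than falling
        # back to src's (possibly more permissive) mode bits.
        return {"how": "restrictive",
                "mode": stat.S_IMODE(os.stat(dst).st_mode)}
    os.chmod(dst, src_mode)  # ACLs copied, so matching modes is safe
    return {"how": "acls", "mode": stat.S_IMODE(os.stat(dst).st_mode)}


def demo():
    """Exercise both branches on a constructed file; returns
    (fallback_result, acl_ok_result, data_matches)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "notes.txt")
        payload = b"constructed sample content\n"
        with open(src, "wb") as f:
            f.write(payload)
        os.chmod(src, 0o644)  # world-readable mode bits on the original
        fallback = cautious_backup(src, os.path.join(d, "notes.txt~"))
        acl_ok = cautious_backup(src, os.path.join(d, "notes.txt.bak"),
                                 copy_acls=lambda s, t: None)
        with open(os.path.join(d, "notes.txt~"), "rb") as f:
            data_matches = f.read() == payload
        return fallback, acl_ok, data_matches


if __name__ == "__main__":
    print(demo())
```

Note that this only enforces the ordering of the steps; it does nothing
about Eli's objection that 0600 is itself an assumption, since ACLs on the
source can be stricter than that (for example denying write to the copying
user), and a real implementation would have to decide how to treat the
fallback copy in that case.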


