From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Eli Zaretskii <eliz@gnu.org>
Newsgroups: gmane.emacs.devel
Subject: Re: set-file-extended-attributes and backups
Date: Fri, 21 Dec 2012 20:08:17 +0200
Message-ID: <837gobqnvy.fsf@gnu.org>
References: <83obhntq1m.fsf@gnu.org> <50D48781.1050303@cs.ucla.edu>
	<83a9t7qrrw.fsf@gnu.org> <50D4A0E4.3050004@cs.ucla.edu>
Reply-To: Eli Zaretskii <eliz@gnu.org>
NNTP-Posting-Host: plane.gmane.org
X-Trace: ger.gmane.org 1356113328 18107 80.91.229.3 (21 Dec 2012 18:08:48 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Fri, 21 Dec 2012 18:08:48 +0000 (UTC)
Cc: romain@orebokech.com, emacs-devel@gnu.org
To: Paul Eggert <eggert@cs.ucla.edu>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Fri Dec 21 19:09:03 2012
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1Tm71q-0001vw-8F
	for ged-emacs-devel@m.gmane.org; Fri, 21 Dec 2012 19:09:02 +0100
Original-Received: from localhost ([::1]:41879 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1Tm71c-0000Cm-DA
	for ged-emacs-devel@m.gmane.org; Fri, 21 Dec 2012 13:08:48 -0500
Original-Received: from eggs.gnu.org ([208.118.235.92]:55412)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <eliz@gnu.org>) id 1Tm71T-0000Be-9N
	for emacs-devel@gnu.org; Fri, 21 Dec 2012 13:08:46 -0500
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <eliz@gnu.org>) id 1Tm71M-0007mr-NL
	for emacs-devel@gnu.org; Fri, 21 Dec 2012 13:08:39 -0500
Original-Received: from mtaout21.012.net.il ([80.179.55.169]:40429)
	by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <eliz@gnu.org>)
	id 1Tm71M-0007ln-FA
	for emacs-devel@gnu.org; Fri, 21 Dec 2012 13:08:32 -0500
Original-Received: from conversion-daemon.a-mtaout21.012.net.il by
	a-mtaout21.012.net.il (HyperSendmail v2007.08) id
	<0MFE00G007DFBA00@a-mtaout21.012.net.il> for
	emacs-devel@gnu.org; Fri, 21 Dec 2012 20:08:30 +0200 (IST)
Original-Received: from HOME-C4E4A596F7 ([87.69.4.28]) by a-mtaout21.012.net.il
	(HyperSendmail v2007.08) with ESMTPA id
	<0MFE00GNB7Q66V70@a-mtaout21.012.net.il>;
	Fri, 21 Dec 2012 20:08:30 +0200 (IST)
In-reply-to: <50D4A0E4.3050004@cs.ucla.edu>
X-012-Sender: halo1@inter.net.il
X-detected-operating-system: by eggs.gnu.org: Solaris 10
X-Received-From: 80.179.55.169
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.devel:155740
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/155740>

> Date: Fri, 21 Dec 2012 09:48:20 -0800
> From: Paul Eggert <eggert@cs.ucla.edu>
> CC: emacs-devel@gnu.org, romain@orebokech.com
> 
> On 12/21/12 08:44, Eli Zaretskii wrote:
> > How about if it tried to copy ACLs, and if that failed, attempted to
> > copy the file modes?  That would DTRT if possible, and fall back on
> > the pre-ACL method if not.
> 
> That could lead to security issues if the file modes are more
> permissive than the ACLs.

But we did that until a week ago.  If we want Emacs to be more secure,
just because it can now access ACLs, this decision should be left to
the user, i.e. be a user option.  Otherwise, we are forcing users the
level of security they not necessary want.

> Is there an easy way to test whether a file's ACLs could deny
> access when the file's modes would allow it?

There are no modes without ACLs.  Systems that support ACLs always
provide ACLs for files, just the default ones.  So what you ask is
whether the default ACLs will allow some access that a specific ACLs
won't.  And the answer to that is "it depends on the user" whose
access we are interested in.  E.g., if the default ACLs allow some
access to the file's group, the answer depends on whether a user
belongs to that group.

> The simplest conservative approximation that I can think of offhand
> is to test whether a file has any nontrivial ACLs.

That's not good enough, I think: if the nontrivial ACLs specify the
same group as the file's group, the modes and the ACLs are equivalent,
although the ACLs are "nontrivial".

> Whatever test Emacs uses, if the test says "yes" Emacs should
> be more cautious: create a destination file with a restrictive
> mode (e.g., -rw-------), copy the data, then attempt to copy the ACLs,
> and if the ACL copy fails then Emacs should not attempt to change
> the mode.

That assumes that -rw------- is secure.  But that assumption is false,
because ACLs can be more restrictive than that, even on Posix
platforms.  E.g., they could disallow write access to the user who
makes the copy, or disallow attributes changes.