From: Eli Zaretskii
Newsgroups: gmane.emacs.devel
Subject: Re: master 739593d 3/5: Make gnus-copy-file act like copy-file etc.
Date: Fri, 15 Sep 2017 12:16:08 +0300
Message-ID: <838thgmief.fsf@gnu.org>
References: <20170911053128.28763.28434@vcs0.savannah.gnu.org> <20170911053130.C5F002068F@vcs0.savannah.gnu.org> <83fa9922-8d83-9d2f-82af-f34e90521d88@cs.ucla.edu> <8360clnrv8.fsf@gnu.org> <4ee490a4-c3ce-c9b7-7ef8-8e0248881de9@cs.ucla.edu> <83o9qdm8hc.fsf@gnu.org> <31d79f93-2b0d-f465-72bb-88ce4532c7ee@cs.ucla.edu>
To: Paul Eggert
Cc: monnier@iro.umontreal.ca, emacs-devel@gnu.org
In-reply-to: <31d79f93-2b0d-f465-72bb-88ce4532c7ee@cs.ucla.edu> (message from Paul Eggert on Thu, 14 Sep 2017 21:04:16 -0700)
Xref: news.gmane.org gmane.emacs.devel:218317

> Cc: monnier@iro.umontreal.ca, emacs-devel@gnu.org
> From: Paul Eggert
> Date: Thu, 14 Sep 2017 21:04:16 -0700
>
> Eli Zaretskii wrote:
> > no bot or person can reasonably
> > know in advance what file or directory the user will copy/rename.
>
> Sure they can. Here's a scenario off the top of my head. A sysadmin uses Emacs
> to examine files, and has the bad (but all-too-common) habit of copying files to
> /tmp and examining the copies so that he doesn't mistakenly change the
> originals. A malicious user asks the sysadmin to take a look at "problems" in
> the user's ~/.ssh/known_hosts file. The sysadmin does this:
>
> M-x copy-file RET ~malicious/.ssh/known_hosts RET /tmp/known_hosts RET
>
> but it doesn't seem to work (there's no file in /tmp afterwards), so the tired
> sysadmin figures he mistyped the command, does the copy-file again and this time
> it works so he diagnoses the "problems". Because of the Emacs security bug with
> destination directories, the malicious user has now taken over the sysadmin's
> personal and private known_hosts file.
>
> The scenario works partly because the attacker knows the habits of the victim.
> Such habits are often easy to discover.
>
> One possible solution to all this is to tell one's sysadmins "Do not use Emacs:
> it has too many security holes". But I'm fond of Emacs, and would rather that
> sysadmins could trust it to do their work.

The same sysadmin could do the same with Coreutils, with the same results, right?

Sorry, Paul, this is not going to fly with me. I still think that changing the interactive behavior in these cases is wrong, and we shouldn't do it.
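The scenario in Paul's quoted message, rebuilt as a runnable model. This is an added example and is not code from the thread or from Emacs: `copy_file_legacy` models the behaviour the quoted text calls the "security bug with destination directories" (if the destination names an existing directory, the copy is placed inside it, and a symlink to a directory counts), and `copy_file_strict` models the stricter rule of treating the destination as a directory only when it is spelled as one with a trailing slash, which is how I model the change the thread is arguing about. The attacker's preparation is also an assumption chosen to reproduce the symptoms described (nothing usable in /tmp after the first attempt, the sysadmin's own known_hosts replaced): the attacker plants /tmp/known_hosts as a symlink to the sysadmin's ~/.ssh directory. All paths live in a throwaway temporary tree that the function constructs and removes.

```python
import os
import shutil
import tempfile
from pathlib import Path


def copy_file_legacy(src: str, dst: str) -> str:
    """Modelled legacy semantics (not Emacs's own code): if DST names an
    existing directory, copy SRC into it under SRC's basename. os.path.isdir
    follows symlinks, so a planted symlink to a directory is accepted too."""
    if os.path.isdir(dst):
        dst = os.path.join(dst, os.path.basename(src))
    shutil.copyfile(src, dst)
    return dst


def copy_file_strict(src: str, dst: str) -> str:
    """Modelled strict semantics (assumption): DST is a directory only when
    the caller wrote it as one (trailing separator). A pre-existing directory,
    or symlink to one, at a plain DST is an error rather than a copy target."""
    if dst.endswith(os.sep):
        if not os.path.isdir(dst):
            raise FileNotFoundError(dst)
        dst = os.path.join(dst, os.path.basename(src))
    elif os.path.isdir(dst):
        raise IsADirectoryError(dst)
    shutil.copyfile(src, dst)
    return dst


def run_scenario(copy, plant: str = "symlink"):
    """Replay the mail's scenario in a constructed temporary tree.

    plant: what the attacker left at /tmp/known_hosts before the copy:
      "none"    - nothing (the honest second attempt)
      "dir"     - an ordinary directory
      "symlink" - a symlink to the sysadmin's own ~/.ssh directory
    Returns (sysadmin_known_hosts_text, tmp_dest_is_regular_file, error_name).
    """
    root = Path(tempfile.mkdtemp())
    try:
        tmp = root / "tmp"
        admin_ssh = root / "home" / "admin" / ".ssh"
        mal_ssh = root / "home" / "malicious" / ".ssh"
        for d in (tmp, admin_ssh, mal_ssh):
            d.mkdir(parents=True)
        # Constructed sample contents, standing in for real known_hosts files.
        (admin_ssh / "known_hosts").write_text("admin's genuine entries\n")
        (mal_ssh / "known_hosts").write_text("attacker-controlled entries\n")

        dest = tmp / "known_hosts"
        if plant == "dir":
            dest.mkdir()
        elif plant == "symlink":
            os.symlink(admin_ssh, dest)

        error = None
        try:
            copy(str(mal_ssh / "known_hosts"), str(dest))
        except OSError as exc:
            error = type(exc).__name__
        return (admin_ssh / "known_hosts").read_text(), dest.is_file(), error
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for fn in (copy_file_legacy, copy_file_strict):
        for plant in ("none", "dir", "symlink"):
            print(fn.__name__, plant, run_scenario(fn, plant))
```

With the legacy rule and a planted symlink, the copy lands in the sysadmin's own .ssh directory and overwrites the genuine known_hosts, while /tmp/known_hosts is still not a regular file, which is exactly the "it didn't seem to work" symptom; with a planted plain directory the copy merely disappears into it. The strict rule refuses both planted cases and only succeeds when nothing was planted. Note that this only models the directory-destination case the thread discusses: a symlink to a regular file at the destination is still written through by `shutil.copyfile`, so the trailing-slash rule is not a complete defence against a hostile /tmp.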