unofficial mirror of emacs-devel@gnu.org 
 help / color / mirror / code / Atom feed
From: Lars Ingebrigtsen <larsi@gnus.org>
To: Paul Eggert <eggert@cs.ucla.edu>
Cc: Katsumi Yamaoka <yamaoka@jpl.org>, emacs-devel@gnu.org
Subject: Re: master 739593d 3/5: Make gnus-copy-file act like copy-file etc.
Date: Wed, 13 Sep 2017 23:10:52 +0200	[thread overview]
Message-ID: <87tw06b8yr.fsf@mouse.gnus.org> (raw)
In-Reply-To: <122fe4a2-2e96-9167-c815-42aa962c3da0@cs.ucla.edu> (Paul Eggert's message of "Wed, 13 Sep 2017 13:41:25 -0700")

Paul Eggert <eggert@cs.ucla.edu> writes:

> If the attacker knows what the user is up to (and this can be guessed
> often enough by looking at what Emacs has done to the file system
> recently), the attacker can hijack the rename. For example, if you
> type 'M-x rename-file RET abc RET /tmp/def RET', the attacker can
> create a symlink /tmp/def to a victim directory D so that the file abc
> is moved to D/abc rather than to its intended location /tmp/def.

Hm...  I see...

> This attack can happen only when the destination's parent directory
> (/tmp in the above example) is writable to the attacker. So we could
> bring back support for interactive renames to destination directories
> whose parents are writable only by self or root.

The attack surface you're trying to cover is when the user is writing a
file to a world-writable directory that contains a symlink that has
exactly the same name as the file you're trying to write?

Altering Emacs' way of renaming/copying/saving files everywhere for just
this single (and extremely unlikely) attack seems rather misguided, in
my opinion.  If we want to protect against that case, then we should
instead revert all the changes you've made to these functions and
introduce a new

(barf-if-you're-writing-a-file-with-the-same-name-to-a-symlink-in-a-world-writable-directory FILE)

function that we can slap into the affected functions and leave the
interactive parts working as they have always.

These days nobody lives on shared computers, anyway, so crippling these
common interactive commands to protect against non-existent people
making symlinks in /tmp does not seem like a good idea to me.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no



  reply	other threads:[~2017-09-13 21:10 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20170911053128.28763.28434@vcs0.savannah.gnu.org>
     [not found] ` <20170911053130.C5F002068F@vcs0.savannah.gnu.org>
2017-09-11 23:14   ` master 739593d 3/5: Make gnus-copy-file act like copy-file etc Katsumi Yamaoka
2017-09-12  2:12     ` Ken Brown
2017-09-12  2:33       ` Katsumi Yamaoka
2017-09-12 19:22         ` Paul Eggert
2017-09-14  4:17           ` Stefan Monnier
2017-09-14 16:54             ` Eli Zaretskii
2017-09-14 17:59               ` Paul Eggert
2017-09-14 18:38                 ` Eli Zaretskii
2017-09-15  4:04                   ` Paul Eggert
2017-09-15  9:16                     ` Eli Zaretskii
2017-09-12  2:42       ` Eli Zaretskii
2017-09-13 19:33     ` Lars Ingebrigtsen
2017-09-13 20:07       ` Paul Eggert
2017-09-13 20:11         ` Lars Ingebrigtsen
2017-09-13 20:41           ` Paul Eggert
2017-09-13 21:10             ` Lars Ingebrigtsen [this message]
2017-09-13 23:32               ` Paul Eggert
2017-09-14 11:25                 ` Lars Ingebrigtsen
2017-09-14  2:35         ` Eli Zaretskii

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://www.gnu.org/software/emacs/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87tw06b8yr.fsf@mouse.gnus.org \
    --to=larsi@gnus.org \
    --cc=eggert@cs.ucla.edu \
    --cc=emacs-devel@gnu.org \
    --cc=yamaoka@jpl.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).