unofficial mirror of emacs-devel@gnu.org 
* [root@mailserver.adm.unipi.it: Dangerous: delete-file deletes current directory as root!!]
@ 2002-10-11  4:41 Richard Stallman
  2002-10-11 19:32 ` Dangerous: delete-file deletes current directory as root!! Stefan Monnier
  0 siblings, 1 reply; 8+ messages in thread
From: Richard Stallman @ 2002-10-11  4:41 UTC (permalink / raw)


Can someone fix this?

------- Start of forwarded message -------
Envelope-to: rms@gnu.org
Delivery-date: Wed, 09 Oct 2002 13:05:22 -0400
From: Super-User <root@mailserver.adm.unipi.it>
To: bug-gnu-emacs@gnu.org
Subject: Dangerous: delete-file deletes current directory as root!!
Reply-To: pot@gnu.org
X-Virus-Scanned: by AMaViS-perl11-milter (http://amavis.org/)
Sender: bug-gnu-emacs-admin@gnu.org
Date: Wed, 9 Oct 2002 18:58:37 +0200 (MEST)

This bug report will be sent to the Free Software Foundation,
not to your local site managers!
Please write in English, because the Emacs maintainers do not have
translators to read other languages for them.

Your bug report will be posted to the bug-gnu-emacs@gnu.org mailing list,
and to the gnu.emacs.bug news group.

In GNU Emacs 21.2.1 (sparc-sun-solaris2.8, X toolkit)
 of 2002-10-08 on mailserver
Important settings:
  value of $LC_ALL: nil
  value of $LC_COLLATE: nil
  value of $LC_CTYPE: nil
  value of $LC_MESSAGES: nil
  value of $LC_MONETARY: nil
  value of $LC_NUMERIC: nil
  value of $LC_TIME: nil
  value of $LANG: nil
  locale-coding-system: nil
  default-enable-multibyte-characters: t

Please describe exactly what actions triggered the bug
and the precise symptoms of the bug:

I am not knowledgeable about this platform, but here Emacs has a
serious and dangerous bug.  When running as root (did not try as a
normal user) if one does:

M-x delete-file RET

Emacs deletes the current directory!  I suspect that this is not a
recursive deletion, rather I think that it simply unlinks it, leaving
all the files there but unreachable, because the operation is
instantaneous and the directory I lost was the whole Python source
tree, so it cannot have recursively deleted it in a few tenths of
a second.


Recent input:
ESC O A ESC O A ESC O A ESC O B ESC O A ESC O A ESC 
O A ESC O A C-g p w d RET m k d i r SPC a RET c d SPC 
a RET ESC x d e l e t e SPC f i SPC RET RET c d SPC 
. . RET ESC p ESC p ESC p RET c d SPC a RET > b RET 
l s RET ESC x ESC O A RET RET ESC x r e p o r t - e 
m TAB RET

Recent messages:
/usr/local/src 
call-interactively: Quit
repeat-complex-command: Quit
/usr/local/src/a 
/usr/local/src 
History item: 1
History item: 2
History item: 3
/usr/local/src/a 
Loading emacsbug...done


------- End of forwarded message -------


* Re: Dangerous: delete-file deletes current directory as root!!
  2002-10-11  4:41 [root@mailserver.adm.unipi.it: Dangerous: delete-file deletes current directory as root!!] Richard Stallman
@ 2002-10-11 19:32 ` Stefan Monnier
  2002-10-11 19:44   ` Kai Großjohann
                     ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Stefan Monnier @ 2002-10-11 19:32 UTC (permalink / raw)
  Cc: emacs-devel

> In GNU Emacs 21.2.1 (sparc-sun-solaris2.8, X toolkit)
[...]
> I am not knowledgeable about this platform, but here Emacs has a
> serious and dangerous bug.  When running as root (did not try as a
> normal user) if one does:
> 
> M-x delete-file RET
> 
> Emacs deletes the current directory!

Hmmm, the Single Unix Specification V2 says about unlink:

   The path argument must not name a directory unless the process
   has appropriate privileges and the implementation supports using
   unlink() on directories.

Now, I'm not sure what `delete-file' should do.  Should it mimic `unlink'
or should it first check that it is not called on a directory ?

Since the check would only be needed for `root' and since I don't
think that people should be running Emacs under root unless they really
mean it, I think the current code is fine.

Maybe we should pop up a warning message when Emacs is started
as root, reminding them that it can be dangerous ?


	Stefan


* Re: Dangerous: delete-file deletes current directory as root!!
  2002-10-11 19:32 ` Dangerous: delete-file deletes current directory as root!! Stefan Monnier
@ 2002-10-11 19:44   ` Kai Großjohann
  2002-10-11 23:56   ` Francesco Potorti`
  2002-10-12 15:45   ` Richard Stallman
  2 siblings, 0 replies; 8+ messages in thread
From: Kai Großjohann @ 2002-10-11 19:44 UTC (permalink / raw)


"Stefan Monnier" <monnier+gnu/emacs@rum.cs.yale.edu> writes:

> Now, I'm not sure what `delete-file' should do.  Should it mimic `unlink'
> or should it first check that it is not called on a directory ?

I think that it is counter-intuitive that delete-file deletes a
directory.  Even as root.  How about asking the user if the file is a
directory and the function is called interactively?

kai
-- 
~/.signature is: umop ap!sdn    (Frank Nobis)


* Re: Dangerous: delete-file deletes current directory as root!!
  2002-10-11 19:32 ` Dangerous: delete-file deletes current directory as root!! Stefan Monnier
  2002-10-11 19:44   ` Kai Großjohann
@ 2002-10-11 23:56   ` Francesco Potorti`
  2002-10-12 18:24     ` Stefan Monnier
  2002-10-12 15:45   ` Richard Stallman
  2 siblings, 1 reply; 8+ messages in thread
From: Francesco Potorti` @ 2002-10-11 23:56 UTC (permalink / raw)
  Cc: emacs-devel

> Now, I'm not sure what `delete-file' should do.  Should it mimic `unlink'
> or should it first check that it is not called on a directory ?

Definitely the second one.

While unlink(1) is a different command from rm(1), and is used only on
special occasions, delete-file is the only command used to remove a
file, and it should behave just like rm(1) does.  As an added benefit,
delete-file behaves just like rmdir(1), which is fine, as it is not
dangerous, since it acts on empty directories only.  But there is not
reason whatsoever why delete-file should behave like unlink(1).

> Since the check would only be needed for `root' and since I don't
> think that people should be running Emacs under root unless they really
> mean it, I think the current code is fine.

I really mean it, but that's not a reason why I should ruin my file
system by simply making a trivial mistake, that is:

M-x delete-file RET

or worse, as it happened to me:

M-x <up> RET

> Maybe we should pop up a warning message when Emacs is started
> as root, reminding them that it can be dangerous ?

It should be no more dangerous than running a shell as root.  In fact,
it is generally less dangerous, as Emacs usually does checks before
overwriting files and the like.  The way it behaves now on Sun, or at
least under that version of OS, is certainly more dangerous, for no
added benefit.


* Re: Dangerous: delete-file deletes current directory as root!!
  2002-10-11 19:32 ` Dangerous: delete-file deletes current directory as root!! Stefan Monnier
  2002-10-11 19:44   ` Kai Großjohann
  2002-10-11 23:56   ` Francesco Potorti`
@ 2002-10-12 15:45   ` Richard Stallman
  2 siblings, 0 replies; 8+ messages in thread
From: Richard Stallman @ 2002-10-12 15:45 UTC (permalink / raw)
  Cc: pot, emacs-devel

    Now, I'm not sure what `delete-file' should do.  Should it mimic `unlink'
    or should it first check that it is not called on a directory ?

I think delete-file should refuse to delete a directory.
That operation is very risky, and anyone who really wants to 
do it probably will do it from the shell.
I think if Emacs simply detects that it is a directory and
signals an error, it would be fine.

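The check described in the message above (detect that the target is a directory, signal an error, never reach unlink()), sketched in C as an added example; it is not code from Emacs or from anyone in this thread. `guarded_unlink` and `run_demo` are hypothetical names, and the temp-directory scenario is constructed.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper. Returns 0 on success, -1 with errno set on failure.
   lstat() is used so a symlink to a directory is removed as a link.
   The check and the unlink are two calls, so a concurrent rename can still
   race them; the guard targets operator mistakes, not hostile paths. */
int guarded_unlink(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return -1;   /* errno from lstat, e.g. ENOENT */
    if (S_ISDIR(st.st_mode)) {
        errno = EISDIR;                     /* same answer for root and non-root */
        return -1;
    }
    return unlink(path);
}

/* Constructed scenario in a fresh temp directory. Returns 0 if the guard
   behaved as intended, otherwise the number of the failing step. */
int run_demo(void)
{
    char base[] = "/tmp/guarded_unlink_XXXXXX";
    char dir[64], file[64], lnk[64];
    struct stat st;
    if (!mkdtemp(base)) return 1;
    snprintf(dir, sizeof dir, "%s/a", base);
    snprintf(file, sizeof file, "%s/b", base);
    snprintf(lnk, sizeof lnk, "%s/l", base);
    if (mkdir(dir, 0700) != 0) return 2;
    int fd = open(file, O_CREAT | O_WRONLY, 0600);
    if (fd < 0) return 3;
    close(fd);
    if (symlink(dir, lnk) != 0) return 4;
    if (guarded_unlink(dir) != -1 || errno != EISDIR) return 5;
    if (stat(dir, &st) != 0) return 6;          /* directory survived */
    if (guarded_unlink(file) != 0) return 7;    /* regular file removed */
    if (guarded_unlink(lnk) != 0) return 8;     /* link removed ... */
    if (stat(dir, &st) != 0) return 9;          /* ... target intact */
    rmdir(dir); rmdir(base);
    return 0;
}

int main(void) { printf("demo result: %d\n", run_demo()); return 0; }
```

Because the directory test runs before the system call, the result no longer depends on whether the platform lets a privileged process unlink() a directory.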

* Re: Dangerous: delete-file deletes current directory as root!!
  2002-10-11 23:56   ` Francesco Potorti`
@ 2002-10-12 18:24     ` Stefan Monnier
  2002-10-13 17:20       ` Francesco Potorti`
  2002-10-13 22:47       ` Richard Stallman
  0 siblings, 2 replies; 8+ messages in thread
From: Stefan Monnier @ 2002-10-12 18:24 UTC (permalink / raw)
  Cc: Stefan Monnier, emacs-devel

> > Now, I'm not sure what `delete-file' should do.  Should it mimic `unlink'
> > or should it first check that it is not called on a directory ?
> Definitely the second one.

Do you mean it for all cases, or only for interactive use ?

> > Since the check would only be needed for `root' and since I don't
> > think that people should be running Emacs under root unless they really
> > mean it, I think the current code is fine.
> 
> I really mean it, but that's not a reason why I should ruin my file
> system by simply making a trivial mistake, that is:
> 
> M-x delete-file RET
> 
> or worse, as it happened to me:
> 
> M-x <up> RET
> 
> > Maybe we should pop up a warning message when Emacs is started
> > as root, reminding them that it can be dangerous ?
> 
> It should be no more dangerous than running a shell as root.

You say "I really mean it" but obviously you're not aware of the dangers
since you think it's no more dangerous than running a shell.  You don't
realize the amount of code Emacs uses for the simplest operations
and how many hooks and tricks it provides, all of them designed for
the user's convenience but with very little thought given to the
security implications or to the case when the user is root (and
can thus do things that would normally fail, as in your case).

Most of Emacs' elisp code is written along the lines of "let's
take care of the expected case and we'll fix the other cases
when we bump into them".

All the shells I know have been written by people who do have
security and "user might be root" in mind at least some of the
time.  So it really cannot be compared.


	Stefan


* Re: Dangerous: delete-file deletes current directory as root!!
  2002-10-12 18:24     ` Stefan Monnier
@ 2002-10-13 17:20       ` Francesco Potorti`
  2002-10-13 22:47       ` Richard Stallman
  1 sibling, 0 replies; 8+ messages in thread
From: Francesco Potorti` @ 2002-10-13 17:20 UTC (permalink / raw)
  Cc: emacs-devel, Stefan Monnier

> > > Now, I'm not sure what `delete-file' should do.  Should it mimic `unlink'
> > > or should it first check that it is not called on a directory ?
> > Definitely the second one.
> 
> Do you mean it for all cases, or only for interactive use ?

I mean for all cases.  If we ever want to provide unlink(2) complete
functionality from inside Emacs (which I am not sure it is wise), we
should use a different function for that purpose.

> You say "I really mean it" but obviously you're not aware of the dangers
> since you think it's no more dangerous than running a shell.  You don't
> realize the amount of code Emacs uses for the simplest operations
> and how many hooks and tricks it provides, all of them designed for
> the user's convenience but with very little thought given to the
> security implications or to the case when the user is root (and
> can thus do things that would normally fail, as in your case).

I agree with what you say (also in the following, that I cut), but my
conclusions are different, based on experience.  For many years I have
run Emacs as root in a dedicated text console and in a dedicated X
frame, as I often do system management.  While I do not do almost
anything as root that I could do as a normal user, I happen to use Emacs
as root daily on GNU/Linux, and this is the first time I have used it on
Sun.  The only difference between the two environments should be the
kernel and library.

In practice, I found that Emacs on GNU/Linux protects me better than the
shell does, when I am acting as root.


* Re: Dangerous: delete-file deletes current directory as root!!
  2002-10-12 18:24     ` Stefan Monnier
  2002-10-13 17:20       ` Francesco Potorti`
@ 2002-10-13 22:47       ` Richard Stallman
  1 sibling, 0 replies; 8+ messages in thread
From: Richard Stallman @ 2002-10-13 22:47 UTC (permalink / raw)
  Cc: pot, monnier+gnu/emacs, emacs-devel

delete-file should never delete directories.
