unofficial mirror of emacs-devel@gnu.org 
From: Davis Herring <herring@lanl.gov>
Cc: emacs-devel@gnu.org
Subject: Re: The `risky-local-variable' blacklist
Date: Tue, 31 Aug 2004 17:07:02 -0600 (MDT)
Message-ID: <Pine.LNX.4.44.0408311622260.31548-100000@x-mail.lanl.gov>
In-Reply-To: <E1C2GmN-0007im-Ek@fencepost.gnu.org>

> The problem with the change you've proposed is that we'd have to go
> through and check nearly all the variables in Emacs, and mark
> most of them as ok to change.  That is a lot of work.

I believe that few variables are really useful to set locally; that's why
I gave the list from the Emacs lisp/ directory.  There is no need, for
instance, to give a per-file value to `abbrev-all-caps', nor
`blink-cursor', `c-default-style', `c-tab-always-indent',
`christian-holidays', `comint-highlight-input' (to what file would this
even apply?), `comment-auto-fill-only-comments',
`compilation-ask-about-save', `confirm-kill-emacs', `crisp-mode',
`delete-exited-processes', `ediff-make-buffers-readonly-at-startup',
`eol-mnemonic-mac', `executable-chmod', nor many others (I obviously was
looking alphabetically).

In summary, in my Emacs (21.3.1) "emacs -q --no-site-file" yields only 498
non-risky user variables (as tested by `user-variable-p', `boundp', and
`risky-local-variable-p'), 48 of which are "-mode$" variables that
(according to the manual) should almost never be set by a file.  It is not
unreasonable to mark the most useful of these (and of those in the
regular-file major-mode lisp files, of which there are relatively few)  
`safe'; `files.el' already marks nearly 50 `risky'.  If any truly useful
ones were missed, they would be quickly noticed and easily accounted for.

I did say (sincerely) that I was willing to undertake the tedium
associated with this, including (perhaps) an easy way to report (to me,
say) a variable as obviously safe when a prompt is perceived as unneeded.  
While the probability of Emacs exploits this way is fairly small, the
resulting damage (to, among other things, people's opinions of Emacs)
would be notable, and none of us want to see that happen.

> The default is already no for the kinds of variable names
> that are typically used for dangerous variables, those that
> hold commands, function names, expressions, etc.  Given that
> Emacs users don't regularly get files in the mail and give
> their local variables a chance to run, I don't think we have
> enough of a danger to justify all that work.

(Note of course my offer of work above; notwithstanding that:) It may not
be, but some of the suggestions would still be useful (like making
`normal-mode' not override the user's preference; this would never do
worse than cause a re-prompting, which would be resolved by your
suggestion below).

>     * Do not make `compile-command' safe;
> 
> This is a commonly used feature.  Simply eliminating it would make
> users quite unhappy.

I am not advocating eliminating anything; Emacs would always -allow- the 
user to use such features.  It would simply no longer -assume- that such 
requests were safe except in very specific circumstances (variables 
blessed as safe, such as `tab-width').

> Here's an idea that might do the job and be acceptable.  Each time
> Emacs sees a variable/value combination that is new for the current
> user, it asks the user to confirm that combination.  Any given
> combination only needs to be confirmed once by any given user.  This
> could reduce the repetitive nuisance down to the point where people
> will (1) accept the burden and (2) not zone out when they see the
> questions.
>
> What do you think?

That sounds like it would work, but it also sounds like a lot of overhead 
(and more user-data to keep up with in one dot-file or another); since 
users could of course put `safe-local-variable' declarations into their 
.emacs, it might not be necessary.  Combined with the arbitrary filter 
feature (where the `safe-local-variable' property stores a check-function 
through which to run the file's value for the variable) and a simple 
interface (like that provided for disabled commands), my original 
suggestion would be almost entirely equivalent.

>     Also, the protection versus honoring `eval' settings when root does little 
>     good since it does not apply in other cases; anyone interested in rooting 
>     via Emacs surely knows this.
> 
> Sorry, I do not follow you here.

When emacs has UID 0, it will not evaluate `eval' "local variable 
settings" at all.  However, since (my claim is that) setting true 
variables with no "security properties" (neither `risky-local-variable' 
nor `safe-local-variable' set) is also dangerous, this protection is 
incomplete.  Anyone wishing to use Emacs to exploit a root account would 
be unlikely to use something obvious like `eval' anyway.

>     * Do not use `enable-local-eval' as a local flag to prevent dangerous bugs 
>     in its handling;
> 
> Why not?

Er, perhaps I miswrote.  I meant "Do not use `enable-local-eval' as a
dynamically-bound flag as well as a global user-option because that risks
confusion and bugs with a rather important variable."  However, this is
not at all the most important suggestion: the amount of code dealing with
that variable is small and easily audited.  The dual use just confused me
when I first read the code, and I imagine it might confuse someone
changing it as well.

Davis Herring

-- 
This product is sold by volume, not by mass.  If it seems too dense or too 
sparse, it means mass-energy conversion has occurred during shipping.
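The three mechanisms argued over in this message, as an added example that is not part of the message or of Emacs's own code: the census of user options by safety marking (the kind of count behind the 498 figure above), a check-function stored in the `safe-local-variable' property, and the per-(variable . value) memory that the quoted suggestion proposes, which current Emacs keeps in `safe-local-variable-values'. It assumes GNU Emacs 27 or later: `custom-variable-p' stands in for the `user-variable-p' the message used, which has since been made obsolete, and `risky-local-variable-p' takes the symbol alone. Every `dh-' name and the sample file body are constructed for the example.

```elisp
;;; dh-local-var-audit.el --- added example, not code from the message or Emacs
;;
;; Assumes GNU Emacs 27 or later.  Run with:
;;   emacs -Q --batch -l dh-local-var-audit.el
;; Every `dh-' name and the sample file body below are constructed for this
;; example; `custom-variable-p' stands in for the obsolete `user-variable-p'.

(require 'cl-lib)

;;; 1. Census: how are bound user options marked for file-local use?

(defun dh-audit-local-variables ()
  "Count bound user options by their file-local safety marking.
Return an alist with keys `risky', `safe', `unmarked' and `mode';
`mode' is the subset of `unmarked' whose name ends in \"-mode\"."
  (let ((risky 0) (safe 0) (unmarked 0) (mode 0))
    (mapatoms
     (lambda (sym)
       (when (and (boundp sym) (custom-variable-p sym))
         (cond ((risky-local-variable-p sym) (cl-incf risky))
               ((functionp (get sym 'safe-local-variable)) (cl-incf safe))
               (t (cl-incf unmarked)
                  (when (string-match-p "-mode\\'" (symbol-name sym))
                    (cl-incf mode)))))))
    (list (cons 'risky risky) (cons 'safe safe)
          (cons 'unmarked unmarked) (cons 'mode mode))))

;;; 2. Three constructed options, one per category.

(defvar dh-example-width 4
  "Harmless as long as it is a small positive integer.")
;; A check-function as the `safe-local-variable' property: the file's value
;; is accepted only if the predicate returns non-nil on it.
(put 'dh-example-width 'safe-local-variable
     (lambda (v) (and (integerp v) (< 0 v 64))))

(defvar dh-example-label nil
  "No property at all: neither risky nor vetted, so it needs confirmation.")

(defvar dh-example-command nil
  "Risky by name alone: `risky-local-variable-p' matches the -command suffix.")

;;; 3. A constructed file body with a Local Variables block.

(defconst dh-sample-file "Some text.

;; Local Variables:
;; dh-example-width: 8
;; dh-example-label: \"draft\"
;; dh-example-command: \"rm -rf ~\"
;; End:
")

(defun dh-apply-sample (policy)
  "Apply the sample file's local variables under `enable-local-variables' POLICY.
Return (WIDTH LABEL COMMAND) as seen in the buffer afterwards."
  (with-temp-buffer
    (insert dh-sample-file)
    (let ((enable-local-variables policy)
          ;; Keep any real .dir-locals.el in the working directory out of it.
          (enable-dir-local-variables nil))
      (hack-local-variables))
    (list dh-example-width dh-example-label dh-example-command)))

(defun dh-demo ()
  "Print the census and show which of the three values survive each policy."
  (message "census: %S" (dh-audit-local-variables))
  (message "predicate accepts 8: %S"
           (safe-local-variable-p 'dh-example-width 8))
  (message "predicate rejects a form: %S"
           (safe-local-variable-p 'dh-example-width '(shell-command "true")))
  (message "-command suffix is risky: %S"
           (risky-local-variable-p 'dh-example-command))
  ;; :safe applies vetted values and silently drops the rest, so no
  ;; confirmation prompt can fire in batch mode.
  (message "under :safe: %S" (dh-apply-sample :safe))
  ;; Remembering one (variable . value) pair, as the quoted suggestion
  ;; proposes, is what `safe-local-variable-values' holds in current Emacs;
  ;; here it is let-bound instead of saved to the user's customizations.
  (let ((safe-local-variable-values '((dh-example-label . "draft"))))
    (message "under :safe with the pair remembered: %S"
             (dh-apply-sample :safe))))

(dh-demo)
```

Under :safe only `dh-example-width' is set, because its predicate vetted the value 8; the unmarked string option is dropped without any prompt until its exact pair is remembered, and the -command option is refused on its name alone, property or not. The census counts will not match the 498 of 2004, since files.el has since given far more options a predicate; the "safe" plus "unmarked" figures together are what the message calls non-risky.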


Thread overview: 11+ messages
2004-08-31  2:13 The `risky-local-variable' blacklist Davis Herring
2004-08-31 14:01 ` Stefan
2004-08-31 21:42   ` Davis Herring
2004-08-31 22:43     ` Stefan
2004-08-31 23:18       ` Davis Herring
2004-08-31 22:07 ` Richard Stallman
2004-08-31 23:07   ` Davis Herring [this message]
2004-09-01 19:24     ` Richard Stallman
2004-09-01  7:11   ` Kim F. Storm
2004-09-01 14:36     ` Stefan Monnier
2004-09-02  4:53     ` Richard Stallman
