From: Davis Herring
Newsgroups: gmane.emacs.devel
Subject: Re: The `risky-local-variable' blacklist
Date: Tue, 31 Aug 2004 17:07:02 -0600 (MDT)
To: Richard Stallman
Cc: emacs-devel@gnu.org

> The problem with the change you've proposed is that we'd have to go
> through and find check nearly all the variables in Emacs, and mark
> most of them as ok to change.  That is a lot of work.

I believe that few variables are really useful to set locally; that's why I gave the list from the Emacs lisp/ directory.  There is no need, for instance, to give a per-file value to `abbrev-all-caps', nor `blink-cursor', `c-default-style', `c-tab-always-indent', `christian-holidays', `comint-highlight-input' (to what file would this even apply?), `comment-auto-fill-only-comments', `compilation-ask-about-save', `confirm-kill-emacs', `crisp-mode', `delete-exited-processes', `ediff-make-buffers-readonly-at-startup', `eol-mnemonic-mac', `executable-chmod', nor many others (I obviously was looking alphabetically).

In summary, in my Emacs (21.3.1) "emacs -q --no-site-file" yields only 498 non-risky user variables (as tested by `user-variable-p', `boundp', and `risky-local-variable-p'), 48 of which are "-mode$" variables that (according to the manual) should almost never be set by a file.  It is not unreasonable to mark the most useful of these (and of those in the regular-file major-mode lisp files, of which there are relatively few) `safe'; `files.el' already marks nearly 50 `risky'.  If any truly useful ones were missed, they would be quickly noticed and easily accounted for.

I did say (sincerely) that I was willing to undertake the tedium associated with this, including (perhaps) an easy way to report (to me, say) a variable as obviously safe when a prompt is perceived as unneeded.  While the probability of Emacs exploits this way is fairly small, the resulting damage (to, among other things, people's opinions of Emacs) would be notable, and none of us want to see that happen.

> The default is already no for the kinds of variable names
> that are typically used for dangerous variables, those that
> hold commands, function names, expressions, etc.  Given that
> Emacs users don't regularly get files in the mail and give
> their local variables a chance to run, I don't think we have
> enough of a danger to justify all that work.

(Note of course my offer of work above; notwithstanding that:) It may not be, but some of the suggestions would still be useful (like making `normal-mode' not override the user's preference; this would never do worse than cause a re-prompting, which would be resolved by your suggestion below).

>     * Do not make `compile-command' safe;
>
> This is a commonly used feature.  Simply eliminating it would make
> users quite unhappy.

I am not advocating eliminating anything; Emacs would always -allow- the user to use such features.  It would simply no longer -assume- that such requests were safe except in very specific circumstances (variables blessed as safe, such as `tab-width').

> Here's an idea that might do the job and be acceptable.  Each time
> Emacs sees a variable/value combination that is new for the current
> user, it asks the user to confirm that combination.  Any given
> combination only needs to be confirmed once by any given user.  This
> could reduce the repetitive nuisance down to the point where people
> will (1) accept the burden and (2) not zone out when they see the
> questions.
>
> What do you think?

That sounds like it would work, but it also sounds like a lot of overhead (and more user-data to keep up with in one dot-file or another); since users could of course put `safe-local-variable' declarations into their .emacs, it might not be necessary.  Combined with the arbitrary filter feature (where the `safe-local-variable' property stores a check-function through which to run the file's value for the variable) and a simple interface (like that provided for disabled commands), my original suggestion would be almost entirely equivalent.

>     Also, the protection versus honoring `eval' settings when root does little
>     good since it does not apply in other cases; anyone interested in rooting
>     via Emacs surely knows this.
>
> Sorry, I do not follow you here.

When emacs has UID 0, it will not evaluate `eval' "local variable settings" at all.  However, since (my claim is that) setting true variables with no "security properties" (neither `risky-local-variable' nor `safe-local-variable' set) is also dangerous, this protection is incomplete.  Anyone wishing to use Emacs to exploit a root account would be unlikely to use something obvious like `eval' anyway.

>     * Do not use `enable-local-eval' as a local flag to prevent dangerous bugs
>     in its handling;
>
> Why not?

Er, perhaps I miswrote.  I meant "Do not use `enable-local-eval' as a dynamically-bound flag as well as a global user-option because that risks confusion and bugs with a rather important variable."  However, this is not at all the most important suggestion: the amount of code dealing with that variable is small and easily audited.  The dual use just confused me when I first read the code, and I imagine it might confuse someone changing it as well.

Davis Herring

-- 
This product is sold by volume, not by mass.  If it seems too dense or
too sparse, it means mass-energy conversion has occurred during
shipping.
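The check-function idea discussed in the message (a `safe-local-variable' property holding a predicate that the file's value must pass, with everything unblessed falling through to a prompt) can be sketched as a small classifier. This is an added example written for this page, not code from the thread or from Emacs itself; it assumes Emacs 22 or later, where `safe-local-variable' properties are predicates and `risky-local-variable-p' accepts a symbol and value, and the variable `my-unblessed-setting' is a constructed placeholder.

```elisp
;; Added example: classify file-local (SYMBOL . VALUE) pairs as the thread
;; proposes: `safe' only when a blessed predicate accepts the value,
;; `risky' when Emacs already flags the name, and `ask' for everything
;; else, so a variable with no security property never silently wins.

(require 'files)

;; Bless `tab-width' (named as "safe" in the thread) with a value check
;; instead of a blanket exemption: only a small positive integer passes.
(put 'tab-width 'safe-local-variable
     (lambda (v) (and (integerp v) (> v 0) (<= v 32))))

(defun my-classify-local-variable (sym val)
  "Return `safe', `risky', or `ask' for a file setting SYM to VAL."
  (cond
   ;; `eval' forms and name-pattern/property-flagged variables are risky.
   ((or (eq sym 'eval) (risky-local-variable-p sym val)) 'risky)
   ;; Run the file's value through the declared check-function, if any.
   ((let ((pred (get sym 'safe-local-variable)))
      (and (functionp pred) (funcall pred val)))
    'safe)
   ;; No property either way: the user must confirm, as the thread argues.
   (t 'ask)))

(defun my-classify-local-variables (alist)
  "Map each (SYM . VAL) in ALIST to (SYM . CLASS) using the rules above."
  (mapcar (lambda (cell)
            (cons (car cell)
                  (my-classify-local-variable (car cell) (cdr cell))))
          alist))

;; Constructed sample resembling a file's "Local Variables:" block.
;; `my-unblessed-setting' is a placeholder with no security property.
(my-classify-local-variables
 '((tab-width . 4)                  ; passes the predicate
   (tab-width . 400)                ; fails the predicate, so prompt
   (mode-line-format . "pwned")     ; files.el marks this risky
   (find-file-hook . (lambda ()))   ; "-hook$" name pattern is risky
   (eval . (message "hi"))          ; always risky
   (my-unblessed-setting . t)))     ; neither property: prompt
```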