From: Paul Eggert
Newsgroups: gmane.emacs.devel
Subject: Re: master 739593d 3/5: Make gnus-copy-file act like copy-file etc.
Date: Thu, 14 Sep 2017 21:04:16 -0700
Organization: UCLA Computer Science Department
Message-ID: <31d79f93-2b0d-f465-72bb-88ce4532c7ee@cs.ucla.edu>
In-Reply-To: <83o9qdm8hc.fsf@gnu.org>
To: Eli Zaretskii
Cc: monnier@iro.umontreal.ca, emacs-devel@gnu.org

Eli Zaretskii wrote:
> no bot or person can reasonably
> know in advance what file or directory the user will copy/rename.

Sure they can. Here's a scenario off the top of my head.
A sysadmin uses Emacs to examine files, and has the bad (but all-too-common) habit of copying files to /tmp and examining the copies so that he doesn't mistakenly change the originals. A malicious user asks the sysadmin to take a look at "problems" in the user's ~/.ssh/known_hosts file. The sysadmin does this:

M-x copy-file RET ~malicious/.ssh/known_hosts RET /tmp/known_hosts RET

but it doesn't seem to work (there's no file in /tmp afterwards), so the tired sysadmin figures he mistyped the command, does the copy-file again and this time it works so he diagnoses the "problems". Because of the Emacs security bug with destination directories, the malicious user has now taken over the sysadmin's personal and private known_hosts file.

The scenario works partly because the attacker knows the habits of the victim. Such habits are often easy to discover.

One possible solution to all this is to tell one's sysadmins "Do not use Emacs: it has too many security holes". But I'm fond of Emacs, and would rather that sysadmins could trust it to do their work.