From: Paul Eggert <eggert@cs.ucla.edu>
To: Eli Zaretskii <eliz@gnu.org>
Cc: p.stephani2@gmail.com, 27986@debbugs.gnu.org
Subject: bug#27986: 26.0.50; 'rename-file' can rename files without confirmation
Date: Wed, 16 Aug 2017 08:15:34 -0700 [thread overview]
Message-ID: <7f0c12f6-57eb-63b9-c296-e062cbf0710c@cs.ucla.edu> (raw)
In-Reply-To: <83valnfv9u.fsf@gnu.org>
Eli Zaretskii wrote:
> You are describing a situation where the attacker somehow knows what
> file/directory will be accessed_ahead_ of Emacs actually accessing
> it.
Sure, and this happens all the time. Emacs prepares a copy of a file with the
intent to rename the copy to the original atomically. The attacker will know
that this is what Emacs will do, by looking at the file system or the syscalls
Emacs issues before its code calls rename-file (e.g., Emacs will read the old
file). So I am not supposing any kind of superhuman attack.
I do take your point that interactive use is different. So, here is a proposed
change to the patch: if the ok-is-already-exists flag is an integer (which
suggests interactive use), and if the destination is not a directory name
(trailing "/") but happens to be an existing directory, then Emacs asks the user
if it is OK to rename to a subfile of the destination. This would allay most the
security concerns that I have, and I hope it would address most of the
backward-compatibility concerns that you have.
> I thought you were proposing to redirect the interactive commands to
> the new functions.
I was not proposing to redirect 'M-x rename-file' etc. They would continue to
use the old insecure behavior, for compatibility reasons.
> we cannot obsolete user commands.
Not immediately, no. But we can mark them as obsolescent and warn users about
their use, and remove them eventually.
This issue of obsolescence is moot, though, if you agree with the above
suggestion about ok-if-already-exists.
> if people want secure code,
> they _will_ use the more secure variants
Emacs is a relatively large and complex system, and we cannot expect users to be
familiar with every detail. Emacs should have safe defaults, not unsafe ones.
The situation with "mv" was different, as POSIX and longstanding documentation
required the unsafe behavior and many scripts relied on it. In contrast, the
Emacs documentation is thoroughly muddled and contradictory in this area, and
code using rename-file etc. would more likely benefit from the proposed change
(because of improved security) than be hurt by it (by loss of backward
compatibility with poorly-documented and insecure behavior).
next prev parent reply other threads:[~2017-08-16 15:15 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-06 15:40 bug#27986: 26.0.50; `rename-file' can rename files without confirmation Philipp
2017-08-06 17:05 ` Eli Zaretskii
2017-08-14 17:09 ` Philipp Stephani
2017-08-14 17:22 ` Eli Zaretskii
2017-08-11 8:15 ` bug#27986: 26.0.50; 'rename-file' " Paul Eggert
2017-08-13 22:42 ` Paul Eggert
2017-08-14 15:40 ` Eli Zaretskii
2017-08-14 23:31 ` Paul Eggert
2017-08-15 16:04 ` Eli Zaretskii
2017-08-15 17:24 ` Paul Eggert
2017-08-15 17:42 ` Eli Zaretskii
2017-08-15 19:27 ` Paul Eggert
2017-08-16 2:36 ` Eli Zaretskii
2017-08-16 5:06 ` Paul Eggert
2017-08-16 14:21 ` Eli Zaretskii
2017-08-16 15:15 ` Paul Eggert [this message]
2017-08-16 16:06 ` Eli Zaretskii
2017-08-16 17:19 ` Paul Eggert
2017-08-16 17:30 ` Eli Zaretskii
2017-08-16 18:06 ` Glenn Morris
2017-08-16 22:31 ` Stefan Monnier
2017-08-16 23:56 ` Paul Eggert
2017-08-17 0:04 ` Stefan Monnier
2017-08-19 6:54 ` Eli Zaretskii
2017-09-10 22:49 ` Paul Eggert
2017-09-11 6:07 ` Paul Eggert
2017-09-11 14:47 ` Eli Zaretskii
2017-09-11 16:45 ` Paul Eggert
2017-09-11 17:09 ` Eli Zaretskii
2017-09-11 17:25 ` Paul Eggert
2017-09-12 9:25 ` Michael Albinus
2017-08-13 23:48 ` Paul Eggert
2017-08-14 13:44 ` Ken Brown
2017-08-14 15:21 ` Eli Zaretskii
2017-08-14 15:34 ` Eli Zaretskii
2017-08-14 16:33 ` Eli Zaretskii
2017-08-14 16:58 ` Philipp Stephani
2017-08-14 17:04 ` Eli Zaretskii
2017-08-14 16:50 ` Philipp Stephani
2017-08-14 23:03 ` Paul Eggert
2017-08-15 1:19 ` Paul Eggert
2017-08-15 2:35 ` Eli Zaretskii
2017-08-15 7:00 ` Paul Eggert
2017-08-15 16:08 ` Eli Zaretskii
2017-08-16 19:33 ` Ken Brown
2017-08-19 21:30 ` Ken Brown
2017-08-19 21:37 ` Paul Eggert
2017-08-19 22:04 ` Ken Brown
2017-08-19 22:38 ` Paul Eggert
2017-08-15 12:45 ` Andy Moreton
2017-08-15 16:18 ` Eli Zaretskii
2017-08-19 21:33 ` bug#27986: 26.0.50; 'rename-file' can rename files without Richard Stallman
2017-08-20 2:37 ` Eli Zaretskii
2017-08-25 20:33 ` John Wiegley
2017-08-26 7:30 ` Eli Zaretskii
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7f0c12f6-57eb-63b9-c296-e062cbf0710c@cs.ucla.edu \
--to=eggert@cs.ucla.edu \
--cc=27986@debbugs.gnu.org \
--cc=eliz@gnu.org \
--cc=p.stephani2@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.