From: Paul Eggert
Newsgroups: gmane.emacs.bugs
Subject: bug#27986: 26.0.50; 'rename-file' can rename files without confirmation
Date: Wed, 16 Aug 2017 08:15:34 -0700
Organization: UCLA Computer Science Department
Message-ID: <7f0c12f6-57eb-63b9-c296-e062cbf0710c@cs.ucla.edu>
In-Reply-To: <83valnfv9u.fsf@gnu.org>
To: Eli Zaretskii
Cc: p.stephani2@gmail.com, 27986@debbugs.gnu.org
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security

Eli Zaretskii wrote:
> You are describing a situation where the attacker somehow knows what
> file/directory will be accessed _ahead_ of Emacs actually accessing
> it.

Sure, and this happens all the time. Emacs prepares a copy of a file with the intent to rename the copy to the original atomically. The attacker will know that this is what Emacs will do, by looking at the file system or the syscalls Emacs issues before its code calls rename-file (e.g., Emacs will read the old file). So I am not supposing any kind of superhuman attack.

I do take your point that interactive use is different. So, here is a proposed change to the patch: if the ok-if-already-exists flag is an integer (which suggests interactive use), and if the destination is not a directory name (trailing "/") but happens to be an existing directory, then Emacs asks the user if it is OK to rename to a subfile of the destination.
This would allay most of the security concerns that I have, and I hope it would address most of the backward-compatibility concerns that you have.

> I thought you were proposing to redirect the interactive commands to
> the new functions.

I was not proposing to redirect 'M-x rename-file' etc. They would continue to use the old insecure behavior, for compatibility reasons.

> we cannot obsolete user commands.

Not immediately, no. But we can mark them as obsolescent and warn users about their use, and remove them eventually. This issue of obsolescence is moot, though, if you agree with the above suggestion about ok-if-already-exists.

> if people want secure code,
> they _will_ use the more secure variants

Emacs is a relatively large and complex system, and we cannot expect users to be familiar with every detail. Emacs should have safe defaults, not unsafe ones.

The situation with "mv" was different, as POSIX and longstanding documentation required the unsafe behavior and many scripts relied on it. In contrast, the Emacs documentation is thoroughly muddled and contradictory in this area, and code using rename-file etc. would more likely benefit from the proposed change (because of improved security) than be hurt by it (by loss of backward compatibility with poorly-documented and insecure behavior).
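An added illustration, not code from this thread or from Emacs, written in Python rather than Emacs Lisp so it runs stand-alone: it contrasts the old mv-like rename semantics with the check proposed above (a destination that is not spelled as a directory name but has become a directory is refused, or, with an integer ok-if-already-exists and a prompt, confirmed), and simulates the race Paul describes by swapping the original for a directory before the rename. The function names and the None/int/other modelling of the Emacs argument are this example's assumptions.

```python
import os
import tempfile

def is_directory_name(name):
    # Emacs convention: a trailing separator means the caller named a directory.
    return name.endswith(os.sep)

def legacy_rename_file(src, dst):
    # Old rename-file / mv semantics: an existing directory destination means
    # "move src into it", even though the caller never asked for a directory.
    if os.path.isdir(dst):
        dst = os.path.join(dst, os.path.basename(src))
    os.replace(src, dst)
    return dst

def safe_rename_file(src, dst, ok_if_already_exists=None, confirm=None):
    # Proposed semantics (assumed modelling of the Emacs argument): None/False
    # refuses to clobber, an int (interactive prefix) asks via confirm(),
    # any other truthy value overwrites an existing regular file silently.
    interactive = isinstance(ok_if_already_exists, int) and not isinstance(ok_if_already_exists, bool)
    if is_directory_name(dst):
        dst = os.path.join(dst, os.path.basename(src))
    elif os.path.isdir(dst):
        # Not named as a directory, yet a directory is there now: the state a
        # racing attacker leaves behind. Only an explicit interactive yes proceeds.
        if interactive and confirm and confirm(f"{dst} is a directory; rename into it?"):
            dst = os.path.join(dst, os.path.basename(src))
        else:
            raise IsADirectoryError(f"refusing to rename {src} into directory {dst}")
    if os.path.lexists(dst):
        if not ok_if_already_exists:
            raise FileExistsError(dst)
        if interactive and confirm and not confirm(f"overwrite {dst}?"):
            raise FileExistsError(dst)
    os.replace(src, dst)  # atomic replacement of a regular file
    return dst

def demo(rename):
    # Constructed scenario: the temp copy is written, then the original is
    # replaced by a directory before rename() runs. Returns
    # (outcome, original still a directory?, copy ended up inside it?).
    with tempfile.TemporaryDirectory() as top:
        orig = os.path.join(top, "orig")
        copy = orig + "#tmp"
        with open(copy, "w") as fh:
            fh.write("new contents")
        os.mkdir(orig)  # the attacker's swap
        try:
            rename(copy, orig)
            outcome = "renamed"
        except IsADirectoryError:
            outcome = "refused"
        return outcome, os.path.isdir(orig), os.path.exists(os.path.join(orig, "orig#tmp"))
```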