* bug#4197: 23.1; error when try to run `server-start': directory .emacs.d/server is unsafe
@ 2009-08-19 3:25 Drew Adams
2009-08-21 9:24 ` Eli Zaretskii
0 siblings, 1 reply; 20+ messages in thread
From: Drew Adams @ 2009-08-19 3:25 UTC (permalink / raw)
To: bug-gnu-emacs
In the Emacs bin directory:
.\cmdproxy.exe
At the cmd prompt:
.\runemacs.exe -Q
In *scratch* buffer, eval this: (server-start)
Debugger entered--Lisp error: (error "The directory c:/.emacs.d/server is
unsafe")
signal(error ("The directory c:/.emacs.d/server is unsafe"))
error("The directory %s is unsafe" "c:/.emacs.d/server")
server-ensure-safe-dir("c:/.emacs.d/server/")
server-start()
eval((server-start))
eval-last-sexp-1(nil)
eval-last-sexp(nil)
call-interactively(eval-last-sexp nil nil)
In GNU Emacs 23.1.1 (i386-mingw-nt5.1.2600)
of 2009-07-29 on SOFT-MJASON
Windowing system distributor `Microsoft Corp.', version 5.1.2600
configured using `configure --with-gcc (4.4)'
^ permalink raw reply [flat|nested] 20+ messages in thread
* bug#4197: 23.1; error when try to run `server-start': directory .emacs.d/server is unsafe
2009-08-19 3:25 bug#4197: 23.1; error when try to run `server-start': directory .emacs.d/server is unsafe Drew Adams
@ 2009-08-21 9:24 ` Eli Zaretskii
2009-08-21 14:30 ` Drew Adams
0 siblings, 1 reply; 20+ messages in thread
From: Eli Zaretskii @ 2009-08-21 9:24 UTC (permalink / raw)
To: Drew Adams, 4197
merge 865 4197
> From: "Drew Adams" <drew.adams@oracle.com>
> Date: Tue, 18 Aug 2009 20:25:25 -0700
> Cc:
>
> In the Emacs bin directory:
>
> .\cmdproxy.exe
>
> At the cmd prompt:
>
> .\runemacs.exe -Q
>
> In *scratch* buffer, eval this: (server-start)
>
> Debugger entered--Lisp error: (error "The directory c:/.emacs.d/server is
> unsafe")
> signal(error ("The directory c:/.emacs.d/server is unsafe"))
> error("The directory %s is unsafe" "c:/.emacs.d/server")
> server-ensure-safe-dir("c:/.emacs.d/server/")
> server-start()
> eval((server-start))
> eval-last-sexp-1(nil)
> eval-last-sexp(nil)
> call-interactively(eval-last-sexp nil nil)
I think this is the same as bug #865; merged.
What do the following three expression evaluate to, in the Emacs session
that signals this error?
(user-uid)
(file-attributes "c:/.emacs.d/server/" 'integer)
(file-attributes "c:/.emacs.d/server/" 'string)
Finally, does it help to set w32-get-true-file-attributes to nil?
^ permalink raw reply [flat|nested] 20+ messages in thread
* bug#4197: 23.1; error when try to run `server-start': directory .emacs.d/server is unsafe
2009-08-21 9:24 ` Eli Zaretskii
@ 2009-08-21 14:30 ` Drew Adams
2009-08-21 17:43 ` Eli Zaretskii
0 siblings, 1 reply; 20+ messages in thread
From: Drew Adams @ 2009-08-21 14:30 UTC (permalink / raw)
To: 'Eli Zaretskii', 4197
> I think this is the same as bug #865; merged.
> What do the following three expression evaluate to, in the
> Emacs session that signals this error?
>
> (user-uid)
19729
> (file-attributes "c:/.emacs.d/server/" 'integer)
(t 1 0 0 (18967 40688) (18657 6612) (18657 6611) 0
"drwxrwxrwx" t (572354 . 24704) 240391127)
> (file-attributes "c:/.emacs.d/server/" 'string)
(t 1 "Everyone" "Everyone" (18967 40688) (18657 6612)
(18657 6611) 0 "drwxrwxrwx" t (572354 . 24704) 240391127)
> Finally, does it help to set w32-get-true-file-attributes to nil?
Yes! Thanks for your prompt reply.
If this is the same as #865, then I guess it is pretty old. Dunno whether my
laptop configuration (Windows XP SP3, with FAT32 drive) is atypical or not.
If not, until the bug is fixed you might consider changing the default value to
nil, since this stops users with a similar config from using emacsclient at all
(out of the box, emacs -Q). Unless they know about the workaround, that is.
Without your help, I never would have guessed it. I don't even understand the
error message, "The directory is unsafe" - maybe that message could refer me to
a manual section explaining unsafe directories?
Anyway, thanks for the workaround.
^ permalink raw reply [flat|nested] 20+ messages in thread
* bug#4197: 23.1; error when try to run `server-start': directory .emacs.d/server is unsafe
2009-08-21 14:30 ` Drew Adams
@ 2009-08-21 17:43 ` Eli Zaretskii
2009-08-21 18:12 ` Drew Adams
0 siblings, 1 reply; 20+ messages in thread
From: Eli Zaretskii @ 2009-08-21 17:43 UTC (permalink / raw)
To: Drew Adams; +Cc: 4197
> From: "Drew Adams" <drew.adams@oracle.com>
> Cc: "'Lennart Borgman'" <lennart.borgman@gmail.com>
> Date: Fri, 21 Aug 2009 07:30:11 -0700
>
> > I think this is the same as bug #865; merged.
> > What do the following three expression evaluate to, in the
> > Emacs session that signals this error?
> >
> > (user-uid)
>
> 19729
>
> > (file-attributes "c:/.emacs.d/server/" 'integer)
>
> (t 1 0 0 (18967 40688) (18657 6612) (18657 6611) 0
> "drwxrwxrwx" t (572354 . 24704) 240391127)
>
> > (file-attributes "c:/.emacs.d/server/" 'string)
>
> (t 1 "Everyone" "Everyone" (18967 40688) (18657 6612)
> (18657 6611) 0 "drwxrwxrwx" t (572354 . 24704) 240391127)
Ah! a FAT32 filesystem!
> If this is the same as #865, then I guess it is pretty old.
It's been on my TODO forever to fix this, and I even wrote some code
towards that goal. But the problem is not easy to crack, since
Windows sometimes attribute files not to the user who created them,
but to the Administrators group instead, and that doesn't go well with
the Posix-at-heart code which triggers this error. Eventually, we
will need to add more code to file-attributes and to make-directory,
so that Emacs could create really private directories on Windows.
> Dunno whether my
> laptop configuration (Windows XP SP3, with FAT32 drive) is atypical or not.
It's the FAT32 thing that trips you. It doesn't support Windows
native security features, so every file is attributed to Everyone
(user-id of zero). emacsclient wants to be sure the directory where
it places its socket file cannot be written to by any other user, but
the fact its owner is Everyone, not you, tells emacsclient that the
directory isn't private.
Can you perhaps convert the drive to NTFS?
> If not, until the bug is fixed you might consider changing the default value to
> nil, since this stops users with a similar config from using emacsclient at all
> (out of the box, emacs -Q). Unless they know about the workaround, that is.
We never heard about the problem until now, since Emacs 23 was
released (the original bug was reported long ago, when Emacs 23 was
still in development). So it seems the problem is not too frequent:
the number of people who use emacsclient on a FAT32 volume or that
belong to the local Administrators group is apparently low enough for
this gotcha not to hit too frequently.
> Without your help, I never would have guessed it. I don't even understand the
> error message, "The directory is unsafe" - maybe that message could refer me to
> a manual section explaining unsafe directories?
I will add this to PROBLEMS, and look into modifying the message. I
think the message text is not very clear even on Unix. Thanks for
pointing this out.
^ permalink raw reply [flat|nested] 20+ messages in thread
* bug#4197: 23.1; error when try to run `server-start': directory .emacs.d/server is unsafe
2009-08-21 17:43 ` Eli Zaretskii
@ 2009-08-21 18:12 ` Drew Adams
2009-08-21 18:28 ` Eli Zaretskii
2009-08-22 4:49 ` Stefan Monnier
0 siblings, 2 replies; 20+ messages in thread
From: Drew Adams @ 2009-08-21 18:12 UTC (permalink / raw)
To: 'Eli Zaretskii'; +Cc: 4197
> Ah! a FAT32 filesystem!
You sound surprised. That's really not uncommon. ;-) Might even be more common
than NTFS.
> > If this is the same as #865, then I guess it is pretty old.
>
> It's been on my TODO forever to fix this, and I even wrote some code
> towards that goal. But the problem is not easy to crack, since
> Windows sometimes attribute files not to the user who created them,
> but to the Administrators group instead, and that doesn't go well with
> the Posix-at-heart code which triggers this error. Eventually, we
> will need to add more code to file-attributes and to make-directory,
> so that Emacs could create really private directories on Windows.
>
> > Dunno whether my laptop configuration (Windows XP SP3,
> > with FAT32 drive) is atypical or not.
>
> It's the FAT32 thing that trips you. It doesn't support Windows
> native security features, so every file is attributed to Everyone
> (user-id of zero).
OK, but FAT32 is very common. I wonder about the default for the variable being
non-nil, even after the bug is fixed, but especially before then.
> emacsclient wants to be sure the directory where
> it places its socket file cannot be written to by any other user, but
> the fact its owner is Everyone, not you, tells emacsclient that the
> directory isn't private.
>
> Can you perhaps convert the drive to NTFS?
No. Is it a joke?
FWIW, when I had a personal machine, I used NTFS. This is not my personal
laptop. This is the standard issue for my company. My guess is that others,
beyond my company, are in the same boat. The answer is not to ask them to
convert their disk drives.
I think Emacs should be able to coexist and behave nicely with FAT32 - don't
you? If some extra Emacs features are not available for FAT32, so be it, but
using FAT32 should not prevent one from using Emacs (e.g. emacsclient).
> > If not, until the bug is fixed you might consider changing
> > the default value to nil, since this stops users with a
> > similar config from using emacsclient at all (out of the box,
> > emacs -Q). Unless they know about the workaround, that is.
>
> We never heard about the problem until now, since Emacs 23 was
> released (the original bug was reported long ago, when Emacs 23 was
> still in development). So it seems the problem is not too frequent:
> the number of people who use emacsclient on a FAT32 volume or that
> belong to the local Administrators group is apparently low enough for
> this gotcha not to hit too frequently.
I wouldn't bet on that at all.
* Emacs 23 was just released. I never tried to use emacsclient - I did so in
order to follow a bug report (for my code, and unrelated to emacsclient, as it
turns out).
* FAT32 is very common.
* AFAIK, every user in my company belongs to the local Administrators group for
his/her machine (e.g. laptop), so that s?he can easily install stuff etc. Other
organizations might have similar policies.
It doesn't make sense to make the default behavior dependent on assuming that
users do not have FAT32 and are not in the local Administrators group. IMO.
That's a crippling assumption.
> > Without your help, I never would have guessed it. I don't
> > even understand the error message, "The directory is unsafe"
> > - maybe that message could refer me to
> > a manual section explaining unsafe directories?
>
> I will add this to PROBLEMS, and look into modifying the message. I
> think the message text is not very clear even on Unix. Thanks for
> pointing this out.
Beyond the message text, what does it mean? Where is this notion of "unsafe
directory" documented in the manuals?
I see in the Emacs manual a discussion of unsafe variables, but not of unsafe
directories. I see in the Elisp manual mention of unsafe variables and unsafe
functions, but nothing about unsafe directories.
I think this should be explained in the manual(s) - we shouldn't simply improve
the message (though that too should be done). It is especially important to
document things that concern safety (if this really does).
Thx - Drew
^ permalink raw reply [flat|nested] 20+ messages in thread
* bug#4197: 23.1; error when try to run `server-start': directory .emacs.d/server is unsafe
2009-08-21 18:12 ` Drew Adams
@ 2009-08-21 18:28 ` Eli Zaretskii
2009-08-21 18:55 ` Drew Adams
2009-08-22 4:49 ` Stefan Monnier
1 sibling, 1 reply; 20+ messages in thread
From: Eli Zaretskii @ 2009-08-21 18:28 UTC (permalink / raw)
To: Drew Adams; +Cc: 4197
> From: "Drew Adams" <drew.adams@oracle.com>
> Cc: <4197@emacsbugs.donarmstrong.com>, <lennart.borgman@gmail.com>
> Date: Fri, 21 Aug 2009 11:12:16 -0700
>
> OK, but FAT32 is very common. I wonder about the default for the variable being
> non-nil, even after the bug is fixed, but especially before then.
The variable does more than just influence server.el. It makes
file-attributes more accurate, which has its own benefits, most
prominently in Dired.
> > Can you perhaps convert the drive to NTFS?
>
> No. Is it a joke?
No, I tried to help you work around the problem (and get a better
filesystem while at that).
> This is not my personal laptop. This is the standard issue for my
> company.
I couldn't know that, could I?
> I think Emacs should be able to coexist and behave nicely with FAT32 - don't
> you?
I do, and it does -- mostly.
> It doesn't make sense to make the default behavior dependent on assuming that
> users do not have FAT32 and are not in the local Administrators group. IMO.
> That's a crippling assumption.
The code in server.el assumes a Posix filesystem. We are trying to
get it to work nicely on Windows, when some of these assumptions don't
hold. IOW, no one specifically assumed users do not have FAT32.
> Beyond the message text, what does it mean? Where is this notion of "unsafe
> directory" documented in the manuals?
It is a more or less common knowledge in the Posix world. But I do
agree that the message text should be more self-explanatory.
> I think this should be explained in the manual(s) - we shouldn't simply improve
> the message (though that too should be done). It is especially important to
> document things that concern safety (if this really does).
If the message is explicit enough, it will explain itself.
^ permalink raw reply [flat|nested] 20+ messages in thread
* bug#4197: 23.1; error when try to run `server-start': directory .emacs.d/server is unsafe
2009-08-21 18:28 ` Eli Zaretskii
@ 2009-08-21 18:55 ` Drew Adams
2009-08-21 20:35 ` Eli Zaretskii
0 siblings, 1 reply; 20+ messages in thread
From: Drew Adams @ 2009-08-21 18:55 UTC (permalink / raw)
To: 'Eli Zaretskii'; +Cc: 4197
> > OK, but FAT32 is very common. I wonder about the default
> > for the variable being non-nil, even after the bug is fixed,
> > but especially before then.
>
> The variable does more than just influence server.el. It makes
> file-attributes more accurate, which has its own benefits, most
> prominently in Dired.
I don't doubt that. I know that NTFS offers a good deal more in terms of file
security possibilities than does FAT32.
But if the default value of the variable is inappropriate for some platform
(disk format), then it should be changed - at least on that platform.
Can you not test for this (e.g. using code similar to what you asked me to
evaluate to test this), and set the default value accordingly?
Or perhaps (since a user can have multiple drives with different formats) the
code that uses this option should check whether a non-nil value makes sense for
the drive in question, before simply proceeding as it does today.
Anyway, I'm unfamilar with the implementation, and I'm no expert on this
subject, so I'll leave the bug fix to others. From a user point of view,
something needs to be fixed here; that's all.
> > > Can you perhaps convert the drive to NTFS?
> >
> > No. Is it a joke?
>
> No, I tried to help you work around the problem (and get a better
> filesystem while at that).
>
> > This is not my personal laptop. This is the standard issue for my
> > company.
>
> I couldn't know that, could I?
No, I didn't say that you could have or should have. You asked, and I told you;
that's all.
I'm letting you know that (a) no, unfortunately, I cannot change the drive
format, (b) changing the drive format cannot be the general answer to the
problem, even if it might help some users sometimes, and (c) this is a
widespread policy, in at least some organizations, so this likely does not
represent an isolated case, even if it's the first reported case.
> > I think Emacs should be able to coexist and behave nicely
> > with FAT32 - don't you?
>
> I do, and it does -- mostly.
Clearly I meant including in this regard - the question at hand.
There is no reason to be defensive (if you are doing that) about a bug. I can
understand that the bug might be difficult to fix in the best way, and that
takes time.
In the meantime, something can perhaps be done as a preventive measure. If the
drive format for Windows could be tested, that might be a solution. If not, if
nothing else can be done in the immediate, then I would suggest changing the
default for at least all Windows users to nil.
IOW, better to forego the bells and whistles while waiting for a real fix, and
to at least let users use emacsclient without customizing. In this meantime
period, the doc can let Windows users know that if they happen to have NTFS
storage, then they can get more bells and whistles by changing the value to
non-nil.
I can understand that a developer wants to show off new, enhanced behavior, but
that shouldn't be the default if it leads to fundamental problems. Users who
have NTFS can easily customize to get the enhanced behavior.
> > It doesn't make sense to make the default behavior
> > dependent on assuming that users do not have FAT32 and are
> > not in the local Administrators group. IMO.
> > That's a crippling assumption.
>
> The code in server.el assumes a Posix filesystem. We are trying to
> get it to work nicely on Windows, when some of these assumptions don't
> hold.
I understand. Good.
> IOW, no one specifically assumed users do not have FAT32.
I didn't think so. I imagine that it was just an oversight (implicit
assumption).
> > Beyond the message text, what does it mean? Where is this
> > notion of "unsafe directory" documented in the manuals?
>
> It is a more or less common knowledge in the Posix world. But I do
> agree that the message text should be more self-explanatory.
The world of Emacs users is not identical to the Posix world. Emacs doc should
not assume that Emacs users have all the "common knowledge" of the Posix world.
This needs to be documented, beyond the error message. Users need to know how to
use this, including, at least for now, how to use it with FAT32 vs NTFS.
> > I think this should be explained in the manual(s) - we
> > shouldn't simply improve the message (though that too should
> > be done). It is especially important to
> > document things that concern safety (if this really does).
>
> If the message is explicit enough, it will explain itself.
The message explaining itself will be corrected when the message is corrected.
My concern is beyond the message: Providing the essential info in this bug
report to users. Thx.
^ permalink raw reply [flat|nested] 20+ messages in thread
* bug#4197: 23.1; error when try to run `server-start': directory .emacs.d/server is unsafe
2009-08-21 18:55 ` Drew Adams
@ 2009-08-21 20:35 ` Eli Zaretskii
2009-08-21 21:03 ` Drew Adams
2009-08-22 10:07 ` Eli Zaretskii
0 siblings, 2 replies; 20+ messages in thread
From: Eli Zaretskii @ 2009-08-21 20:35 UTC (permalink / raw)
To: Drew Adams; +Cc: 4197
> From: "Drew Adams" <drew.adams@oracle.com>
> Cc: <4197@emacsbugs.donarmstrong.com>, <lennart.borgman@gmail.com>
> Date: Fri, 21 Aug 2009 11:55:27 -0700
>
> But if the default value of the variable is inappropriate for some platform
> (disk format), then it should be changed - at least on that platform.
>
> Can you not test for this (e.g. using code similar to what you asked me to
> evaluate to test this), and set the default value accordingly?
I don't think we need to change the value of
w32-get-true-file-attributes on FAT32 volumes. All we need is fix
server.el to not barf on FAT32 volumes. I'll see what I can do.
> There is no reason to be defensive (if you are doing that) about a
> bug.
There's no need to become angry, either.
> I can understand that a developer wants to show off new, enhanced behavior, but
> that shouldn't be the default if it leads to fundamental problems.
This developer simply doesn't have enough time to fix everything right
away. That is the only reason this bug is not yet fixed. That, and
the fact that no one else beat me to it. There's no show-off anywhere
in sight.
^ permalink raw reply [flat|nested] 20+ messages in thread
* bug#4197: 23.1; error when try to run `server-start': directory .emacs.d/server is unsafe
2009-08-21 20:35 ` Eli Zaretskii
@ 2009-08-21 21:03 ` Drew Adams
2009-08-22 10:07 ` Eli Zaretskii
1 sibling, 0 replies; 20+ messages in thread
From: Drew Adams @ 2009-08-21 21:03 UTC (permalink / raw)
To: 'Eli Zaretskii'; +Cc: 4197
> I don't think we need to change the value of
> w32-get-true-file-attributes on FAT32 volumes. All we need is fix
> server.el to not barf on FAT32 volumes. I'll see what I can do.
OK, great.
> > There is no reason to be defensive (if you are doing that) about a
> > bug.
>
> There's no need to become angry, either.
I'm not at all angry (if you meant me).
And I'm grateful that this will be fixed.
^ permalink raw reply [flat|nested] 20+ messages in thread
* bug#4197: 23.1; error when try to run `server-start': directory .emacs.d/server is unsafe
2009-08-21 18:12 ` Drew Adams
2009-08-21 18:28 ` Eli Zaretskii
@ 2009-08-22 4:49 ` Stefan Monnier
2009-08-22 8:07 ` Eli Zaretskii
2009-08-22 9:53 ` Jason Rumney
1 sibling, 2 replies; 20+ messages in thread
From: Stefan Monnier @ 2009-08-22 4:49 UTC (permalink / raw)
To: Drew Adams; +Cc: 4197
> I think Emacs should be able to coexist and behave nicely with FAT32 - don't
IIUC how Windows on FAT32 works, using emacsserver on such a system
means that any process running on this machine (from your own user or
any other user) can control your Emacs session.
Stefan
^ permalink raw reply [flat|nested] 20+ messages in thread
* bug#4197: 23.1; error when try to run `server-start': directory .emacs.d/server is unsafe
2009-08-22 4:49 ` Stefan Monnier
@ 2009-08-22 8:07 ` Eli Zaretskii
2009-08-23 1:57 ` Stefan Monnier
2009-08-22 9:53 ` Jason Rumney
1 sibling, 1 reply; 20+ messages in thread
From: Eli Zaretskii @ 2009-08-22 8:07 UTC (permalink / raw)
To: Stefan Monnier; +Cc: 4197
> From: Stefan Monnier <monnier@iro.umontreal.ca>
> Cc: 4197@emacsbugs.donarmstrong.com, "'Eli Zaretskii'" <eliz@gnu.org>
> Date: Sat, 22 Aug 2009 00:49:03 -0400
>
> > I think Emacs should be able to coexist and behave nicely with FAT32 - don't
>
> IIUC how Windows on FAT32 works, using emacsserver on such a system
> means that any process running on this machine (from your own user or
> any other user) can control your Emacs session.
That's true. There's no file security on FAT32 volumes.
I was thinking about displaying yes-or-no-p prompt with a warning to
that effect, but if the user consents, letting them to proceed. Maybe
we should do that on Posix as well, instead of flatly refusing to run.
WDYT?
^ permalink raw reply [flat|nested] 20+ messages in thread
* bug#4197: 23.1; error when try to run `server-start': directory .emacs.d/server is unsafe
2009-08-22 4:49 ` Stefan Monnier
2009-08-22 8:07 ` Eli Zaretskii
@ 2009-08-22 9:53 ` Jason Rumney
2009-08-22 10:35 ` Eli Zaretskii
1 sibling, 1 reply; 20+ messages in thread
From: Jason Rumney @ 2009-08-22 9:53 UTC (permalink / raw)
To: Stefan Monnier, 4197
Stefan Monnier wrote:
>> I think Emacs should be able to coexist and behave nicely with FAT32 - don't
>>
>
> IIUC how Windows on FAT32 works, using emacsserver on such a system
> means that any process running on this machine (from your own user or
> any other user) can control your Emacs session.
>
Yes. The security feature of emacsclient should probably be abstracted
so that appropriate methods for the platform can be used. Then on
Windows (NT) we could use Security Descriptors directly without relying
on the filesystem to be secure. Windows 95/98/ME would require a
different solution, but I don't think it is worth expending any more
effort than the Yes/No dialog that Eli suggests.
^ permalink raw reply [flat|nested] 20+ messages in thread
* bug#4197: 23.1; error when try to run `server-start': directory .emacs.d/server is unsafe
2009-08-21 20:35 ` Eli Zaretskii
2009-08-21 21:03 ` Drew Adams
@ 2009-08-22 10:07 ` Eli Zaretskii
1 sibling, 0 replies; 20+ messages in thread
From: Eli Zaretskii @ 2009-08-22 10:07 UTC (permalink / raw)
To: 4197
> Date: Fri, 21 Aug 2009 23:35:58 +0300
> From: Eli Zaretskii <eliz@gnu.org>
> Cc: 4197@emacsbugs.donarmstrong.com
>
> > From: "Drew Adams" <drew.adams@oracle.com>
> > Cc: <4197@emacsbugs.donarmstrong.com>, <lennart.borgman@gmail.com>
> > Date: Fri, 21 Aug 2009 11:55:27 -0700
> >
> > But if the default value of the variable is inappropriate for some platform
> > (disk format), then it should be changed - at least on that platform.
> >
> > Can you not test for this (e.g. using code similar to what you asked me to
> > evaluate to test this), and set the default value accordingly?
>
> I don't think we need to change the value of
> w32-get-true-file-attributes on FAT32 volumes. All we need is fix
> server.el to not barf on FAT32 volumes. I'll see what I can do.
Can you please try the following patch to server.el? It is checked in
on the release branch.
2009-08-22 Eli Zaretskii <eliz@gnu.org>
* server.el (server-ensure-safe-dir): Disable the security check
for Windows.
Index: lisp/server.el
===================================================================
RCS file: /cvsroot/emacs/emacs/lisp/server.el,v
retrieving revision 1.192
diff -u -r1.192 server.el
--- lisp/server.el 10 Mar 2009 14:09:26 -0000 1.192
+++ lisp/server.el 22 Aug 2009 10:06:05 -0000
@@ -452,9 +452,10 @@
(unless attrs
(letf (((default-file-modes) ?\700)) (make-directory dir t))
(setq attrs (file-attributes dir)))
- ;; Check that it's safe for use.
- (unless (and (eq t (car attrs)) (eql (nth 2 attrs) (user-uid))
- (or (eq system-type 'windows-nt)
+ ;; Check that it's safe for use. Windows doesn't support
+ ;; Posix-style file security, so don't check there.
+ (unless (or (eq system-type 'windows-nt)
+ (and (eq t (car attrs)) (eql (nth 2 attrs) (user-uid))
(zerop (logand ?\077 (file-modes dir)))))
(error "The directory %s is unsafe" dir))))
^ permalink raw reply [flat|nested] 20+ messages in thread
* bug#4197: 23.1; error when try to run `server-start': directory .emacs.d/server is unsafe
2009-08-22 9:53 ` Jason Rumney
@ 2009-08-22 10:35 ` Eli Zaretskii
2009-08-22 16:59 ` Jason Rumney
0 siblings, 1 reply; 20+ messages in thread
From: Eli Zaretskii @ 2009-08-22 10:35 UTC (permalink / raw)
To: Jason Rumney, 4197
> Date: Sat, 22 Aug 2009 17:53:15 +0800
> From: Jason Rumney <jasonr@f2s.com>
> Cc:
>
> Yes. The security feature of emacsclient should probably be abstracted
> so that appropriate methods for the platform can be used. Then on
> Windows (NT) we could use Security Descriptors directly without relying
> on the filesystem to be secure.
Sorry, I don't quite understand your suggestion. NT file security
cannot be used on FAT32 volumes, even if the OS is of the NT family
(Windows 2000, XP, etc.). So, if you meant to use the NT file
security as the back-end of the abstraction you propose, that back-end
will be inoperable on FAT32 volumes, even for Windows XP.
^ permalink raw reply [flat|nested] 20+ messages in thread
* bug#4197: 23.1; error when try to run `server-start': directory .emacs.d/server is unsafe
2009-08-22 10:35 ` Eli Zaretskii
@ 2009-08-22 16:59 ` Jason Rumney
2009-08-22 17:10 ` Lennart Borgman
0 siblings, 1 reply; 20+ messages in thread
From: Jason Rumney @ 2009-08-22 16:59 UTC (permalink / raw)
To: Eli Zaretskii, 4197
Eli Zaretskii wrote:
> Sorry, I don't quite understand your suggestion. NT file security
> cannot be used on FAT32 volumes, even if the OS is of the NT family
> (Windows 2000, XP, etc.). So, if you meant to use the NT file
> security as the back-end of the abstraction you propose, that back-end
> will be inoperable on FAT32 volumes, even for Windows XP.
>
No, I mean instead of using the file system, which is only secure if it
is NTFS, use Access Tokens, or switch to using Named Pipes instead of a
TCP socket, so that a Security Descriptor can be attached to it.
^ permalink raw reply [flat|nested] 20+ messages in thread
* bug#4197: 23.1; error when try to run `server-start': directory .emacs.d/server is unsafe
2009-08-22 16:59 ` Jason Rumney
@ 2009-08-22 17:10 ` Lennart Borgman
2009-08-23 1:57 ` Stefan Monnier
0 siblings, 1 reply; 20+ messages in thread
From: Lennart Borgman @ 2009-08-22 17:10 UTC (permalink / raw)
To: Jason Rumney, 4197
On Sat, Aug 22, 2009 at 6:59 PM, Jason Rumney<jasonr@gnu.org> wrote:
> Eli Zaretskii wrote:
>>
>> Sorry, I don't quite understand your suggestion. NT file security
>> cannot be used on FAT32 volumes, even if the OS is of the NT family
>> (Windows 2000, XP, etc.). So, if you meant to use the NT file
>> security as the back-end of the abstraction you propose, that back-end
>> will be inoperable on FAT32 volumes, even for Windows XP.
>>
>
> No, I mean instead of using the file system, which is only secure if it is
> NTFS, use Access Tokens, or switch to using Named Pipes instead of a TCP
> socket, so that a Security Descriptor can be attached to it.
Didn't someone write an implementation of emacsclient on w32 using
Named Pipes? Would not that also be preferrable to avoid problems with
firewalls on the local computer?
But what about connecting to servers on other hosts? Or is that
perhaps not something that can be done? Or can that possibility be
kept open by also allowing for using TCP on w32?
^ permalink raw reply [flat|nested] 20+ messages in thread
* bug#4197: 23.1; error when try to run `server-start': directory .emacs.d/server is unsafe
2009-08-22 17:10 ` Lennart Borgman
@ 2009-08-23 1:57 ` Stefan Monnier
0 siblings, 0 replies; 20+ messages in thread
From: Stefan Monnier @ 2009-08-23 1:57 UTC (permalink / raw)
To: Lennart Borgman; +Cc: 4197
> Didn't someone write an implementation of emacsclient on w32 using
> Named Pipes? Would not that also be preferrable to avoid problems with
> firewalls on the local computer?
The generic code works well, so we shouldn't expend efforts on
supporting another protocol. If we can support Unix sockets under w32,
that would be an acceptable alternative. But in any case, the check
made by emacsserver is meaningless in an unsecure system such as
w32-on-fat32, so we should just skip it in such a circumstance.
Stefan
^ permalink raw reply [flat|nested] 20+ messages in thread
* bug#4197: 23.1; error when try to run `server-start': directory .emacs.d/server is unsafe
2009-08-22 8:07 ` Eli Zaretskii
@ 2009-08-23 1:57 ` Stefan Monnier
2009-08-23 3:21 ` Eli Zaretskii
0 siblings, 1 reply; 20+ messages in thread
From: Stefan Monnier @ 2009-08-23 1:57 UTC (permalink / raw)
To: Eli Zaretskii; +Cc: 4197
>> > I think Emacs should be able to coexist and behave nicely with
>> > FAT32 - don't
>> IIUC how Windows on FAT32 works, using emacsserver on such a system
>> means that any process running on this machine (from your own user or
>> any other user) can control your Emacs session.
> That's true. There's no file security on FAT32 volumes.
> I was thinking about displaying yes-or-no-p prompt with a warning to
> that effect, but if the user consents, letting them to proceed. Maybe
> we should do that on Posix as well, instead of flatly refusing to run.
I don't see a need for a prompt under POSIX.
For a FAT32 system under w32, we probably don't need a prompt either (we
should just skip the test instead) either the user is aware of the
inherent insecurity of his system (in which case we can go on and ignore
the problem without prompting), or he's not, in which case a prompt will
just confuse him even more.
Stefan
^ permalink raw reply [flat|nested] 20+ messages in thread
* bug#4197: 23.1; error when try to run `server-start': directory .emacs.d/server is unsafe
2009-08-23 1:57 ` Stefan Monnier
@ 2009-08-23 3:21 ` Eli Zaretskii
2009-08-23 22:30 ` Stefan Monnier
0 siblings, 1 reply; 20+ messages in thread
From: Eli Zaretskii @ 2009-08-23 3:21 UTC (permalink / raw)
To: Stefan Monnier; +Cc: 4197
> From: Stefan Monnier <monnier@iro.umontreal.ca>
> Cc: drew.adams@oracle.com, 4197@emacsbugs.donarmstrong.com
> Date: Sat, 22 Aug 2009 21:57:49 -0400
>
> For a FAT32 system under w32, we probably don't need a prompt either (we
> should just skip the test instead) either the user is aware of the
> inherent insecurity of his system (in which case we can go on and ignore
> the problem without prompting), or he's not, in which case a prompt will
> just confuse him even more.
The user might have more than one filesystem on her machine. Telling
her that the one she uses for ~/.emacs_d is insecure might cause her
to change her configuration, I think.
^ permalink raw reply [flat|nested] 20+ messages in thread
* bug#4197: 23.1; error when try to run `server-start': directory .emacs.d/server is unsafe
2009-08-23 3:21 ` Eli Zaretskii
@ 2009-08-23 22:30 ` Stefan Monnier
0 siblings, 0 replies; 20+ messages in thread
From: Stefan Monnier @ 2009-08-23 22:30 UTC (permalink / raw)
To: Eli Zaretskii; +Cc: 4197
>> For a FAT32 system under w32, we probably don't need a prompt either (we
>> should just skip the test instead) either the user is aware of the
>> inherent insecurity of his system (in which case we can go on and ignore
>> the problem without prompting), or he's not, in which case a prompt will
>> just confuse him even more.
> The user might have more than one filesystem on her machine. Telling
> her that the one she uses for ~/.emacs_d is insecure might cause her
> to change her configuration, I think.
Could be. But I don't think this slim hope warrants imposing a prompt
on all the other lusers. A message should be sufficient.
Stefan
^ permalink raw reply [flat|nested] 20+ messages in thread
end of thread, other threads:[~2009-08-23 22:30 UTC | newest]
Thread overview: 20+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-08-19 3:25 bug#4197: 23.1; error when try to run `server-start': directory .emacs.d/server is unsafe Drew Adams
2009-08-21 9:24 ` Eli Zaretskii
2009-08-21 14:30 ` Drew Adams
2009-08-21 17:43 ` Eli Zaretskii
2009-08-21 18:12 ` Drew Adams
2009-08-21 18:28 ` Eli Zaretskii
2009-08-21 18:55 ` Drew Adams
2009-08-21 20:35 ` Eli Zaretskii
2009-08-21 21:03 ` Drew Adams
2009-08-22 10:07 ` Eli Zaretskii
2009-08-22 4:49 ` Stefan Monnier
2009-08-22 8:07 ` Eli Zaretskii
2009-08-23 1:57 ` Stefan Monnier
2009-08-23 3:21 ` Eli Zaretskii
2009-08-23 22:30 ` Stefan Monnier
2009-08-22 9:53 ` Jason Rumney
2009-08-22 10:35 ` Eli Zaretskii
2009-08-22 16:59 ` Jason Rumney
2009-08-22 17:10 ` Lennart Borgman
2009-08-23 1:57 ` Stefan Monnier
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.