From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!.POSTED!not-for-mail From: Eli Zaretskii Newsgroups: gmane.emacs.bugs Subject: bug#27986: 26.0.50; 'rename-file' can rename files without confirmation Date: Mon, 14 Aug 2017 18:40:37 +0300 Message-ID: <83o9rignt6.fsf@gnu.org> References: <61980dde-3d68-7200-e7f4-98f62e410060@cs.ucla.edu> <1002ee73-0ab5-409b-831f-0c283c322264@cs.ucla.edu> Reply-To: Eli Zaretskii NNTP-Posting-Host: blaine.gmane.org X-Trace: blaine.gmane.org 1502725273 4665 195.159.176.226 (14 Aug 2017 15:41:13 GMT) X-Complaints-To: usenet@blaine.gmane.org NNTP-Posting-Date: Mon, 14 Aug 2017 15:41:13 +0000 (UTC) Cc: p.stephani2@gmail.com, 27986@debbugs.gnu.org To: Paul Eggert Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Mon Aug 14 17:41:08 2017 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by blaine.gmane.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dhHUG-0000lM-Jd for geb-bug-gnu-emacs@m.gmane.org; Mon, 14 Aug 2017 17:41:04 +0200 Original-Received: from localhost ([::1]:56427 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dhHUN-00008a-5C for geb-bug-gnu-emacs@m.gmane.org; Mon, 14 Aug 2017 11:41:11 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:39757) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dhHUH-00008M-2u for bug-gnu-emacs@gnu.org; Mon, 14 Aug 2017 11:41:06 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dhHUD-00024q-VQ for bug-gnu-emacs@gnu.org; Mon, 14 Aug 2017 11:41:05 -0400 Original-Received: from debbugs.gnu.org ([208.118.235.43]:55128) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1dhHUD-00024h-S0 for bug-gnu-emacs@gnu.org; Mon, 14 Aug 2017 11:41:01 -0400 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1dhHUD-0004gy-IV for bug-gnu-emacs@gnu.org; Mon, 14 Aug 2017 11:41:01 -0400 X-Loop: help-debbugs@gnu.org Resent-From: Eli Zaretskii Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Mon, 14 Aug 2017 15:41:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 27986 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: patch Original-Received: via spool by 27986-submit@debbugs.gnu.org id=B27986.150272525418023 (code B ref 27986); Mon, 14 Aug 2017 15:41:01 +0000 Original-Received: (at 27986) by debbugs.gnu.org; 14 Aug 2017 15:40:54 +0000 Original-Received: from localhost ([127.0.0.1]:35576 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dhHU6-0004gd-Fi for submit@debbugs.gnu.org; Mon, 14 Aug 2017 11:40:54 -0400 Original-Received: from eggs.gnu.org ([208.118.235.92]:48685) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dhHU4-0004gX-6h for 27986@debbugs.gnu.org; Mon, 14 Aug 2017 11:40:52 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dhHTv-0001wX-Ko for 27986@debbugs.gnu.org; Mon, 14 Aug 2017 11:40:46 -0400 Original-Received: from fencepost.gnu.org ([2001:4830:134:3::e]:34633) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dhHTv-0001vm-3D; Mon, 14 Aug 2017 11:40:43 -0400 Original-Received: from 84.94.185.246.cable.012.net.il ([84.94.185.246]:4343 helo=home-c4e4a596f7) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1dhHTu-0001kD-Fw; Mon, 14 Aug 2017 11:40:42 -0400 In-reply-to: <1002ee73-0ab5-409b-831f-0c283c322264@cs.ucla.edu> (message from Paul Eggert on Sun, 13 Aug 2017 15:42:05 -0700) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 208.118.235.43 X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Original-Sender: "bug-gnu-emacs" Xref: news.gmane.org gmane.emacs.bugs:135746 Archived-At: > From: Paul Eggert > Cc: Philipp , 27986@debbugs.gnu.org > Date: Sun, 13 Aug 2017 15:42:05 -0700 > > Paul Eggert wrote: > > there are races on GNU/Linux which can lead to potential security problems. > > Perhaps we can't fix these races on MS-Windows but we should be able to fix them > > on a GNUish host. For the record: 'rename' is atomic on Windows when the target doesn't exist. It's the case when the target exists that cannot be guaranteed to be handled atomically, AFAIU, because deleting the old target and renaming are not necessarily an atomic operation on Windows. I don't know if this is an issue, since the current code in rename-file uses 2 separate system calls in this case anyway, even on Posix platforms. > Attached is a proposed patch to fix this security problem. If I understand > things correctly, the fix should work on MS-Windows and on case-insensitive file > systems. Since this patch entails an incompatible change to the (undocumented) > behavior of (rename-file A B) when B is a directory but is not a directory name, > I'll mention the proposed change on emacs-devel. I'm uneasy, to say the least, to change the semantic of such a veteran behavior. Could you please take a step back and elaborate on the races and the security problems related to this, and why the change in the semantics you propose is the solution? I'd like to understand the problem better before we decide on the solution. Thanks.