From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: David Kastrup Newsgroups: gmane.emacs.devel,gmane.emacs.pretest.bugs Subject: Re: creating backups in temporary directories Date: Mon, 10 Sep 2007 03:11:31 +0200 Message-ID: <85bqcbnx30.fsf@lola.goethe.zz> References: <85sl5q5vy6.fsf@lola.goethe.zz> <87y7fii7bz.fsf@gmx.de> <85odgbobf0.fsf@lola.goethe.zz> NNTP-Posting-Host: lo.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Trace: sea.gmane.org 1189389842 15303 80.91.229.12 (10 Sep 2007 02:04:02 GMT) X-Complaints-To: usenet@sea.gmane.org NNTP-Posting-Date: Mon, 10 Sep 2007 02:04:02 +0000 (UTC) Cc: emacs-pretest-bug@gnu.org, christopher.ian.moore@gmail.com, svenjoac@gmx.de, Stefan Monnier , rms@gnu.org To: Andreas Schwab Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Mon Sep 10 12:03:48 2007 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([199.232.76.165]) by lo.gmane.org with esmtp (Exim 4.50) id 1IUfZT-0004tK-2A for ged-emacs-devel@m.gmane.org; Mon, 10 Sep 2007 11:28:43 +0200 Original-Received: from localhost ([127.0.0.1] helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1IUY56-0004w9-9q for ged-emacs-devel@m.gmane.org; Sun, 09 Sep 2007 21:28:52 -0400 Original-Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1IUY52-0004vP-GM for emacs-devel@gnu.org; Sun, 09 Sep 2007 21:28:48 -0400 Original-Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43) id 1IUY50-0004vD-Et for emacs-devel@gnu.org; Sun, 09 Sep 2007 21:28:47 -0400 Original-Received: from [199.232.76.173] (helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1IUY50-0004vA-Bd for emacs-devel@gnu.org; Sun, 09 Sep 2007 21:28:46 -0400 Original-Received: from fencepost.gnu.org ([140.186.70.10]) by monty-python.gnu.org with esmtp (Exim 4.60) (envelope-from ) id 1IUY50-0001NV-57 for emacs-devel@gnu.org; Sun, 09 Sep 2007 21:28:46 -0400 Original-Received: from localhost ([127.0.0.1] helo=lola.goethe.zz) by fencepost.gnu.org with esmtp (Exim 4.60) (envelope-from ) id 1IUY4X-00089C-Os; Sun, 09 Sep 2007 21:28:17 -0400 Original-Received: by lola.goethe.zz (Postfix, from userid 1002) id B30D21CAD717; Mon, 10 Sep 2007 03:11:31 +0200 (CEST) In-Reply-To: (Andreas Schwab's message of "Sun\, 09 Sep 2007 22\:27\:30 +0200") User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.1.50 (gnu/linux) X-Detected-Kernel: Linux 2.6, seldom 2.4 (older, 4) X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.devel:78381 gmane.emacs.pretest.bugs:19802 Archived-At: Andreas Schwab writes: > David Kastrup writes: > >> Stefan Monnier writes: >> >>> In a directory with mode 777, that's true: everything is dangerous. >>> But in a directory with mode 1777 when you open a file that *you* own, >>> nobody else can remove it or rename it, so normally nobody can replace it >>> with a symlink. Emacs creates the problem when it moves /tmp/foo to >>> /tmp/foo~ at which point /tmp/foo is free for an attacker to take. >> >> Well, the alternative is to make a hard link of /tmp/foo to /tmp/foo~, >> then creat /tmp/foo over it and fill it with contents without >> reopening. >> >> That should close the time window for an attack. > > You have to unlink the file first, Well, seems I misread the manual page for open/creat. I thought that without O_EXCL, the file would get replaced. Well, then there still is the contorted way of hard linking /tmp/foo to /tmp/foo~, opening /tmp/randomfilename for write, renaming it to /tmp/foo and then finishing the write operation. -- David Kastrup, Kriemhildstr. 15, 44793 Bochum