From mboxrd@z Thu Jan 1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Sven Joachim
Newsgroups: gmane.emacs.devel,gmane.emacs.pretest.bugs
Subject: Symlink attack vulnerability in auto-saving
Date: Mon, 10 Sep 2007 20:07:19 +0200
Message-ID: <877imyz960.fsf@gmx.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
To: emacs-pretest-bug@gnu.org
User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.1.50 (gnu/linux)
List-Id: "Emacs development discussions."
Xref: news.gmane.org gmane.emacs.devel:78482 gmane.emacs.pretest.bugs:19822

Following the recent discussion about symlinks and race-conditions in
the thread "creating backups in temporary directories", I may have
discovered a more severe vulnerability in auto-saving of files.

If a file foobar exists, Emacs will write auto-save data to #foobar#
and follow symlinks. That's rather bad if foobar is in a
world-writable directory.
:-(

In GNU Emacs 22.1.50.1 (i486-pc-linux-gnu, GTK+ Version 2.10.13)
 of 2007-09-07 on debian, modified by Debian
 (Debian emacs-snapshot package, version 1:20070907-1)
Windowing system distributor `The X.Org Foundation', version 11.0.10300000
configured using `configure '--build' 'i486-linux-gnu' '--host' 'i486-linux-gnu' '--prefix=/usr' '--sharedstatedir=/var/lib' '--libexecdir=/usr/lib' '--localstatedir=/var' '--infodir=/usr/share/info' '--mandir=/usr/share/man' '--with-pop=yes' '--enable-locallisppath=/etc/emacs-snapshot:/etc/emacs:/usr/local/share/emacs/22.1.50/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/22.1.50/site-lisp:/usr/share/emacs/site-lisp:/usr/share/emacs/22.1.50/leim' '--with-x=yes' '--with-x-toolkit=gtk' 'build_alias=i486-linux-gnu' 'host_alias=i486-linux-gnu' 'CFLAGS=-DDEBIAN -DSITELOAD_PURESIZE_EXTRA=5000 -g -O2''

Important settings:
  value of $LC_ALL: nil
  value of $LC_COLLATE: C
  value of $LC_CTYPE: nil
  value of $LC_MESSAGES: nil
  value of $LC_MONETARY: nil
  value of $LC_NUMERIC: nil
  value of $LC_TIME: nil
  value of $LANG: de_DE.UTF-8
  locale-coding-system: utf-8
  default-enable-multibyte-characters: t

Major mode: Help

Minor modes in effect:
  shell-dirtrack-mode: t
  display-time-mode: t
  auto-image-file-mode: t
  show-paren-mode: t
  tooltip-mode: t
  mouse-wheel-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  unify-8859-on-encoding-mode: t
  utf-translate-cjk-mode: t
  auto-compression-mode: t
  temp-buffer-resize-mode: t
  column-number-mode: t
  line-number-mode: t
  transient-mark-mode: t
  view-mode: t

Recent input:
e SPC M-x C-x d g C-x k SPC a d f r e p ü ü ü ö ö ö ö l l l k k k g C-x k C-x 1 C-h C-g C-u h C-z C-u a C-z C-u C-h a a u t o - s a c v e C-x o C-x o M-x r e p o r t - e m a c s - b u g

Recent messages:
Commands: d, s, x, u; f, o, 1, 2, m, v; ~, %; q to quit; ? for help. [2 times]
Undo! [2 times]
Loading apropos...done
Type C-x 1 to remove help window. Type C-x 4 o RET to restore the other window.
Loading emacsbug...done
mouse-2, RET: find function's definition
uncompressing files.el.gz...done
Note: file is write protected
"/usr/share/emacs/22.1.50/lisp/#files.el.gz#" [2 times]
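
The behaviour reported above, as an added C example that is not part of the original message and is not Emacs source: a writer that follows a symlink sitting at the auto-save name, beside a hardened writer that refuses it. The function names, the `/tmp/autosave-XXXXXX` scratch directory and the file contents are constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: a symlink planted at `path` is resolved and its target truncated. */
static int save_following(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}
/* Hardened: never follow a final symlink, and truncate only after checking
   that the opened object is our own regular file with a single hard link. */
static int save_nofollow(const char *path, const char *data) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;                 /* ELOOP when path is a symlink */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()
        || st.st_nlink != 1 || ftruncate(fd, 0) < 0) { close(fd); return -1; }
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}
/* Constructed scenario: DIR/#foobar# is a symlink to DIR/victim.
   Returns 1 if victim holds `expect` after `save` ran on the symlink. */
static int victim_after(int (*save)(const char *, const char *),
                        const char *expect) {
    char dir[] = "/tmp/autosave-XXXXXX", victim[64], autosave[64];
    char buf[32] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(autosave, sizeof autosave, "%s/#foobar#", dir);
    if (save_following(victim, "precious") < 0) return -1;
    if (symlink(victim, autosave) < 0) return -1;
    save(autosave, "autosave");            /* result checked via victim */
    int fd = open(victim, O_RDONLY);
    if (fd >= 0) { if (read(fd, buf, sizeof buf - 1) < 0) buf[0] = 0; close(fd); }
    unlink(autosave); unlink(victim); rmdir(dir);
    return strcmp(buf, expect) == 0;
}
int main(void) {
    printf("weak writer overwrote target: %d\n", victim_after(save_following, "autosave"));
    printf("hardened writer kept target:  %d\n", victim_after(save_nofollow, "precious"));
    return 0;
}
```

`O_NOFOLLOW` covers only the final path component, so the directory holding the auto-save file still has to be one that other users cannot rearrange.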