Re: master 739593d 3/5: Make gnus-copy-file act like copy-file etc.

[Lars Ingebrigtsen <larsi@gnus.org>]

Paul Eggert <eggert@cs.ucla.edu> writes:

> On 09/13/2017 02:10 PM, Lars Ingebrigtsen wrote:
>> The attack surface you're trying to cover is when the user is writing a
>> file to a world-writable directory that contains a symlink that has
>> exactly the same name as the file you're trying to write?
>
> More generally, it's when the attacker can write the destination's
> parent directory. The parent need not be world-writable, and there
> doesn't need to be a symlink there already.

Hm...  then I'm not sure I understand your first explanation.  Your
example was /tmp (word-writable) with a symlink "foo" in /tmp that
points to somewhere the attacker can't write.  So for instance /tmp/foo
symlinks to /home/victim/.ssh/authorized_keys and the victim says
`M-x copy-file RET something RET /tmp/foo RET' *bang*.

But was there a different scenario you were thinking about?

(Timing these attacks is always fun, though, but the barfing can be
postponed until the actual write, I would guess...)

> Eli is most concerned about interactive use, as am I.

Sounds like the opposite going by Eli's last email.  :-)

>> These days nobody lives on shared computers, anyway
>
> I regularly use Emacs on computers shared with users I don't fully
> trust. I've done so every day this week so far. Although I use Emacs
> more often on standalone machines, the shared-machine use case is
> still alive and kicking.

Yeah, "nobody" is an exaggeration, and we can't disregard people on
shared machines.  But the ratio of users we're servicing should also
inform our approach to the severity of how much we're crippling DWIM
functionality for (theoretical) safety reasons.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no