From: Lars Ingebrigtsen
To: Paul Eggert
Cc: Katsumi Yamaoka, emacs-devel@gnu.org
Newsgroups: gmane.emacs.devel
Subject: Re: master 739593d 3/5: Make gnus-copy-file act like copy-file etc.
Date: Thu, 14 Sep 2017 13:25:20 +0200
Message-ID: <878thh8qu7.fsf@mouse.gnus.org>
In-Reply-To: (Paul Eggert's message of "Wed, 13 Sep 2017 16:32:15 -0700")

Paul Eggert writes:

> On 09/13/2017 02:10 PM, Lars Ingebrigtsen wrote:
>> The attack surface you're trying to cover is when the user is writing a
>> file to a world-writable directory that contains a symlink that has
>> exactly the same name as the file you're trying to write?
>
> More generally, it's when the attacker can write the destination's
> parent directory. The parent need not be world-writable, and there
> doesn't need to be a symlink there already.

Hm... then I'm not sure I understand your first explanation. Your
example was /tmp (world-writable) with a symlink "foo" in /tmp that
points to somewhere the attacker can't write. So for instance /tmp/foo
symlinks to /home/victim/.ssh/authorized_keys and the victim says `M-x
copy-file RET something RET /tmp/foo RET' *bang*.

But was there a different scenario you were thinking about? (Timing
these attacks is always fun, though, but the barfing can be postponed
until the actual write, I would guess...)

> Eli is most concerned about interactive use, as am I.

Sounds like the opposite going by Eli's last email. :-)

>> These days nobody lives on shared computers, anyway
>
> I regularly use Emacs on computers shared with users I don't fully
> trust. I've done so every day this week so far. Although I use Emacs
> more often on standalone machines, the shared-machine use case is
> still alive and kicking.

Yeah, "nobody" is an exaggeration, and we can't disregard people on
shared machines. But the ratio of users we're servicing should also
inform our approach to the severity of how much we're crippling DWIM
functionality for (theoretical) safety reasons.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
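
The /tmp/foo scenario from the message above, reproduced in a throwaway sandbox as an added example (not code from this thread or from Emacs): a plain open-for-write goes through the existing link, while exclusive creation refuses to touch it. The directory names and the Python functions are constructed stand-ins, not Emacs's `copy-file`.

```python
import os
import shutil
import tempfile
from pathlib import Path


def naive_copy(src, dst):
    """Plain open-for-write: follows a symlink sitting at dst."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        fout.write(fin.read())


def careful_copy(src, dst):
    """Create dst only if no entry of that name exists yet.

    With O_CREAT|O_EXCL, open(2) fails with EEXIST on any existing entry,
    including a symlink (dangling or not), so nothing is written through it.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    with open(src, "rb") as fin:
        fd = os.open(dst, flags, 0o600)
        with os.fdopen(fd, "wb") as fout:
            fout.write(fin.read())


def demo():
    """Run both copies in a constructed sandbox; return what happened."""
    root = Path(tempfile.mkdtemp(prefix="symlink-demo-"))
    try:
        shared = root / "shared"      # stands in for /tmp
        private = root / "private"    # stands in for the victim's ~/.ssh
        shared.mkdir()
        private.mkdir()
        target = private / "authorized_keys"
        target.write_text("original\n")
        src = root / "something"
        src.write_text("copied data\n")
        dst = shared / "foo"
        dst.symlink_to(target)        # the pre-existing link from the example

        try:
            careful_copy(src, dst)
            refused = False
        except FileExistsError:
            refused = True
        after_careful = target.read_text()

        naive_copy(src, dst)          # writes through the link
        after_naive = target.read_text()
        return refused, after_careful, after_naive
    finally:
        shutil.rmtree(root)
```

`demo()` returns whether the exclusive create was refused, then the protected file's contents after each attempt.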