all messages for Emacs-related lists mirrored at yhetil.org
* bug#6953: 24.0.50; serious security bug in create backup files
@ 2010-08-31  6:13 Mark Diekhans
  2010-09-02  5:38 ` Glenn Morris
  2011-01-12 15:25 ` Stefan Monnier
  0 siblings, 2 replies; 28+ messages in thread
From: Mark Diekhans @ 2010-08-31  6:13 UTC (permalink / raw)
  To: 6953

When emacs is forced into writing "~/%backup%~", it may expose protected
data to being read by others.  For instance, a file that is protected by
directory permissions rather than file permissions could end up being
written in a world readable home directory. For instance, I just
discovered that ~/%backup%~ was a world readable copy of my mail box on
a shared file system.

Emacs should create the last ditch backup file as accessible only by the
user (no group or other access) before any data is written to the file.

Also, ~/%backup%~ should be configurable in a variable rather than hard
coded in lisp files.el.


In GNU Emacs 24.0.50.1 (x86_64-unknown-linux-gnu)
 of 2010-08-30 on hgwdev
configured using `configure  '--prefix=/cluster/home/markd/compbio/work/emacs/local' 'CFLAGS=-g -O2' 'LDFLAGS=-L/cluster/home/markd/opt/centos5.2/x86_64/lib' 'CPPFLAGS=-I/cluster/home/markd/opt/centos5.2/x86_64/include''

Important settings:
  value of $LC_ALL: nil
  value of $LC_COLLATE: nil
  value of $LC_CTYPE: nil
  value of $LC_MESSAGES: nil
  value of $LC_MONETARY: nil
  value of $LC_NUMERIC: nil
  value of $LC_TIME: nil
  value of $LANG: C
  value of $XMODIFIERS: nil
  locale-coding-system: nil
  default enable-multibyte-characters: t

Major mode: Emacs-Lisp

Minor modes in effect:
  display-time-mode: t
  shell-dirtrack-mode: t
  tooltip-mode: t
  mouse-wheel-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t
  abbrev-mode: t

Recent input:

Recent messages:
scroll-up-command: End of buffer
Making completion list... [3 times]
uncompressing file.el.gz...
(New file)
Making completion list...
Quit [2 times]
Making completion list...
uncompressing files.el.gz...done
Mark saved where search started [3 times]
Making completion list... [2 times]

Load-path shadows:

Features:






* bug#6953: 24.0.50; serious security bug in create backup files
  2010-08-31  6:13 bug#6953: 24.0.50; serious security bug in create backup files Mark Diekhans
@ 2010-09-02  5:38 ` Glenn Morris
  2010-09-02  6:54   ` Eli Zaretskii
  2010-09-02  7:05   ` markd
  2011-01-12 15:25 ` Stefan Monnier
  1 sibling, 2 replies; 28+ messages in thread
From: Glenn Morris @ 2010-09-02  5:38 UTC (permalink / raw)
  To: Mark Diekhans; +Cc: 6953

Mark Diekhans wrote:

> Emacs should create the last ditch backup file as accessible only by the
> user (no group or other access) before any data is written to the file.
>
> Also, ~/%backup%~ should be configurable in a variable rather than hard
> coded in lisp files.el.

I don't think it is necessary for this to be configurable because it
is just a fallback in case of error. Eg you can customize
backup-directory-alist to control where backups normally go.

A partial solution for the first problem is simple (below).
Perhaps it would be better to use a private directory inside
user-emacs-directory. But that is less visible, and maybe these files
are supposed to be noticed?

*** lisp/files.el	2010-08-18 08:07:58 +0000
--- lisp/files.el	2010-08-31 18:33:34 +0000
***************
*** 3681,3687 ****
  		     (message "Cannot write backup file; backing up in %s"
  			      backupname)
  		     (sleep-for 1)
! 		     (backup-buffer-copy real-file-name backupname modes)))
  		  (setq buffer-backed-up t)
  		  ;; Now delete the old versions, if desired.
  		  (if delete-old-versions
--- 3681,3691 ----
  		     (message "Cannot write backup file; backing up in %s"
  			      backupname)
  		     (sleep-for 1)
! 		     ;; The original file may have been in a private
! 		     ;; directory, home might not be private.  (Bug#6953)
! 		     ;; Not a perfect solution since the file is only
! 		     ;; made private after being written.
! 		     (backup-buffer-copy real-file-name backupname #o0600)))
  		  (setq buffer-backed-up t)
  		  ;; Now delete the old versions, if desired.
  		  (if delete-old-versions
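
Review bot: In the replacement call `(backup-buffer-copy real-file-name backupname #o0600)` the owner-only mode is, by the new comment's own admission, applied only after the data has been written, so a copy of a file that was protected by its directory still sits under the home directory with looser modes for a time. Consider writing the fallback into a directory that was created owner-only beforehand, or creating the target owner-only before any data goes into it, so that the "Not a perfect solution" caveat can be dropped rather than documented.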







* bug#6953: 24.0.50; serious security bug in create backup files
  2010-09-02  5:38 ` Glenn Morris
@ 2010-09-02  6:54   ` Eli Zaretskii
  2010-09-02  7:05   ` markd
  1 sibling, 0 replies; 28+ messages in thread
From: Eli Zaretskii @ 2010-09-02  6:54 UTC (permalink / raw)
  To: Glenn Morris; +Cc: 6953, markd

> From: Glenn Morris <rgm@gnu.org>
> Date: Thu, 02 Sep 2010 01:38:42 -0400
> Cc: 6953@debbugs.gnu.org
> 
> A partial solution for the first problem is simple (below).

Note that this partial solution will do nothing on MS-Windows.
(There's currently no infrastructure in Emacs to create _really_
private files and directories on MS-Windows, even on filesystems that
support file security.)






* bug#6953: 24.0.50; serious security bug in create backup files
  2010-09-02  5:38 ` Glenn Morris
  2010-09-02  6:54   ` Eli Zaretskii
@ 2010-09-02  7:05   ` markd
  2010-09-02  7:58     ` Glenn Morris
  1 sibling, 1 reply; 28+ messages in thread
From: markd @ 2010-09-02  7:05 UTC (permalink / raw)
  To: Glenn Morris; +Cc: 6953


Hi Glenn

Glenn Morris <rgm@gnu.org> writes:
> I don't think it is necessary for this to be configurable because it
> is just a fallback in case of error. Eg you can customize
> backup-directory-alist to control where backups normally go.

Not necessary, but useful if you have something like a very
small amount of space on the home file system or to put it in a
protected directory.  Also, it's just emacs-like to have all of
this stuff in a variable.

I am still concerned about the window you mention in this fix.
IMHO, it's much worse to reveal sensitive data than to just lose
changes to it.  There should at least be an option to completely
disable the ~/%backup%~ functionality.

Oh, wait, it doesn't look like there is a problem with your patch,
only the comment ;-)   backup-buffer-copy says:

	  ;; Create temp files with strict access rights.  It's easy to
	  ;; loosen them later, whereas it's impossible to close the
	  ;; time-window of loose permissions otherwise.

thanks
Mark






* bug#6953: 24.0.50; serious security bug in create backup files
  2010-09-02  7:05   ` markd
@ 2010-09-02  7:58     ` Glenn Morris
  2010-09-02 16:33       ` Mark Diekhans
  0 siblings, 1 reply; 28+ messages in thread
From: Glenn Morris @ 2010-09-02  7:58 UTC (permalink / raw)
  To: markd; +Cc: 6953

markd@soe.ucsc.edu wrote:

> Oh, wait, it doesn't look like there is a problem with your patch,
> only the comment ;-)   backup-buffer-copy says:
>
> 	  ;; Create temp files with strict access rights.  It's easy to
> 	  ;; loosen them later, whereas it's impossible to close the
> 	  ;; time-window of loose permissions otherwise.

I don't know what this comment means. There are no "temp files" AFAICS
(unless copy-file creates some internally). I think this comment may
be a leftover from when this code used write-region rather than
copy-file. Indeed the whole mode-changing bit may be as well. C-h f
copy-file says: "This function always sets the file modes of the
output file to match the input file."

Eg:

touch ~/1
chmod 644 ~/1
(set-default-file-modes ?\700)
(copy-file "~/1" "~/2" t t t)
ls -l ~/2  # -> world readable






* bug#6953: 24.0.50; serious security bug in create backup files
  2010-09-02  7:58     ` Glenn Morris
@ 2010-09-02 16:33       ` Mark Diekhans
  2010-09-08  0:03         ` Glenn Morris
  0 siblings, 1 reply; 28+ messages in thread
From: Mark Diekhans @ 2010-09-02 16:33 UTC (permalink / raw)
  To: Glenn Morris; +Cc: 6953


Ah, this is because copy-file (in fileio.c) does
      fchmod (ofd, st.st_mode & 07777);

It seems like copy-file needs an option to disable this.

The behavior of backup-buffer-copy where it keeps the existing
file would also be a hole.

mark <sigh>

Glenn Morris <rgm@gnu.org> writes:
> markd@soe.ucsc.edu wrote:
> 
> > Oh, wait, it doesn't look like there is a problem with your patch,
> > only the comment ;-)   backup-buffer-copy says:
> >
> > 	  ;; Create temp files with strict access rights.  It's easy to
> > 	  ;; loosen them later, whereas it's impossible to close the
> > 	  ;; time-window of loose permissions otherwise.
> 
> I don't know what this comment means. There are no "temp files" AFAICS
> (unless copy-file creates some internally). I think this comment may
> be a leftover from when this code used write-region rather than
> copy-file. Indeed the whole mode-changing bit may be as well. C-h f
> copy-file says: "This function always sets the file modes of the
> output file to match the input file."
> 
> Eg:
> 
> touch ~/1
> chmod 644 ~/1
> (set-default-file-modes ?\700)
> (copy-file "~/1" "~/2" t t t)
> ls -l ~/2  # -> world readable






* bug#6953: 24.0.50; serious security bug in create backup files
  2010-09-02 16:33       ` Mark Diekhans
@ 2010-09-08  0:03         ` Glenn Morris
  2010-09-08  8:52           ` Stefan Monnier
  0 siblings, 1 reply; 28+ messages in thread
From: Glenn Morris @ 2010-09-08  0:03 UTC (permalink / raw)
  To: Mark Diekhans; +Cc: 6953


An attempt at a proper fix (the manual would also need updating):

*** lisp/files.el	2010-09-05 22:03:56 +0000
--- lisp/files.el	2010-09-07 23:58:21 +0000
***************
*** 3561,3566 ****
--- 3561,3610 ----
  	  (set-auto-mode t))
      (error nil)))
  
+ (defcustom backup-fallback-directory
+   (expand-file-name "backups" user-emacs-directory)
+   "In case of error writing a backup file, write it here instead.
+ Formerly such backups were written to a file \"~/%backup%~\"."
+   :type 'directory
+   :initialize 'custom-initialize-delay
+   :version "23.3")
+ 
+ (defun backup-buffer-fallback (from-name dir)
+   "Backup FROM-NAME in private directory DIR."
+   ;; Copied from doc-view-make-safe-dir.
+   ;; FIXME should be a general function make-directory-secure?
+   ;; See http://lists.gnu.org/archive/html/emacs-devel/2007-10/msg02087.html
+   (condition-case nil
+       (let ((umask (default-file-modes)))
+         (unwind-protect
+             (progn
+               ;; Create temp files with strict access rights.  It's easy to
+               ;; loosen them later, whereas it's impossible to close the
+               ;; time-window of loose permissions otherwise.
+               (set-default-file-modes #o0700)
+               (make-directory dir))
+           ;; Reset the umask.
+           (set-default-file-modes umask)))
+     (file-already-exists
+      (if (file-symlink-p dir)
+          (error "Danger: %s points to a symbolic link" dir))
+      ;; In case it was created earlier with looser rights.
+      ;; We could check the mode info returned by file-attributes, but it's
+      ;; a pain to parse and it may not tell you what we want under
+      ;; non-standard file-systems.  So let's just say what we want and let
+      ;; the underlying C code and file-system figure it out.
+      ;; This also ends up checking a bunch of useful conditions: it makes
+      ;; sure we have write-access to the directory and that we own it, thus
+      ;; closing a bunch of security holes.
+      (set-file-modes dir #o0700)))
+   (backup-buffer-copy from-name
+ 		      (expand-file-name
+ 		       ;; cf make-backup-file-name-1.
+ 		       (subst-char-in-string
+ 			?/ ?!
+ 			(replace-regexp-in-string "!" "!!" from-name))
+ 		       dir) nil))
+ 
  (defun write-file (filename &optional confirm)
    "Write current buffer into file FILENAME.
  This makes the buffer visit that file, and marks it as not modified.
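
Review bot: In `backup-buffer-fallback`, the `condition-case` around `(make-directory dir)` handles only `file-already-exists`, and `make-directory` is called without its PARENTS argument, so if the parent of the default `(expand-file-name "backups" user-emacs-directory)` does not exist yet the error propagates and no fallback backup is written. Either pass PARENTS or handle that case explicitly. Two smaller points: the `file-symlink-p` test and the later `set-file-modes` are separate steps, so the comment about "closing a bunch of security holes" should say what happens if DIR changes between them; and the trailing `nil` passed to `backup-buffer-copy` needs a comment stating which modes the copied file ends up with, since the docstring only promises that DIR is private.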
***************
*** 3674,3687 ****
  			(rename-file real-file-name backupname t)
  			(setq setmodes (cons modes backupname)))
  		    (file-error
! 		     ;; If trouble writing the backup, write it in ~.
! 		     (setq backupname (expand-file-name
! 				       (convert-standard-filename
! 					"~/%backup%~")))
  		     (message "Cannot write backup file; backing up in %s"
! 			      backupname)
  		     (sleep-for 1)
! 		     (backup-buffer-copy real-file-name backupname modes)))
  		  (setq buffer-backed-up t)
  		  ;; Now delete the old versions, if desired.
  		  (if delete-old-versions
--- 3718,3729 ----
  			(rename-file real-file-name backupname t)
  			(setq setmodes (cons modes backupname)))
  		    (file-error
! 		     ;; Trouble writing the backup.
  		     (message "Cannot write backup file; backing up in %s"
! 			      backup-fallback-directory)
  		     (sleep-for 1)
! 		     (backup-buffer-fallback real-file-name
! 					     backup-fallback-directory)))
  		  (setq buffer-backed-up t)
  		  ;; Now delete the old versions, if desired.
  		  (if delete-old-versions
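
Review bot: The `message` in the new `file-error` branch prints `backup-fallback-directory` instead of a file name, so the user is no longer told which file holds the backup; have `backup-buffer-fallback` return the name it wrote and report that. This branch also stops updating `backupname`, so check that nothing later in the function uses it expecting the location that was actually written. The `error` that `backup-buffer-fallback` signals in the symlink case is now raised from inside this handler; add a comment saying whether letting it propagate to the caller is intended.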







* bug#6953: 24.0.50; serious security bug in create backup files
  2010-09-08  0:03         ` Glenn Morris
@ 2010-09-08  8:52           ` Stefan Monnier
  2010-09-08 15:48             ` Glenn Morris
  0 siblings, 1 reply; 28+ messages in thread
From: Stefan Monnier @ 2010-09-08  8:52 UTC (permalink / raw)
  To: Glenn Morris; +Cc: 6953, Mark Diekhans

> An attempt at a proper fix (the manual would also need updating):

Wouldn't it be better to close the window in backup-buffer-copy?


        Stefan






* bug#6953: 24.0.50; serious security bug in create backup files
  2010-09-08  8:52           ` Stefan Monnier
@ 2010-09-08 15:48             ` Glenn Morris
  2010-09-08 22:48               ` Stefan Monnier
  0 siblings, 1 reply; 28+ messages in thread
From: Glenn Morris @ 2010-09-08 15:48 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: 6953, Mark Diekhans

Stefan Monnier wrote:

>> An attempt at a proper fix (the manual would also need updating):
>
> Wouldn't it be better to close the window in backup-buffer-copy?

Sorry, what window in backup-buffer-copy?
You mean in the case where to-name is in a different directory to
from-name, eg due to backup-directory-alist?






* bug#6953: 24.0.50; serious security bug in create backup files
  2010-09-08 15:48             ` Glenn Morris
@ 2010-09-08 22:48               ` Stefan Monnier
  2010-09-09  5:28                 ` Glenn Morris
  0 siblings, 1 reply; 28+ messages in thread
From: Stefan Monnier @ 2010-09-08 22:48 UTC (permalink / raw)
  To: Glenn Morris; +Cc: 6953, Mark Diekhans

>>> An attempt at a proper fix (the manual would also need updating):
>> Wouldn't it be better to close the window in backup-buffer-copy?
> Sorry, what window in backup-buffer-copy?

The time window during which the access rights are too loose.


        Stefan






* bug#6953: 24.0.50; serious security bug in create backup files
  2010-09-08 22:48               ` Stefan Monnier
@ 2010-09-09  5:28                 ` Glenn Morris
  2010-09-09 17:09                   ` Stefan Monnier
  0 siblings, 1 reply; 28+ messages in thread
From: Glenn Morris @ 2010-09-09  5:28 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: 6953, Mark Diekhans

Stefan Monnier wrote:

> The time window during which the access rights are too loose.

Do you mean changing Fcopy_file to optionally not copy the source file
permission bits to the output file? Maybe that's better, but it would
need yet another optional argument for copy-file, which would probably
not see much use outside of this context.





^ permalink raw reply	[flat|nested] 28+ messages in thread

* bug#6953: 24.0.50; serious security bug in create backup files
  2010-09-09  5:28                 ` Glenn Morris
@ 2010-09-09 17:09                   ` Stefan Monnier
  2010-09-10  3:06                     ` Glenn Morris
  0 siblings, 1 reply; 28+ messages in thread
From: Stefan Monnier @ 2010-09-09 17:09 UTC (permalink / raw)
  To: Glenn Morris; +Cc: 6953, Mark Diekhans

>> The time window during which the access rights are too loose.
> Do you mean changing Fcopy_file to optionally not copy the source file
> permission bits to the output file?

Something like that.

> Maybe that's better, but it would need yet another optional argument
> for copy-file, which would probably not see much use outside of
> this context.

Adding yet-another-arg doesn't sound very appealing, indeed.
Maybe a better solution is to split copy-file into 2 functions: one that
copies the file data (into a file that's only readable by the current
process, or user) and another that copies various parts of its metadata
like timestamp, uid-gid, ... (this last function might be itself split
into various parts).  So copy-file can be implemented on top of those
functions and backup can use them as well.


        Stefan





^ permalink raw reply	[flat|nested] 28+ messages in thread
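
The split proposed in the message above (copy the data into an owner-only file, then apply metadata as a separate step), written against POSIX calls in C as an added example. It is not Emacs's Fcopy_file nor code from anyone in this thread; the function names copy_data_private, copy_mode_masked and perm_bits and the /tmp scratch paths are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Step 1: copy the bytes only.  The destination is created with O_EXCL and
   mode 0600, so no other user can open it at any point during the copy. */
int copy_data_private(const char *from, const char *to)
{
    char buf[4096];
    ssize_t n = 0;
    int rc = 0, in, out;
    if ((in = open(from, O_RDONLY)) < 0) return -1;
    out = open(to, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (out < 0) { close(in); return -1; }
    while (rc == 0 && (n = read(in, buf, sizeof buf)) > 0) {
        for (char *p = buf; n > 0; ) {
            ssize_t w = write(out, p, (size_t)n);
            if (w < 0) { rc = -1; break; }
            p += w; n -= w;
        }
    }
    if (n < 0) rc = -1;
    close(in);
    if (close(out) < 0) rc = -1;
    if (rc < 0) unlink(to);             /* never leave a partial copy behind */
    return rc;
}

/* Step 2: copy metadata separately.  Only source permission bits that survive
   MASK are applied; 0700 keeps group/other out whatever the source allowed. */
int copy_mode_masked(const char *from, const char *to, mode_t mask)
{
    struct stat st;
    if (stat(from, &st) < 0) return -1;
    return chmod(to, st.st_mode & 07777 & mask);
}

/* Permission bits of PATH, or -1 on error. */
int perm_bits(const char *path)
{
    struct stat st;
    return stat(path, &st) < 0 ? -1 : (int)(st.st_mode & 07777);
}

int main(void)
{
    char dir[] = "/tmp/backup-demo-XXXXXX", src[64], dst[64]; /* constructed */
    FILE *f;
    if (!mkdtemp(dir)) return 1;
    snprintf(src, sizeof src, "%s/mbox", dir);
    snprintf(dst, sizeof dst, "%s/%%backup%%~", dir);
    if (!(f = fopen(src, "w"))) return 1;
    fputs("constructed sample data\n", f);
    fclose(f);
    chmod(src, 0644);                   /* source relies on directory perms */
    if (copy_data_private(src, dst) < 0) return 1;
    printf("after data copy:     %04o\n", (unsigned)perm_bits(dst));
    if (copy_mode_masked(src, dst, 0700) < 0) return 1;
    printf("after metadata copy: %04o\n", (unsigned)perm_bits(dst));
    return 0;
}
```

Because of O_EXCL the data copy refuses to reuse an existing destination, so a caller replacing an older backup has to remove it first or write to a fresh name and rename it into place.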

* bug#6953: 24.0.50; serious security bug in create backup files
  2010-09-09 17:09                   ` Stefan Monnier
@ 2010-09-10  3:06                     ` Glenn Morris
  2010-09-13 11:44                       ` Eli Zaretskii
  0 siblings, 1 reply; 28+ messages in thread
From: Glenn Morris @ 2010-09-10  3:06 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: 6953, Mark Diekhans

Stefan Monnier wrote:

>> Do you mean changing Fcopy_file to optionally not copy the source file
>> permission bits to the output file?
>
> Something like that.

Just had a thought that this kind of approach is not going to work for
securing ~/%backup%~ files for people who have AFS home directories.
Which probably is not many in % terms, but is more than zero. In AFS,
the _only_ way to make files private to the owner is to put them in a
private directory.

On the other hand, simply creating a mode 700 directory does not
necessarily make it private, you have to use AFS commands to set ACLs.
But the approach of having backup files in a special directory would
be closer to how AFS normally works.





^ permalink raw reply	[flat|nested] 28+ messages in thread

* bug#6953: 24.0.50; serious security bug in create backup files
  2010-09-10  3:06                     ` Glenn Morris
@ 2010-09-13 11:44                       ` Eli Zaretskii
  2010-09-13 15:32                         ` Lennart Borgman
  2010-09-22  1:34                         ` Glenn Morris
  0 siblings, 2 replies; 28+ messages in thread
From: Eli Zaretskii @ 2010-09-13 11:44 UTC (permalink / raw)
  To: Glenn Morris; +Cc: 6953, markd

> From: Glenn Morris <rgm@gnu.org>
> Date: Thu, 09 Sep 2010 23:06:46 -0400
> Cc: 6953@debbugs.gnu.org, Mark Diekhans <markd@soe.ucsc.edu>
> 
> Just had a thought that this kind of approach is not going to work for
> securing ~/%backup%~ files for people who have AFS home directories.
> Which probably is not many in % terms, but is more than zero. In AFS,
> the _only_ way to make files private to the owner is to put them in a
> private directory.
> 
> On the other hand, simply creating a mode 700 directory does not
> necessarily make it private, you have to use AFS commands to set ACLs.
> But the approach of having backup files in a special directory would
> be closer to how AFS normally works.

The situation on MS-Windows is almost exactly the same.  Files put in
private directories are private by default, but creating a new private
directory requires using Windows-specific ACL APIs.

Maybe it's time to have this functionality in Emacs.





^ permalink raw reply	[flat|nested] 28+ messages in thread

* bug#6953: 24.0.50; serious security bug in create backup files
  2010-09-13 11:44                       ` Eli Zaretskii
@ 2010-09-13 15:32                         ` Lennart Borgman
  2010-09-22  1:34                         ` Glenn Morris
  1 sibling, 0 replies; 28+ messages in thread
From: Lennart Borgman @ 2010-09-13 15:32 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: markd, 6953

On Mon, Sep 13, 2010 at 1:44 PM, Eli Zaretskii <eliz@gnu.org> wrote:
>>
>> On the other hand, simply creating a mode 700 directory does not
>> necessarily make it private, you have to use AFS commands to set ACLs.
>> But the approach of having backup files in a special directory would
>> be closer to how AFS normally works.
>
> The situation on MS-Windows is almost exactly the same.  Files put in
> private directories are private by default, but creating a new private
> directory requires using Windows-specific ACL APIs.
>
> Maybe it's time to have this functionality in Emacs.

Yes, please.





^ permalink raw reply	[flat|nested] 28+ messages in thread

* bug#6953: 24.0.50; serious security bug in create backup files
  2010-09-13 11:44                       ` Eli Zaretskii
  2010-09-13 15:32                         ` Lennart Borgman
@ 2010-09-22  1:34                         ` Glenn Morris
  2010-09-25 20:21                           ` Chong Yidong
  2011-01-12  4:38                           ` Glenn Morris
  1 sibling, 2 replies; 28+ messages in thread
From: Glenn Morris @ 2010-09-22  1:34 UTC (permalink / raw)
  To: monnier; +Cc: 6953, markd


So, is there a consensus for what approach to take with this?





^ permalink raw reply	[flat|nested] 28+ messages in thread

* bug#6953: 24.0.50; serious security bug in create backup files
  2010-09-22  1:34                         ` Glenn Morris
@ 2010-09-25 20:21                           ` Chong Yidong
  2010-09-26 10:37                             ` Richard Stallman
  2011-01-12  4:38                           ` Glenn Morris
  1 sibling, 1 reply; 28+ messages in thread
From: Chong Yidong @ 2010-09-25 20:21 UTC (permalink / raw)
  To: Glenn Morris; +Cc: 6953, markd

Glenn Morris <rgm@gnu.org> writes:

> So, is there a consensus for what approach to take with this?

How about simply not making a "~/%backup%~" file?





^ permalink raw reply	[flat|nested] 28+ messages in thread

* bug#6953: 24.0.50; serious security bug in create backup files
  2010-09-25 20:21                           ` Chong Yidong
@ 2010-09-26 10:37                             ` Richard Stallman
  2010-09-28 17:26                               ` Chong Yidong
  0 siblings, 1 reply; 28+ messages in thread
From: Richard Stallman @ 2010-09-26 10:37 UTC (permalink / raw)
  To: Chong Yidong; +Cc: markd, 6953

    How about simply not making a "~/%backup%~" file?

Do you mean, make no backup file at all?





^ permalink raw reply	[flat|nested] 28+ messages in thread

* bug#6953: 24.0.50; serious security bug in create backup files
  2010-09-26 10:37                             ` Richard Stallman
@ 2010-09-28 17:26                               ` Chong Yidong
  2010-09-29 13:36                                 ` Richard Stallman
  0 siblings, 1 reply; 28+ messages in thread
From: Chong Yidong @ 2010-09-28 17:26 UTC (permalink / raw)
  To: rms; +Cc: markd, 6953

Richard Stallman <rms@gnu.org> writes:

>     How about simply not making a "~/%backup%~" file?
>
> Do you mean, make no backup file at all?

Yeah.





^ permalink raw reply	[flat|nested] 28+ messages in thread

* bug#6953: 24.0.50; serious security bug in create backup files
  2010-09-28 17:26                               ` Chong Yidong
@ 2010-09-29 13:36                                 ` Richard Stallman
  2010-09-29 13:43                                   ` Eli Zaretskii
  2010-09-29 14:25                                   ` markd
  0 siblings, 2 replies; 28+ messages in thread
From: Richard Stallman @ 2010-09-29 13:36 UTC (permalink / raw)
  To: Chong Yidong; +Cc: markd, 6953

    > Do you mean, make no backup file at all?

    Yeah.

To make no backup file seems like a gross insecurity to me.





^ permalink raw reply	[flat|nested] 28+ messages in thread

* bug#6953: 24.0.50; serious security bug in create backup files
  2010-09-29 13:36                                 ` Richard Stallman
@ 2010-09-29 13:43                                   ` Eli Zaretskii
  2010-09-29 14:25                                   ` markd
  1 sibling, 0 replies; 28+ messages in thread
From: Eli Zaretskii @ 2010-09-29 13:43 UTC (permalink / raw)
  To: rms; +Cc: 6953, cyd, markd

> From: Richard Stallman <rms@gnu.org>
> Date: Wed, 29 Sep 2010 09:36:26 -0400
> Cc: markd@soe.ucsc.edu, 6953@debbugs.gnu.org
> 
>     > Do you mean, make no backup file at all?
> 
>     Yeah.
> 
> To make no backup file seems like a gross insecurity to me.

Agreed.





^ permalink raw reply	[flat|nested] 28+ messages in thread

* bug#6953: 24.0.50; serious security bug in create backup files
  2010-09-29 13:36                                 ` Richard Stallman
  2010-09-29 13:43                                   ` Eli Zaretskii
@ 2010-09-29 14:25                                   ` markd
  1 sibling, 0 replies; 28+ messages in thread
From: markd @ 2010-09-29 14:25 UTC (permalink / raw)
  To: rms; +Cc: 6953, Chong Yidong


Just to clarify, this is the fallback backup file, ~/%backup%~,
not backup files in general.

The current approach provides a very limited and arbitrary approach to
preventing data loss:

  - there is only one ~/%backup%~ so it's arbitrary from the user's
    perspective which buffer actually gets a fallback backup.

  - there is no control over where this is saved, it may very well be
    the file system where the primary backup file could not be created
    due to lack of disk space.

In my experience over 20 years of using Emacs, this has never
been of any value.

The downside of the current implementation is extremely
serious, potentially exposing private or sensitive data to all
users of the file system.  In my case, exposing a mail box to
hundreds of users.  I would argue that this is far more serious
a problem than the very limited data loss prevention provided
by the current implementation.

thanks much for how seriously this is being taken,
mark

Richard Stallman <rms@gnu.org> writes:
>     > Do you mean, make no backup file at all?
> 
>     Yeah.
> 
> To make no backup file seems like a gross insecurity to me.







^ permalink raw reply	[flat|nested] 28+ messages in thread

* bug#6953: 24.0.50; serious security bug in create backup files
  2010-09-22  1:34                         ` Glenn Morris
  2010-09-25 20:21                           ` Chong Yidong
@ 2011-01-12  4:38                           ` Glenn Morris
  1 sibling, 0 replies; 28+ messages in thread
From: Glenn Morris @ 2011-01-12  4:38 UTC (permalink / raw)
  To: 6953

Glenn Morris wrote:

> So, is there a consensus for what approach to take with this?

It seems the answer is "no", there isn't.





^ permalink raw reply	[flat|nested] 28+ messages in thread

* bug#6953: 24.0.50; serious security bug in create backup files
  2010-08-31  6:13 bug#6953: 24.0.50; serious security bug in create backup files Mark Diekhans
  2010-09-02  5:38 ` Glenn Morris
@ 2011-01-12 15:25 ` Stefan Monnier
  2011-01-12 17:56   ` Mark Diekhans
  1 sibling, 1 reply; 28+ messages in thread
From: Stefan Monnier @ 2011-01-12 15:25 UTC (permalink / raw)
  To: Mark Diekhans; +Cc: 6953

> When Emacs is forced into writing "~/%backup%~", it may expose protected
> data to being read by others.

Regardless of what other problems there might be, such backups should
probably go somewhere under ~/.emacs.d.


        Stefan





^ permalink raw reply	[flat|nested] 28+ messages in thread

* bug#6953: 24.0.50; serious security bug in create backup files
  2011-01-12 15:25 ` Stefan Monnier
@ 2011-01-12 17:56   ` Mark Diekhans
  2011-01-12 19:29     ` Glenn Morris
  0 siblings, 1 reply; 28+ messages in thread
From: Mark Diekhans @ 2011-01-12 17:56 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: 6953

Stefan Monnier <monnier@iro.umontreal.ca> writes:
> > When Emacs is forced into writing "~/%backup%~", it may expose protected
> > data to being read by others.
> 
> Regardless of what other problems there might be, such backups should
> probably go somewhere under ~/.emacs.d.

This makes a lot of sense, and makes it possible to redirect to
a different file system by setting user-emacs-directory.
However, Emacs doesn't protect ~/.emacs.d/ either when it
creates it.  This is also a security bug.  Even the names of
files being edited should not be made public, even if the
files are private.

Is there anything I can do to help?

Mark





^ permalink raw reply	[flat|nested] 28+ messages in thread

* bug#6953: 24.0.50; serious security bug in create backup files
  2011-01-12 17:56   ` Mark Diekhans
@ 2011-01-12 19:29     ` Glenn Morris
  2011-01-12 21:56       ` Mark Diekhans
  0 siblings, 1 reply; 28+ messages in thread
From: Glenn Morris @ 2011-01-12 19:29 UTC (permalink / raw)
  To: Mark Diekhans; +Cc: 6953

Mark Diekhans wrote:

>> Regardless of what other problems there might be, such backups should
>> probably go somewhere under ~/.emacs.d.
>
> This makes a lot of sense, and makes it possible to redirect to
> a different file system by setting user-emacs-directory.

We seem to have gone in a circle.

http://debbugs.gnu.org/cgi/bugreport.cgi?bug=6953#23





^ permalink raw reply	[flat|nested] 28+ messages in thread

* bug#6953: 24.0.50; serious security bug in create backup files
  2011-01-12 19:29     ` Glenn Morris
@ 2011-01-12 21:56       ` Mark Diekhans
  2011-01-15  2:33         ` Chong Yidong
  0 siblings, 1 reply; 28+ messages in thread
From: Mark Diekhans @ 2011-01-12 21:56 UTC (permalink / raw)
  To: 6953

[-- Attachment #1: message body text --]
[-- Type: text/plain, Size: 137 bytes --]


Attached is a patch that I believe addresses both the ~/%backup%~ and
~/.emacs.d/ security issues.  It works well for me on Linux.

Mark


[-- Attachment #2: backup-security.patch --]
[-- Type: text/plain, Size: 1867 bytes --]

=== modified file 'doc/emacs/files.texi'
--- doc/emacs/files.texi	2010-07-31 17:13:03 +0000
+++ doc/emacs/files.texi	2011-01-12 21:43:13 +0000
@@ -569,8 +569,8 @@
 file for @file{eval.c} would be @file{eval.c~}.
 
   If access control stops Emacs from writing backup files under the usual
-names, it writes the backup file as @file{%backup%~} in your home
-directory.  Only one such file can exist, so only the most recently
+names, it writes the backup file as @file{~/.emacs.d/%backup%~}.
+Only one such file can exist, so only the most recently
 made such backup is available.
 
   Emacs can also make @dfn{numbered backup files}.  Numbered backup
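
Review bot: The added sentence hardcodes @file{~/.emacs.d/%backup%~}, but the lisp/files.el change builds the name with (locate-user-emacs-file "%backup%~"), which expands against user-emacs-directory, so the manual is wrong for anyone who has set that variable to another location. Wording such as "in your Emacs directory (normally @file{~/.emacs.d})" would match the code. Since the file is being moved for confidentiality, the paragraph should also tell readers that the copy is only as private as that directory's permissions.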

=== modified file 'lisp/files.el'
--- lisp/files.el	2011-01-08 21:22:19 +0000
+++ lisp/files.el	2011-01-12 20:55:55 +0000
@@ -3776,9 +3776,7 @@
 			(setq setmodes (list modes context backupname)))
 		    (file-error
 		     ;; If trouble writing the backup, write it in ~.
-		     (setq backupname (expand-file-name
-				       (convert-standard-filename
-					"~/%backup%~")))
+		     (setq backupname (locate-user-emacs-file "%backup%~"))
 		     (message "Cannot write backup file; backing up in %s"
 			      backupname)
 		     (sleep-for 1)
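
Review bot: The fallback file's own mode is still not restricted at the (setq backupname (locate-user-emacs-file "%backup%~")) line, so its privacy rests entirely on the directory it lands in, and the lisp/subr.el change in this patch only sets mode 700 when it creates that directory. With an already existing user-emacs-directory that is searchable by group or others, the backup can be as readable as ~/%backup%~ was. Consider creating the fallback copy owner-only before any data is written, as the original report asked. The context comment ";; If trouble writing the backup, write it in ~." is also stale after this change and should name the new location.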

=== modified file 'lisp/subr.el'
--- lisp/subr.el	2011-01-11 03:23:04 +0000
+++ lisp/subr.el	2011-01-12 20:53:20 +0000
@@ -2365,7 +2365,12 @@
        (or noninteractive
 	   purify-flag
 	   (file-accessible-directory-p (directory-file-name user-emacs-directory))
-	   (make-directory user-emacs-directory))
+           (let ((umask (default-file-modes)))
+             (unwind-protect
+                 (progn
+                   (set-default-file-modes ?\700)
+                   (make-directory user-emacs-directory))
+               (set-default-file-modes umask))))
        (abbreviate-file-name
         (expand-file-name new-name user-emacs-directory))))))
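
Review bot: The restricted mode only takes effect on the (make-directory user-emacs-directory) branch, which runs when file-accessible-directory-p is false, so an existing directory with looser permissions is left untouched and a backup written into it is no better protected than before. Consider checking (file-modes user-emacs-directory) for group/other bits and warning about or tightening them. Two style points: ?\700 is a character literal used as an integer, where #o700 states the intent directly, and the variable named umask holds the result of (default-file-modes), which is a creation mode rather than a mask, so a name like old-modes would be less misleading. As raised earlier in the thread, mode bits alone do not make the directory private on AFS.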
 


^ permalink raw reply	[flat|nested] 28+ messages in thread

* bug#6953: 24.0.50; serious security bug in create backup files
  2011-01-12 21:56       ` Mark Diekhans
@ 2011-01-15  2:33         ` Chong Yidong
  0 siblings, 0 replies; 28+ messages in thread
From: Chong Yidong @ 2011-01-15  2:33 UTC (permalink / raw)
  To: Mark Diekhans; +Cc: 6953

Mark Diekhans <markd@soe.ucsc.edu> writes:

> Attached is a patch that I believe addresses both the ~/%backup%~ and
> ~/.emacs.d/ security issues.

Looks reasonable; committed, thanks.





^ permalink raw reply	[flat|nested] 28+ messages in thread
