From: Paul Eggert
Newsgroups: gmane.emacs.bugs
Subject: bug#27986: 26.0.50; 'rename-file' can rename files without confirmation
Date: Mon, 14 Aug 2017 16:31:38 -0700
Organization: UCLA Computer Science Department
References: <61980dde-3d68-7200-e7f4-98f62e410060@cs.ucla.edu> <1002ee73-0ab5-409b-831f-0c283c322264@cs.ucla.edu> <83o9rignt6.fsf@gnu.org>
To: Eli Zaretskii
Cc: p.stephani2@gmail.com, 27986@debbugs.gnu.org
X-GNU-PR-Keywords: patch
In-Reply-To: <83o9rignt6.fsf@gnu.org>

Eli Zaretskii wrote:
> Could you please take a step back and elaborate on the
> races and the security problems related to this, and why the change in
> the semantics you propose is the solution?

Currently (rename-file A B) requires at least two system calls to work: one to test whether B is a directory, and the other to actually do the rename. This leads to race conditions if other actors change the file system between the two calls.

For example, suppose a victim is about to execute (rename-file "/tmp/foo" "/tmp/bar" t), and suppose an attacker wants to destroy the victim's file /home/victim/secret/foo. The attacker can do (make-symbolic-link "/home/victim/secret" "/tmp/bar"), and this will cause the victim to lose all the data in /home/victim/secret/bar even though the attacker is supposed to lack access to anything under /home/victim/secret. I doubt whether this is the only such scenario; it's just the first one that popped into my mind.

As icing on the cake, the current behavior of (rename-file A B) disagrees with its documentation when B is an existing directory.

There is no good solution to this problem. All solutions are bad, in that either they are not 100% backward compatible with existing behavior, or they continue to encourage insecure Elisp code. The proposed patch attempts to choose the least bad way forward, by making the default behavior more secure, at a relatively minor cost in compatibility. Most uses of rename-file etc. won't care about the change, and the ones that do care are likely to have security problems anyway.

The proposed solution improves security, because a common pattern in Lisp code when creating a file BAR "atomically" is to create and write a temporary file FOO and then execute (rename-file FOO BAR). Currently, this approach can be attacked in the way described when BAR's parent directory is /tmp or any similar directory. With the proposed patch, this approach cannot be hijacked in this way, because BAR will be a file name and not a directory name. That is, the call to rename-file will specify whether the destination-directory semantics are desired, rather than relying on the state of the filesystem to specify it. This is more secure because the state of the filesystem is partially under control of attackers.
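The two behaviours contrasted in the message, reproduced as an added example (not part of the bug report, the patch, or Emacs itself). Python stands in for Elisp here because the point is about rename(2) semantics, not about Emacs: `insecure_rename` mirrors the old check-then-rename logic that consults the filesystem to decide whether the destination is a directory, and `secure_rename` mirrors the proposed semantics in which the caller states whether directory semantics are wanted and the destination is otherwise always a file name. The function names, the `into_directory` flag and the sandbox layout are assumptions of this example; `demo` builds the scenario from the message in a throw-away directory so nothing outside it is touched, and reports whether the file in the protected directory survived.

```python
import os
import tempfile
from pathlib import Path


def insecure_rename(src: str, dst: str) -> str:
    """Pre-patch style (hypothetical re-creation): look at the filesystem first
    and, if DST is (or points to) a directory, move SRC into it.
    The isdir check follows symbolic links and is a separate system call from
    the rename, so whatever is on disk at check time decides where the data
    goes. Returns the path actually written."""
    if os.path.isdir(dst):  # follows symlinks; check and rename are two calls
        dst = os.path.join(dst, os.path.basename(src))
    os.replace(src, dst)  # rename(2) on POSIX
    return dst


def secure_rename(src: str, dst: str, into_directory: bool = False) -> str:
    """Proposed-patch style (hypothetical re-creation): the caller says whether
    directory semantics are wanted. By default DST is a file name, so one
    rename(2) does the job. If DST happens to be a symlink, rename(2) replaces
    the link itself rather than following it, so a planted link cannot redirect
    the write. Returns the path actually written."""
    if into_directory:
        dst = os.path.join(dst, os.path.basename(src))
    os.replace(src, dst)
    return dst


def demo(rename_fn) -> dict:
    """Run the message's scenario in a constructed sandbox:
         <sandbox>/tmp/foo      the victim's freshly written temporary file
         <sandbox>/secret/foo   a file the victim wants to keep
         <sandbox>/tmp/bar      a symlink -> <sandbox>/secret, already present
                                 when the rename runs (the race has been lost)
    Returns where the rename wrote and whether secret/foo is still intact."""
    with tempfile.TemporaryDirectory() as sandbox:
        tmp = Path(sandbox, "tmp")
        secret = Path(sandbox, "secret")
        tmp.mkdir()
        secret.mkdir()
        (secret / "foo").write_text("keep me\n")
        (tmp / "foo").write_text("new contents\n")
        os.symlink(secret, tmp / "bar")  # constructed: the link from the report

        written = rename_fn(str(tmp / "foo"), str(tmp / "bar"))
        dst = tmp / "bar"
        return {
            "wrote_into_secret": Path(written).resolve().parent == secret.resolve(),
            "secret_intact": (secret / "foo").read_text() == "keep me\n",
            "dst_is_regular_file": dst.is_file() and not dst.is_symlink(),
        }


if __name__ == "__main__":
    print("check-then-rename:", demo(insecure_rename))
    print("caller-specified :", demo(secure_rename))
```

With the check-then-rename version the temporary file lands in the protected directory and overwrites `secret/foo`; with the caller-specified version the symlink at `tmp/bar` is replaced by the file and `secret/foo` is untouched, which is exactly the "BAR is a file name, not a directory name" property the message argues for. Note that the second version only removes the directory-guessing step; a caller that explicitly passes `into_directory=True` still has to trust the directory it names.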