From: Paul Eggert
Newsgroups: gmane.emacs.devel
Subject: Re: master 739593d 3/5: Make gnus-copy-file act like copy-file etc.
Date: Wed, 13 Sep 2017 16:32:15 -0700
Organization: UCLA Computer Science Department
References: <20170911053128.28763.28434@vcs0.savannah.gnu.org> <20170911053130.C5F002068F@vcs0.savannah.gnu.org> <87o9qecs1t.fsf@mouse.gnus.org> <87a81ycqau.fsf@mouse.gnus.org> <122fe4a2-2e96-9167-c815-42aa962c3da0@cs.ucla.edu> <87tw06b8yr.fsf@mouse.gnus.org>
In-Reply-To: <87tw06b8yr.fsf@mouse.gnus.org>
To: Lars Ingebrigtsen
Cc: Katsumi Yamaoka, emacs-devel@gnu.org
Xref: news.gmane.org gmane.emacs.devel:218244

On 09/13/2017 02:10 PM, Lars Ingebrigtsen wrote:
> The attack surface you're trying to cover is when the user is writing a
> file to a world-writable directory that contains a symlink that has
> exactly the same name as the file you're trying to write?
More generally, it's when the attacker can write the destination's parent
directory. The parent need not be world-writable, and there doesn't need
to be a symlink there already.

> (barf-if-you're-writing-a-file-with-the-same-name-to-a-symlink-in-a-world-writable-directory FILE)
>
> function that we can slap into the affected functions and leave the
> interactive parts working as they have always.

I'm not following. The attack works against both interactive and
non-interactive use. If we try to support the old behavior then any code
that Emacs executes will be vulnerable to the attack, because the
underlying system calls do not let Emacs test for safety and then rename
the file before the attacker can act.

Eli is most concerned about interactive use, as am I. I reviewed
noninteractive calls and fixed the few glitches that I found, so they
should be OK (though of course I could have made mistakes in my review).
It's the interactive use that is more of the question mark: it's what
started this thread.

Another possibility would be to add a variable 'trust-other-users' that
the user can set to indicate that other users on the computer are
trusted, and to support the old interactive behavior if this variable is
set. This approach is easier to document and implement than my previous
suggestion; the downside is that the user must hassle with the new
variable, and there will likely be configuration errors when users copy
.emacs files from nonshared to shared computers. I thought of this long
ago and rejected it for that reason and still don't like the idea much,
but if the consensus is to go this direction then I'll volunteer to
implement it.

> These days nobody lives on shared computers, anyway

I regularly use Emacs on computers shared with users I don't fully
trust. I've done so every day this week so far. Although I use Emacs
more often on standalone machines, the shared-machine use case is still
alive and kicking.
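The point in the message above, that a "check first, then create" helper cannot be made safe because the system calls give no way to test and then act atomically, is easiest to see with the two patterns side by side. The C program below is an added illustration and is not Emacs code or anything from this thread: `create_dest_checked` does the lstat-then-open that such a barf-if-unsafe helper amounts to, and `create_dest_atomic` instead hands the check to the kernel with `O_CREAT|O_EXCL|O_NOFOLLOW`, which POSIX defines to fail with EEXIST when the name is now a symlink. The `race_hook` callback and the `plant_symlink` function are a constructed stand-in for whatever another user of the directory does in the window between the check and the open; the temp directory, file names and contents are constructed sample data.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hook run between the existence check and the open(), standing in for
   whatever another user does in that window.  NULL means nobody acts. */
typedef void (*race_hook)(const char *dest, void *arg);

/* Vulnerable pattern: test, then create.  The lstat() answer is stale by
   the time open() runs, and open() without O_EXCL/O_NOFOLLOW follows a
   symlink that appeared in between.  Returns an fd or -1 with errno set. */
int create_dest_checked(const char *dest, race_hook hook, void *arg)
{
    struct stat st;
    if (lstat(dest, &st) == 0) {     /* something is there: refuse */
        errno = EEXIST;
        return -1;
    }
    if (hook)
        hook(dest, arg);             /* the world changes here */
    return open(dest, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: no user-space pre-check at all.  O_EXCL makes the
   kernel fail creation if any object (symlink included) now occupies
   the name; O_NOFOLLOW additionally refuses to traverse a symlink at the
   final component.  The same hook runs, but there is no window to win. */
int create_dest_atomic(const char *dest, race_hook hook, void *arg)
{
    if (hook)
        hook(dest, arg);
    return open(dest, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed stand-in for a hostile neighbour who can write the parent
   directory: the destination name becomes a symlink to another file. */
static void plant_symlink(const char *dest, void *arg)
{
    symlink((const char *)arg, dest);
}

/* Runs one scenario in a fresh temp directory.  Returns 1 if the
   "victim" file was overwritten through the symlink, 0 if it survived,
   -1 on setup failure.  creator is one of the two functions above. */
int victim_clobbered(int (*creator)(const char *, race_hook, void *))
{
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    if (!mkdtemp(dir)) {             /* fall back to the working directory */
        strcpy(dir, "./symlink-demo-XXXXXX");
        if (!mkdtemp(dir))
            return -1;
    }
    char victim[256], dest[256];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(dest, sizeof dest, "%s/dest", dir);

    /* Constructed sample: a file the user owns and never meant to touch. */
    const char *orig = "important data\n";
    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0 || write(vfd, orig, strlen(orig)) < 0)
        return -1;
    close(vfd);

    /* The "copy": create dest and write the copied contents into it. */
    int fd = creator(dest, plant_symlink, victim);
    if (fd >= 0) {
        const char *payload = "copied file contents\n";
        if (write(fd, payload, strlen(payload)) < 0)
            return -1;
        close(fd);
    }

    /* Did the write land in the victim instead of a new dest file? */
    char buf[64] = {0};
    int rfd = open(victim, O_RDONLY);
    if (rfd < 0)
        return -1;
    ssize_t n = read(rfd, buf, sizeof buf - 1);
    close(rfd);
    int clobbered = !(n == (ssize_t)strlen(orig) && memcmp(buf, orig, (size_t)n) == 0);

    unlink(dest);
    unlink(victim);
    rmdir(dir);
    return clobbered;
}

int main(void)
{
    printf("lstat then open:   victim %s\n",
           victim_clobbered(create_dest_checked) == 1 ? "clobbered" : "intact");
    printf("O_EXCL|O_NOFOLLOW: victim %s\n",
           victim_clobbered(create_dest_atomic) == 1 ? "clobbered" : "intact");
    return 0;
}
```

Run stand-alone, the first line reports the victim clobbered and the second reports it intact, even though the symlink is planted in both runs. That is the whole argument against a user-space safety check: the only check that cannot be raced is the one the kernel performs inside open(), and any interactive convenience layered on top has to be built from flags like these rather than from a preceding stat.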