From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!.POSTED!not-for-mail
From: Stefan Monnier <monnier@IRO.UMontreal.CA>
Newsgroups: gmane.emacs.devel
Subject: Re: Remote temporary directory
Date: Sun, 31 Jul 2016 10:19:03 -0400
Message-ID: <jwvd1ltvqvr.fsf-monnier+Inbox@gnu.org>
References: <acdfa136-1d37-a920-b572-fdd0f6e11257@gmail.com>
	<837fch1vmw.fsf@gnu.org>
	<8536522f-fa3f-9fe0-63c0-262b8191b4a3@gmail.com>
	<83h9bdttxi.fsf@gnu.org> <87lh0ons06.fsf@gmx.de>
	<83r3afst6v.fsf@gnu.org> <87k2g7pfmx.fsf_-_@gmx.de>
	<83lh0nrrjs.fsf@gnu.org> <87fuqvxbo8.fsf@gmx.de>
	<83a8h3rnib.fsf@gnu.org> <87a8h3x81p.fsf@gmx.de>
	<87oa5g42v5.fsf@gmx.de>
	<jwvk2g4jh5l.fsf-monnier+gmane.emacs.devel@gnu.org>
	<87mvky2gmi.fsf@gmx.de>
NNTP-Posting-Host: blaine.gmane.org
Mime-Version: 1.0
Content-Type: text/plain
X-Trace: blaine.gmane.org 1469974842 23476 80.91.229.8 (31 Jul 2016 14:20:42 GMT)
X-Complaints-To: usenet@blaine.gmane.org
NNTP-Posting-Date: Sun, 31 Jul 2016 14:20:42 +0000 (UTC)
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1.50 (gnu/linux)
Cc: emacs-devel@gnu.org
To: Michael Albinus <michael.albinus@gmx.de>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Sun Jul 31 16:20:27 2016
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by blaine.gmane.org with esmtp (Exim 4.84_2)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1bTrbO-000644-Si
	for ged-emacs-devel@m.gmane.org; Sun, 31 Jul 2016 16:20:27 +0200
Original-Received: from localhost ([::1]:39745 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1bTrbK-0005zj-V5
	for ged-emacs-devel@m.gmane.org; Sun, 31 Jul 2016 10:20:22 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:57031)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <monnier@iro.umontreal.ca>) id 1bTraR-0005xk-V2
	for emacs-devel@gnu.org; Sun, 31 Jul 2016 10:19:29 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <monnier@iro.umontreal.ca>) id 1bTraM-0000TJ-Ua
	for emacs-devel@gnu.org; Sun, 31 Jul 2016 10:19:26 -0400
Original-Received: from pruche.dit.umontreal.ca ([132.204.246.22]:39118)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <monnier@iro.umontreal.ca>) id 1bTraM-0000T7-Px
	for emacs-devel@gnu.org; Sun, 31 Jul 2016 10:19:22 -0400
Original-Received: from fmsmemgm.homelinux.net (lechon.iro.umontreal.ca
	[132.204.27.242])
	by pruche.dit.umontreal.ca (8.14.7/8.14.1) with ESMTP id u6VEJ8Kx020638;
	Sun, 31 Jul 2016 10:19:10 -0400
Original-Received: by fmsmemgm.homelinux.net (Postfix, from userid 20848)
	id 3C227AE0B3; Sun, 31 Jul 2016 10:19:03 -0400 (EDT)
In-Reply-To: <87mvky2gmi.fsf@gmx.de> (Michael Albinus's message of "Sun, 31
	Jul 2016 13:26:13 +0200")
X-NAI-Spam-Flag: NO
X-NAI-Spam-Threshold: 5
X-NAI-Spam-Score: 0
X-NAI-Spam-Rules: 1 Rules triggered
	RV5752=0
X-NAI-Spam-Version: 2.3.0.9418 : core <5752> : inlines <5054> : streams
	<1676591> : uri <2258134>
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
	recognized.
X-Received-From: 132.204.246.22
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/emacs-devel/>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Original-Sender: "Emacs-devel" <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Xref: news.gmane.org gmane.emacs.devel:206266
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/206266>

>> This said, there are some non-trivial security issues at stake here:
>> make-temp-file should usually only be used in directories which are
>> either only writable by "trusted" users (i.e. only by the current user),
>> or which have the magical "sticky" bit set.  So using just any writable
>> "nearby" directory is generally unsafe.
> I agree. But `make-temp-file' does not check:
> (let ((temporary-file-directory "~/")) (make-temp-file "tmp"))
> => "/home/albinus/tmp17866D3i"

No, indeed, it's hard to check it reliably.  So instead make-temp-file
relies on temporary-file-directory having a sane value.

> It will be even harder to fulfill this in the remote case.

Exactly.  And for make-nearby-temp-file the intention to save "nearby"
(in the same mount point so that `rename' works "atomically".  On AFS
file-systems this basically mean it can only be in the *same* directory)
might be impossible to satisfy while still using a safe directory.

> Shall we add
> an optional argument SAVE-DIR-ONLY to `make-temp-file' /
                       ^^^^
You mean               safe   ?

> `make-nearby-temp-file'?  If non-nil, the checks above are performed.

I don't know how to implement those checks in a robust way.


        Stefan