all messages for Emacs-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* trusted-content seems to have effect only with sources specified.
@ 2024-12-27  7:04 Michelangelo Rodriguez
  2024-12-27  8:33 ` Eli Zaretskii
  0 siblings, 1 reply; 11+ messages in thread
From: Michelangelo Rodriguez @ 2024-12-27  7:04 UTC (permalink / raw)
  To: emacs-devel

If i set `trusted-content' to:
"~/.emacs.d/elpa/elfeed/
And i visit say "elfeed.el",
and i enable `flymake-mode'
I get the following:
"""Disabling elisp-flymake-byte-compile in elfeed.el (untrusted
content)"
If i add "~/.emacs.d/elpa/elfeed/elfeed.el"
it works as expected.



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: trusted-content seems to have effect only with sources specified.
  2024-12-27  7:04 trusted-content seems to have effect only with sources specified Michelangelo Rodriguez
@ 2024-12-27  8:33 ` Eli Zaretskii
  2024-12-27  9:24   ` Michelangelo Rodriguez
                     ` (3 more replies)
  0 siblings, 4 replies; 11+ messages in thread
From: Eli Zaretskii @ 2024-12-27  8:33 UTC (permalink / raw)
  To: Michelangelo Rodriguez; +Cc: emacs-devel

> From: Michelangelo Rodriguez <michelangelo.rodriguez@gmail.com>
> Date: Fri, 27 Dec 2024 08:04:17 +0100
> 
> If i set `trusted-content' to:
> "~/.emacs.d/elpa/elfeed/
> And i visit say "elfeed.el",
> and i enable `flymake-mode'
> I get the following:
> """Disabling elisp-flymake-byte-compile in elfeed.el (untrusted
> content)"

I cannot reproduce this.  I don't have elfeed installed, but I used a
different file and subdirectory of ~/.emacs.d/, and didn't get the
disabling message.

Can you show the precise steps to reproduce the problem, starting from
"emacs -Q"?  Because at least the way you set trusted-content is not
clear to me: the value should be a list, but you say you set it to
"~/.emacs.d/elpa/elfeed/", which is a string.  Or maybe elfeed.el
loads files outside of the directory you declared to be safe?



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: trusted-content seems to have effect only with sources specified.
  2024-12-27  8:33 ` Eli Zaretskii
@ 2024-12-27  9:24   ` Michelangelo Rodriguez
  2024-12-27  9:39   ` Michelangelo Rodriguez
                     ` (2 subsequent siblings)
  3 siblings, 0 replies; 11+ messages in thread
From: Michelangelo Rodriguez @ 2024-12-27  9:24 UTC (permalink / raw)
  To: emacs-devel

Eli Zaretskii <eliz@gnu.org> writes:

>> From: Michelangelo Rodriguez <michelangelo.rodriguez@gmail.com>
>> Date: Fri, 27 Dec 2024 08:04:17 +0100
>> 
>> If i set `trusted-content' to:
>> "~/.emacs.d/elpa/elfeed/
>> And i visit say "elfeed.el",
>> and i enable `flymake-mode'
>> I get the following:
>> """Disabling elisp-flymake-byte-compile in elfeed.el (untrusted
>> content)"
>
> I cannot reproduce this.  I don't have elfeed installed, but I used a
> different file and subdirectory of ~/.emacs.d/, and didn't get the
> disabling message.
>
> Can you show the precise steps to reproduce the problem, starting from
> "emacs -Q"?  Because at least the way you set trusted-content is not
> clear to me: the value should be a list, but you say you set it to
> "~/.emacs.d/elpa/elfeed/", which is a string.  Or maybe elfeed.el
> loads files outside of the directory you declared to be safe?
Sorry, i copied the contents of the customization buffer, but it is a
list.
The value is:
("~/.emacs.d/elpa/greader/greader.el" "~/.emacs.d/elpa/elfeed/")
With this value, i can enable flymake-mode in greader.el but not in
elfeed.el.
If i set '("~/.emacs.d/elpa/greader/") either in greader.el i get the
message.



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: trusted-content seems to have effect only with sources specified.
  2024-12-27  8:33 ` Eli Zaretskii
  2024-12-27  9:24   ` Michelangelo Rodriguez
@ 2024-12-27  9:39   ` Michelangelo Rodriguez
  2024-12-27 12:31     ` Eli Zaretskii
  2024-12-27 10:07   ` Michelangelo Rodriguez
  2024-12-27 23:02   ` Michelangelo Rodriguez
  3 siblings, 1 reply; 11+ messages in thread
From: Michelangelo Rodriguez @ 2024-12-27  9:39 UTC (permalink / raw)
  To: emacs-devel

However, with a fresh session it works.
So it should depend from something i have in my configuration file, bug
what it could be?

Eli Zaretskii <eliz@gnu.org> writes:

>> From: Michelangelo Rodriguez <michelangelo.rodriguez@gmail.com>
>> Date: Fri, 27 Dec 2024 08:04:17 +0100
>> 
>> If i set `trusted-content' to:
>> "~/.emacs.d/elpa/elfeed/
>> And i visit say "elfeed.el",
>> and i enable `flymake-mode'
>> I get the following:
>> """Disabling elisp-flymake-byte-compile in elfeed.el (untrusted
>> content)"
>
> I cannot reproduce this.  I don't have elfeed installed, but I used a
> different file and subdirectory of ~/.emacs.d/, and didn't get the
> disabling message.
>
> Can you show the precise steps to reproduce the problem, starting from
> "emacs -Q"?  Because at least the way you set trusted-content is not
> clear to me: the value should be a list, but you say you set it to
> "~/.emacs.d/elpa/elfeed/", which is a string.  Or maybe elfeed.el
> loads files outside of the directory you declared to be safe?



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: trusted-content seems to have effect only with sources specified.
  2024-12-27  8:33 ` Eli Zaretskii
  2024-12-27  9:24   ` Michelangelo Rodriguez
  2024-12-27  9:39   ` Michelangelo Rodriguez
@ 2024-12-27 10:07   ` Michelangelo Rodriguez
  2024-12-27 23:02   ` Michelangelo Rodriguez
  3 siblings, 0 replies; 11+ messages in thread
From: Michelangelo Rodriguez @ 2024-12-27 10:07 UTC (permalink / raw)
  To: emacs-devel

There is the backtrace i get:
"Debugger entered--Lisp error: (error "Disabling elisp-flymake-byte-compile in greader.el (untrusted content)")
  error("Disabling elisp-flymake-byte-compile in %s (untrusted content)" "greader.el")
  elisp-flymake-byte-compile(#f(compiled-function (&rest args) #<bytecode -0x15eb6515a3691f83>))
  apply(elisp-flymake-byte-compile #f(compiled-function (&rest args) #<bytecode -0x15eb6515a3691f83>) nil)
  flymake--run-backend(elisp-flymake-byte-compile nil)
  #f(compiled-function (backend) #<bytecode -0x7f65577e7e0159b>)(elisp-flymake-byte-compile)
  flymake-start((on-display) nil)
  #f(compiled-function () #<bytecode 0x883a798531d0c11>)()
".
Eli Zaretskii <eliz@gnu.org> writes:

>> From: Michelangelo Rodriguez <michelangelo.rodriguez@gmail.com>
>> Date: Fri, 27 Dec 2024 08:04:17 +0100
>> 
>> If i set `trusted-content' to:
>> "~/.emacs.d/elpa/elfeed/
>> And i visit say "elfeed.el",
>> and i enable `flymake-mode'
>> I get the following:
>> """Disabling elisp-flymake-byte-compile in elfeed.el (untrusted
>> content)"
>
> I cannot reproduce this.  I don't have elfeed installed, but I used a
> different file and subdirectory of ~/.emacs.d/, and didn't get the
> disabling message.
>
> Can you show the precise steps to reproduce the problem, starting from
> "emacs -Q"?  Because at least the way you set trusted-content is not
> clear to me: the value should be a list, but you say you set it to
> "~/.emacs.d/elpa/elfeed/", which is a string.  Or maybe elfeed.el
> loads files outside of the directory you declared to be safe?



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: trusted-content seems to have effect only with sources specified.
  2024-12-27  9:39   ` Michelangelo Rodriguez
@ 2024-12-27 12:31     ` Eli Zaretskii
  0 siblings, 0 replies; 11+ messages in thread
From: Eli Zaretskii @ 2024-12-27 12:31 UTC (permalink / raw)
  To: Michelangelo Rodriguez; +Cc: emacs-devel

> From: Michelangelo Rodriguez <michelangelo.rodriguez@gmail.com>
> Date: Fri, 27 Dec 2024 10:39:39 +0100
> 
> However, with a fresh session it works.

In a fresh session with -Q or in a fresh session with your usual
configuration?  If the latter, then your customizations are not the
culprit.

> So it should depend from something i have in my configuration file, bug
> what it could be?

Try bisecting your init file(s), perhaps.



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: trusted-content seems to have effect only with sources specified.
  2024-12-27  8:33 ` Eli Zaretskii
                     ` (2 preceding siblings ...)
  2024-12-27 10:07   ` Michelangelo Rodriguez
@ 2024-12-27 23:02   ` Michelangelo Rodriguez
  2024-12-28  9:38     ` Eli Zaretskii
  3 siblings, 1 reply; 11+ messages in thread
From: Michelangelo Rodriguez @ 2024-12-27 23:02 UTC (permalink / raw)
  To: emacs-devel

I discovered the issue, i think.
Incidentally the packages i refer in `trusted-content' are installed via
`package-vc-install-from-checkout', that generates a symlink in the
directory in which we install our packages.
If i specify in `trusted-content' the symlink, it generates the error.
So we should specify only real paths.

Eli Zaretskii <eliz@gnu.org> writes:

>> From: Michelangelo Rodriguez <michelangelo.rodriguez@gmail.com>
>> Date: Fri, 27 Dec 2024 08:04:17 +0100
>> 
>> If i set `trusted-content' to:
>> "~/.emacs.d/elpa/elfeed/
>> And i visit say "elfeed.el",
>> and i enable `flymake-mode'
>> I get the following:
>> """Disabling elisp-flymake-byte-compile in elfeed.el (untrusted
>> content)"
>
> I cannot reproduce this.  I don't have elfeed installed, but I used a
> different file and subdirectory of ~/.emacs.d/, and didn't get the
> disabling message.
>
> Can you show the precise steps to reproduce the problem, starting from
> "emacs -Q"?  Because at least the way you set trusted-content is not
> clear to me: the value should be a list, but you say you set it to
> "~/.emacs.d/elpa/elfeed/", which is a string.  Or maybe elfeed.el
> loads files outside of the directory you declared to be safe?



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: trusted-content seems to have effect only with sources specified.
  2024-12-27 23:02   ` Michelangelo Rodriguez
@ 2024-12-28  9:38     ` Eli Zaretskii
  2024-12-28 14:48       ` Stefan Monnier
  0 siblings, 1 reply; 11+ messages in thread
From: Eli Zaretskii @ 2024-12-28  9:38 UTC (permalink / raw)
  To: Michelangelo Rodriguez, Stefan Monnier; +Cc: emacs-devel

> From: Michelangelo Rodriguez <michelangelo.rodriguez@gmail.com>
> Date: Sat, 28 Dec 2024 00:02:54 +0100
> 
> I discovered the issue, i think.
> Incidentally the packages i refer in `trusted-content' are installed via
> `package-vc-install-from-checkout', that generates a symlink in the
> directory in which we install our packages.
> If i specify in `trusted-content' the symlink, it generates the error.
> So we should specify only real paths.

I think it's a feature: it will catch the case of a malicious symlink
that redirects your trusted file/directory to a different place.

Stefan, do you agree?



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: trusted-content seems to have effect only with sources specified.
  2024-12-28  9:38     ` Eli Zaretskii
@ 2024-12-28 14:48       ` Stefan Monnier
  2024-12-28 19:12         ` Michelangelo Rodriguez
  0 siblings, 1 reply; 11+ messages in thread
From: Stefan Monnier @ 2024-12-28 14:48 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: Michelangelo Rodriguez, emacs-devel

>> I discovered the issue, i think.
>> Incidentally the packages i refer in `trusted-content' are installed via
>> `package-vc-install-from-checkout', that generates a symlink in the
>> directory in which we install our packages.
>> If i specify in `trusted-content' the symlink, it generates the error.
>> So we should specify only real paths.
>
> I think it's a feature:

It was done on purpose, yes:

    (defun trusted-content-p ()
      "Return non-nil if we trust the contents of the current buffer.
    Here, \"trust\" means that we are willing to run code found inside of it.
    See also `trusted-content'."
      ;; We compare with `buffer-file-truename' i.s.o `buffer-file-name'
      ;; to try and avoid marking as trusted a file that's merely accessed
      ;; via a symlink that happens to be inside a trusted dir.

> it will catch the case of a malicious symlink
> that redirects your trusted file/directory to a different place.

In his case, the symlink presumably can't be malicious since it's inside
a trusted directory.  But I didn't want this trust to be transitive:
just because the symlink is non-malicious doesn't mean the target can't
contain things we can't control.  You may setup a perfectly valid symlink
to an area where you download random crap.


        Stefan




^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: trusted-content seems to have effect only with sources specified.
  2024-12-28 14:48       ` Stefan Monnier
@ 2024-12-28 19:12         ` Michelangelo Rodriguez
  2024-12-28 19:26           ` Eli Zaretskii
  0 siblings, 1 reply; 11+ messages in thread
From: Michelangelo Rodriguez @ 2024-12-28 19:12 UTC (permalink / raw)
  To: emacs-devel

Stefan Monnier <monnier@iro.umontreal.ca> writes:

>>> I discovered the issue, i think.
>>> Incidentally the packages i refer in `trusted-content' are installed via
>>> `package-vc-install-from-checkout', that generates a symlink in the
>>> directory in which we install our packages.
>>> If i specify in `trusted-content' the symlink, it generates the error.
>>> So we should specify only real paths.
>>
>> I think it's a feature:
>
> It was done on purpose, yes:
>
>     (defun trusted-content-p ()
>       "Return non-nil if we trust the contents of the current buffer.
>     Here, \"trust\" means that we are willing to run code found inside of it.
>     See also `trusted-content'."
>       ;; We compare with `buffer-file-truename' i.s.o `buffer-file-name'
>       ;; to try and avoid marking as trusted a file that's merely accessed
>       ;; via a symlink that happens to be inside a trusted dir.
>
>> it will catch the case of a malicious symlink
>> that redirects your trusted file/directory to a different place.
>
> In his case, the symlink presumably can't be malicious since it's inside
> a trusted directory.  But I didn't want this trust to be transitive:
> just because the symlink is non-malicious doesn't mean the target can't
> contain things we can't control.  You may setup a perfectly valid symlink
> to an area where you download random crap.
Maybe this feature should be documented?
`package-vc-install-from-checkout' is an api built-in emacs, that creates
symbolic links.
If an user tries to trust this "kind" of package, and it remains
untrusted, her/him will switch to trust all the content.
We should indicate that we have to use the true file name.
Regards,



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: trusted-content seems to have effect only with sources specified.
  2024-12-28 19:12         ` Michelangelo Rodriguez
@ 2024-12-28 19:26           ` Eli Zaretskii
  0 siblings, 0 replies; 11+ messages in thread
From: Eli Zaretskii @ 2024-12-28 19:26 UTC (permalink / raw)
  To: Michelangelo Rodriguez; +Cc: emacs-devel

> From: Michelangelo Rodriguez <michelangelo.rodriguez@gmail.com>
> Date: Sat, 28 Dec 2024 20:12:27 +0100
> 
> Stefan Monnier <monnier@iro.umontreal.ca> writes:
> 
> > It was done on purpose, yes:
> >
> >     (defun trusted-content-p ()
> >       "Return non-nil if we trust the contents of the current buffer.
> >     Here, \"trust\" means that we are willing to run code found inside of it.
> >     See also `trusted-content'."
> >       ;; We compare with `buffer-file-truename' i.s.o `buffer-file-name'
> >       ;; to try and avoid marking as trusted a file that's merely accessed
> >       ;; via a symlink that happens to be inside a trusted dir.
> >
> >> it will catch the case of a malicious symlink
> >> that redirects your trusted file/directory to a different place.
> >
> > In his case, the symlink presumably can't be malicious since it's inside
> > a trusted directory.  But I didn't want this trust to be transitive:
> > just because the symlink is non-malicious doesn't mean the target can't
> > contain things we can't control.  You may setup a perfectly valid symlink
> > to an area where you download random crap.
> Maybe this feature should be documented?
> `package-vc-install-from-checkout' is an api built-in emacs, that creates
> symbolic links.
> If an user tries to trust this "kind" of package, and it remains
> untrusted, her/him will switch to trust all the content.
> We should indicate that we have to use the true file name.

Isn't it obvious that trust should be given to actual files and
directories, not links to them?



^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2024-12-28 19:26 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-12-27  7:04 trusted-content seems to have effect only with sources specified Michelangelo Rodriguez
2024-12-27  8:33 ` Eli Zaretskii
2024-12-27  9:24   ` Michelangelo Rodriguez
2024-12-27  9:39   ` Michelangelo Rodriguez
2024-12-27 12:31     ` Eli Zaretskii
2024-12-27 10:07   ` Michelangelo Rodriguez
2024-12-27 23:02   ` Michelangelo Rodriguez
2024-12-28  9:38     ` Eli Zaretskii
2024-12-28 14:48       ` Stefan Monnier
2024-12-28 19:12         ` Michelangelo Rodriguez
2024-12-28 19:26           ` Eli Zaretskii

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/emacs.git
	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.