From: Glenn Morris <rgm@gnu.org>
To: Mark Diekhans <markd@soe.ucsc.edu>
Cc: 6953@debbugs.gnu.org
Subject: bug#6953: 24.0.50; serious security bug in create backup files
Date: Tue, 07 Sep 2010 20:03:13 -0400	[thread overview]
Message-ID: <moy6bdm79a.fsf@fencepost.gnu.org> (raw)
In-Reply-To: <19583.53728.357608.629758@bugle.cse.ucsc.edu> (Mark Diekhans's message of "Thu\, 2 Sep 2010 09\:33\:36 -0700")


An attempt at a proper fix (the manual would also need updating):

*** lisp/files.el	2010-09-05 22:03:56 +0000
--- lisp/files.el	2010-09-07 23:58:21 +0000
***************
*** 3561,3566 ****
--- 3561,3610 ----
  	  (set-auto-mode t))
      (error nil)))
  
+ (defcustom backup-fallback-directory
+   (expand-file-name "backups" user-emacs-directory)
+   "In case of error writing a backup file, write it here instead.
+ Formerly such backups were written to a file \"~/%backup%~\"."
+   :type 'directory
+   :initialize 'custom-initialize-delay
+   :version "23.3")
+ 
+ (defun backup-buffer-fallback (from-name dir)
+   "Backup FROM-NAME in private directory DIR."
+   ;; Copied from doc-view-make-safe-dir.
+   ;; FIXME should be a general function make-directory-secure?
+   ;; See http://lists.gnu.org/archive/html/emacs-devel/2007-10/msg02087.html
+   (condition-case nil
+       (let ((umask (default-file-modes)))
+         (unwind-protect
+             (progn
+               ;; Create temp files with strict access rights.  It's easy to
+               ;; loosen them later, whereas it's impossible to close the
+               ;; time-window of loose permissions otherwise.
+               (set-default-file-modes #o0700)
+               (make-directory dir))
+           ;; Reset the umask.
+           (set-default-file-modes umask)))
+     (file-already-exists
+      (if (file-symlink-p dir)
+          (error "Danger: %s points to a symbolic link" dir))
+      ;; In case it was created earlier with looser rights.
+      ;; We could check the mode info returned by file-attributes, but it's
+      ;; a pain to parse and it may not tell you what we want under
+      ;; non-standard file-systems.  So let's just say what we want and let
+      ;; the underlying C code and file-system figure it out.
+      ;; This also ends up checking a bunch of useful conditions: it makes
+      ;; sure we have write-access to the directory and that we own it, thus
+      ;; closing a bunch of security holes.
+      (set-file-modes dir #o0700)))
+   (backup-buffer-copy from-name
+ 		      (expand-file-name
+ 		       ;; cf make-backup-file-name-1.
+ 		       (subst-char-in-string
+ 			?/ ?!
+ 			(replace-regexp-in-string "!" "!!" from-name))
+ 		       dir) nil))
+ 
  (defun write-file (filename &optional confirm)
    "Write current buffer into file FILENAME.
  This makes the buffer visit that file, and marks it as not modified.
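Review bot: In `backup-buffer-fallback`, the `file-already-exists` branch tests `(file-symlink-p dir)` and then calls `(set-file-modes dir #o0700)` on the same path name as two separate steps, so the protection depends on nobody else being able to replace DIR in between. That holds for the default under `user-emacs-directory`, but `backup-fallback-directory` is a defcustom and its docstring does not state the requirement. I would add to the docstring: `The parent of this directory must be writable only by you; do not point it at a shared location such as /tmp.` The comment saying `set-file-modes` confirms ownership is also worth qualifying, since that check presumably does not hold when Emacs runs as root. Separately, `(make-directory dir)` is called without creating parents, so a missing parent signals an error other than `file-already-exists`, which this function does not handle.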
***************
*** 3674,3687 ****
  			(rename-file real-file-name backupname t)
  			(setq setmodes (cons modes backupname)))
  		    (file-error
! 		     ;; If trouble writing the backup, write it in ~.
! 		     (setq backupname (expand-file-name
! 				       (convert-standard-filename
! 					"~/%backup%~")))
  		     (message "Cannot write backup file; backing up in %s"
! 			      backupname)
  		     (sleep-for 1)
! 		     (backup-buffer-copy real-file-name backupname modes)))
  		  (setq buffer-backed-up t)
  		  ;; Now delete the old versions, if desired.
  		  (if delete-old-versions
--- 3718,3729 ----
  			(rename-file real-file-name backupname t)
  			(setq setmodes (cons modes backupname)))
  		    (file-error
! 		     ;; Trouble writing the backup.
  		     (message "Cannot write backup file; backing up in %s"
! 			      backup-fallback-directory)
  		     (sleep-for 1)
! 		     (backup-buffer-fallback real-file-name
! 					     backup-fallback-directory)))
  		  (setq buffer-backed-up t)
  		  ;; Now delete the old versions, if desired.
  		  (if delete-old-versions
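Review bot: The call to `backup-buffer-fallback` in the new `file-error` handler is not itself protected, so the `error` it raises for a symlinked directory, or any failure from `make-directory` or `set-file-modes`, leaves this handler uncaught as far as the hunk shows; the enclosing function starts and ends outside the hunk. Failing rather than writing to an untrusted location is a sound choice, but it should be stated at the call, e.g. `;; Errors from the fallback propagate on purpose: better no backup than one in an unsafe directory.` The message is also displayed before the attempt and now names only the directory, so a user cannot tell from it which file holds the backup or whether it was written at all. Note too that `modes` is no longer passed (the helper gives nil to `backup-buffer-copy`), so whether the fallback copy ends up with the original file's restrictive permissions depends on code not visible here and should be confirmed.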





