From: gaetan.leurent@ens.fr (Gaëtan LEURENT)
To: rms@gnu.org
Cc: emacs-devel@gnu.org
Newsgroups: gmane.emacs.devel
Subject: Re: Race-condition ?
Date: Sun, 26 Jun 2005 21:52:03 +0200

Richard M. Stallman wrote on 26 Jun 2005 06:46:13 +0200:

> Would you like to check some of them?

I'll look at it.

> The crucial question is, does a call to set-file-modes introduce a
> worse problem than what existed anyway. For instance, if someone
> could put a hardlink where you will chmod it, could he also put a
> hardlink where you will write the contents of the file?

Yes, that needs to be checked in each case. In the case of copy_file,
someone could put a hardlink when you write the file, but then emacs
should warn you that the file already exists (you should never overwrite
files in public writable directories because it is unsafe -- you must
first delete the file).

In fact, by looking again at the code of Fcopy_file, I see that the way
emacs does it is also vulnerable to race-condition attacks: we first
check if the file exists with barf_or_query_if_file_exists, and then we
open the file (it is also done in a few other functions in fileio.c).
If the file was created in-between, it will be overwritten without any
warning.

The correct way to do this is to open the file with O_CREAT|O_EXCL and
ask the user what to do if it fails with EEXIST. As far as I know, it's
the only way to check for the existence of a file and create it
atomically.

I don't know how we should fix this one, maybe by replacing
barf_or_query_if_file_exists with some
open_and_barf_or_query_if_file_exists?

-- 
Gaëtan LEURENT
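
The two patterns the message contrasts, as an added example that is not part of the original post and is not Emacs code. The names racy_create, atomic_create, plant_file and run_demo are hypothetical, and plant_file stands in for another process creating the file between the check and the open.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for another process creating the file mid-race. */
static void plant_file(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd >= 0) { ssize_t n = write(fd, "precious", 8); (void)n; close(fd); }
}
static long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Check, then open in a second step. Returns an fd, or -errno. */
static int racy_create(const char *path, void (*window)(const char *)) {
    struct stat st;
    if (stat(path, &st) == 0) return -EEXIST;  /* caller would query the user */
    if (window) window(path);                  /* file appears after the check */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    return fd >= 0 ? fd : -errno;
}

/* Existence check and creation in one system call. Returns an fd, or -errno. */
static int atomic_create(const char *path, void (*window)(const char *)) {
    if (window) window(path);                  /* same interleaving */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    return fd >= 0 ? fd : -errno;              /* -EEXIST: query the user now */
}

/* Runs both patterns in a private scratch directory; 0 means as expected. */
int run_demo(void) {
    char dir[] = "/tmp/excl-demo-XXXXXX", path[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/target", dir);
    int fd = racy_create(path, plant_file);
    int clobbered = fd >= 0 && file_size(path) == 0;   /* planted data lost */
    if (fd >= 0) close(fd);
    unlink(path);
    int rc = atomic_create(path, plant_file);
    int kept = rc == -EEXIST && file_size(path) == 8;  /* planted data intact */
    unlink(path);
    rmdir(dir);
    return (clobbered ? 0 : 1) | (kept ? 0 : 2);
}
int main(void) { return run_demo(); }
```

With O_CREAT|O_EXCL, open also fails with EEXIST when the final path component is a symbolic link, so the same call covers a link planted at the destination.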