|
From: | Paul Eggert |
Subject: | bug#27986: 26.0.50; 'rename-file' can rename files without confirmation |
Date: | Wed, 16 Aug 2017 08:15:34 -0700 |
User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1 |
Eli Zaretskii wrote:
You are describing a situation where the attacker somehow knows what file/directory will be accessed_ahead_ of Emacs actually accessing it.
Sure, and this happens all the time. Emacs prepares a copy of a file with the intent to rename the copy to the original atomically. The attacker will know that this is what Emacs will do, by looking at the file system or the syscalls Emacs issues before its code calls rename-file (e.g., Emacs will read the old file). So I am not supposing any kind of superhuman attack.
I do take your point that interactive use is different. So, here is a proposed change to the patch: if the ok-is-already-exists flag is an integer (which suggests interactive use), and if the destination is not a directory name (trailing "/") but happens to be an existing directory, then Emacs asks the user if it is OK to rename to a subfile of the destination. This would allay most the security concerns that I have, and I hope it would address most of the backward-compatibility concerns that you have.
I thought you were proposing to redirect the interactive commands to the new functions.
I was not proposing to redirect 'M-x rename-file' etc. They would continue to use the old insecure behavior, for compatibility reasons.
we cannot obsolete user commands.
Not immediately, no. But we can mark them as obsolescent and warn users about their use, and remove them eventually.
This issue of obsolescence is moot, though, if you agree with the above suggestion about ok-if-already-exists.
if people want secure code, they _will_ use the more secure variants
Emacs is a relatively large and complex system, and we cannot expect users to be familiar with every detail. Emacs should have safe defaults, not unsafe ones.
The situation with "mv" was different, as POSIX and longstanding documentation required the unsafe behavior and many scripts relied on it. In contrast, the Emacs documentation is thoroughly muddled and contradictory in this area, and code using rename-file etc. would more likely benefit from the proposed change (because of improved security) than be hurt by it (by loss of backward compatibility with poorly-documented and insecure behavior).
[Prev in Thread] | Current Thread | [Next in Thread] |