
bug#27986: 26.0.50; 'rename-file' can rename files without confirmation


From: Paul Eggert
Subject: bug#27986: 26.0.50; 'rename-file' can rename files without confirmation
Date: Wed, 16 Aug 2017 08:15:34 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1

Eli Zaretskii wrote:
You are describing a situation where the attacker somehow knows what
file/directory will be accessed _ahead_ of Emacs actually accessing
it.

Sure, and this happens all the time. Emacs prepares a copy of a file with the intent to rename the copy to the original atomically. The attacker will know that this is what Emacs will do, by looking at the file system or the syscalls Emacs issues before its code calls rename-file (e.g., Emacs will read the old file). So I am not supposing any kind of superhuman attack.

I do take your point that interactive use is different. So, here is a proposed change to the patch: if the ok-if-already-exists flag is an integer (which suggests interactive use), and if the destination is not a directory name (trailing "/") but happens to be an existing directory, then Emacs asks the user if it is OK to rename to a subfile of the destination. This would allay most of the security concerns that I have, and I hope it would address most of the backward-compatibility concerns that you have.

I thought you were proposing to redirect the interactive commands to
the new functions.

I was not proposing to redirect 'M-x rename-file' etc. They would continue to use the old insecure behavior, for compatibility reasons.

we cannot obsolete user commands.

Not immediately, no. But we can mark them as obsolescent and warn users about their use, and remove them eventually.

This issue of obsolescence is moot, though, if you agree with the above suggestion about ok-if-already-exists.

if people want secure code,
they _will_ use the more secure variants

Emacs is a relatively large and complex system, and we cannot expect users to be familiar with every detail. Emacs should have safe defaults, not unsafe ones.

The situation with "mv" was different, as POSIX and longstanding documentation required the unsafe behavior and many scripts relied on it. In contrast, the Emacs documentation is thoroughly muddled and contradictory in this area, and code using rename-file etc. would more likely benefit from the proposed change (because of improved security) than be hurt by it (by loss of backward compatibility with poorly-documented and insecure behavior).
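The check proposed above (integer ok-if-already-exists meaning interactive use, destination written without a trailing "/" but turning out to be an existing directory, so ask before renaming into it), written out as an added Emacs Lisp illustration. This is not Paul Eggert's patch and not code from the Emacs tree; the function names `safe-rename-file` and `safe-rename-file-interactive`, the prompt wording, and the decision to signal an error in the non-interactive case are assumptions made here.

```elisp
;; Added illustration, not the patch under discussion.  Wraps the
;; existing `rename-file' with the confirmation step described in the
;; message; all names below are assumptions.
(defun safe-rename-file (file newname &optional ok-if-already-exists)
  "Rename FILE to NEWNAME, confirming before renaming into a directory.
Takes the same arguments as `rename-file'.  When OK-IF-ALREADY-EXISTS
is an integer (the value interactive callers pass) and NEWNAME is not
written as a directory name (no trailing \"/\") yet names an existing
directory, ask the user before renaming FILE to a subfile of it.  In
non-interactive use the same situation signals an error instead of
silently renaming (an assumption of this example, not of the thread)."
  (let ((target (expand-file-name newname)))
    (when (and (not (directory-name-p target)) ; caller wrote a file name
               (file-directory-p target))      ; but a directory sits there
      ;; A directory pre-created at TARGET would otherwise cause
      ;; `rename-file' to move FILE inside it rather than replace it.
      (let ((subfile (expand-file-name (file-name-nondirectory file)
                                       (file-name-as-directory target))))
        (if (integerp ok-if-already-exists)
            (unless (yes-or-no-p
                     (format "%s is an existing directory; rename %s to %s? "
                             target file subfile))
              (user-error "Rename cancelled"))
          (error "Refusing to rename %s into existing directory %s"
                 file target))))
    (rename-file file newname ok-if-already-exists)))

(defun safe-rename-file-interactive (file newname ok-if-already-exists)
  "Interactive front end: `p' supplies the prefix argument as an integer,
which is what marks the call as interactive for `safe-rename-file'."
  (interactive "fRename file: \nFRename %s to: \np")
  (safe-rename-file file newname ok-if-already-exists))
```

Calling `(safe-rename-file "notes.txt" "backup" 1)` when `backup` is an existing directory prompts before producing `backup/notes.txt`; the same call with `"backup/"` as the destination proceeds as a deliberate move into the directory. Note that a wrapper like this is still check-then-act: an attacker who creates the directory between `file-directory-p` and `rename-file` gets the old behaviour, which is why the message argues for changing the default of `rename-file` itself rather than relying on callers to add checks.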
