Re: Dangerous: delete-file deletes current directory as root!!

[Stefan Monnier]

> > Now, I'm not sure what `delete-file' should do.  Should it mimic `unlink'
> > or should it first check that it is not called on a directory ?
> Definitely the second one.

Do you mean it for all cases, or only for interactive use ?

> > Since the check would only be needed for `root' and since I don't
> > think that people should be running Emacs under root unless they really
> > mean it, I think the current code is fine.
> 
> I really mean it, but that's not a reason why I should ruin my file
> system by simply making a trivial mistake, that is:
> 
> M-x delete-file RET
> 
> or worse, as it happened to me:
> 
> M-x <up> RET
> 
> > Maybe we should pop up a warning message when Emacs is started
> > as root, reminding them that it can be dangerous ?
> 
> It should be no more dangerous than running a shell as root.

You say "I really mean it" but obviously you're not aware of the dangers
since you think it's no more dangerous than running a shell.  You don't
realize the amount of code Emacs uses for the simplest operations
and how many hooks and tricks it provides, all of them designed for
the user's convenience but with very little thought given to the
security implications ot to the case when the user is root (and
can thus do things that would normally fail, as in your case).

Most of Emacs' elisp code is written along the lines of "let's
take care of the expected case and we'll fix the other cases
when we bump into them".

All the shells I know have been written by people who do have
security and "user might be root" in mind at least some of the
time.  So it really cannot be compared.


        Stefan