From: Paul Eggert
Subject: Re: master 739593d 3/5: Make gnus-copy-file act like copy-file etc.
Date: Wed, 13 Sep 2017 13:41:25 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
On 09/13/2017 01:11 PM, Lars Ingebrigtsen wrote:
> What are the security implications of writing the file to the directory if the user (interactively) types in that directory name?
If the attacker knows what the user is up to (and this can be guessed often enough by looking at what Emacs has done to the file system recently), the attacker can hijack the rename. For example, if you type 'M-x rename-file RET abc RET /tmp/def RET', the attacker can create a symlink /tmp/def to a victim directory D so that the file abc is moved to D/abc rather than to its intended location /tmp/def.
This attack can happen only when the destination's parent directory (/tmp in the above example) is writable to the attacker. So we could bring back support for interactive renames to destination directories whose parents are writable only by self or root. (Most likely the actual rule will be more complicated than this, but the basic idea will work.) This would lessen the scope of the change, albeit at the cost of complication of the documentation and implementation.
> The user can type anything, like "/home/larsi" and "/var/tmp" and the behaviour should be the same across directories.
/home/larsi and /var/tmp should both be safe destinations in the above sense, as their parents aren't writable to others. So they would both work without the trailing slash, under the above proposal.
I'd rather leave it alone as it's simpler and easier to describe the way it is, and I type the same keystrokes as before since I normally use tab completion which adds a trailing / which gives me visual feedback that it's a move into a directory which is a win. But I can be talked into something like the above if it'd be valuable for others' interactive use. (Do you type "/ h o m e / l a r s i" by hand a lot? :-)
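The rule proposed in this message (treat a destination typed without a trailing slash as a directory only when its parent is writable by nobody but self or root) can be sketched in Python as follows. This is an added example, not Emacs code and not part of the original message; the function names, the mode-bit-only check (ACLs ignored) and the constructed temporary tree are assumptions.

```python
import os
import stat
import tempfile

def parent_is_private(dest):
    """True if only the caller or root can create entries in dest's parent."""
    parent = os.path.dirname(os.path.abspath(dest))
    st = os.stat(parent)  # follows symlinks: judge the real directory
    if st.st_uid not in (0, os.geteuid()):
        return False
    # Mode bits only; ACLs are not consulted (simplification).
    return not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)

def resolve_destination(src, dest):
    """Return the path that renaming src to dest should actually target."""
    name = os.path.basename(os.path.abspath(src))
    if dest.endswith("/"):
        return os.path.join(dest, name)      # explicit "move into directory"
    if os.path.isdir(dest) and parent_is_private(dest):
        return os.path.join(dest, name)      # nobody else could have planted dest
    return dest                              # treat as a literal file name

def demo():
    """Build a constructed tree and resolve three destinations in it."""
    root = tempfile.mkdtemp()
    private = os.path.join(root, "private")
    shared = os.path.join(root, "shared")    # stands in for /tmp (mode 1777)
    victim = os.path.join(root, "victim")
    for path, mode in ((private, 0o755), (shared, 0o1777), (victim, 0o700)):
        os.mkdir(path)
        os.chmod(path, mode)                 # chmod so the umask cannot interfere
    os.mkdir(os.path.join(private, "def"))
    os.symlink(victim, os.path.join(shared, "def"))  # link someone else could plant
    return {
        "private": resolve_destination("abc", os.path.join(private, "def")),
        "shared": resolve_destination("abc", os.path.join(shared, "def")),
        "slash": resolve_destination("abc", os.path.join(shared, "out") + "/"),
        "root": root,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

In the shared directory the slash-less destination stays a literal file name, so the symlink is never followed into the victim directory; the sticky bit does not change this, because anyone can still create new entries there.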