|
| From: | Paul Eggert |
| Subject: | Re: master 739593d 3/5: Make gnus-copy-file act like copy-file etc. |
| Date: | Wed, 13 Sep 2017 16:32:15 -0700 |
| User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 |
On 09/13/2017 02:10 PM, Lars Ingebrigtsen wrote:
The attack surface you're trying to cover is when the user is writing a file to a world-writable directory that contains a symlink that has exactly the same name as the file you're trying to write?
More generally, it's when the attacker can write the destination's parent directory. The parent need not be world-writable, and there doesn't need to be a symlink there already.
(barf-if-you're-writing-a-file-with-the-same-name-to-a-symlink-in-a-world-writable-directory FILE) function that we can slap into the affected functions and leave the interactive parts working as they have always.
I'm not following. The attack works against both interactive and non-interactive use. If we try to support the old behavior then any code that Emacs executes will be vulnerable to the attack, because the underlying system calls do not let Emacs test for safety and then rename the file before the attacker can act.
Eli is most concerned about interactive use, as am I. I reviewed noninteractive calls and fixed the few glitches that I found, so they should be OK (though of course I could have made mistakes in my review). It's the interactive use that is more of the question mark: it's what started this thread.
Another possibility would be to add a variable 'trust-other-users' that the user can set to indicate that other users on the computer are trusted, and to support the old interactive behavior if this variable is set. This approach is easier to document and implement than my previous suggestion; the downside is that the user must hassle with the new variable, and there will likely be configuration errors when users copy .emacs files from nonshared to shared computers. I thought of this long ago and rejected it for that reason and still don't like the idea much, but if the consensus is to go this direction then I'll volunteer to implement it.
These days nobody lives on shared computers, anyway
I regularly use Emacs on computers shared with users I don't fully trust. I've done so every day this week so far. Although I use Emacs more often on standalone machines, the shared-machine use case is still alive and kicking.
| [Prev in Thread] | Current Thread | [Next in Thread] |