GNU bug report logs - #27986
26.0.50; `rename-file' can rename files without confirmation

Previous Next

Package: emacs;

Reported by: Philipp <p.stephani2 <at> gmail.com>

Date: Sun, 6 Aug 2017 15:41:02 UTC

Severity: important

Tags: security

Found in version 26.0.50

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: p.stephani2 <at> gmail.com, 27986 <at> debbugs.gnu.org
Subject: bug#27986: 26.0.50; 'rename-file' can rename files without confirmation
Date: Wed, 16 Aug 2017 08:15:34 -0700

Eli Zaretskii wrote:
> You are describing a situation where the attacker somehow knows what
> file/directory will be accessed_ahead_  of Emacs actually accessing
> it.

Sure, and this happens all the time. Emacs prepares a copy of a file with the 
intent to rename the copy to the original atomically. The attacker will know 
that this is what Emacs will do, by looking at the file system or the syscalls 
Emacs issues before its code calls rename-file (e.g., Emacs will read the old 
file). So I am not supposing any kind of superhuman attack.

I do take your point that interactive use is different. So, here is a proposed 
change to the patch: if the ok-is-already-exists flag is an integer (which 
suggests interactive use), and if the destination is not a directory name 
(trailing "/") but happens to be an existing directory, then Emacs asks the user 
if it is OK to rename to a subfile of the destination. This would allay most the 
security concerns that I have, and I hope it would address most of the 
backward-compatibility concerns that you have.

> I thought you were proposing to redirect the interactive commands to
> the new functions.

I was not proposing to redirect 'M-x rename-file' etc. They would continue to 
use the old insecure behavior, for compatibility reasons.

> we cannot obsolete user commands.

Not immediately, no. But we can mark them as obsolescent and warn users about 
their use, and remove them eventually.

This issue of obsolescence is moot, though, if you agree with the above 
suggestion about ok-if-already-exists.

> if people want secure code,
> they _will_ use the more secure variants

Emacs is a relatively large and complex system, and we cannot expect users to be 
familiar with every detail. Emacs should have safe defaults, not unsafe ones.

The situation with "mv" was different, as POSIX and longstanding documentation 
required the unsafe behavior and many scripts relied on it. In contrast, the 
Emacs documentation is thoroughly muddled and contradictory in this area, and 
code using rename-file etc. would more likely benefit from the proposed change 
(because of improved security) than be hurt by it (by loss of backward 
compatibility with poorly-documented and insecure behavior).
This bug report was last modified 7 years and 257 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.