GNU bug report logs - #57395
28.1; tramp-allow-unsafe-temporary-files assumes root:root rw-r--r-- files are secret and assumes temporary-directory is public

Previous Next

Package: emacs;

Reported by: "Trent W. Buck" <trentbuck <at> gmail.com>

Date: Thu, 25 Aug 2022 03:03:01 UTC

Severity: normal

Tags: patch

Merged with 62260

Found in versions 28.1, 30.0.50

Full log

View this message in rfc822 format

From: Manuel Giraud <manuel <at> ledu-giraud.fr>
To: "Trent W. Buck" <trentbuck <at> gmail.com>
Cc: 57395 <at> debbugs.gnu.org
Subject: bug#57395: 28.1; tramp-allow-unsafe-temporary-files assumes root:root rw-r--r-- files are secret and assumes temporary-directory is public
Date: Sun, 19 Mar 2023 22:03:36 +0100

"Trent W. Buck" <trentbuck <at> gmail.com> writes:

[...]

> It looks like Emacs 28's tramp is concerned about an attack like this:
>
>    1. I open /ssh:example.com:/etc/shadow
>    2. I make a change but don't hit C-x C-s right away
>    3. auto-save creates a WORLD-READABLE backup in local /tmp
>    4. oops, now attackers on the local system can read the passwords
>    from /tmp/shadow.XXXXXX!

FWIW, I tested this on the upcoming Emacs 29 and it is not the case
anymore.  If the remote file is owned by root and mode 0600, the
corresponding auto-save file will be owned by the user and also mode
0600 (not world-readable).  I think it makes sense since said user was
granted access to this file.

[...]

> There are several problems here.
>
>    1. if you say "no" to the security prompt,
>       the file buffer is actually open.
>       It just remains in fundamental mode, and
>       is not made the current buffer.
>
>       You can select it without another warning with C-x C-f or C-x b.

This is still true in Emacs 29 and a problem as a "no" should not open
the file.

>    2. tramp wrongly assumes every root-owned file is secret.
>       This is silly for files like

[...]

>    3. tramp assumes non-root-owned files are NOT secret, i.e.
>       lulls users into a false sense of protection.

[...]

>    4. tramp wrongly assumes temporary-file-directory is public.
>       This is true for /tmp but not for $XDG_RUNTIME_DIR.

[...]

Those three points are also still true in Emacs 29.  I think we need a
more fine grained method to tell if a file is "dangerous" and if
'temporary-file-directory' is safe enough.

> I think the current large number of false-positives (#2, #4) and
> mean that this security check is currently harmful.
>
> Quacking/googling suggests everyone else who runs into this prompt, simply turns it off.
> Rather than disabling it per-user, I'd rather we improve it.
> Or, decide it's too hard to improve, and remove it entirely (thereby
> reducing maintenance burden).

I think it is better to improve than to remove those checks.
-- 
Manuel Giraud
This bug report was last modified 2 years and 88 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.