From: bug#6953 <6953@debbugs.gnu.org>
To: bug#6953 <6953@debbugs.gnu.org>
Subject: Status: 24.0.50; serious security bug in create backup files
Date: Wed, 10 Sep 2025 01:22:01 +0000

retitle 6953 24.0.50; serious security bug in create backup files
reassign 6953 emacs
submitter 6953 Mark Diekhans
severity 6953 important
thanks

From: Mark Diekhans
To: bug-gnu-emacs@gnu.org
Subject: 24.0.50; serious security bug in create backup files
Date: Mon, 30 Aug 2010 23:13:29 -0700

When emacs is forced into writing "~/%backup%~", it may expose
protected data to being read by others. For instance, a file that is
protected by directory permissions rather than file permissions could
end up being written in a world readable home directory. For instance
I just discovered that ~/%backup%~ was a world readable copy of my mail
box on a shared file system.

Emacs should create the last ditch backup file as accessible only by the
user (no group or other access) before any data is written to the file.

Also, ~/%backup%~ should be configurable in a variable rather than hard
coded in lisp files.el.

In GNU Emacs 24.0.50.1 (x86_64-unknown-linux-gnu)
 of 2010-08-30 on hgwdev
configured using `configure '--prefix=/cluster/home/markd/compbio/work/emacs/local' 'CFLAGS=-g -O2' 'LDFLAGS=-L/cluster/home/markd/opt/centos5.2/x86_64/lib' 'CPPFLAGS=-I/cluster/home/markd/opt/centos5.2/x86_64/include''

Important settings:
  value of $LC_ALL: nil
  value of $LC_COLLATE: nil
  value of $LC_CTYPE: nil
  value of $LC_MESSAGES: nil
  value of $LC_MONETARY: nil
  value of $LC_NUMERIC: nil
  value of $LC_TIME: nil
  value of $LANG: C
  value of $XMODIFIERS: nil
  locale-coding-system: nil
  default enable-multibyte-characters: t

Major mode: Emacs-Lisp

Minor modes in effect:
  display-time-mode: t
  shell-dirtrack-mode: t
  tooltip-mode: t
  mouse-wheel-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t
  abbrev-mode: t

From: Glenn Morris
To: Mark Diekhans
Cc: 6953@debbugs.gnu.org
Subject: Re: bug#6953: 24.0.50; serious security bug in create backup files
Date: Thu, 02 Sep 2010 01:38:42 -0400

Mark Diekhans wrote:

> Emacs should create the last ditch backup file as accessible only by the
> user (no group or other access) before any data is written to the file.
>
> Also, ~/%backup%~ should be configurable in a variable rather than hard
> coded in lisp files.el.

I don't think it is necessary for this to be configurable because it
is just a fallback in case of error. Eg you can customize
backup-directory-alist to control where backups normally go.

A partial solution for the first problem is simple (below).
Perhaps it would be better to use a private directory inside
user-emacs-directory. But that is less visible, and maybe these files
are supposed to be noticed?

*** lisp/files.el 2010-08-18 08:07:58 +0000 --- lisp/files.el 2010-08-31 18:33:34 +0000 *************** *** 3681,3687 **** (message "Cannot write backup file; backing up in %s" backupname) (sleep-for 1) ! (backup-buffer-copy real-file-name backupname modes))) (setq buffer-backed-up t) ;; Now delete the old versions, if desired. (if delete-old-versions --- 3681,3691 ---- (message "Cannot write backup file; backing up in %s" backupname) (sleep-for 1) ! ;; The original file may have been in a private ! ;; directory, home might not be private. (Bug#6953) ! ;; Not a perfect solution since the file is only ! ;; made private after being written. !
(backup-buffer-copy real-file-name backupname #o0600))) (setq buffer-backed-up t) ;; Now delete the old versions, if desired. (if delete-old-versions

From: Eli Zaretskii
To: Glenn Morris
Cc: 6953@debbugs.gnu.org, markd@soe.ucsc.edu
Subject: Re: bug#6953: 24.0.50; serious security bug in create backup files
Date: Thu, 02 Sep 2010 02:54:17 -0400

> From: Glenn Morris
> Date: Thu, 02 Sep 2010 01:38:42 -0400
> Cc: 6953@debbugs.gnu.org
>
> A partial solution for the first problem is simple (below).

Note that this partial solution will do nothing on MS-Windows.
(There's currently no infrastructure in Emacs to create _really_
private files and directories on MS-Windows, even on filesystems that
support file security.)

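
Review bot: In the lisp/files.el hunk posted by Glenn Morris above, the comment added beside the changed call concedes that the fallback copy "is only made private after being written", and that interval is the exposure Bug#6953 reports, so passing #o0600 to backup-buffer-copy narrows the problem without closing it. Have the fallback file exist with owner-only mode before any data is copied into it, or write it inside a directory only the user can enter, and then drop the caveat from the comment. The call also stops passing "modes"; if discarding the original file's mode for this fallback is intended, say so in the comment.
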
From: markd@soe.ucsc.edu
To: Glenn Morris
Cc: 6953@debbugs.gnu.org
Subject: Re: bug#6953: 24.0.50; serious security bug in create backup files
Date: Thu, 2 Sep 2010 00:05:30 -0700

Hi Glenn

Glenn Morris writes:
> I don't think it is necessary for this to be configurable because it
> is just a fallback in case of error. Eg you can customize
> backup-directory-alist to control where backups normally go.

Not necessary, but useful if you have something like a very small
amount of space on the home file system or to put it in a protected
directory. Also, it's just emacs-like to have all of this stuff in
a variable.

I am still concerned about the window you mention in this fix. IMHO,
it's much worse to reveal sensitive data than to just lose changes to
it. There should at least be an option to completely disable the
~/%backup%~ functionality.

Oh, wait, it doesn't look like there is a problem with your patch,
only the comment ;-) backup-buffer-copy says:

  ;; Create temp files with strict access rights. It's easy to
  ;; loosen them later, whereas it's impossible to close the
  ;; time-window of loose permissions otherwise.

thanks
Mark

To: markd@soe.ucsc.edu
Subject: Re: bug#6953: 24.0.50; serious security bug in create backup files
From: Glenn Morris
Date: Thu, 02 Sep 2010 03:58:26 -0400
In-Reply-To: <19583.19642.954872.847808@bugle.cse.ucsc.edu> (markd@soe.ucsc.edu's message of "Thu\, 2 Sep 2010 00\:05\:30 -0700")
Cc: 6953@debbugs.gnu.org

markd@soe.ucsc.edu wrote:

> Oh, wait, it doesn't look like there is a problem with your patch,
> only the comment ;-) backup-buffer-copy says:
>
> ;; Create temp files with strict access rights. It's easy to
> ;; loosen them later, whereas it's impossible to close the
> ;; time-window of loose permissions otherwise.

I don't know what this comment means. There are no "temp files" AFAICS
(unless copy-file creates some internally). I think this comment may
be a leftover from when this code used write-region rather than
copy-file. Indeed the whole mode-changing bit may be as well. C-h f
copy-file says: "This function always sets the file modes of the
output file to match the input file."

Eg:

touch ~/1
chmod 644 ~/1
(set-default-file-modes ?\700)
(copy-file "~/1" "~/2" t t t)
ls -l ~/2   # -> world readable

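The behaviour in the transcript above, as an added C example (not Emacs source, and not code from any participant in this thread): one copy routine forces the output's mode to match the input, the other makes the output owner-only before any data is written and never reuses an existing file. The function names, the /tmp scratch directory and the sample files are assumptions constructed for the demonstration.

```c
/* Added example, not Emacs source: the mode of a copy made two ways. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy the data unless rc already reports failure; close both ends.  */
static int copy_and_close(int ifd, int ofd, int rc)
{
    char buf[4096];
    ssize_t n;
    /* A short write is treated as an error.  */
    while (rc == 0 && (n = read(ifd, buf, sizeof buf)) != 0)
        if (n < 0 || write(ofd, buf, (size_t) n) != n)
            rc = -1;
    close(ifd);
    return close(ofd) < 0 ? -1 : rc;
}

/* Output mode follows the input mode, whatever mode the output was
   created with: the copy-file behaviour discussed in the thread.  */
int copy_propagating_mode(const char *src, const char *dst)
{
    struct stat st;
    int ifd = open(src, O_RDONLY);
    int ofd = ifd < 0 ? -1 : open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (ofd < 0) {
        if (ifd >= 0)
            close(ifd);
        return -1;
    }
    int rc = fstat(ifd, &st);
    if (rc == 0)
        rc = fchmod(ofd, st.st_mode & 07777);
    return copy_and_close(ifd, ofd, rc);
}

/* Output is owner-only before the first byte is written.  An existing
   file at dst is unlinked, never reused, so its old mode cannot carry over.  */
int copy_private(const char *src, const char *dst)
{
    int ifd = open(src, O_RDONLY);
    if (ifd < 0)
        return -1;
    int ofd = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (ofd < 0 && errno == EEXIST && unlink(dst) == 0)
        ofd = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (ofd < 0) {
        close(ifd);
        return -1;
    }
    /* The umask can only clear bits of 0600; set the mode exactly.  */
    return copy_and_close(ifd, ofd, fchmod(ofd, 0600));
}

/* Create path with text and exactly the given mode (constructed input).  */
static int make_file(const char *path, const char *text, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    int rc = write(fd, text, strlen(text)) < 0 ? -1 : fchmod(fd, mode);
    return close(fd) < 0 ? -1 : rc;
}

/* Run one scenario in a fresh temporary directory; return the copy's
   permission bits, or -1 on error.  which: 0 = propagating copy,
   1 = private copy, 2 = private copy over an existing 0666 file.  */
int demo_mode(int which)
{
    char dir[] = "/tmp/backup-demo-XXXXXX";  /* assumed scratch location */
    char src[64], dst[64];
    struct stat st;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(src, sizeof src, "%s/mbox", dir);
    snprintf(dst, sizeof dst, "%s/%%backup%%~", dir);
    int rc = make_file(src, "constructed sample data\n", 0644);
    if (rc == 0 && which == 2)
        rc = make_file(dst, "stale copy\n", 0666);
    if (rc == 0)
        rc = which == 0 ? copy_propagating_mode(src, dst) : copy_private(src, dst);
    int mode = rc == 0 && stat(dst, &st) == 0 ? (int) (st.st_mode & 07777) : -1;
    unlink(src);
    unlink(dst);
    rmdir(dir);
    return mode;
}

int main(void)
{
    printf("propagating: %04o  private: %04o  private over existing: %04o\n",
           (unsigned) demo_mode(0), (unsigned) demo_mode(1), (unsigned) demo_mode(2));
    return 0;
}
```
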
From: Mark Diekhans
Date: Thu, 2 Sep 2010 09:33:36 -0700
To: Glenn Morris
Subject: Re: bug#6953: 24.0.50; serious security bug in create backup files

Ah, this is because copy-file (in fileio.c) does

fchmod (ofd, st.st_mode & 07777);

It seems like copy-file needs an option to disable this.

The behavior of backup-buffer-copy where it keeps the existing file
would also be a hole.

mark

Glenn Morris writes:
> markd@soe.ucsc.edu wrote:
>
> > Oh, wait, it doesn't look like there is a problem with your patch,
> > only the comment ;-) backup-buffer-copy says:
> >
> > ;; Create temp files with strict access rights. It's easy to
> > ;; loosen them later, whereas it's impossible to close the
> > ;; time-window of loose permissions otherwise.
>
> I don't know what this comment means. There are no "temp files" AFAICS
> (unless copy-file creates some internally). I think this comment may
> be a leftover from when this code used write-region rather than
> copy-file. Indeed the whole mode-changing bit may be as well. C-h f
> copy-file says: "This function always sets the file modes of the
> output file to match the input file."
>
> Eg:
>
> touch ~/1
> chmod 644 ~/1
> (set-default-file-modes ?\700)
> (copy-file "~/1" "~/2" t t t)
> ls -l ~/2 # -> world readable

From: Glenn Morris
To: Mark Diekhans
Subject: Re: bug#6953: 24.0.50; serious security bug in create backup files
Date: Tue, 07 Sep 2010 20:03:13 -0400

An attempt at a proper fix (the manual would also need updating):

*** lisp/files.el 2010-09-05 22:03:56 +0000 --- lisp/files.el 2010-09-07 23:58:21 +0000 *************** *** 3561,3566 **** --- 3561,3610 ---- (set-auto-mode t)) (error nil))) + (defcustom backup-fallback-directory + (expand-file-name "backups" user-emacs-directory) + "In case of error writing a backup file, write it here instead. + Formerly such backups were written to a file \"~/%backup%~\"." + :type 'directory + :initialize 'custom-initialize-delay + :version "23.3") + + (defun backup-buffer-fallback (from-name dir) + "Backup FROM-NAME in private directory DIR." + ;; Copied from doc-view-make-safe-dir. + ;; FIXME should be a general function make-directory-secure? + ;; See http://lists.gnu.org/archive/html/emacs-devel/2007-10/msg02087.html + (condition-case nil + (let ((umask (default-file-modes))) + (unwind-protect + (progn + ;; Create temp files with strict access rights. It's easy to + ;; loosen them later, whereas it's impossible to close the + ;; time-window of loose permissions otherwise. 
+ (set-default-file-modes #o0700) + (make-directory dir)) + ;; Reset the umask. + (set-default-file-modes umask))) + (file-already-exists + (if (file-symlink-p dir) + (error "Danger: %s points to a symbolic link" dir)) + ;; In case it was created earlier with looser rights. + ;; We could check the mode info returned by file-attributes, but it's + ;; a pain to parse and it may not tell you what we want under + ;; non-standard file-systems. So let's just say what we want and let + ;; the underlying C code and file-system figure it out. + ;; This also ends up checking a bunch of useful conditions: it makes + ;; sure we have write-access to the directory and that we own it, thus + ;; closing a bunch of security holes. + (set-file-modes dir #o0700))) + (backup-buffer-copy from-name + (expand-file-name + ;; cf make-backup-file-name-1. + (subst-char-in-string + ?/ ?! + (replace-regexp-in-string "!" "!!" from-name)) + dir) nil)) + (defun write-file (filename &optional confirm) "Write current buffer into file FILENAME. This makes the buffer visit that file, and marks it as not modified. *************** *** 3674,3687 **** (rename-file real-file-name backupname t) (setq setmodes (cons modes backupname))) (file-error ! ;; If trouble writing the backup, write it in ~. ! (setq backupname (expand-file-name ! (convert-standard-filename ! "~/%backup%~"))) (message "Cannot write backup file; backing up in %s" ! backupname) (sleep-for 1) ! (backup-buffer-copy real-file-name backupname modes))) (setq buffer-backed-up t) ;; Now delete the old versions, if desired. (if delete-old-versions --- 3718,3729 ---- (rename-file real-file-name backupname t) (setq setmodes (cons modes backupname))) (file-error ! ;; Trouble writing the backup. (message "Cannot write backup file; backing up in %s" ! backup-fallback-directory) (sleep-for 1) ! (backup-buffer-fallback real-file-name ! backup-fallback-directory))) (setq buffer-backed-up t) ;; Now delete the old versions, if desired. 
(if delete-old-versions
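
Review bot: in the first hunk, backup-buffer-fallback calls (make-directory dir) without the PARENTS argument and its condition-case handles only file-already-exists, so when the parent of backup-fallback-directory (by default user-emacs-directory) does not exist, the resulting file-error escapes and no backup is written. Either create the parents under the same tight default modes or handle that error explicitly. The file-already-exists branch also rejects a symlink but accepts any other existing non-directory, so a file-directory-p check belongs next to the file-symlink-p one. The copied comment still says "Create temp files with strict access rights" although this code creates a directory; reword it for its new context.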
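
Review bot: in the second hunk, the message now prints backup-fallback-directory where the old code printed the full backupname, so the user is no longer told which file holds the backup, and the name is rewritten with "!" inside backup-buffer-fallback. Have backup-buffer-fallback return the file name it wrote and report that in the message. The call also sits inside the file-error handler, so the "Danger: %s points to a symbolic link" error raised by the fallback propagates to the caller; the docstring or the manual update should say whether aborting at that point is intended.
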
From: Stefan Monnier
To: Glenn Morris
Subject: Re: bug#6953: 24.0.50; serious security bug in create backup files
Date: Wed, 08 Sep 2010 10:52:15 +0200

> An attempt at a proper fix (the manual would also need updating):

Wouldn't it be better to close the window in backup-buffer-copy?

Stefan

From: Glenn Morris
To: Stefan Monnier
Subject: Re: bug#6953: 24.0.50; serious security bug in create backup files
Date: Wed, 08 Sep 2010 11:48:59 -0400

Stefan Monnier wrote:

>> An attempt at a proper fix (the manual would also need updating):
>
> Wouldn't it be better to close the window in backup-buffer-copy?

Sorry, what window in backup-buffer-copy?

You mean in the case where to-name is in a different directory to
from-name, eg due to backup-directory-alist?

From: Stefan Monnier
To: Glenn Morris
Subject: Re: bug#6953: 24.0.50; serious security bug in create backup files
Date: Thu, 09 Sep 2010 00:48:38 +0200

>>> An attempt at a proper fix (the manual would also need updating):
>> Wouldn't it be better to close the window in backup-buffer-copy?
> Sorry, what window in backup-buffer-copy?

The time window during which the access rights are too loose.

Stefan

From: Glenn Morris
To: Stefan Monnier
Subject: Re: bug#6953: 24.0.50; serious security bug in create backup files
Date: Thu, 09 Sep 2010 01:28:18 -0400

Stefan Monnier wrote:

> The time window during which the access rights are too loose.

Do you mean changing Fcopy_file to optionally not copy the source file
permission bits to the output file?

Maybe that's better, but it would need yet another optional argument
for copy-file, which would probably not see much use outside of
this context.

From: Stefan Monnier
To: Glenn Morris
Subject: Re: bug#6953: 24.0.50; serious security bug in create backup files
Date: Thu, 09 Sep 2010 19:09:47 +0200

>> The time window during which the access rights are too loose.
> Do you mean changing Fcopy_file to optionally not copy the source file
> permission bits to the output file?

Something like that.

> Maybe that's better, but it would need yet another optional argument
> for copy-file, which would probably not see much use outside of
> this context.

Adding yet-another-arg doesn't sound very appealing, indeed.
Maybe a better solution is to split copy-file into 2 functions: one that
copies the file data (into a file that's only readable by the current
process, or user) and another that copies various parts of its metadata
like timestamp, uid-gid, ... (this last function might be itself split
into various parts).
So copy-file can be implemented on top of those functions and backup can
use them as well.

Stefan

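The split proposed in the message above, combined with the private-directory check from the earlier patch, sketched in C (the language of fileio.c) as an added example that is not part of the thread or of Emacs. All function names and the /tmp paths are assumptions made for the demonstration, and it relies on POSIX mode bits only, so it does not cover the ACL-based cases raised elsewhere in the thread.

```c
/* Added example, not Emacs source; every function name is hypothetical. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create DIR with mode 0700, or adopt an existing one only if it is a real
   directory (not a symlink) that we own.  Returns 0 on success, else -1. */
int ensure_private_dir(const char *dir)
{
    struct stat st;
    int fd, ok;
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    /* Check and chmod through one descriptor so both act on the same object;
       O_NOFOLLOW makes a symlink planted at DIR fail the open. */
    fd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    ok = fstat(fd, &st) == 0 && st.st_uid == geteuid() && fchmod(fd, 0700) == 0;
    close(fd);
    return ok ? 0 : -1;
}

/* Data step: copy SRC into a new file DST that is 0600 from the moment it
   exists.  O_EXCL refuses to reuse an existing file, whatever its modes.
   Returns a descriptor open on DST, or -1. */
int copy_data_private(const char *src, const char *dst)
{
    char buf[4096];
    ssize_t n = 0;
    int out, in = open(src, O_RDONLY);
    if (in < 0)
        return -1;
    out = open(dst, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    while (out >= 0 && (n = read(in, buf, sizeof buf)) > 0) {
        ssize_t off = 0, w;
        while (off < n && (w = write(out, buf + off, (size_t)(n - off))) > 0)
            off += w;
        if (off < n) { n = -1; break; }     /* write failed */
    }
    close(in);
    if (out >= 0 && n < 0) {    /* I/O error: leave no partial backup behind */
        close(out);
        unlink(dst);
        return -1;
    }
    return out;
}

/* Metadata step, separate and optional: apply SRC's permission bits to the
   copy, limited to the bits set in KEEP. */
int copy_mode_masked(const char *src, int out_fd, mode_t keep)
{
    struct stat st;
    return stat(src, &st) == 0 ? fchmod(out_fd, st.st_mode & 07777 & keep) : -1;
}

/* Constructed demo: back up a 0644 file into a private directory and return
   the backup's permission bits, or -1 on failure (a second copy onto the same
   name being accepted counts as failure).  KEEP = 07777 mimics the fchmod
   quoted in the thread; KEEP = 0700 never grants group/other access. */
int demo_backup_mode(mode_t keep)
{
    char tmp[] = "/tmp/bkdemoXXXXXX", src[64], dir[64], dst[64];
    struct stat st;
    int fd, mode = -1;
    if (!mkdtemp(tmp))
        return -1;
    snprintf(src, sizeof src, "%s/notes.txt", tmp);
    snprintf(dir, sizeof dir, "%s/backups", tmp);
    snprintf(dst, sizeof dst, "%s/notes.txt~", dir);
    fd = open(src, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && write(fd, "data\n", 5) == 5 && fchmod(fd, 0644) == 0
        && ensure_private_dir(dir) == 0) {
        int out = copy_data_private(src, dst);
        int again = copy_data_private(src, dst);    /* must be refused */
        if (out >= 0 && again < 0 && copy_mode_masked(src, out, keep) == 0
            && fstat(out, &st) == 0)
            mode = (int)(st.st_mode & 07777);
        if (out >= 0) close(out);
        if (again >= 0) close(again);
    }
    if (fd >= 0) close(fd);
    unlink(dst); rmdir(dir); unlink(src); rmdir(tmp);
    return mode;
}

int main(void)
{
    printf("unmasked %04o, owner-only %04o\n",
           (unsigned)demo_backup_mode(07777), (unsigned)demo_backup_mode(0700));
    return 0;
}
```

With the data step creating the file 0600 and the mode step applied afterwards, permissions are only ever loosened, which is the ordering the quoted backup-buffer-copy comment asks for.
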
From: Glenn Morris
To: Stefan Monnier
Subject: Re: bug#6953: 24.0.50; serious security bug in create backup files

Stefan Monnier wrote:

>> Do you mean changing Fcopy_file to optionally not copy the source file
>> permission bits to the output file?
>
> Something like that.

Just had a thought that this kind of approach is not going to work for
securing ~/%backup%~ files for people who have AFS home directories.
Which probably is not many in % terms, but is more than zero. In AFS,
the _only_ way to make files private to the owner is to put them in a
private directory.

On the other hand, simply creating a mode 700 directory does not
necessarily make it private, you have to use AFS commands to set ACLs.
But the approach of having backup files in a special directory would
be closer to how AFS normally works.

From: Eli Zaretskii
To: Glenn Morris
Subject: Re: bug#6953: 24.0.50; serious security bug in create backup files
Date: Mon, 13 Sep 2010 13:44:41 +0200

> From: Glenn Morris
> Date: Thu, 09 Sep 2010 23:06:46 -0400
> Cc: 6953@debbugs.gnu.org, Mark Diekhans
>
> Just had a thought that this kind of approach is not going to work for
> securing ~/%backup%~ files for people who have AFS home directories.
> Which probably is not many in % terms, but is more than zero. In AFS,
> the _only_ way to make files private to the owner is to put them in a
> private directory.
>
> On the other hand, simply creating a mode 700 directory does not
> necessarily make it private, you have to use AFS commands to set ACLs.
> But the approach of having backup files in a special directory would
> be closer to how AFS normally works.

The situation on MS-Windows is almost exactly the same. Files put in
private directories are private by default, but creating a new private
directory requires using Windows-specific ACL APIs.

Maybe it's time to have this functionality in Emacs.

From: Lennart Borgman
Date: Mon, 13 Sep 2010 17:32:54 +0200
Subject: Re: bug#6953: 24.0.50; serious security bug in create backup files
To: Eli Zaretskii

On Mon, Sep 13, 2010 at 1:44 PM, Eli Zaretskii wrote:
>>
>> On the other hand, simply creating a mode 700 directory does not
>> necessarily make it private, you have to use AFS commands to set ACLs.
>> But the approach of having backup files in a special directory would
>> be closer to how AFS normally works.
>
> The situation on MS-Windows is almost exactly the same. Files put in
> private directories are private by default, but creating a new private
> directory requires using Windows-specific ACL APIs.
>
> Maybe it's time to have this functionality in Emacs.

Yes, please.

From: Glenn Morris
To: monnier@iro.umontreal.ca
Subject: Re: bug#6953: 24.0.50; serious security bug in create backup files
Date: Tue, 21 Sep 2010 21:34:53 -0400

So, is there a consensus for what approach to take with this?

From: Chong Yidong
To: Glenn Morris
Subject: Re: bug#6953: 24.0.50; serious security bug in create backup files
Date: Sat, 25 Sep 2010 16:21:42 -0400

Glenn Morris writes:

> So, is there a consensus for what approach to take with this?

How about simply not making a "~/%backup%~" file?

From: Richard Stallman
To: Chong Yidong
Subject: Re: bug#6953: 24.0.50; serious security bug in create backup files
Date: Sun, 26 Sep 2010 06:37:57 -0400

    How about simply not making a "~/%backup%~" file?

Do you mean, make no backup file at all.


From: Chong Yidong
To: rms@gnu.org
Cc: rgm@gnu.org, markd@soe.ucsc.edu, 6953@debbugs.gnu.org
Subject: Re: bug#6953: 24.0.50; serious security bug in create backup files
Date: Tue, 28 Sep 2010 13:26:44 -0400

Richard Stallman writes:

> How about simply not making a "~/%backup%~" file?
>
> Do you mean, make no backup file at all.

Yeah.

From: Richard Stallman
To: Chong Yidong
Cc: rgm@gnu.org, markd@soe.ucsc.edu, 6953@debbugs.gnu.org
Subject: Re: bug#6953: 24.0.50; serious security bug in create backup files
Date: Wed, 29 Sep 2010 09:36:26 -0400

    > Do you mean, make no backup file at all.

    Yeah.

To make no backup file seems like a gross insecurity to me.

From: Eli Zaretskii
To: rms@gnu.org
Cc: 6953@debbugs.gnu.org, cyd@stupidchicken.com, markd@soe.ucsc.edu
Subject: Re: bug#6953: 24.0.50; serious security bug in create backup files
Date: Wed, 29 Sep 2010 15:43:03 +0200

> From: Richard Stallman
> Date: Wed, 29 Sep 2010 09:36:26 -0400
> Cc: markd@soe.ucsc.edu, 6953@debbugs.gnu.org
>
> > Do you mean, make no backup file at all.
>
> Yeah.
>
> To make no backup file seems like a gross insecurity to me.

Agreed.

Date: Wed, 29 Sep 2010 07:25:31 -0700
From: markd@soe.ucsc.edu
To: rms@gnu.org
Cc: 6953@debbugs.gnu.org, Chong Yidong
Subject: Re: bug#6953: 24.0.50; serious security bug in create backup files

Just to clarify, this is the fallback backup file, ~/%backup%~, not
backup files in general.

The current approach provides a very limited and arbitrary approach to
preventing data loss:

- there is only one ~/%backup%~, so it's arbitrary from the user's
  perspective which buffer actually gets a fallback backup.
- there is no control over where this is saved; it may very well be
  the file system where the primary backup file could not be created
  due to lack of disk space.

In my experience in over 20 years of using emacs, this has never been
of any value.

The down side of the current implementation is extremely serious,
potentially exposing private or sensitive data to all users of the
file system. In my case, exposing a mail box to hundreds of users.

I would argue that this is far more serious a problem than the very
limited data loss prevention provided by the current implementation.

thanks much for how seriously this is being taken,
mark

Richard Stallman writes:
> > Do you mean, make no backup file at all.
>
> Yeah.
>
> To make no backup file seems like a gross insecurity to me.

To: 6953@debbugs.gnu.org
Subject: Re: bug#6953: 24.0.50; serious security bug in create backup files
From: Glenn Morris
Date: Tue, 11 Jan 2011 23:38:34 -0500

Glenn Morris wrote:

> So, is there a consensus for what approach to take with this?

It seems the answer is "no", there isn't.

From: Stefan Monnier
To: Mark Diekhans
Cc: 6953@debbugs.gnu.org
Subject: Re: 24.0.50; serious security bug in create backup files
Date: Wed, 12 Jan 2011 10:25:17 -0500

> When Emacs is forced into writing "~/%backup%~", it may expose protected
> data to being read by others.

Regardless of what other problems there might be, such backups should
probably go somewhere under ~/.emacs.d.

Stefan

From: Mark Diekhans
To: Stefan Monnier
Cc: 6953@debbugs.gnu.org
Subject: Re: 24.0.50; serious security bug in create backup files
Date: Wed, 12 Jan 2011 09:56:01 -0800

Stefan Monnier writes:
> > When Emacs is forced into writing "~/%backup%~", it may expose protected
> > data to being read by others.
>
> Regardless of what other problems there might be, such backups should
> probably go somewhere under ~/.emacs.d.

This makes a lot of sense, and makes it possible to redirect to
a different file system by setting user-emacs-directory.

However, emacs doesn't protect ~/.emacs.d/ either when it creates it.
This is also a security bug. Even the names of files being edited
should not be made public, even if the files are private.

Is there anything I can do to help?
Mark

To: Mark Diekhans
Subject: Re: bug#6953: 24.0.50; serious security bug in create backup files
From: Glenn Morris
Cc: 6953@debbugs.gnu.org, Stefan Monnier
Date: Wed, 12 Jan 2011 14:29:27 -0500

Mark Diekhans wrote:

>> Regardless of what other problems there might be, such backups should
>> probably go somewhere under ~/.emacs.d.
>
> This makes a lot of sense, and makes it possible to redirect to
> a different file system by setting user-emacs-directory.

We seem to have gone in a circle.
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=6953#23

From: Mark Diekhans
To: 6953@debbugs.gnu.org
Subject: Re: bug#6953: 24.0.50; serious security bug in create backup files
Date: Wed, 12 Jan 2011 13:56:03 -0800

Attached is a patch that I believe addresses both the ~/%backup%~ and
~/.emacs.d/ security issues. It works well for me on Linux.

Mark

Content-Disposition: inline; filename="backup-security.patch"

=== modified file 'doc/emacs/files.texi' --- doc/emacs/files.texi 2010-07-31 17:13:03 +0000 +++ doc/emacs/files.texi 2011-01-12 21:43:13 +0000 @@ -569,8 +569,8 @@ file for @file{eval.c} would be @file{eval.c~}. If access control stops Emacs from writing backup files under the usual -names, it writes the backup file as @file{%backup%~} in your home -directory. Only one such file can exist, so only the most recently +names, it writes the backup file as @file{~/.emacs.d/%backup%~}. +Only one such file can exist, so only the most recently made such backup is available. Emacs can also make @dfn{numbered backup files}. Numbered backup === modified file 'lisp/files.el' --- lisp/files.el 2011-01-08 21:22:19 +0000 +++ lisp/files.el 2011-01-12 20:55:55 +0000
@@ -3776,9 +3776,7 @@ (setq setmodes (list modes context backupname))) (file-error ;; If trouble writing the backup, write it in ~. - (setq backupname (expand-file-name - (convert-standard-filename - "~/%backup%~"))) + (setq backupname (locate-user-emacs-file "%backup%~")) (message "Cannot write backup file; backing up in %s" backupname) (sleep-for 1) === modified file 'lisp/subr.el' --- lisp/subr.el 2011-01-11 03:23:04 +0000 +++ lisp/subr.el 2011-01-12 20:53:20 +0000 @@ -2365,7 +2365,12 @@ (or noninteractive purify-flag (file-accessible-directory-p (directory-file-name user-emacs-directory)) - (make-directory user-emacs-directory)) + (let ((umask (default-file-modes))) + (unwind-protect + (progn + (set-default-file-modes ?\700) + (make-directory user-emacs-directory)) + (set-default-file-modes umask)))) (abbreviate-file-name (expand-file-name new-name user-emacs-directory))))))
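
Review bot: in the doc/emacs/files.texi hunk the new sentence hard-codes @file{~/.emacs.d/%backup%~}, but the lisp/files.el hunk takes the name from (locate-user-emacs-file "%backup%~"), which the lisp/subr.el context shows expanding against user-emacs-directory. The manual should say the file is written in the directory named by user-emacs-directory, so the text stays correct when that variable points elsewhere, and it could mention that Emacs creates that directory accessible only to its owner.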
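
Review bot: the context comment in the lisp/files.el hunk, ";; If trouble writing the backup, write it in ~.", is stale once backupname comes from locate-user-emacs-file and should name user-emacs-directory instead. Nothing in this hunk sets the modes of the fallback file itself, so its confidentiality rests entirely on the directory; it is worth saying so in a comment or restricting the file's modes here, because the lisp/subr.el change only applies when Emacs creates the directory.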
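
Review bot: in the lisp/subr.el hunk the restrictive mode is applied only on the make-directory branch of the `or`, so a user-emacs-directory that already exists with group or other access is left untouched and the relocated %backup%~ may still be readable there; consider checking the modes of an existing directory and tightening them or warning. Two smaller points: ?\700 is a character literal used as an integer and reads more clearly as #o700, and the variable named umask holds the result of (default-file-modes), which is the set of permitted mode bits rather than a mask, so a name such as old-modes would be less misleading.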

From: Chong Yidong
To: Mark Diekhans
Cc: 6953@debbugs.gnu.org
Subject: Re: bug#6953: 24.0.50; serious security bug in create backup files
Date: Fri, 14 Jan 2011 21:33:18 -0500

Mark Diekhans writes:

> Attached is a patch that I believe addresses both the ~/%backup%~ and
> ~/.emacs.d/ security issues.

Looks reasonable; committed, thanks.

From: Chong Yidong
To: control@debbugs.gnu.org
Subject: close 6953
Date: Sun, 23 Jan 2011 16:12:02 -0500

close 6953
thanks

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Mon, 21 Feb 2011 12:24:04 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
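
The two exposures raised in this thread, a fallback %backup%~ readable by other users and a ~/.emacs.d created with default modes, can be audited from a shell. The script below is an added example, not code from the thread or from Emacs; its function names are hypothetical, and it inspects only the mode bits of the file and directory themselves (parent directories and ACLs are not considered).

```shell
#!/bin/sh
# Added example: audit for the two exposures discussed in bug#6953.
# Function names are hypothetical; only mode bits on the path itself are
# inspected (parent directories and ACLs are out of scope).

# Print the six group/other permission characters from `ls -ld`,
# e.g. "r-xr-x" for 0755 and "------" for 0700. Upper-case S/T mark a
# setgid or sticky bit without execute access, so they count as "-".
group_other_bits() {
    ls -ld -- "$1" | cut -c5-10 | sed 's/[ST]/-/g'
}

# audit_emacs_backup HOME_DIR
# Prints one line per finding; returns 1 if anything grants group/other access.
audit_emacs_backup() {
    home=$1
    found=0
    # Fallback backup at its old location (~) and its patched location.
    for f in "$home/%backup%~" "$home/.emacs.d/%backup%~"; do
        [ -e "$f" ] || continue
        bits=$(group_other_bits "$f")
        if [ "$bits" != "------" ]; then
            echo "EXPOSED file: $f (group/other bits: $bits)"
            found=1
        fi
    done
    # The directory itself: a listable ~/.emacs.d leaks file names too.
    if [ -d "$home/.emacs.d" ]; then
        bits=$(group_other_bits "$home/.emacs.d")
        if [ "$bits" != "------" ]; then
            echo "EXPOSED dir: $home/.emacs.d (group/other bits: $bits)"
            found=1
        fi
    fi
    return "$found"
}

# Shell counterpart of the patch's unwind-protect: restrict the creation
# mask only around mkdir, then restore the caller's umask either way.
make_private_dir() {
    old_umask=$(umask)
    rc=0
    umask 077
    mkdir -- "$1" || rc=$?
    umask "$old_umask"
    return "$rc"
}

# Stand-alone use: sh audit.sh "$HOME"
if [ "$#" -gt 0 ]; then
    audit_emacs_backup "$1"
fi
```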