GNU bug report logs - #6953
24.0.50; serious security bug in create backup files

Previous Next

Package: emacs;

Reported by: Mark Diekhans <markd <at> soe.ucsc.edu>

Date: Tue, 31 Aug 2010 06:13:02 UTC

Severity: important

Found in version 24.0.50

Done: Chong Yidong <cyd <at> stupidchicken.com>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: markd <at> soe.ucsc.edu
To: Glenn Morris <rgm <at> gnu.org>
Cc: 6953 <at> debbugs.gnu.org
Subject: bug#6953: 24.0.50; serious security bug in create backup files
Date: Thu, 2 Sep 2010 00:05:30 -0700

Hi Glenn

Glenn Morris <rgm <at> gnu.org> writes:
> I don't think it is necessary for this to be configurable because it
> is just a fallback in case of error. Eg you can customize
> backup-directory-alist to control where backups normally go.

Not necessary, but useful if you have something like a very
small amount of space on the home file system or to put it in a
protected directory.  Also, it's just emacs-like to have all of
this stuff in variable.

I am still concerned about the window you mention in this fix.
IMHO, it's much worse to reveal sensitive data that to just lose
changes to it.  There should at least be an option to completely
disable the ~/%backup%~ functionality.

Oh, wait, it doesn't look like there is a problem with your patch,
only the comment ;-)   backup-buffer-copy says:

	  ;; Create temp files with strict access rights.  It's easy to
	  ;; loosen them later, whereas it's impossible to close the
	  ;; time-window of loose permissions otherwise.

thanks
Mark
This bug report was last modified 14 years and 204 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.