GNU bug report logs - #6953
24.0.50; serious security bug in create backup files
Reported by: Mark Diekhans <markd <at> soe.ucsc.edu>
Date: Tue, 31 Aug 2010 06:13:02 UTC
Severity: important
Found in version 24.0.50
Done: Chong Yidong <cyd <at> stupidchicken.com>
Bug is archived. No further changes may be made.
Mark Diekhans wrote:
> Emacs should create the last ditch backup file as access only by the
> user (no group or other access) before any data is written to the file
>
> Also, ~/%backup%~ should be configurable in a variable rather than hard
> coded in lisp files.el.
I don't think it is necessary for this to be configurable because it
is just a fallback in case of error. E.g., you can customize
backup-directory-alist to control where backups normally go.
A partial solution for the first problem is simple (below).
Perhaps it would be better to use a private directory inside
user-emacs-directory. But that is less visible, and maybe these files
are supposed to be noticed?
*** lisp/files.el 2010-08-18 08:07:58 +0000
--- lisp/files.el 2010-08-31 18:33:34 +0000
***************
*** 3681,3687 ****
(message "Cannot write backup file; backing up in %s"
backupname)
(sleep-for 1)
! (backup-buffer-copy real-file-name backupname modes)))
(setq buffer-backed-up t)
;; Now delete the old versions, if desired.
(if delete-old-versions
--- 3681,3691 ----
(message "Cannot write backup file; backing up in %s"
backupname)
(sleep-for 1)
! ;; The original file may have been in a private
! ;; directory, home might not be private. (Bug#6953)
! ;; Not a perfect solution since the file is only
! ;; made private after being written.
! (backup-buffer-copy real-file-name backupname #o0600)))
(setq buffer-backed-up t)
;; Now delete the old versions, if desired.
(if delete-old-versions
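Review bot: the `#o0600` passed to `backup-buffer-copy` in the new call is, by the hunk's own comment, applied only after the data has been written, so the fallback copy in the home directory exists for a short time with whatever permissions the default creation mode gives it. That leaves the window the report asked to close ("before any data is written to the file"). Consider making the file private at creation time instead, for example by restricting the default file modes around this call or by creating the file empty with owner-only permissions before copying into it, and then the "Not a perfect solution" caveat can be dropped. It would also help for the comment to say that `modes` is deliberately no longer passed here, since the original file's permissions are now discarded for the fallback copy only.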
This bug report was last modified 14 years and 204 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.