GNU bug report logs -
#17187
24.3.50.1 open-dribble-file stores pw
Previous Next
Reported by: Andreas Röhler <andreas.roehler <at> easy-emacs.de>
Date: Fri, 4 Apr 2014 17:32:02 UTC
Severity: important
Found in version 24.3.50.1
Fixed in version 24.4
Done: Glenn Morris <rgm <at> gnu.org>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 17187 in the body.
You can then email your comments to 17187 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#17187; Package
emacs.
(Fri, 04 Apr 2014 17:32:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Andreas Röhler <andreas.roehler <at> easy-emacs.de>:
New bug report received and forwarded. Copy sent to
bug-gnu-emacs <at> gnu.org.
(Fri, 04 Apr 2014 17:32:03 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Emacs -Q from 2014-02-19
Passwort gets stored in plain text
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#17187; Package
emacs.
(Fri, 04 Apr 2014 21:43:01 GMT)
Full text and
rfc822 format available.
Message #8 received at 17187 <at> debbugs.gnu.org (full text, mbox):
As suggested a decade ago,
http://lists.gnu.org/archive/html/emacs-pretest-bug/2003-10/msg00229.html
the dribble file should be created with file permission bits = 600.
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#17187; Package
emacs.
(Sat, 05 Apr 2014 07:51:02 GMT)
Full text and
rfc822 format available.
Message #11 received at submit <at> debbugs.gnu.org (full text, mbox):
Am 04.04.2014 23:42, schrieb Glenn Morris:
>
> As suggested a decade ago,
>
> http://lists.gnu.org/archive/html/emacs-pretest-bug/2003-10/msg00229.html
>
> the dribble file should be created with file permission bits = 600.
So why Emacs doesn't set permissions accordingly?
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#17187; Package
emacs.
(Sat, 05 Apr 2014 07:54:02 GMT)
Full text and
rfc822 format available.
Message #14 received at submit <at> debbugs.gnu.org (full text, mbox):
Am 04.04.2014 23:42, schrieb Glenn Morris:
>
> As suggested a decade ago,
>
> http://lists.gnu.org/archive/html/emacs-pretest-bug/2003-10/msg00229.html
>
> the dribble file should be created with file permission bits = 600.
>
BTW IMHO it's a serious security-hole, should be flagged accordingly.
There will be numerous users with these kind of stuff during session.
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#17187; Package
emacs.
(Sat, 05 Apr 2014 15:51:01 GMT)
Full text and
rfc822 format available.
Message #17 received at 17187 <at> debbugs.gnu.org (full text, mbox):
severity 17187 important
thanks
> As suggested a decade ago,
> http://lists.gnu.org/archive/html/emacs-pretest-bug/2003-10/msg00229.html
> the dribble file should be created with file permission bits = 600.
Very much agreed.
Stefan
Severity set to 'important' from 'normal'
Request was from
Stefan Monnier <monnier <at> IRO.UMontreal.CA>
to
control <at> debbugs.gnu.org.
(Sat, 05 Apr 2014 15:51:03 GMT)
Full text and
rfc822 format available.
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#17187; Package
emacs.
(Sat, 05 Apr 2014 16:33:01 GMT)
Full text and
rfc822 format available.
Message #22 received at submit <at> debbugs.gnu.org (full text, mbox):
Am 05.04.2014 17:50, schrieb Stefan Monnier:
> severity 17187 important
> thanks
>
>> As suggested a decade ago,
>> http://lists.gnu.org/archive/html/emacs-pretest-bug/2003-10/msg00229.html
>> the dribble file should be created with file permission bits = 600.
>
> Very much agreed.
>
>
> Stefan
>
Will that solve the matter already? IMO a pw should never be stored as plain-text.
File-permissions are not considered save in that context.
Should be a way to replace the chars by "*" for example before writing it.
Andreas
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#17187; Package
emacs.
(Sat, 05 Apr 2014 16:56:02 GMT)
Full text and
rfc822 format available.
Message #25 received at 17187 <at> debbugs.gnu.org (full text, mbox):
Andreas Röhler <andreas.roehler <at> easy-emacs.de> writes:
> Will that solve the matter already? IMO a pw should never be stored as plain-text.
The dribble file does not know what a password is.
Andreas.
--
Andreas Schwab, schwab <at> linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756 01D3 44D5 214B 8276 4ED5
"And now for something completely different."
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#17187; Package
emacs.
(Sat, 05 Apr 2014 17:24:02 GMT)
Full text and
rfc822 format available.
Message #28 received at 17187 <at> debbugs.gnu.org (full text, mbox):
Stefan Monnier wrote:
>> As suggested a decade ago,
>> http://lists.gnu.org/archive/html/emacs-pretest-bug/2003-10/msg00229.html
>> the dribble file should be created with file permission bits = 600.
>
> Very much agreed.
PS maybe it should also abort with an error if the file already exists
(and is a symlink or is not owned by the current user?).
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#17187; Package
emacs.
(Sat, 05 Apr 2014 18:03:01 GMT)
Full text and
rfc822 format available.
Message #31 received at 17187 <at> debbugs.gnu.org (full text, mbox):
Am 05.04.2014 18:55, schrieb Andreas Schwab:
> Andreas Röhler <andreas.roehler <at> easy-emacs.de> writes:
>
>> Will that solve the matter already? IMO a pw should never be stored as plain-text.
>
> The dribble file does not know what a password is.
>
> Andreas.
>
As Emacs shell sent as prompt for pw, at least Emacs knows.
All remains to do is to ship that info.
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#17187; Package
emacs.
(Sat, 05 Apr 2014 19:25:01 GMT)
Full text and
rfc822 format available.
Message #34 received at 17187 <at> debbugs.gnu.org (full text, mbox):
Andreas Röhler <andreas.roehler <at> easy-emacs.de> writes:
> Am 05.04.2014 18:55, schrieb Andreas Schwab:
>> Andreas Röhler <andreas.roehler <at> easy-emacs.de> writes:
>>
>>> Will that solve the matter already? IMO a pw should never be stored as plain-text.
>>
>> The dribble file does not know what a password is.
>>
>> Andreas.
>>
>
> As Emacs shell sent as prompt for pw, at least Emacs knows.
Not at this level.
Andreas.
--
Andreas Schwab, schwab <at> linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756 01D3 44D5 214B 8276 4ED5
"And now for something completely different."
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#17187; Package
emacs.
(Sat, 05 Apr 2014 22:03:01 GMT)
Full text and
rfc822 format available.
Message #37 received at 17187 <at> debbugs.gnu.org (full text, mbox):
>>> As suggested a decade ago,
>>> http://lists.gnu.org/archive/html/emacs-pretest-bug/2003-10/msg00229.html
>>> the dribble file should be created with file permission bits = 600.
>> Very much agreed.
> PS maybe it should also abort with an error if the file already exists
> (and is a symlink or is not owned by the current user?).
You mean it should be created with EXCL?
Maybe. Then again, AFAIK this is only used for debugging purposes, so
I'm not sure it's that important and you could assume that the user will
normally specify a file in a directory she owns, where the attacker
shouldn't be able to place a surreptitious symlink.
Stefan
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#17187; Package
emacs.
(Sat, 05 Apr 2014 23:02:01 GMT)
Full text and
rfc822 format available.
Message #40 received at 17187 <at> debbugs.gnu.org (full text, mbox):
Lightly tested:
*** src/keyboard.c 2014-04-05 18:33:55 +0000
--- src/keyboard.c 2014-04-05 22:59:00 +0000
***************
*** 20,25 ****
--- 20,26 ----
#include <config.h>
#include "sysstdio.h"
+ #include <sys/stat.h>
#include "lisp.h"
#include "termchar.h"
***************
*** 10085,10092 ****
}
if (!NILP (file))
{
file = Fexpand_file_name (file, Qnil);
! dribble = emacs_fopen (SSDATA (file), "w");
if (dribble == 0)
report_file_error ("Opening dribble", file);
}
--- 10086,10100 ----
}
if (!NILP (file))
{
+ int fd;
file = Fexpand_file_name (file, Qnil);
! if (! NILP (Ffile_exists_p (file)))
! {
! if (chmod (SSDATA (file), 0600) < 0)
! report_file_error ("Doing chmod", file);
! }
! fd = emacs_open (SSDATA (file), O_WRONLY | O_CREAT | O_TRUNC, 0600);
! dribble = fd < 0 ? 0 : fdopen (fd, "w");
if (dribble == 0)
report_file_error ("Opening dribble", file);
}
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#17187; Package
emacs.
(Sat, 05 Apr 2014 23:15:02 GMT)
Full text and
rfc822 format available.
Message #43 received at 17187 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 04/05/2014 04:01 PM, Glenn Morris wrote:
> ***************
> *** 10085,10092 ****
> }
> if (!NILP (file))
> {
> file = Fexpand_file_name (file, Qnil);
> ! dribble = emacs_fopen (SSDATA (file), "w");
> if (dribble == 0)
> report_file_error ("Opening dribble", file);
> }
> --- 10086,10100 ----
> }
> if (!NILP (file))
> {
> + int fd;
> file = Fexpand_file_name (file, Qnil);
> ! if (! NILP (Ffile_exists_p (file)))
> ! {
> ! if (chmod (SSDATA (file), 0600) < 0)
> ! report_file_error ("Doing chmod", file);
> ! }
> ! fd = emacs_open (SSDATA (file), O_WRONLY | O_CREAT | O_TRUNC, 0600);
> ! dribble = fd < 0 ? 0 : fdopen (fd, "w");
> if (dribble == 0)
That's racy. What about using fchmod and falling back to post-open chmod
for systems that don't have fchmod?
[signature.asc (application/pgp-signature, attachment)]
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#17187; Package
emacs.
(Sun, 06 Apr 2014 02:06:01 GMT)
Full text and
rfc822 format available.
Message #46 received at 17187 <at> debbugs.gnu.org (full text, mbox):
Daniel Colascione wrote:
> That's racy. What about using fchmod and falling back to post-open chmod
> for systems that don't have fchmod?
I'm no C coder, please feel free to improve it.
But IIUC it's been argued that we don't need to guard against malicious
intent here, only user oversight.
Reply sent
to
Glenn Morris <rgm <at> gnu.org>:
You have taken responsibility.
(Fri, 11 Apr 2014 05:50:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Andreas Röhler <andreas.roehler <at> easy-emacs.de>:
bug acknowledged by developer.
(Fri, 11 Apr 2014 05:50:04 GMT)
Full text and
rfc822 format available.
Message #51 received at 17187-done <at> debbugs.gnu.org (full text, mbox):
Version: 24.4
File now created private.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Fri, 09 May 2014 11:24:03 GMT)
Full text and
rfc822 format available.
This bug report was last modified 9 years and 362 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.