GNU bug report logs - #45245
28.0.50; Feature request: tramp sudo autosaves/backups shouldn't be exposed without right config

Previous Next

Package: emacs;

Reported by: Vandrus Zoltán <vandrus.zoltan <at> gmail.com>

Date: Mon, 14 Dec 2020 20:15:01 UTC

Severity: wishlist

Found in version 28.0.50

Fixed in version 28.1

Done: Michael Albinus <michael.albinus <at> gmx.de>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 45245 in the body.
You can then email your comments to 45245 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#45245; Package emacs. (Mon, 14 Dec 2020 20:15:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Vandrus Zoltán <vandrus.zoltan <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Mon, 14 Dec 2020 20:15:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Vandrus Zoltán <vandrus.zoltan <at> gmail.com>
To: bug-gnu-emacs <at> gnu.org
Subject: 28.0.50; Feature request: tramp sudo autosaves/backups shouldn't be
 exposed without right config
Date: Mon, 14 Dec 2020 21:13:56 +0100
It's mentioned in (tramp)Auto-save and Backup that root owned file could 
be exposed, but it would be more newbie friendly if emacs did the right 
thing without configuration. The defaults for backups are fine, but for 
autosaves are not. In emacs -Q after:

C-x C-f /sudo::/tmp/secretfile
M-x do-auto-save

There is a file '/tmp/#!sudo:root <at> hostname:!tmp!secretfile#' owned by 
the user.

Even if the defaults are fixed, there are problems. Protecting root 
owned files is somewhat complicated. For example the user might not use 
tramp from the beginning, but littering directories with backups and 
autosaves files are easily seen and can be annoying enough to look for a 
solution. Looking on the net the suggested code is some variant of

    (setq auto-save-file-name-transforms
          '((".*" ,auto-save-dir t)))

    (setq backup-directory-alist
         '("." ,backup-dir))

And then they are fine, until they start to use tramp, because the 
autosaves/backups will be owned by the normal user even for sudo and su 
methods.
For backups following the tramp manual is easy:

     (customize-set-variable
      'tramp-backup-directory-alist backup-directory-alist)

But the user could have forgotten already about the problem and never 
look there. For autosaves there is not even info on how to achieve 
something sensible.

I suggest, that tramp could refuse exposing root-owned files or there 
could be an easier switch to put all autosaves/backup in the same 
directory which also deals with tramp.

There is also a comparably minor problem of exposing the file name in 
the autosave files.

-------------

In GNU Emacs 28.0.50 (build 2, x86_64-pc-linux-gnu, GTK+ Version 
3.24.24, cairo version 1.17.4)
of 2020-12-14
Repository revision: b857ea24f7bc5288faa920e6c3174cf1ee958b70
Repository branch: master
Windowing system distributor 'The X.Org Foundation', version 11.0.12010000
System Description: Arch Linux

Configured features:
XPM JPEG TIFF GIF PNG RSVG CAIRO SOUND GPM DBUS GSETTINGS GLIB NOTIFY
INOTIFY ACL GNUTLS LIBXML2 FREETYPE HARFBUZZ M17N_FLT LIBOTF ZLIB
TOOLKIT_SCROLL_BARS GTK3 X11 XDBE XIM MODULES THREADS LIBSYSTEMD JSON
PDUMPER LCMS2

Important settings:
value of $LC_TIME: C
value of $LANG: hu_HU.utf8
locale-coding-system: utf-8-unix

Major mode: Fundamental

Minor modes in effect:
shell-dirtrack-mode: t
tooltip-mode: t
global-eldoc-mode: t
electric-indent-mode: t
mouse-wheel-mode: t
tool-bar-mode: t
menu-bar-mode: t
file-name-shadow-mode: t
global-font-lock-mode: t
font-lock-mode: t
blink-cursor-mode: t
auto-composition-mode: t
auto-encryption-mode: t
auto-compression-mode: t
line-number-mode: t
transient-mark-mode: t

Load-path shadows:
None found.

Features:
(shadow sort mail-extr emacsbug message rmc puny dired dired-loaddefs
rfc822 mml mml-sec epa derived epg epg-config gnus-util rmail
rmail-loaddefs text-property-search mm-decode mm-bodies mm-encode
mail-parse rfc2231 mailabbrev gmm-utils mailheader sendmail rfc2047
rfc2045 ietf-drums mm-util mail-prsvr mail-utils warnings misearch
multi-isearch tramp-cmds bug-reference noutline outline mule-util info
vc-hg vc-git diff-mode easy-mmode vc-bzr tramp-cache tramp-sh tramp
tramp-loaddefs trampver tramp-integration files-x tramp-compat shell
pcomplete comint ansi-color ring parse-time iso8601 ls-lisp format-spec
auth-source cl-seq eieio eieio-core cl-macs eieio-loaddefs
password-cache json map time-date subr-x cl-extra seq byte-opt gv
bytecomp byte-compile cconv cl-print thingatpt help-fns radix-tree
help-mode easymenu cl-loaddefs cl-lib iso-transl tooltip eldoc electric
uniquify ediff-hook vc-hooks lisp-float-type mwheel term/x-win x-win
term/common-win x-dnd tool-bar dnd fontset image regexp-opt fringe
tabulated-list replace newcomment text-mode elisp-mode lisp-mode
prog-mode register page tab-bar menu-bar rfn-eshadow isearch timer
select scroll-bar mouse jit-lock font-lock syntax facemenu font-core
term/tty-colors frame minibuffer cl-generic cham georgian utf-8-lang
misc-lang vietnamese tibetan thai tai-viet lao korean japanese eucjp-ms
cp51932 hebrew greek romanian slovak czech european ethiopic indian
cyrillic chinese composite charscript charprop case-table epa-hook
jka-cmpr-hook help simple abbrev obarray cl-preloaded nadvice button
loaddefs faces cus-face macroexp files window text-properties overlay
sha1 md5 base64 format env code-pages mule custom widget
hashtable-print-readable backquote threads dbusbind inotify lcms2
dynamic-setting system-font-setting font-render-setting cairo
move-toolbar gtk x-toolkit x multi-tty make-network-process emacs)

Memory information:
((conses 16 94008 11777)
(symbols 48 9769 1)
(strings 32 35507 2034)
(string-bytes 1 1116270)
(vectors 16 16704)
(vector-slots 8 222506 9788)
(floats 8 52 269)
(intervals 56 737 240)
(buffers 984 16))





Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#45245; Package emacs. (Mon, 14 Jun 2021 09:40:01 GMT) Full text and rfc822 format available.

Message #8 received at 45245 <at> debbugs.gnu.org (full text, mbox):

From: Michael Albinus <michael.albinus <at> gmx.de>
To: Vandrus Zoltán <vandrus.zoltan <at> gmail.com>
Cc: 45245 <at> debbugs.gnu.org
Subject: Re: bug#45245: 28.0.50; Feature request: tramp sudo
 autosaves/backups shouldn't be exposed without right config
Date: Mon, 14 Jun 2021 11:39:42 +0200
Vandrus Zoltán <vandrus.zoltan <at> gmail.com> writes:

Hi Zoltán,

> It's mentioned in (tramp)Auto-save and Backup that root owned file
> could be exposed, but it would be more newbie friendly if emacs did
> the right thing without configuration. The defaults for backups are
> fine, but for autosaves are not. In emacs -Q after:
>
> C-x C-f /sudo::/tmp/secretfile
> M-x do-auto-save
>
> There is a file '/tmp/#!sudo:root <at> hostname:!tmp!secretfile#' owned by
> the user.
>
> Even if the defaults are fixed, there are problems. Protecting root
> owned files is somewhat complicated. For example the user might not
> use tramp from the beginning, but littering directories with backups
> and autosaves files are easily seen and can be annoying enough to look
> for a solution. Looking on the net the suggested code is some variant
> of
>
>     (setq auto-save-file-name-transforms
>           '((".*" ,auto-save-dir t)))
>
>     (setq backup-directory-alist
>          '("." ,backup-dir))
>
> And then they are fine, until they start to use tramp, because the
> autosaves/backups will be owned by the normal user even for sudo and
> su methods.
> For backups following the tramp manual is easy:
>
>      (customize-set-variable
>       'tramp-backup-directory-alist backup-directory-alist)
>
> But the user could have forgotten already about the problem and never
> look there. For autosaves there is not even info on how to achieve
> something sensible.
>
> I suggest, that tramp could refuse exposing root-owned files or there
> could be an easier switch to put all autosaves/backup in the same
> directory which also deals with tramp.
>
> There is also a comparably minor problem of exposing the file name in
> the autosave files.

Finally, I've found the time to work on the problem. I've pushed a patch
to master, that Tramp asks for confirmation for the first time a
root-owned auto-save or backup file name is to be written to the local
temporary directory. This is the most common case to handle.

See also the Tramp manual patch about.

Best regards, Michael.




Reply sent to Michael Albinus <michael.albinus <at> gmx.de>:
You have taken responsibility. (Fri, 25 Jun 2021 12:30:02 GMT) Full text and rfc822 format available.

Notification sent to Vandrus Zoltán <vandrus.zoltan <at> gmail.com>:
bug acknowledged by developer. (Fri, 25 Jun 2021 12:30:02 GMT) Full text and rfc822 format available.

Message #13 received at 45245-done <at> debbugs.gnu.org (full text, mbox):

From: Michael Albinus <michael.albinus <at> gmx.de>
To: Vandrus Zoltán <vandrus.zoltan <at> gmail.com>
Cc: 45245-done <at> debbugs.gnu.org
Subject: Re: bug#45245: 28.0.50; Feature request: tramp sudo
 autosaves/backups shouldn't be exposed without right config
Date: Fri, 25 Jun 2021 14:29:22 +0200
Version:28.1

Hi Zoltán,

> Finally, I've found the time to work on the problem. I've pushed a patch
> to master, that Tramp asks for confirmation for the first time a
> root-owned auto-save or backup file name is to be written to the local
> temporary directory. This is the most common case to handle.
>
> See also the Tramp manual about.

No further information, so I'm closing the bug.

Best regards, Michael.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 24 Jul 2021 11:24:06 GMT) Full text and rfc822 format available.

This bug report was last modified 2 years and 247 days ago.

Previous Next


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.