Richard M. Stallman wrote on 26 Jun 2005 06:46:13 +0200:

> Would you like to check some of them?

I'll look at it.

> The crucial question is, does a call to set-file-modes introduce a
> worse problem than what existed anyway. For instance, if someone
> could put a hardlink where you will chmod it, could he also put a
> hardlink where you will write the contents of the file?

Yes, that needs to be checked in each case. In the case of copy_file, someone could put a hardlink when you write the file, but then Emacs should warn you that the file already exists (you should never overwrite files in public writable directories because it is unsafe -- you must first delete the file).

In fact, by looking again at the code of Fcopy_file, I see that the way Emacs does it is also vulnerable to race-condition attacks: we first check if the file exists with barf_or_query_if_file_exists, and then we open the file (it is also done in a few other functions in fileio.c). If the file was created in between, it will be overwritten without any warning.

The correct way to do this is to open the file with O_CREAT|O_EXCL and ask the user what to do if it fails with EEXIST. As far as I know, it's the only way to check for the existence of a file and create it atomically.

I don't know how we should fix this one, maybe by replacing barf_or_query_if_file_exists with some open_and_barf_or_query_if_file_exists?

-- 
Gaëtan LEURENT
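
The atomic check-and-create described in the message above, sketched in C as an added example; it is not part of the original message and is not Emacs source. The function name, the confirm callback and the scratch path are hypothetical.

```c
/* Added illustration; not Emacs source. All names are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* Caller-supplied policy: return nonzero to replace an existing file. */
typedef int (*confirm_fn)(const char *path);
/* Create PATH for writing, atomically testing for existence.
   O_CREAT|O_EXCL makes the kernel fail with EEXIST if the name is
   already present (including a planted symlink or hardlink), so
   there is no window between the check and the open.
   Returns an fd, or -1 with errno set (EEXIST if the user declined). */
int open_or_query_if_exists(const char *path, mode_t mode, confirm_fn confirm)
{
    for (int attempt = 0; attempt < 2; attempt++) {
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
        if (fd >= 0 || errno != EEXIST)
            return fd;              /* success, or an unrelated error */
        if (attempt == 1 || !confirm || !confirm(path)) {
            errno = EEXIST;         /* declined, or recreated after unlink */
            return -1;
        }
        /* Replace by deleting the name, never by truncating the old
           inode: the retry still uses O_EXCL, so a file recreated in
           between is detected instead of silently overwritten. */
        if (unlink(path) != 0 && errno != ENOENT)
            return -1;
    }
    return -1;
}

static int always_yes(const char *path) { (void)path; return 1; }
static int always_no(const char *path)  { (void)path; return 0; }

/* Self-check on a constructed scratch file: returns 0 on success. */
int demo(void)
{
    char path[] = "/tmp/excl-demo-XXXXXX";
    int fd = mkstemp(path);         /* pre-existing file: someone got there first */
    if (fd < 0) return -1;
    close(fd);
    int declined = open_or_query_if_exists(path, 0600, always_no);
    int saved = errno;
    int replaced = open_or_query_if_exists(path, 0600, always_yes);
    if (replaced >= 0) close(replaced);
    unlink(path);
    return (declined == -1 && saved == EEXIST && replaced >= 0) ? 0 : 1;
}
```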