
Re: many packages write to `temporary-file-directory' insecurely


From: Al Petrofsky
Subject: Re: many packages write to `temporary-file-directory' insecurely
Date: Tue, 5 Mar 2002 11:57:45 -0800

> From: "Stefan Monnier" <monnier+gnu/address@hidden>
> 
> > My solution is to first write the scores securely into a temp file and
> > then move it to the desired place.  This is safe, because if someone
> > has made the destination filename a symbolic link, then the rename
> > system call removes the link, rather than overwriting the linked-to file.
> 
> The idea is alright, but:
> 
> > This requires storing the file in a subdirectory of /tmp that is
> > world-writable without restriction, as opposed to /tmp itself, which
> > normally has its sticky bit set, thus forbidding people from deleting
> > others' files or renaming over them.
> 
> This creates another problem, which comes from the fact that Emacs does
> not have the notion of file descriptor: an attacker can change the
> temp file into a symlink between the call to make-temp-file and the call
> to write-region.

The temp file is created directly in /tmp, which has sticky bit
protection, thus preventing an attacker from changing the temp file
into a symlink.  If /tmp does not have sticky bit protection, then all
uses of make-temp-file are insecure.

> I really think it's better to require that the parent directory
> of the file we're writing to is only writable by ourselves and/or
> by root.

I agree, but it doesn't have to be root.  If joe user installs emacs
with --prefix=/home/joe and the install process makes a world-writable
snake-scores file in directory /home/joe/var/emacs/game-scores, which
is unwritable by anyone but joe, then that is sufficient.  Anyone who
uses the binaries has to trust joe anyway.

-al
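The two points above, that rename() replaces a symlink planted at the destination rather than following it, and that the destination's parent directory must be writable only by the owner (or root) for the rename step to be safe, can be checked directly. The following is an added example, not code from this thread or from Emacs, and it uses Python on POSIX rather than Emacs Lisp; the function names `directory_is_private`, `directory_is_sticky`, `safe_replace` and `demo`, and the constructed directory layout in `demo`, are this example's own inventions. The temp file is created in the destination's own directory (with O_EXCL and mode 0600) only after that directory has passed the ownership and permission check, which is the arrangement the reply above argues is sufficient.

```python
import os
import shutil
import stat
import tempfile


def directory_is_private(path):
    """True when only the caller (or root) can create, delete or rename
    entries in `path`: a directory owned by the caller or by root, with
    no group- or world-write bit.  This is the condition the thread agrees
    a destination's parent directory must satisfy before renaming into it."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid not in (os.getuid(), 0):
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def directory_is_sticky(path):
    """True when `path` carries the sticky bit (as a normal /tmp does), so
    other users cannot unlink or rename over files they do not own.  That
    protects a temp file's creation, but the directory is still not private:
    anyone may create entries in it."""
    return bool(os.stat(path).st_mode & stat.S_ISVTX)


def safe_replace(dest, data):
    """Write `data` to `dest` through a private temp file plus rename().
    The temp file comes from mkstemp (O_CREAT|O_EXCL, mode 0600) in dest's
    own directory, so the rename never crosses a filesystem; the directory
    is checked first; and rename() replaces a symlink at `dest` instead of
    following it, so a planted link cannot redirect the write."""
    parent = os.path.dirname(os.path.abspath(dest))
    if not directory_is_private(parent):
        raise PermissionError(f"refusing to write into untrusted directory {parent}")
    fd, tmp = tempfile.mkstemp(dir=parent, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, dest)  # rename(2): atomic, does not follow a symlink at dest
    except BaseException:
        if os.path.lexists(tmp):
            os.unlink(tmp)
        raise
    return dest


def demo():
    """Constructed scenario (not a real installation): a private directory in
    which a symlink sits where the scores file should be.  Returns the facts
    a caller can check: the link is replaced, the linked-to file is untouched,
    and a world-writable or sticky directory is refused as a destination."""
    base = tempfile.mkdtemp(prefix="scores-demo-")  # mode 0700, owned by us
    try:
        victim = os.path.join(base, "victim")
        with open(victim, "wb") as f:
            f.write(b"do not touch\n")
        dest = os.path.join(base, "snake-scores")
        os.symlink(victim, dest)  # constructed: a link planted at the destination

        result = {"private_before": directory_is_private(base)}
        safe_replace(dest, b"new scores\n")
        result["dest_is_link_after"] = os.path.islink(dest)
        with open(dest, "rb") as f:
            result["dest_content"] = f.read()
        with open(victim, "rb") as f:
            result["victim_content"] = f.read()

        # World-writable without the sticky bit: anyone could rename over
        # our file, so the directory check must refuse it.
        os.chmod(base, 0o777)
        result["private_world_writable"] = directory_is_private(base)
        try:
            safe_replace(dest, b"again\n")
            result["refused"] = False
        except PermissionError:
            result["refused"] = True

        # Sticky bit set (like /tmp): others cannot delete or rename over our
        # entries, which is what makes temp-file creation there safe, but the
        # directory still is not private, so it is refused as a destination.
        os.chmod(base, 0o1777)
        result["sticky"] = directory_is_sticky(base)
        result["private_sticky"] = directory_is_private(base)
        return result
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The check in `directory_is_private` is deliberately stricter than the sticky bit: a sticky world-writable directory is enough to protect a file that is created with O_EXCL and never renamed over, but not enough for a destination that other users can plant new entries in, which is the distinction both messages above draw.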
