
[Emacs-diffs] /srv/bzr/emacs/trunk r106821: Fix two security races with


From: Paul Eggert
Subject: [Emacs-diffs] /srv/bzr/emacs/trunk r106821: Fix two security races with file permissions.
Date: Sat, 07 Jan 2012 12:03:28 -0800
User-agent: Bazaar (2.3.1)

------------------------------------------------------------
revno: 106821 [merge]
fixes bug(s): http://debbugs.gnu.org/10400 http://debbugs.gnu.org/10401
committer: Paul Eggert <address@hidden>
branch nick: trunk
timestamp: Sat 2012-01-07 12:03:28 -0800
message:
  Fix two security races with file permissions.
modified:
  lisp/ChangeLog
  lisp/files.el
  src/ChangeLog
  src/fileio.c
=== modified file 'lisp/ChangeLog'
--- a/lisp/ChangeLog    2012-01-07 06:00:56 +0000
+++ b/lisp/ChangeLog    2012-01-07 20:00:56 +0000
@@ -1,3 +1,8 @@
+2012-01-07  Paul Eggert  <address@hidden>
+
+       * files.el (move-file-to-trash): Preserve default file modes on error.
+       (Bug#10401)
+
 2012-01-07  Lars Magne Ingebrigtsen  <address@hidden>
 
        * faces.el (set-face-attribute): Clarify the meaning of the nil

=== modified file 'lisp/files.el'
--- a/lisp/files.el     2012-01-06 10:53:41 +0000
+++ b/lisp/files.el     2012-01-07 19:51:13 +0000
@@ -6461,12 +6461,14 @@
 
           ;; Ensure that the trash directory exists; otherwise, create it.
           (let ((saved-default-file-modes (default-file-modes)))
-            (set-default-file-modes ?\700)
-            (unless (file-exists-p trash-files-dir)
-              (make-directory trash-files-dir t))
-            (unless (file-exists-p trash-info-dir)
-              (make-directory trash-info-dir t))
-            (set-default-file-modes saved-default-file-modes))
+            (unwind-protect
+                (progn
+                  (set-default-file-modes #o700)
+                  (unless (file-exists-p trash-files-dir)
+                    (make-directory trash-files-dir t))
+                  (unless (file-exists-p trash-info-dir)
+                    (make-directory trash-info-dir t)))
+              (set-default-file-modes saved-default-file-modes)))
 
           ;; Try to move to trash with .trashinfo undo information
           (save-excursion
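Review bot: Only directories created here get mode 0700. When `trash-files-dir` or `trash-info-dir` already exists, the `file-exists-p` guards skip `make-directory`, and nothing in the visible lines checks the existing directory's permissions or ownership. The rest of move-file-to-trash lies outside the hunk, so this may be handled elsewhere; if it is not, the assumption should at least be documented with a comment such as `;; Existing trash directories are used as-is; their modes are not verified.` A short why-comment above the `unwind-protect` would also help, e.g. `;; Restore the default file modes even if make-directory signals.`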

=== modified file 'src/ChangeLog'
--- a/src/ChangeLog     2012-01-07 11:57:48 +0000
+++ b/src/ChangeLog     2012-01-07 19:51:13 +0000
@@ -1,3 +1,15 @@
+2012-01-07  Paul Eggert  <address@hidden>
+
+       emacs: fix an auto-save permissions race condition (Bug#10400)
+       * fileio.c (auto_saving_dir_umask): New static var.
+       (Fmake_directory_internal): Use it.
+       (do_auto_save_make_dir): Set it, instead of invoking chmod after
+       creating the directory.  The old code temporarily assigns
+       too-generous permissions to the directory.
+       (do_auto_save_eh): Clear it.
+       (Fdo_auto_save): Catch all errors, not just file errors, so
+       that the var is always cleared.
+
 2012-01-07  Eli Zaretskii  <address@hidden>
 
        * search.c (scan_buffer): Pass character positions to

=== modified file 'src/fileio.c'
--- a/src/fileio.c      2012-01-05 09:46:05 +0000
+++ b/src/fileio.c      2012-01-07 19:51:13 +0000
@@ -90,6 +90,9 @@
 /* Nonzero during writing of auto-save files */
 static int auto_saving;
 
+/* Nonzero umask during creation of auto-save directories */
+static int auto_saving_dir_umask;
+
 /* Set by auto_save_1 to mode of original file so Fwrite_region will create
    a new file with the same mode as the original */
 static int auto_save_mode_bits;
@@ -2062,7 +2065,7 @@
 #ifdef WINDOWSNT
   if (mkdir (dir) != 0)
 #else
-  if (mkdir (dir, 0777) != 0)
+  if (mkdir (dir, 0777 & ~auto_saving_dir_umask) != 0)
 #endif
     report_file_error ("Creating directory", list1 (directory));
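Review bot: The `WINDOWSNT` branch still calls `mkdir (dir)` with no mode, so `auto_saving_dir_umask` has no effect there, and the later hunk in do_auto_save_make_dir removes the `Fset_file_modes` call that previously ran on every platform. That may be acceptable if mode bits carry little meaning on that platform, but the gap deserves a comment, e.g. `/* auto_saving_dir_umask is not applied on WINDOWSNT: mkdir takes no mode there.  */`. The declaration comment in the first fileio.c hunk could also state that the value is a mask of permission bits cleared from 0777 and is 0 outside auto-save directory creation. Fmake_directory_internal begins and ends outside this hunk.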
 
@@ -5205,16 +5208,18 @@
 static Lisp_Object
 do_auto_save_make_dir (Lisp_Object dir)
 {
-  Lisp_Object mode;
+  Lisp_Object result;
 
-  call2 (Qmake_directory, dir, Qt);
-  XSETFASTINT (mode, 0700);
-  return Fset_file_modes (dir, mode);
+  auto_saving_dir_umask = 077;
+  result = call2 (Qmake_directory, dir, Qt);
+  auto_saving_dir_umask = 0;
+  return result;
 }
 
 static Lisp_Object
 do_auto_save_eh (Lisp_Object ignore)
 {
+  auto_saving_dir_umask = 0;
   return Qnil;
 }
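Review bot: The reset of `auto_saving_dir_umask` in do_auto_save_make_dir runs only on a normal return, and the reset in do_auto_save_eh runs only when a signalled condition reaches the handler. A non-local exit that is not a signal (for instance a `throw` out of code run by `make-directory`) would presumably skip both and leave the mask at 077 for every later Fmake_directory_internal call. The failure direction is restrictive rather than permissive, but it would silently change the modes of unrelated directories created afterwards. Registering the reset with `record_unwind_protect` ties it to the call itself and makes the reset in the handler redundant.

```c
static Lisp_Object
do_auto_save_make_dir_unwind (Lisp_Object ignore)
{
  auto_saving_dir_umask = 0;
  return Qnil;
}

static Lisp_Object
do_auto_save_make_dir (Lisp_Object dir)
{
  int count = SPECPDL_INDEX ();

  /* Clear the mask on every exit path, not only on normal return.  */
  record_unwind_protect (do_auto_save_make_dir_unwind, Qnil);
  auto_saving_dir_umask = 077;
  return unbind_to (count, call2 (Qmake_directory, dir, Qt));
}
```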
 
@@ -5282,7 +5287,7 @@
          dir = Ffile_name_directory (listfile);
          if (NILP (Ffile_directory_p (dir)))
            internal_condition_case_1 (do_auto_save_make_dir,
-                                      dir, Fcons (Fcons (Qfile_error, Qnil), 
Qnil),
+                                      dir, Qt,
                                       do_auto_save_eh);
          UNGCPRO;
        }

