Re: set-file-extended-attributes and backups

From: Eli Zaretskii
Subject: Re: set-file-extended-attributes and backups
Date: Fri, 21 Dec 2012 20:08:17 +0200

> Date: Fri, 21 Dec 2012 09:48:20 -0800
> From: Paul Eggert <address@hidden>
> CC: address@hidden, address@hidden
> On 12/21/12 08:44, Eli Zaretskii wrote:
> > How about if it tried to copy ACLs, and if that failed, attempted to
> > copy the file modes?  That would DTRT if possible, and fall back on
> > the pre-ACL method if not.
> That could lead to security issues if the file modes are more
> permissive than the ACLs.

But we did that until a week ago.  If we want Emacs to be more secure,
just because it can now access ACLs, this decision should be left to
the user, i.e. be a user option.  Otherwise, we are forcing on users a
level of security they do not necessarily want.

> Is there an easy way to test whether a file's ACLs could deny
> access when the file's modes would allow it?

There are no modes without ACLs.  Systems that support ACLs always
provide ACLs for files, if only the default ones.  So what you ask is
whether the default ACLs will allow some access that specific ACLs
won't.  And the answer to that is "it depends on the user" whose
access we are interested in.  E.g., if the default ACLs allow some
access to the file's group, the answer depends on whether a user
belongs to that group.

> The simplest conservative approximation that I can think of offhand
> is to test whether a file has any nontrivial ACLs.

That's not good enough, I think: if the nontrivial ACLs specify the
same group as the file's group, the modes and the ACLs are equivalent,
although the ACLs are "nontrivial".

> Whatever test Emacs uses, if the test says "yes" Emacs should
> be more cautious: create a destination file with a restrictive
> mode (e.g., -rw-------), copy the data, then attempt to copy the ACLs,
> and if the ACL copy fails then Emacs should not attempt to change
> the mode.

That assumes that -rw------- is secure.  But that assumption is false,
because ACLs can be more restrictive than that, even on Posix
platforms.  E.g., they could disallow write access to the user who
makes the copy, or disallow attribute changes.

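The conservative copy sketched above (restrictive mode first, data, then ACLs, and no chmod if the ACL copy fails), as an added example that is not part of this thread or of Emacs's own code. It assumes Linux, where a file's extended POSIX ACL is exposed through the system.posix_acl_access xattr and a file with only a trivial ACL has no such xattr; the `copy_acl` hook is an assumption so the fallback can be exercised without ACL-enabled storage.

```python
import errno
import os
import shutil
import stat
import tempfile

# Linux exposes a file's extended POSIX ACL as this xattr; a file with only
# a trivial ACL (owner/group/other == its mode bits) carries no such xattr.
ACL_XATTR = "system.posix_acl_access"

def copy_acl_xattr(src, dst):
    """Return True only when dst is known to carry src's access rules."""
    if not hasattr(os, "getxattr"):      # non-Linux Python: cannot tell
        return False
    try:
        blob = os.getxattr(src, ACL_XATTR)
    except OSError as e:
        return e.errno == errno.ENODATA  # ENODATA: trivial ACL, modes suffice
    try:
        os.setxattr(dst, ACL_XATTR, blob)  # fails e.g. if fs lacks ACL support
        return True
    except OSError:
        return False

def conservative_copy(src, dst, copy_acl=copy_acl_xattr):
    """Create dst as -rw-------, copy the data, then try to copy the ACL.
    src's mode bits go onto dst only if the ACL copy succeeded; otherwise
    dst is left at 0600 (which is itself an assumption, per the thread).
    Returns (acl_copied, resulting mode bits)."""
    src_mode = stat.S_IMODE(os.stat(src).st_mode)
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        shutil.copyfileobj(inp, out)
    acl_copied = copy_acl(src, dst)
    if acl_copied:
        os.chmod(dst, src_mode)
    return acl_copied, stat.S_IMODE(os.stat(dst).st_mode)

if __name__ == "__main__":
    # Constructed sample: a 0644 file backed up twice, the second time with
    # a deliberately failing ACL copier to show the restrictive fallback.
    d = tempfile.mkdtemp()
    src = os.path.join(d, "notes.txt")
    with open(src, "wb") as f:
        f.write(b"backup me\n")
    os.chmod(src, 0o644)
    print(conservative_copy(src, os.path.join(d, "notes.txt~")))
    print(conservative_copy(src, os.path.join(d, "notes.txt~1~"),
                            copy_acl=lambda s, t: False))  # -> (False, 0o600)
```

The hook returning False stands in for every case the message lists where the ACL copy cannot be trusted, including an ACL that denies the copying user attribute changes.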