Re: set-file-extended-attributes and backups

From: Paul Eggert
Subject: Re: set-file-extended-attributes and backups
Date: Fri, 21 Dec 2012 10:31:30 -0800
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Thunderbird/17.0

On 12/21/12 10:08, Eli Zaretskii wrote:

> But we did that until a week ago.

True, but we're trying to do the right thing with ACLs now,
rather than ignore them and do the wrong thing.

> this decision should be left to the user, i.e. be a user option.

Possibly, but the default should be safe, i.e., it shouldn't
grant access rights that were not already there.

> So what you ask is
> whether the default ACLs will allow some access that a specific ACLs
> won't.  And the answer to that is "it depends ..."

Yes, and the question is whether it's easy to find out
all the dependencies, so that Emacs can tell whether the
default ACLs would allow any access that the correct ACLs
would deny.  My guess is that the answer is "no", unfortunately.

>> The simplest conservative approximation that I can think of offhand
>> is to test whether a file has any nontrivial ACLs.
> That's not good enough, I think: if the nontrivial ACLs specify the
> same group as the file's group, the modes and the ACLs are equivalent,
> although the ACLs are "nontrivial".

Sure, but here it's OK from a security point of view to use a
conservative approximation, i.e., a test that sometimes says
"yes" even when the true answer is "no".  The only downside is
that when the conservative approximation is incorrect, then when
the ACLs cannot be copied the file will end up in mode -rw-------.
That's annoying, but it's safe and I hope it's rare.

> That assumes that -rw------- is secure.  But that assumption is false,
> because ACLs can be more restrictive than that, even on Posix
> platforms.

No, because if an attacker can read and write a file with
permissions -rw-------, then the attacker owns the file
(or is superuser) and can change its ACLs.  ACLs cannot stop
such an attacker.  So long as Emacs doesn't grant permissions
to anybody other than the owner, Emacs is not giving any
secrets away that aren't being given away already.

As a minor nicety, we could use mode ----------, if we prefer being safer
in an advisory sense.  Mode ---------- won't stop an attacker
who is the owner, but it would be more likely to prevent
blundering owners from shooting themselves in the foot.
