Re: master 739593d 3/5: Make gnus-copy-file act like copy-file etc.

[Paul Eggert]

On 09/13/2017 01:11 PM, Lars Ingebrigtsen wrote:
> What are the security implications of writing the file to the directory
> if the user (interactively) types in that directory name?

If the attacker knows what the user is up to (and this can be guessed 
often enough by looking at what Emacs has done to the file system 
recently), the attacker can hijack the rename. For example, if you type 
'M-x rename-file RET abc RET /tmp/def RET', the attacker can create a 
symlink /tmp/def to a victim directory D so that the file abc is moved 
to D/abc rather than to its intended location /tmp/def.

This attack can happen only when the destination's parent directory 
(/tmp in the above example) is writable to the attacker. So we could 
bring back support for interactive renames to destination directories 
whose parents are writable only by self or root. (Most likely the actual 
rule will be more complicated than this, but the basic idea will work.) 
This would lessen the scope of the change, albeit at the cost of 
complication of the documentation and implementation.

> The user can type anything, like "/home/larsi" and "/var/tmp" and the
> behaviour should be the same across directories.
/home/larsi and /var/tmp should both be safe destinations in the above 
sense, as their parents aren't writable to others. So they would both 
work without the trailing slash, under the above proposal.

I'd rather leave it alone as it's simpler and easier to describe the way 
it is, and I type the same keystrokes as before since I normally use tab 
completion which adds a trailing / which gives me visual feedback that 
it's a move into a directory which is a win. But I can be talked into 
something like the above if it'd be valuable for others' interactive 
use. (Do you type "/ h o m e / l a r s i" by hand a lot? :-)