bug#865: 23.0.60; The directory is unsafe today

[Eli Zaretskii]

> From: Stefan Monnier <monnier@iro.umontreal.ca>
> Cc: 865@emacsbugs.donarmstrong.com,  jasonr@gnu.org,  
> emacs-pretest-bug@gnu.org
> Date: Sun, 07 Sep 2008 23:33:28 -0400
> 
> > This is impossible on Windows, AFAIK.  There are special flags to the
> > syscall that opens a file or directory that can bypass any denied
> > rights to enter a directory or open a file.  (These flags allegedly
> > exist so that system backup and restore programs could DTRT without
> > running as a privileged user.)
> 
> Are you saying that anybody can read any file (or dir) simply by using
> those extra flags when they open those files and dirs?  So there's no
> possible privacy between users on the same machine?  If so, we may just
> stop to worry about server-ensure-safe-dir under w32 since there's
> simply no way for it to be safe (short of encrypting it, which implies
> a fairly different UI).

Not exactly: most programs don't use these special flags, and some of
them seem to require special privileges, although I'm not quite sure
who can gain those privileges.  (A small test program confirmed that I
can gain them, even though I'm not in the Administrators group.)

See:

  http://msdn.microsoft.com/en-us/library/aa364399(VS.85).aspx

for more details.

But I don't think we should dismiss the privacy issue just because it
can be bypassed by an ill meaning program: the same can happen on
Unix, given a program that deliberately gains root access.  "Normal"
programs don't use those special access flags and privileges, and so
cannot access files in a private directory.