>From 2eaf3b2ef59868a349af8d5a1a1132ef1d1cbbe2 Mon Sep 17 00:00:00 2001
From: Manuel Giraud <manuel@ledu-giraud.fr>
Date: Wed, 22 Mar 2023 10:46:23 +0100
Subject: [PATCH] Narrow unsafe auto-save

* lisp/net/tramp.el (tramp-dangerous-auto-save-p): New function to
determine dangerouness of an auto-save.
(tramp-handle-make-auto-save-file-name): Use it.
---
 lisp/net/tramp.el | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/lisp/net/tramp.el b/lisp/net/tramp.el
index 6eff5b2ca60..c3ee0ae06a6 100644
--- a/lisp/net/tramp.el
+++ b/lisp/net/tramp.el
@@ -6474,6 +6474,21 @@ tramp-delete-temp-file-function
 	    (remove-hook 'kill-buffer-hook
 			 #'tramp-delete-temp-file-function)))
 
+(defun tramp-dangerous-auto-save-p (filename autosave)
+  (let ((attributes (file-attributes filename 'integer))
+        (modes (file-modes filename 'nofollow)))
+    (and
+     ;; a file own by root and rwx only by root...
+     (and (= (or (file-attribute-user-id attributes)
+	         tramp-unknown-id-integer)
+	     tramp-root-id-integer)
+          (= modes (logand modes #o700)))
+     ;; ... into world readable autosave temporary
+     (and (file-in-directory-p autosave temporary-file-directory)
+          (/= (logand (file-modes temporary-file-directory 'nofollow)
+                      #o006)
+              0)))))
+
 (defun tramp-handle-make-auto-save-file-name ()
   "Like `make-auto-save-file-name' for Tramp files.
 Returns a file name in `tramp-auto-save-directory' for autosaving
@@ -6516,11 +6531,7 @@ tramp-handle-make-auto-save-file-name
 	;; Protect against security hole.
 	(when (and (not tramp-allow-unsafe-temporary-files)
 		   auto-save-default
-		   (file-in-directory-p result temporary-file-directory)
-		   (= (or (file-attribute-user-id
-			   (file-attributes filename 'integer))
-			  tramp-unknown-id-integer)
-		      tramp-root-id-integer)
+                   (tramp-dangerous-auto-save-p filename result)
 		   (not (with-tramp-connection-property
 			    (tramp-get-process v) "unsafe-temporary-file"
 			  (yes-or-no-p
-- 
2.39.2