sm2@sequent.cc.hull.ac.uk (Simon Marshall) (05/20/91)
For Emacs 18.55.2 (and 18.51.15). This may have been changed in later versions, and is not really a bug - it just may be that it never occurred to anyone before...

When Emacs auto-saves a buffer visiting a file (using a different name), it uses the value of the file creation mask (typically given by "umask" on Unix) for the auto-save file's permission bits, not the permission bits of the file that the buffer is visiting.

Assuming that you're not the type who has umask 077 as the first line in your ~/.cshrc file (but do those sort of people refuse to use Emacs on principle anyway? ;-), and have something like umask 022, any file you edit using Emacs which you have chosen to restrict access to in some way is effectively unrestricted once an auto-save is done. If root uses Emacs to edit an access-restricted file, s/he better beware...

Auto-saving is done on some buffers that are not visiting a file (*mail* being one such example), so it cannot get permission bits that way. Also, you may tell Emacs to auto-save under the same name anyway. However, when using a different name, it would be safer to use the visited file's permission bits if the buffer is visiting one, or a more cautious value.

Are there any patches for this?

Simon.
_______________________________________________________________________________
Simon Marshall, Dept. of Computer Science, University of Hull, Hull HU6 7RX, UK
"``La la la la la la la la la'' means I love you."
EMAIL: S.Marshall@Hull.ac.uk UUCP: ..!ukc!hu-cs!sm
Telephone: +44 482 465951 (office) Fax: +44 482 466666
Dan_Jacobson@ATT.COM (05/22/91)
>>>>> On 20 May 91 11:05:26 GMT, sm2@sequent.cc.hull.ac.uk (Simon Marshall) said:
Simon> When Emacs auto-saves a buffer visiting a file (using a
Simon> different name), it uses the value of the file creation mask
Simon> (typically given by "umask" on Unix) for the auto-save file's
Simon> permission bits, not the permission bits of the file that the
Simon> buffer is visiting.
Simon> Assuming that you're not the type who has umask 077 as the
Simon> first line in your ~/.cshrc file (but do those sort of people
Simon> refuse to use Emacs on principle anyway? ;-), and have
Simon> something like umask 022, any file you edit using Emacs which
Simon> you have chosen to restrict access to in some way is
Simon> effectively unrestricted once an auto-save is done. If root
Simon> uses Emacs to edit an access-restricted file, s/he better
Simon> beware...
Simon> Auto-saving is done on some buffers that are not visiting a
Simon> file (*mail* being one such example), so it cannot get
Simon> permission bits that way.
here's what i use for the mail buffers

(let ((tmp (expand-file-name "~/.mail/"))) ; .mail == 700 mode
  (if (file-directory-p tmp)
      (setq vm-folder-directory tmp)
    (setq vm-folder-directory (expand-file-name "~/"))))
(setq mail-archive-file-name (concat vm-folder-directory "outbox"))
(setq mail-mode-hook
      (function
       (lambda ()
;;;at last: can save the "*mail*" auto-save buffer in a protected
;;;directory, so I don't have to set a restrictive (077) umask.
;;;[idea is thanks to Kyle Jones]
;;;      (and (string= buffer-auto-save-file-name
;;;                    (expand-file-name "~/#%*mail*#"))
         (setq buffer-auto-save-file-name
               (concat vm-folder-directory "#%*mail"
                       (int-to-string (random t)))
               ;; VM5: "#_reply_to_Kyle_Jones#" still too long
               ;; maybe "#-5421Kyle_Jones" is cooler
               );)
         )))
;;(I have a cron job regularly clean out any old mail backups that are
;;produced when i change my mind and don't send an e-mail)
sm2@sequent.cc.hull.ac.uk (Simon Marshall) (05/23/91)
Reminder for those who've forgotten (we get posted news a few days later in the UK than US, so although I'm replying as soon as I see postings, it's late to some). The "problem" concerns Emacs' auto-save files having their permission bits set to umask, not the permission bits of the file the buffer is visiting if it has one.

In other words: editing READ-RESTRICTED files still produces READABLE auto-save files if umask==022 or something similar, and similarly for auto-save files of buffers such as *mail* etc. which are not visiting files, but are auto-saved. Nightmare! Your boss can read all your mail as you write it!

On 22 May, Dan Jacobson (Dan_Jacobson@ATT.COM) writes in alt.security:
(basically, in a condensed way, something like this:)

(setq mail-mode-hook
      (function
       (lambda ()
         (setq buffer-auto-save-file-name        ;;; Thanks to Kyle Jones
               (expand-file-name
                (concat "~/<read-restricted-directory>/#%*mail"
                        (random t) "*#"))))))

this solves the problem of an auto-save *mail* file, although auto-save files remain (and pile up) if the mail is not sent.

This does not of course solve the problem of readable auto-save files of buffers visiting read-restricted files, but something similar can be done with find-file-hooks in this case. Obviously though, this should not be left to the user (who may not even be aware of the problem) - isn't this a feature that needs to be addressed/fixed?

Do any Emacs/GNU people have any input? It has frightened some people into making umask=077, another nightmare!

Simon.
_______________________________________________________________________________
Simon Marshall, Dept. of Computer Science, University of Hull, Hull HU6 7RX, UK
"``La la la la la la la la la'' means I love you."
EMAIL: S.Marshall@Hull.ac.uk UUCP: ..!ukc!hu-cs!sm
Telephone: +44 482 465951 (office) Fax: +44 482 466666
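
The permission behaviour discussed in this thread, as an added example that is not part of the original posts and is not Emacs code: a Python model of a "#name#" auto-save written under umask 022, the variant that inherits the visited file's bits, and an audit that lists auto-saves more readable than the file they shadow. The function names and the sample file payroll.txt are constructed for illustration, and the audit covers only buffers that visit a file.

```python
import os, stat, tempfile

def autosave_name(path):
    # Emacs names the auto-save of a visited file "#name#" in the same directory.
    return os.path.join(os.path.dirname(path), "#" + os.path.basename(path) + "#")

def write_autosave(path, data, inherit):
    """inherit=False models the reported behaviour (mode = 0666 & ~umask);
    inherit=True is the stricter alternative asked for in the thread."""
    dst = autosave_name(path)
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_TRUNC,
                 0o600 if inherit else 0o666)
    with os.fdopen(fd, "wb") as f:
        if inherit:
            # fchmod also tightens a copy left behind by an earlier save.
            os.fchmod(fd, (os.stat(path).st_mode & 0o777) | 0o600)
        f.write(data)
    return dst

def find_exposed_autosaves(root):
    """List (auto-save, its mode, visited mode) where the auto-save grants
    group/other bits that the visited file withholds."""
    hits = []
    for d, _, files in os.walk(root):
        for name in files:
            visited = os.path.join(d, name[1:-1])
            if not (len(name) > 2 and name[0] == name[-1] == "#"
                    and os.path.isfile(visited)):
                continue
            a = stat.S_IMODE(os.lstat(os.path.join(d, name)).st_mode)
            v = stat.S_IMODE(os.stat(visited).st_mode)
            if a & ~v & 0o077:
                hits.append((os.path.join(d, name), a, v))
    return hits

def demo():
    old = os.umask(0o022)                      # the umask assumed in the thread
    try:
        with tempfile.TemporaryDirectory() as d:
            secret = os.path.join(d, "payroll.txt")   # constructed sample file
            os.close(os.open(secret, os.O_WRONLY | os.O_CREAT, 0o600))
            leaky = write_autosave(secret, b"draft", inherit=False)
            before = stat.S_IMODE(os.stat(leaky).st_mode)
            found = find_exposed_autosaves(d)
            write_autosave(secret, b"draft", inherit=True)
            after = stat.S_IMODE(os.stat(leaky).st_mode)
            return before, found, after, find_exposed_autosaves(d)
    finally:
        os.umask(old)
```

Calling find_exposed_autosaves on a home or project directory reports existing auto-saves that need a chmod or removal.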