[comp.emacs] Emacs Auto-Save Security

sm2@sequent.cc.hull.ac.uk (Simon Marshall) (05/20/91)

	For Emacs 18.55.2 (and 18.51.15).  This may have been changed in
     later versions, and is not really a bug - it may just be that it never
     occurred to anyone before...

	When Emacs auto-saves a buffer visiting a file (using a different
     name), it uses the value of the file creation mask (typically given
     by "umask" on Unix) for the auto-save file's permission bits, not the
     permission bits of the file that the buffer is visiting.

	Assuming that you're not the type who has umask 077 as the first
     line in your ~/.cshrc file (but do those sort of people refuse to use
     Emacs on principle anyway? ;-), and have something like umask 022,
     any file you edit using Emacs which you have chosen to restrict
     access to in some way is effectively unrestricted once an auto-save
     is done.  If root uses Emacs to edit an access-restricted file, s/he
     better beware...

	Auto-saving is done on some buffers that are not visiting a file
     (*mail* being one such example), so it cannot get permission bits
     that way.  Also, you may tell Emacs to auto-save under the same name
     anyway.  However, when using a different name, it would be safer to
     use the visited file's permission bits if the buffer is visiting one,
     or a more cautious value.  Are there any patches for this?

	Simon.
_______________________________________________________________________________
Simon Marshall, Dept. of Computer Science, University of Hull, Hull HU6 7RX, UK
	      "``La la la la la la la la la'' means I love you."
	EMAIL:	S.Marshall@Hull.ac.uk		UUCP:	..!ukc!hu-cs!sm
    Telephone:	+44 482 465951 (office)		 Fax:	+44 482 466666

Dan_Jacobson@ATT.COM (05/22/91)

>>>>> On 20 May 91 11:05:26 GMT, sm2@sequent.cc.hull.ac.uk (Simon Marshall) said:

Simon> 	When Emacs auto-saves a buffer visiting a file (using a
Simon> different name), it uses the value of the file creation mask
Simon> (typically given by "umask" on Unix) for the auto-save file's
Simon> permission bits, not the permission bits of the file that the
Simon> buffer is visiting.

Simon> 	Assuming that you're not the type who has umask 077 as the
Simon> first line in your ~/.cshrc file (but do those sort of people
Simon> refuse to use Emacs on principle anyway? ;-), and have
Simon> something like umask 022, any file you edit using Emacs which
Simon> you have chosen to restrict access to in some way is
Simon> effectively unrestricted once an auto-save is done.  If root
Simon> uses Emacs to edit an access-restricted file, s/he better
Simon> beware...

Simon> 	Auto-saving is done on some buffers that are not visiting a
Simon> file (*mail* being one such example), so it cannot get
Simon> permission bits that way.

Here's what I use for the mail buffers:

(let ((tmp (expand-file-name "~/.mail/")))   ; ~/.mail is mode 700
  (if (file-directory-p tmp)
      (setq vm-folder-directory tmp)
    (setq vm-folder-directory (expand-file-name "~/"))))

(setq mail-archive-file-name (concat vm-folder-directory "outbox"))

(setq mail-mode-hook
      (function
       (lambda ()
         ;; At last: can save the "*mail*" auto-save buffer in a protected
         ;; directory, so I don't have to set a restrictive (077) umask.
         ;; [idea is thanks to Kyle Jones]
         ;; (and (string= buffer-auto-save-file-name
         ;;               (expand-file-name "~/#%*mail*#"))
         (setq buffer-auto-save-file-name
               (concat vm-folder-directory "#%*mail"
                       (int-to-string (random t))))
         ;; VM5: "#_reply_to_Kyle_Jones#" still too long
         ;; maybe "#-5421Kyle_Jones" is cooler
         )))
;; (I have a cron job regularly clean out any old mail backups that are
;; produced when I change my mind and don't send an e-mail.)

sm2@sequent.cc.hull.ac.uk (Simon Marshall) (05/23/91)

	Reminder for those who've forgotten (we get posted news a few days
     later in the UK than US, so although I'm replying as soon as I see
     postings, it's late to some).

	The "problem" concerns Emacs' auto-save files having their
     permission bits set to umask, not the permission bits of the file the
     buffer is visiting if it has one.  In other words:

		      editing READ-RESTRICTED files
		 still produces READABLE auto-save files

     if umask==022 or something similar, and similarly for auto-save files
     of buffers such as *mail* etc. which are not visiting files, but are
     auto-saved.

	Nightmare!  Your boss can read all your mail as you write it!

On 22 May, Dan Jacobson (Dan_Jacobson@attribute.com) writes in alt.security:

	(basically, in a condensed way, something like this:)

(setq mail-mode-hook (function (lambda ()
	(setq buffer-auto-save-file-name	;;; Thanks to Kyle Jones
	     (expand-file-name (concat "~/<read-restricted-directory>/#%*mail"
				       ;; concat takes strings, so convert the number
				       (int-to-string (random t)) "*#"))))))

	This solves the problem of an auto-save *mail* file, although
     auto-save files remain (and pile up) if the mail is not sent.

	This does not of course solve the problem of readable auto-save
     files of buffers visiting read-restricted files, but something
     similar can be done with find-file-hooks in this case.

	Obviously though, this should not be left to the user (who may not
     even be aware of the problem) - isn't this a feature that needs to be
     addressed/fixed?  Do any Emacs/GNU people have any input?  It has
     frightened some people into making umask=077, another nightmare!

	Simon.
_______________________________________________________________________________
Simon Marshall, Dept. of Computer Science, University of Hull, Hull HU6 7RX, UK
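The find-file-hooks variant Simon mentions, added here as an example rather than code from either poster. It covers both cases the thread raises: buffers visiting a file that is restricted in some way, and non-file buffers such as *mail*, whose auto-save file is instead placed in a directory only the owner can enter. It assumes a mode-700 directory ~/.private-autosave already exists and uses the Emacs 18 hook variable names; the function and variable names are mine.

```elisp
;; Added example, not code from the thread.  Assumes ~/.private-autosave
;; already exists with mode 700 (Emacs 18 has no make-directory) and uses
;; the Emacs 18 hook variables `find-file-hooks' and `mail-mode-hook'.
(defvar private-auto-save-directory
  (expand-file-name "~/.private-autosave/")
  "Mode-700 directory that receives auto-save files of restricted buffers.")

(defun restricted-file-p (file)
  "Non-nil if FILE exists and is not readable by both group and other.
36 decimal is 044 octal: the group-read and other-read permission bits."
  (let ((modes (and (file-exists-p file) (file-modes file))))
    (and modes (/= 36 (logand modes 36)))))

(defun private-auto-save-name ()
  "Redirect this buffer's auto-save file into `private-auto-save-directory'.
From `find-file-hooks' it acts only when the visited file is restricted in
some way; from `mail-mode-hook' the buffer visits no file, so there are no
permission bits to copy and the auto-save is always redirected.
The #name# shape is kept so the file is still recognisable as an auto-save."
  (and (file-directory-p private-auto-save-directory)
       (or (null buffer-file-name)
           (restricted-file-p buffer-file-name))
       (setq buffer-auto-save-file-name
             (concat private-auto-save-directory
                     (if buffer-file-name
                         (concat "#" (file-name-nondirectory buffer-file-name) "#")
                       ;; Non-file buffer: same "#%name#" shape Emacs uses,
                       ;; plus a random suffix so drafts do not overwrite each
                       ;; other (concat needs a string, hence int-to-string).
                       (concat "#%" (buffer-name)
                               (int-to-string (random t)) "#"))))))

;; Emacs 18 has no add-hook: push onto find-file-hooks, which is a list.
(setq find-file-hooks (cons 'private-auto-save-name find-file-hooks))
;; Like the thread's snippet, this replaces any existing mail-mode-hook.
(setq mail-mode-hook 'private-auto-save-name)
```

Saving the buffer still removes the redirected auto-save file, because Emacs deletes whatever buffer-auto-save-file-name names, but M-x recover-file looks beside the visited file, so recovery from the private directory is done by hand. Later Emacs releases copy the visited file's permission bits onto the auto-save file in the C auto-save code and provide auto-save-file-name-transforms for this kind of redirection.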