Posted to dev@subversion.apache.org by Kalle Olavi Niemitalo <ko...@iki.fi> on 2003/08/09 11:23:26 UTC

psvn.el: insecure temporary files

psvn.el writes temporary files "svn.arg", "svn-prop-edit.txt" and
"svn-log-edit.txt" in the directory given as svn-status-temp-dir,
which is typically "/tmp/".  If another user has already created
these files, psvn commands fail with error messages like "Opening
output file: permission denied, /tmp/svn.arg".  Symlink attacks
are also possible.

As a workaround, svn-status-temp-dir can be changed to point to a
directory where other users cannot write.  For example, this
could be done in ~/.emacs:

  (setq svn-status-temp-dir (expand-file-name "~/.svn/psvn.tmp/"))
  (make-directory svn-status-temp-dir t)

However, this has two flaws: any files left over in that
directory are not automatically removed by the system
(although they are generally small so it shouldn't matter),
and simultaneous Emacs sessions of the same user can still
disrupt each other.

I'd prefer to fix this by making psvn automatically generate
unique filenames in the standard tmp directory.  It should also
delete the temporary files as soon as possible, so that it
needn't wonder whether it is safe to reuse files.  However,
this solution seems to require the mustbenew parameter of
write-region, which is not available in XEmacs 21.4.
(In that version, the seventh parameter is coding-system.)

Yet another possibility would be to automatically create a unique
directory in /tmp/ and then use that as svn-status-temp-dir.
The make-directory function seems to fail reliably if the
directory already exists.

What is the best way?
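An added example, not code from psvn.el, of the third option above: a per-session directory created atomically with make-directory and used as svn-status-temp-dir. The function names are hypothetical; it assumes GNU Emacs primitives (temporary-file-directory, set-default-file-modes) and that make-directory signals a file-error when the path already exists.

```elisp
;; Added example, not psvn.el code: a per-session private directory under
;; the system temp dir, suitable as the value of `svn-status-temp-dir'.
(defun psvn-example-make-private-temp-dir (prefix)
  "Atomically create a fresh directory named PREFIX plus random characters
under `temporary-file-directory' with mode 0700 and return its name
with a trailing slash.  mkdir(2) fails if the path already exists, so a
name another user has pre-created or symlinked is never reused; a
collision just triggers another attempt."
  (let ((old-modes (default-file-modes))
        (attempts 0)
        dir)
    (unwind-protect
        (progn
          ;; Everything created from here on gets 0700, so the directory
          ;; is private from the instant it exists.
          (set-default-file-modes #o700)
          (while (not dir)
            (when (> (setq attempts (1+ attempts)) 100)
              (error "Cannot create a private temp directory in %s"
                     temporary-file-directory))
            (let ((candidate (make-temp-name
                              (expand-file-name prefix temporary-file-directory))))
              (condition-case nil
                  (progn
                    ;; PARENTS is nil, so an existing path is an error
                    ;; rather than silently accepted.
                    (make-directory candidate)
                    (setq dir (file-name-as-directory candidate)))
                ;; Emacs 21 signals plain `file-error' for EEXIST; newer
                ;; Emacs signals `file-already-exists', a `file-error' subtype.
                (file-error nil)))))
      (set-default-file-modes old-modes))
    dir))

(defun psvn-example-remove-temp-dir (dir)
  "Delete the plain files psvn left directly in DIR, then DIR itself.
Meant for `kill-emacs-hook'; after a crash the system's /tmp cleaner
removes the leftovers instead, which a directory under ~ would not get."
  (when (file-directory-p dir)
    (dolist (f (directory-files dir t nil t))
      (when (file-regular-p f)
        (delete-file f)))
    (delete-directory dir)))

;; Usage: point psvn at the private directory and remove it on exit.
(setq svn-status-temp-dir (psvn-example-make-private-temp-dir "psvn-"))
(add-hook 'kill-emacs-hook
          (lambda () (psvn-example-remove-temp-dir svn-status-temp-dir)))
```

Because the directory is created with mkdir rather than checked and then used, the check-then-act window that makes a fixed name under /tmp attackable does not exist; the remaining weakness is that kill-emacs-hook does not run after a crash, which the /tmp cleaner covers.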

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: psvn.el: insecure temporary files

Posted by Kalle Olavi Niemitalo <ko...@iki.fi>.
Fumitoshi UKAI <uk...@debian.or.jp> writes:

> FYI, apel ftp://ftp.m17n.org/pub/mule/apel/ 10.5 or later has
> `make-temp-name' implementation for XEmacs or older Emacs.

I think you mean make-temp-file.  The APEL implementation
apparently creates a temporary directory atomically, creates the
temporary file there, hardlinks the file to the final place
atomically, and finally unlinks it from the directory and removes
the directory.  There is also another version of make-temp-file
for single-user operating systems that don't support hard links.

I doubt it's a good idea to copy all this code into psvn, and
adding a dependency on APEL doesn't seem attractive either.

Do more recent versions of XEmacs have a way to pass O_EXCL to
open()?


Re: psvn.el: insecure temporary files

Posted by Fumitoshi UKAI <uk...@debian.or.jp>.
At Sat, 09 Aug 2003 19:12:03 +0300,
Kalle Olavi Niemitalo wrote:

> > (make-temp-name (temp-directory))
> 
> That does not actually create the file, so it is possible for
> another process to create a symlink there after make-temp-name
> has chosen the name.  The mustbenew parameter of write-region
> would allow detecting that.
> 
> > (mm-make-temp-file (temp-directory))
> >     this actually looks like it comes from gnus..  so maybe borrow the
> >     code?
> 
> The version in CVS Gnus either redirects to make-temp-file (which
> is present in Emacs 21.2 but not in XEmacs 21.4) or is as unsafe
> as make-temp-name.

FYI, apel ftp://ftp.m17n.org/pub/mule/apel/ 10.5 or later has `make-temp-name'
implementation for XEmacs or older Emacs.

Regards,
Fumitoshi UKAI


Re: psvn.el: insecure temporary files

Posted by Kalle Olavi Niemitalo <ko...@iki.fi>.
Robert Spier <rs...@pobox.com> writes:

> (make-temp-name (temp-directory))

That does not actually create the file, so it is possible for
another process to create a symlink there after make-temp-name
has chosen the name.  The mustbenew parameter of write-region
would allow detecting that.

> (mm-make-temp-file (temp-directory))
>     this actually looks like it comes from gnus..  so maybe borrow the
>     code?

The version in CVS Gnus either redirects to make-temp-file (which
is present in Emacs 21.2 but not in XEmacs 21.4) or is as unsafe
as make-temp-name.

>> However, this has two flaws: any files left over in that
>> directory are not automatically removed by the system
>
> After generating the file, they should be added to some list to delete
> later via a hook.

I meant a failsafe if Emacs or the whole computer crashes.


Re: psvn.el: insecure temporary files

Posted by Robert Spier <rs...@pobox.com>.
At 09 Aug 2003 14:23:26 +0300,
Kalle Olavi Niemitalo wrote:
> As a workaround, svn-status-temp-dir can be changed to point to a
> directory where other users cannot write.  For example, this
> could be done in ~/.emacs:
> 
>   (setq svn-status-temp-dir (expand-file-name "~/.svn/psvn.tmp/"))
>   (make-directory svn-status-temp-dir t)

(make-temp-name (temp-directory))

(mm-make-temp-file (temp-directory))
    this actually looks like it comes from gnus..  so maybe borrow the
    code?
    
> However, this has two flaws: any files left over in that
> directory are not automatically removed by the system

After generating the file, they should be added to some list to delete
later via a hook.
