Kjetil Kjernsmo <[EMAIL PROTECTED]> writes:

> Package: tramp
> Version: 1:2.0.47-1
> Severity: normal
> Tags: security
>
> I just noticed that when I edited a buffer /su::/etc/apache/axkit.conf,
> a file /tmp/#axkit.conf# was created. axkit.conf is owned by root:root
> on my system, and is readable only to root:
> -rw-------    1 root   root    4901 Feb 17 12:39 axkit.conf
> I don't want the contents of that file exposed... :-)
>
> The problem is that the temporary file gets a different set of
> permissions:
> -rw-r--r--  1 kjetil   kjetil    4900 Feb 17 13:00 #axkit.conf#
> It gets the default permissions of my user. 

That's strange. Since Tramp 2.0.45, auto-saved files should get the
same permissions as the original file (0600 in your case). See also
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=274427>.

What I'm a little bit surprised by is the name of your auto-saved
file. It should be "/tmp/#!su::!etc!apache!axkit.conf#". Could you
please check the variable `auto-save-hook' (it should contain
`tramp-set-auto-save-file-modes'). Furthermore, the value of variable
`auto-save-file-name-transforms' is important to know.

> I'm submitting this only as severity normal, as I'm not confident it is
> a bug, it could be that I have a flawed understanding. If it is a bug it

You could read the Tramp manual, chapter "Auto-save and Backup", in
order to see alternatives when you're concerned with your data. Of
course, just as a workaround.

> would be the first time I find a security problem! :-) What do others
> think?

Congratulations!

> Kjetil

Thanx for reporting, and best regards, Michael.
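
An added example, not code from Tramp or from this thread: a Python illustration of the failure mode reported above, where a scratch copy written with default settings gets umask-derived permissions, next to a copy that is created owner-only and then given the original file's mode. The function names and the sample file content are constructed for illustration, and this shows the general pattern rather than Tramp's own Emacs Lisp implementation.

```python
import os
import stat
import tempfile


def autosave_naive(src, dst):
    """Write a scratch copy with default settings: the mode comes from the umask."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        fout.write(fin.read())
    return stat.S_IMODE(os.stat(dst).st_mode)


def autosave_preserving(src, dst):
    """Create the copy owner-only, write it, then apply the original's mode bits."""
    src_mode = stat.S_IMODE(os.stat(src).st_mode)
    # O_EXCL refuses a file or symlink already planted in a shared directory.
    # Mode 0600 at creation means the data is never readable by others,
    # not even briefly before the final fchmod.
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fout, open(src, "rb") as fin:
        fout.write(fin.read())
        fout.flush()
        # Copy only the rwx bits; setuid/setgid/sticky are dropped.
        os.fchmod(fout.fileno(), src_mode & 0o777)
    return stat.S_IMODE(os.stat(dst).st_mode)


def demo():
    """Return (naive_mode, preserved_mode) for a constructed 0600 original."""
    old_umask = os.umask(0o022)  # assumed typical default umask
    try:
        with tempfile.TemporaryDirectory() as d:
            src = os.path.join(d, "axkit.conf")
            fd = os.open(src, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "wb") as f:
                f.write(b"constructed sample content\n")
            naive = autosave_naive(src, os.path.join(d, "#axkit.conf#"))
            kept = autosave_preserving(
                src, os.path.join(d, "#!su::!etc!apache!axkit.conf#"))
            return naive, kept
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print([oct(m) for m in demo()])
```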

