Handle sensitive auto-save or backup remote files (Bug#45245)

* doc/misc/tramp.texi (Auto-save and Backup):
Describe tramp-allow-unsafe-temporary-files.
(Ad-hoc multi-hops): Use proper format.

* etc/NEWS: Mention confirmation for writing sensitive auto-save
or backup remote files to the local temporary directory..

* lisp/net/tramp-cache.el (tramp-dump-connection-properties):
Strengthen test.

* lisp/net/tramp.el (tramp-allow-unsafe-temporary-files): New defcustom.
(tramp-handle-find-backup-file-name)
(tramp-handle-make-auto-save-file-name): Don't expose sensible
auto-save or backup files on local temporary directory.  (Bug#45245)

* test/lisp/net/tramp-tests.el (tramp--test-always): New defalias.
(tramp-test10-write-region, tramp-test21-file-links)
(tramp--test--deftest-direct-async-process): Use it.
(tramp-test37-make-auto-save-file-name)
(tramp-test38-find-backup-file-name): Extend tests.

3 files changed, 75 insertions, 38 deletions

diff --git a/lisp/net/tramp-cache.el b/lisp/net/tramp-cache.el
index fdde7fbe44e..a41620ab9f7 100644
--- a/lisp/net/tramp-cache.el
+++ b/lisp/net/tramp-cache.el
@@ -70,7 +70,8 @@
 ;;   process key retrieved by `tramp-get-process' (the main connection
 ;;   process).  Other processes could reuse these properties, avoiding
 ;;   recomputation when a new asynchronous process is created by
-;;   `make-process'.  Examples are "remote-path" or "device" (tramp-adb.el).
+;;   `make-process'.  Examples are "remote-path",
+;;   "unsafe-temporary-file" or "device" (tramp-adb.el).
 
 ;;; Code:
 
@@ -470,11 +471,11 @@ used to cache connection properties of the local machine."
 	;; don't save either, because all other properties might
 	;; depend on the login name, and we want to give the
 	;; possibility to use another login name later on.  Key
-	;; "started" exists for the "ftp" method only, which must be
+	;; "started" exists for the "ftp" method only, which must not
 	;; be kept persistent.
 	(maphash
 	 (lambda (key value)
-	   (if (and (tramp-file-name-p key) value
+	   (if (and (tramp-file-name-p key) (hash-table-p value)
 		    (not (string-equal
 			  (tramp-file-name-method key) tramp-archive-method))
 		    (not (tramp-file-name-localname key))
diff --git a/lisp/net/tramp-sh.el b/lisp/net/tramp-sh.el
index 29ed944b8b0..b613ad3f8e7 100644
--- a/lisp/net/tramp-sh.el
+++ b/lisp/net/tramp-sh.el
@@ -5296,8 +5296,7 @@ Nonexistent directories are removed from spec."
 	;; cache the result for the session only.  Otherwise, the
 	;; result is cached persistently.
 	(if (memq 'tramp-own-remote-path tramp-remote-path)
-	    (tramp-get-process vec)
-	  vec)
+	    (tramp-get-process vec) vec)
 	"remote-path"
       (let* ((remote-path (copy-tree tramp-remote-path))
 	     (elt1 (memq 'tramp-default-remote-path remote-path))
diff --git a/lisp/net/tramp.el b/lisp/net/tramp.el
index 838464e88b2..5284981961a 100644
--- a/lisp/net/tramp.el
+++ b/lisp/net/tramp.el
@@ -3627,6 +3627,11 @@ User is always nil."
 	(and (file-directory-p (file-name-directory filename))
 	     (file-writable-p (file-name-directory filename)))))))
 
+(defcustom tramp-allow-unsafe-temporary-files nil
+  "Whether root-owned auto-save or backup files can be written to \"/tmp\"."
+  :version "28.1"
+  :type 'boolean)
+
 (defun tramp-handle-find-backup-file-name (filename)
   "Like `find-backup-file-name' for Tramp files."
   (with-parsed-tramp-file-name filename nil
@@ -3642,8 +3647,25 @@ User is always nil."
 		       (tramp-make-tramp-file-name v (cdr x))
 		     (cdr x))))
 		tramp-backup-directory-alist)
-	     backup-directory-alist)))
-      (tramp-run-real-handler #'find-backup-file-name (list filename)))))
+	     backup-directory-alist))
+	  (uid (tramp-compat-file-attribute-user-id
+		(file-attributes filename 'integer)))
+	  result)
+      (prog1 ;; Run plain `find-backup-file-name'.
+	  (setq result
+		(tramp-run-real-handler
+		 #'find-backup-file-name (list filename)))
+        ;; Protect against security hole.
+	(when (and (natnump uid) (zerop uid)
+		   (file-in-directory-p (car result) temporary-file-directory)
+		   (not tramp-allow-unsafe-temporary-files)
+		   (not (with-tramp-connection-property
+			    (tramp-get-process v) "unsafe-temporary-file"
+			  (yes-or-no-p
+			   (concat
+			    "Backup file on local temporary directory, "
+			    "do you want to continue? ")))))
+	  (tramp-error v 'file-error "Unsafe backup file name"))))))
 
 (defun tramp-handle-insert-directory
   (filename switches &optional wildcard full-directory-p)
@@ -5225,37 +5247,52 @@ Return the local name of the temporary file."
   "Like `make-auto-save-file-name' for Tramp files.
 Returns a file name in `tramp-auto-save-directory' for autosaving
 this file, if that variable is non-nil."
-  (when (stringp tramp-auto-save-directory)
-    (setq tramp-auto-save-directory
-	  (expand-file-name tramp-auto-save-directory)))
-  ;; Create directory.
-  (unless (or (null tramp-auto-save-directory)
-	      (file-exists-p tramp-auto-save-directory))
-    (make-directory tramp-auto-save-directory t))
-
-  (let ((system-type
-	 (if (and (stringp tramp-auto-save-directory)
-		  (tramp-tramp-file-p tramp-auto-save-directory))
-	     'not-windows
-	   system-type))
-	(auto-save-file-name-transforms
-	 (if (null tramp-auto-save-directory)
-	     auto-save-file-name-transforms))
-	(buffer-file-name
-	 (if (null tramp-auto-save-directory)
-	     buffer-file-name
-	   (expand-file-name
-	    (tramp-subst-strs-in-string
-	     '(("_" . "|")
-	       ("/" . "_a")
-	       (":" . "_b")
-	       ("|" . "__")
-	       ("[" . "_l")
-	       ("]" . "_r"))
-	     (tramp-compat-file-name-unquote (buffer-file-name)))
-	    tramp-auto-save-directory))))
-    ;; Run plain `make-auto-save-file-name'.
-    (tramp-run-real-handler #'make-auto-save-file-name nil)))
+  (with-parsed-tramp-file-name buffer-file-name nil
+    (when (stringp tramp-auto-save-directory)
+      (setq tramp-auto-save-directory
+	    (expand-file-name tramp-auto-save-directory)))
+    ;; Create directory.
+    (unless (or (null tramp-auto-save-directory)
+		(file-exists-p tramp-auto-save-directory))
+      (make-directory tramp-auto-save-directory t))
+
+    (let ((system-type
+	   (if (and (stringp tramp-auto-save-directory)
+		    (tramp-tramp-file-p tramp-auto-save-directory))
+	       'not-windows
+	     system-type))
+	  (auto-save-file-name-transforms
+	   (if (null tramp-auto-save-directory)
+	       auto-save-file-name-transforms))
+	  (uid (tramp-compat-file-attribute-user-id
+		(file-attributes buffer-file-name 'integer)))
+	  (buffer-file-name
+	   (if (null tramp-auto-save-directory)
+	       buffer-file-name
+	     (expand-file-name
+	      (tramp-subst-strs-in-string
+	       '(("_" . "|")
+		 ("/" . "_a")
+		 (":" . "_b")
+		 ("|" . "__")
+		 ("[" . "_l")
+		 ("]" . "_r"))
+	       (tramp-compat-file-name-unquote (buffer-file-name)))
+	      tramp-auto-save-directory)))
+	  result)
+      (prog1 ;; Run plain `make-auto-save-file-name'.
+	  (setq result (tramp-run-real-handler #'make-auto-save-file-name nil))
+	;; Protect against security hole.
+	(when (and (natnump uid) (zerop uid)
+		   (file-in-directory-p result temporary-file-directory)
+		   (not tramp-allow-unsafe-temporary-files)
+		   (not (with-tramp-connection-property
+			    (tramp-get-process v) "unsafe-temporary-file"
+			  (yes-or-no-p
+			   (concat
+			    "Autosave file on local temporary directory, "
+			    "do you want to continue? ")))))
+	  (tramp-error v 'file-error "Unsafe autosave file name"))))))
 
 (defun tramp-subst-strs-in-string (alist string)
   "Replace all occurrences of the string FROM with TO in STRING.