bug-gnu-emacs

bug#37445: 27.0.50; Permission denied after make install


From: Eli Zaretskii
Subject: bug#37445: 27.0.50; Permission denied after make install
Date: Fri, 20 Sep 2019 15:40:59 +0300

> From: Paul Eggert <eggert@cs.ucla.edu>
> Date: Fri, 20 Sep 2019 02:10:10 -0700
> Cc: 37445@debbugs.gnu.org
> 
> This glitch suggests that there are more-serious security problems in the
> default Emacs install. If source-directory is (say)
> "/tmp/emacs-build/whatever", and /tmp/emacs-build is removed after the build,
> an attacker can provide a bogus source directory in place of the real one,
> and this could cause real problems.

What kind of problems could accessing such a directory cause?

Note that there are also various EMACS* environment variables that
Emacs heeds; they can override the likes of data-directory.

> Fedora 30 solves this potential security problem by arranging for the Lisp
> variable source-directory to have a value like "/usr/share/emacs/26.2/",
> which is a place attackers shouldn't be able to overwrite.
>
> However, the default Emacs install doesn't do that. It installs the sources
> into (say) "/usr/local/share/emacs/27.0.50", but it doesn't arrange for
> source-directory to point there; instead, source-directory points to wherever
> the sources happened to be when Emacs was built, which could be in /tmp. This
> sounds like a configuration error in the default Emacs install, and I plan to
> look into why it's unsafe whereas the Fedora Emacs install is safer.

If you point source-directory away from where the real sources are, some
Help features will cease working.  So I don't think we want the Fedora
solution.  What we want is that sources will be inaccessible in this
situation, but APIs such as 'load' and 'require' still work
regardless.
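
An administrator can check whether an installed Emacs is exposed to the situation discussed in this message with a path audit like the following. It is an added example, not code from this thread or from Emacs; the name `audit_path` is hypothetical, and it assumes plain POSIX ownership and mode bits (ACLs are ignored).

```python
import os
import stat
import sys

OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH

def audit_path(path, trusted_uids=None):
    """Return [(component, reason)] for parts of PATH that another local
    user could create or replace. Hypothetical helper for illustration."""
    if trusted_uids is None:
        trusted_uids = {0, os.getuid()}          # root and the invoking user
    findings = []
    # realpath resolves symlinks in the existing prefix and keeps a missing tail.
    parts = os.path.realpath(path).strip(os.sep).split(os.sep)
    current = os.sep
    parent_mode = os.stat(os.sep).st_mode
    for part in parts:
        current = os.path.join(current, part)
        try:
            st = os.lstat(current)
        except FileNotFoundError:
            # The removed-build-directory case: the component is gone and
            # its parent (for example a sticky /tmp) lets others create it.
            if parent_mode & OTHERS_WRITE:
                findings.append((current,
                    "missing, and its parent is writable by other users"))
            break
        if st.st_uid not in trusted_uids:
            findings.append((current, "owned by untrusted uid %d" % st.st_uid))
        if (stat.S_ISDIR(st.st_mode) and st.st_mode & OTHERS_WRITE
                and not st.st_mode & stat.S_ISVTX):
            # Without the sticky bit, others can rename or delete children.
            findings.append((current,
                "writable by other users without the sticky bit"))
        parent_mode = st.st_mode
    return findings

if __name__ == "__main__":
    # Pass the value of source-directory as the only argument.
    for component, reason in audit_path(sys.argv[1]):
        print("%s: %s" % (component, reason))
```

The value to audit can be printed with `emacs --batch --eval '(princ source-directory)'`; an empty result from the audit means no component of that path is controllable by another local user under the stated assumptions.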




