Auto-save, File Lock and Backup configuration
To prevent TRAMP from saving backup files owned by ‘root’ to locations accessible to others, the default backup settings in backup-directory-alist have to be altered.
Here’s a scenario where files could be inadvertently exposed. Emacs by default writes backup files to the same directory as the original files unless changed to another location, such as ~/.emacs.d/backups/. Such a directory will also be used by default by TRAMP when using, say, a restricted file /su:root@localhost:/etc/secretfile. The backup file of the secretfile is now owned by the user logged in from TRAMP and not ‘root’.
When backup-directory-alist is nil (the default), such problems do not occur.
To “turn off” the backup feature for remote files and stop TRAMP from saving to the backup directory, use this:
     (add-to-list 'backup-directory-alist
                  (cons tramp-file-name-regexp nil))
Disabling backups can be targeted to just the su and sudo methods:
     (setq backup-enable-predicate
           (lambda (name)
             (and (normal-backup-enable-predicate name)
                  (not
                   (let ((method (file-remote-p name 'method)))
                     (when (stringp method)
                       (member method '("su" "sudo"))))))))
Another option is to create better backup file naming with user and host names prefixed to the file name. For example, to transform /etc/secretfile to ~/.emacs.d/backups/!su:root@localhost:!etc!secretfile, set the TRAMP user option tramp-backup-directory-alist from the existing user option backup-directory-alist.
Then TRAMP backs up to a file name that is transformed with a prefix consisting of the DIRECTORY name. This file name prefixing happens only when the DIRECTORY is an absolute local file name.
Example:
     (add-to-list 'backup-directory-alist
                  (cons "." "~/.emacs.d/backups/"))
     (customize-set-variable
      'tramp-backup-directory-alist backup-directory-alist)
The backup file name of /su:root@localhost:/etc/secretfile would be /su:root@localhost:~/.emacs.d/backups/!su:root@localhost:!etc!secretfile~.
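As an added example (not part of the TRAMP manual or of Emacs itself), the following Emacs Lisp audits a local backup directory such as ~/.emacs.d/backups/ for backups of su and sudo files, recognised by the !su: and !sudo: name prefix shown above, and flags those with group or other permission bits set. The my/ names are hypothetical, and multi-hop file names that begin with another method are not matched.

```elisp
;;; Added example: audit a local backup directory for copies of files
;;; that were edited through TRAMP's su/sudo methods.

(defconst my/privileged-backup-regexp "\\`!\\(?:su\\|sudo\\):"
  "Matches backup names derived from /su: or /sudo: files.
Emacs replaces each \"/\" of the original file name with \"!\".")

(defun my/privileged-backup-name-p (name)
  "Return non-nil if NAME (without directory part) is a su/sudo backup."
  (string-match-p my/privileged-backup-regexp name))

(defun my/audit-backup-directory (dir)
  "Return a list of (FILE MODE EXPOSED) for su/sudo backups in DIR.
MODE is the octal permission string.  EXPOSED is non-nil when any
group or other permission bit is set on FILE."
  (let (findings)
    (dolist (file (directory-files dir t nil t))
      (when (and (file-regular-p file)
                 (my/privileged-backup-name-p
                  (file-name-nondirectory file)))
        ;; `file-modes' returns nil if the file vanished meanwhile.
        (let ((modes (file-modes file)))
          (when modes
            (push (list file
                        (format "%04o" modes)
                        (/= 0 (logand modes #o077)))
                  findings)))))
    (nreverse findings)))

;; Constructed sample names, classified without touching the disk.
(dolist (name '("!su:root@localhost:!etc!secretfile~"
                "!sudo:root@localhost:!etc!hosts~"
                "!home!user!notes.txt~"))
  (message "%-40s privileged=%s"
           name (if (my/privileged-backup-name-p name) "yes" "no")))

;; Report on the directory used in the manual's example, if it exists.
(let ((dir (expand-file-name "~/.emacs.d/backups/")))
  (when (file-directory-p dir)
    (dolist (f (my/audit-backup-directory dir))
      (message "%s mode=%s exposed=%s" (nth 0 f) (nth 1 f) (nth 2 f)))))
```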
Just as for backup files, similar issues of file naming affect auto-saving remote files. Auto-saved files are saved in the directory specified by the user option auto-save-file-name-transforms. By default this is set to the local temporary directory. But in some versions of Debian GNU/Linux, this points to the source directory where Emacs was compiled. Reset such values to a valid directory.
Set auto-save-file-name-transforms to nil to save auto-saved files to the same directory as the original file.
Alternatively, set the user option tramp-auto-save-directory to direct all auto saves to that location.
If you want to suppress auto-saving of remote files entirely, set the user option remote-file-name-inhibit-auto-save to non-nil.
An alternative to auto-save-mode is auto-save-visited-mode. In this mode, auto-saving is identical to explicit saving. If you want to disable this behavior for remote files, set user option remote-file-name-inhibit-auto-save-visited to non-nil.
And still more issues to handle. Since Emacs 28, file locks use a user option similar to that of auto-save files, called lock-file-name-transforms. By default this user option is nil, meaning that file locks are kept in the same directory as the original file.
If you change lock-file-name-transforms in order to keep file locks for remote files somewhere else, you will lose Emacs’s ability to warn you when a file is changed in parallel from different Emacs sessions or via different remote connections. Be careful with such settings.
Setting remote-file-name-inhibit-locks to non-nil prevents the creation of remote lock files altogether.
By default, TRAMP asks for confirmation if a ‘root’-owned remote backup, auto-save or lock file has to be written to your local temporary directory. If you want to suppress this confirmation question, set the user option tramp-allow-unsafe-temporary-files to t.