To avoid TRAMP saving backup files owned by ‘root’ to locations accessible to others, the default backup settings in ‘backup-directory-alist’ have to be altered.
Here’s a scenario where files could be inadvertently exposed. By default, Emacs writes backup files to the same directory as the original files unless configured to use another location, such as ~/.emacs.d/backups/. TRAMP also uses such a directory by default when editing, say, a restricted file /su:root@localhost:/etc/secretfile. The backup of secretfile is then owned by the local user who ran TRAMP, not by ‘root’, and is no longer protected by the original file’s permissions.
When ‘backup-directory-alist’ is nil (the default), such problems do not occur.
To “turn off” the backup feature for remote files and stop TRAMP from saving to the backup directory, use this:
    (add-to-list 'backup-directory-alist (cons tramp-file-name-regexp nil))
Disabling backups can be targeted to just the su and sudo methods:

    (setq backup-enable-predicate
          (lambda (name)
            (and (normal-backup-enable-predicate name)
                 (not (let ((method (file-remote-p name 'method)))
                        (when (stringp method)
                          (member method '("su" "sudo"))))))))
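The predicate above keys on the method only. The following is an added example, not code from the TRAMP manual, that generalizes it: it also refuses backups for a remote file opened with the user part ‘root’ over any other method (ssh, scp, ...), keeps the su and sudo rule for names without a user part, and carries an ERT test so the policy can be checked offline before editing anything sensitive. The function names with the my/ prefix and the host name host.example are assumptions made for the example.

```elisp
;; Added example (not from the TRAMP manual): backup policy that skips
;; remote files which would be written as root, with an offline test.
(require 'tramp)
(require 'ert)

(defun my/root-remote-file-p (name)
  "Return non-nil when NAME is a remote file that will be written as root.
su and sudo count even without a user part, since root is their default
user.  Any other method counts only when the user part is literally
\"root\".  Only the file name is parsed; no connection is opened."
  (let ((method (file-remote-p name 'method))
        (user (file-remote-p name 'user)))
    (and (stringp method)
         (or (member method '("su" "sudo"))
             (equal user "root")))))

(defun my/safe-backup-enable-p (name)
  "Backup predicate: the usual Emacs rules, minus root-owned remote files."
  (and (normal-backup-enable-predicate name)
       (not (my/root-remote-file-p name))))

(setq backup-enable-predicate #'my/safe-backup-enable-p)

;; Constructed sample names; run with M-x ert RET my/ RET.
(ert-deftest my/safe-backup-enable-p-test ()
  "Root-owned remote files get no backup; ordinary files still do."
  (should-not (my/safe-backup-enable-p "/su:root@localhost:/etc/secretfile"))
  (should-not (my/safe-backup-enable-p "/sudo::/etc/secretfile"))
  (should-not (my/safe-backup-enable-p "/ssh:root@host.example:/etc/secretfile"))
  (should (my/safe-backup-enable-p "/ssh:alice@host.example:/home/alice/notes.txt"))
  (should (my/safe-backup-enable-p "/home/alice/notes.txt")))
```

Because ‘file-remote-p’ only parses the name, a user part that is absent (as in /sudo::) comes back as nil; that is why the method check is kept alongside the user check rather than replaced by it.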
Another option is better backup file naming, with user and host names prefixed to the file name. For example, to transform /etc/secretfile to ~/.emacs.d/backups/!su:root@localhost:!etc!secretfile, set the TRAMP user option ‘tramp-backup-directory-alist’ from the existing user option ‘backup-directory-alist’.
Then TRAMP backs up to a file name that is transformed with a prefix consisting of the DIRECTORY name, where DIRECTORY is the second element of the matching (REGEXP . DIRECTORY) entry. This file name prefixing happens only when DIRECTORY is an absolute local file name.
Example:

    (add-to-list 'backup-directory-alist (cons "." "~/.emacs.d/backups/"))
    (customize-set-variable 'tramp-backup-directory-alist backup-directory-alist)
The backup file name of /su:root@localhost:/etc/secretfile would be /su:root@localhost:~/.emacs.d/backups/!su:root@localhost:!etc!secretfile~.
Just as for backup files, similar issues of file naming affect auto-saving remote files. Auto-saved files are saved in the directory specified by the user option ‘auto-save-file-name-transforms’.
By default this is set to the local temporary directory. But in some versions of Debian GNU/Linux, this points to the source directory where Emacs was compiled. Reset such values to a valid directory.
Set ‘auto-save-file-name-transforms’ to nil to save auto-saved files to the same directory as the original file.

Alternatively, set the user option ‘tramp-auto-save-directory’ to direct all auto-saves to that location.
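The following is an added example, not code from the TRAMP manual, that puts the two points above into an init-file fragment: it checks whether any absolute target directory named in ‘auto-save-file-name-transforms’ is missing (the stale compile-time path case), and it points remote auto-saves at a local directory restricted to the owner, so a root-owned file’s contents do not land in a world-readable temporary directory. The my/ function names and the directory names under ‘user-emacs-directory’ are assumptions made for the example.

```elisp
;; Added example (not from the TRAMP manual): validate the auto-save
;; transforms and keep remote auto-saves in an owner-only directory.
(require 'tramp)

(defun my/missing-auto-save-dirs ()
  "Return the absolute target directories in
`auto-save-file-name-transforms' that do not exist.
An empty list means every transform points at a usable directory."
  (let (missing)
    (dolist (transform auto-save-file-name-transforms)
      ;; Each entry is (REGEXP REPLACEMENT UNIQUIFY); only the directory
      ;; part of REPLACEMENT names a fixed place on disk.
      (let ((dir (file-name-directory (nth 1 transform))))
        (when (and dir
                   (file-name-absolute-p dir)
                   (not (file-directory-p dir)))
          (push dir missing))))
    (nreverse missing)))

(defun my/ensure-private-directory (dir)
  "Create DIR if needed and restrict it to the owner (mode 0700).
Return the expanded directory name, with a trailing slash."
  (let ((dir (file-name-as-directory (expand-file-name dir))))
    (unless (file-directory-p dir)
      (make-directory dir t))
    (set-file-modes dir #o700)
    dir))

;; Remote auto-saves go to a private local directory (assumed name).
(setq tramp-auto-save-directory
      (my/ensure-private-directory
       (expand-file-name "tramp-auto-save/" user-emacs-directory)))

;; If a transform targets a directory that no longer exists, replace the
;; setting with a single uniquifying transform into a private directory.
(let ((missing (my/missing-auto-save-dirs)))
  (when missing
    (message "Resetting auto-save-file-name-transforms; missing: %S" missing)
    (setq auto-save-file-name-transforms
          `((".*" ,(my/ensure-private-directory
                    (expand-file-name "auto-save/" user-emacs-directory))
             t)))))
```

With UNIQUIFY set to t, Emacs keeps only the directory part of the replacement and appends the visited file name with its slashes turned into ‘!’, so local files from different directories cannot collide in the shared auto-save directory.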
An alternative to ‘auto-save-mode’ is ‘auto-save-visited-mode’. In this mode, auto-saving is identical to explicit saving. If you want to disable this behavior for remote files, set the user option ‘remote-file-name-inhibit-auto-save-visited’ to non-nil.
And still more issues to handle. Since Emacs 28, file locks use a similar user option to auto-save files, called ‘lock-file-name-transforms’. By default this user option is nil, meaning to keep file locks in the same directory as the original file.
If you change ‘lock-file-name-transforms’ in order to keep file locks for remote files somewhere else, you will lose Emacs’s ability to warn you if a file is changed in parallel from different Emacs sessions, or via different remote connections. Be careful with such settings.
Setting ‘remote-file-name-inhibit-locks’ to non-nil prevents the creation of remote lock files altogether.
By default, TRAMP asks for confirmation if a ‘root’-owned remote backup, auto-save or lock file has to be written to your local temporary directory. If you want to suppress this confirmation question, set the user option ‘tramp-allow-unsafe-temporary-files’ to t.