From: Jim Porter
Newsgroups: gmane.emacs.bugs
Subject: bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when starting daemon on-demand
Date: Tue, 7 Dec 2021 22:57:28 -0800
Message-ID: <3107b151-c56b-7c8d-7277-cbc39273a401@gmail.com>
To: Paul Eggert, Stefan Kangas, Eli Zaretskii
Cc: 51327@debbugs.gnu.org
X-GNU-PR-Keywords: security patch

On 12/7/2021 11:03 AM, Paul Eggert wrote:
> Ulrich says the loophole is small because Emacs verifies that the
> current user is the socket owner. However, small loopholes can still be
> exploited: for example, an attacker could cause you to think that you're
> connecting to your Emacs when you're really connecting to another of
> your processes, and this could still lead to problems (particularly if
> you're root).

While I understand that Ulrich's goal is for things to Just Work with
Gentoo's app-emacs/emacs-daemon package (which puts the socket in
$TMPDIR), it seems there's no way to get that without opening at least a
small loophole. When the user is guaranteed to be connecting to an Emacs
daemon whose socket is in $TMPDIR, it's sufficient on Emacs 27 to just
unset $XDG_RUNTIME_DIR first. However, from my discussion with Ulrich
before[1], I believe one of the goals is to look in *both* places for a
socket to be more flexible, as Emacs 28 currently does.

Doing that by default opens a loophole for all emacsclient users, but
what about a command-line flag like `emacsclient
--allow-tmpdir-loophole' and/or an environment variable like
`EMACS_ALLOW_TMPDIR_LOOPHOLE=1 emacsclient' (with a better name, of
course)? Then, the default behavior would be free of loopholes[2], but
Ulrich's case could be achieved by passing that flag when calling
emacsclient. It might even be possible for Gentoo to enable that for the
user in the appropriate cases...

That's not as user-/distro-friendly as things just working
automatically, but maybe it would be a decent compromise? Of course, if
the loophole is small enough, maybe the current behavior in Emacs 28 is
ok (aside from the warning message). I'm not an expert on the security
implications though, so I don't have a strong opinion on which way to go
here.

[1] https://lists.gnu.org/archive/html/emacs-devel/2021-11/msg00435.html

[2] Well, *known* loopholes...
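
A sketch of the lookup policy proposed in this message, added here as an example and not taken from emacsclient.c: the socket under the runtime directory is always considered, and the $TMPDIR location only when an explicit opt-in is passed. The function names, the `emacs/server` and `emacs<uid>/server` layout, and the ownership and permission checks are assumptions for illustration.

```c
#define _DEFAULT_SOURCE 1  /* expose lstat, mkdtemp, mknod on glibc */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Accept DIR/server only if DIR is a real directory owned by UID with no
   group/other write bit, and the entry is a socket that UID owns. */
static bool socket_trusted(const char *dir, uid_t uid, char *out, size_t n)
{
  struct stat d, s;
  if (lstat(dir, &d) != 0 || !S_ISDIR(d.st_mode) || d.st_uid != uid
      || (d.st_mode & (S_IWGRP | S_IWOTH)))
    return false;
  if (snprintf(out, n, "%s/server", dir) >= (int) n)
    return false;
  return lstat(out, &s) == 0 && S_ISSOCK(s.st_mode) && s.st_uid == uid;
}

/* 1: found under RUNTIME; 2: found under TMP, which is consulted only when
   ALLOW_TMPDIR (the hypothetical opt-in) is set; 0: nothing acceptable. */
int find_socket(const char *runtime, const char *tmp, bool allow_tmpdir,
                char *out, size_t n)
{
  char dir[4096];
  unsigned long uid = geteuid();
  if (runtime && snprintf(dir, sizeof dir, "%s/emacs", runtime) < (int) sizeof dir
      && socket_trusted(dir, uid, out, n))
    return 1;
  if (allow_tmpdir && tmp
      && snprintf(dir, sizeof dir, "%s/emacs%lu", tmp, uid) < (int) sizeof dir
      && socket_trusted(dir, uid, out, n))
    return 2;
  return 0;
}

/* Constructed fixture: one scratch root stands in for both directories and
   holds only the TMPDIR-style socket.  Returns -1 on setup error. */
int demo(bool allow_tmpdir)
{
  char root[] = "/tmp/sockdemoXXXXXX", d[64], out[128];
  if (!mkdtemp(root)) return -1;
  snprintf(d, sizeof d, "%s/emacs%lu", root, (unsigned long) geteuid());
  snprintf(out, sizeof out, "%s/server", d);
  if (mkdir(d, 0700) != 0 || mknod(out, S_IFSOCK | 0600, 0) != 0) return -1;
  return find_socket(root, root, allow_tmpdir, out, sizeof out);
}

int main(void) { return printf("%d %d\n", demo(false), demo(true)) < 0; }
```

With the opt-in off, a socket that exists only in the $TMPDIR-style location is not used; with it on, the same ownership and permission checks still apply before the path is accepted.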