From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Jim Porter <jporterbugs@gmail.com>
Newsgroups: gmane.emacs.bugs
Subject: bug#51327: 28.0.60;
 emacsclient warns about XDG_RUNTIME_DIR when starting daemon on-demand
Date: Sat, 30 Oct 2021 12:37:02 -0700
Message-ID: <53706fa9-1458-fb5c-bd31-15ab555b59e9@gmail.com>
References: <ba5ee273-9d0f-7baf-ef2e-d0b005f29ed0@gmail.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="------------D0A415F2BE8E27FC4474B716"
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="10332"; mail-complaints-to="usenet@ciao.gmane.io"
Cc: eggert@cs.ucla.edu
To: 51327@debbugs.gnu.org
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Sat Oct 30 21:38:13 2021
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1mguBA-0002ZD-UK
	for geb-bug-gnu-emacs@m.gmane-mx.org; Sat, 30 Oct 2021 21:38:13 +0200
Original-Received: from localhost ([::1]:51380 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1mguB9-0005qI-K7
	for geb-bug-gnu-emacs@m.gmane-mx.org; Sat, 30 Oct 2021 15:38:11 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:53140)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1mguB0-0005qA-GB
 for bug-gnu-emacs@gnu.org; Sat, 30 Oct 2021 15:38:02 -0400
Original-Received: from debbugs.gnu.org ([209.51.188.43]:46939)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1mguB0-0004Ni-6h
 for bug-gnu-emacs@gnu.org; Sat, 30 Oct 2021 15:38:02 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1mguAz-0008PV-TW
 for bug-gnu-emacs@gnu.org; Sat, 30 Oct 2021 15:38:01 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: Jim Porter <jporterbugs@gmail.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Sat, 30 Oct 2021 19:38:01 +0000
Resent-Message-ID: <handler.51327.B51327.163562263332274@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 51327
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security
Original-Received: via spool by 51327-submit@debbugs.gnu.org id=B51327.163562263332274
 (code B ref 51327); Sat, 30 Oct 2021 19:38:01 +0000
Original-Received: (at 51327) by debbugs.gnu.org; 30 Oct 2021 19:37:13 +0000
Original-Received: from localhost ([127.0.0.1]:58485 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1mguAC-0008OU-JA
 for submit@debbugs.gnu.org; Sat, 30 Oct 2021 15:37:12 -0400
Original-Received: from mail-pj1-f43.google.com ([209.85.216.43]:42703)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <jporterbugs@gmail.com>) id 1mguAA-0008OI-Pd
 for 51327@debbugs.gnu.org; Sat, 30 Oct 2021 15:37:11 -0400
Original-Received: by mail-pj1-f43.google.com with SMTP id
 nn3-20020a17090b38c300b001a03bb6c4ebso9745835pjb.1
 for <51327@debbugs.gnu.org>; Sat, 30 Oct 2021 12:37:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; 
 h=subject:from:to:cc:references:message-id:date:mime-version
 :in-reply-to:content-language;
 bh=eokKXPErDDuO3HWssqTTmpUCjEMOQ0t7scrKT861+FM=;
 b=MKFM5CpMfMzjNU9Rk49uX0Q6htO1L0/WD6b3rRYwq/ddS1v8spZmvcUGXdA5G5o/iZ
 BjLAoyMPEKqHJJAyIa2A6v9w3egfXuL/MUUFgtZBYKvFXdfYGX4FQt+6Ne6wvGbTpOZs
 ieNeIBvq72/S4lQjWB5kjVP74QLKOriTGa4VWC0yrhP3MIIXa/gVY/1vaMTfV6flU+LZ
 OgycYyVGSiu1PaqGeQBA55muV9xd2k5Km1VeetGupbjoFLCJqIhWm7OGOib2hxvvDwsj
 YcHvck/7XDGrKbM7NXNog25Ksi5V/o4iBZIz5tLyylAkpoPXtr9U+BkAZfAUWczimPo2
 G+6A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:subject:from:to:cc:references:message-id:date
 :mime-version:in-reply-to:content-language;
 bh=eokKXPErDDuO3HWssqTTmpUCjEMOQ0t7scrKT861+FM=;
 b=zjW/oHg85xGFj2hDCqV3Wx3OVvNt7EMmZWYWc/SV951MoIOPPIe9VonBU1LewVbo0V
 clnr9v5QwdYtTdDQvOvmeZRpfwHoFcb5AWMwdgNAd9WK4b19Ax/fmuGL7RJt4xAb0t53
 p5HSntoBMbOE5IgAvFUIhL6UbuUI/dAMW3JTfbzBQlxe3q4PWTag395s2sLTc8mzbACZ
 etbuGI3L4I+1A4OUHqZuEkR1auQyGqKIX3/nt4W6NCUVQlXEYmIGS3Qv9H0e1EcsikZL
 AgVU8sOS7uf4b6HUPci/8urSpkvy9KVuuGBN90F1ljG04lTKfBqc7xeHWRaOsaZR0OXN
 QpUQ==
X-Gm-Message-State: AOAM533/Bc9CREgNUDSfv3IkpumPVUZ21qO+bXIi6WB8bCNNEqfqCbRp
 CRTOwD1G/Y66d3hEFJAEETI=
X-Google-Smtp-Source: ABdhPJyI/e8AoTgDvlm292LxfLerIobqInZXnNEjgRxp3IKmNOOofiPqOAh0sZR4ovGdup3gUKJdeg==
X-Received: by 2002:a17:902:b94a:b0:141:8454:d665 with SMTP id
 h10-20020a170902b94a00b001418454d665mr16548780pls.88.1635622624834; 
 Sat, 30 Oct 2021 12:37:04 -0700 (PDT)
Original-Received: from [192.168.1.2] (cpe-76-168-148-233.socal.res.rr.com.
 [76.168.148.233])
 by smtp.googlemail.com with ESMTPSA id m4sm4176913pjs.1.2021.10.30.12.37.02
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Sat, 30 Oct 2021 12:37:03 -0700 (PDT)
In-Reply-To: <ba5ee273-9d0f-7baf-ef2e-d0b005f29ed0@gmail.com>
Content-Language: en-US
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Original-Sender: "bug-gnu-emacs"
 <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Xref: news.gmane.io gmane.emacs.bugs:218641
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/218641>

This is a multi-part message in MIME format.
--------------D0A415F2BE8E27FC4474B716
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit

On 10/21/2021 9:58 PM, Jim Porter wrote:
> Normally, when running `emacsclient --alternate-editor=""' with no Emacs 
> server running, it will run `emacs --daemon' and then connect to it. In 
> Emacs 28, it will also issue the following warning:
> 
>    Should XDG_RUNTIME_DIR='/run/user/1000' be in the environment?
>    (Be careful: XDG_RUNTIME_DIR is security-related.)
> 
> However, XDG_RUNTIME_DIR *is* set in my environment, so it shouldn't be 
> warning me about it.
> 
> I believe this is due to the fix for bug#33847 (see commit 
> 007744dd0404d6febca88b00c22981cc630fb8c0). That bug asked for 
> emacsclient to look in both XDG_RUNTIME_DIR and TMPDIR to find the 
> server socket, in order to accommodate the case where `emacs --daemon' 
> is started when XDG_RUNTIME_DIR is unset, but *is* set when running 
> `emacsclient'.

Attached is a patch that should fix this by skipping the TMPDIR check 
whenever a) we have an alternate editor and b) XDG_RUNTIME_DIR is set. 
This has the benefit of supporting the use case in bug#33847 as well as 
users who start the Emacs daemon on-demand.

The only flaw I can think of with this method is that it would still be 
technically possible to perform a symlink attack against a user who runs 
`emacs --daemon' explicitly with XDG_RUNTIME_DIR set, and then runs 
`emacsclient' without an alternate editor set. However, this would 
require the attacker to be able to kill the `emacs --daemon' process 
somehow so that emacsclient falls back to looking in TMPDIR. I'm not 
sure that's a realistic attack vector, but I thought I'd mention it for 
completeness.

--------------D0A415F2BE8E27FC4474B716
Content-Type: text/plain; charset=UTF-8;
 name="0001-Prevent-symlink-attacks-in-emacsclient-when-an-alter.patch"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename*0="0001-Prevent-symlink-attacks-in-emacsclient-when-an-alter.pa";
 filename*1="tch"

RnJvbSA2YjhjN2E5ODgxYjc5MjU0YzYxODM1NmE0ZGZhMjU3ODEyYTZmZTVjIE1vbiBTZXAg
MTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBKaW0gUG9ydGVyIDxqcG9ydGVyYnVnc0BnbWFpbC5j
b20+CkRhdGU6IFNhdCwgMzAgT2N0IDIwMjEgMTI6MjI6MDIgLTA3MDAKU3ViamVjdDogW1BB
VENIXSBQcmV2ZW50IHN5bWxpbmsgYXR0YWNrcyBpbiBlbWFjc2NsaWVudCB3aGVuIGFuIGFs
dGVybmF0ZQogZWRpdG9yIGlzIHNldAoKKiBsaWItc3JjL2VtYWNzY2xpZW50LmMgKHNldF9s
b2NhbF9zb2NrZXQpOiBEb24ndCBsb29rIGluIFRNUERJUiBmb3IgYQpzb2NrZXQgaWYgd2Ug
aGF2ZSBhbiBhbHRlcm5hdGUgZWRpdG9yIGFuZCBYREdfUlVOVElNRV9ESVIgaXMgc2V0CihC
dWcjNTEzMjcpLgotLS0KIGxpYi1zcmMvZW1hY3NjbGllbnQuYyB8IDUgKysrKy0KIDEgZmls
ZSBjaGFuZ2VkLCA0IGluc2VydGlvbnMoKyksIDEgZGVsZXRpb24oLSkKCmRpZmYgLS1naXQg
YS9saWItc3JjL2VtYWNzY2xpZW50LmMgYi9saWItc3JjL2VtYWNzY2xpZW50LmMKaW5kZXgg
Y2ZmM2NlYzJhNy4uMTMwNTIyNjA1NiAxMDA2NDQKLS0tIGEvbGliLXNyYy9lbWFjc2NsaWVu
dC5jCisrKyBiL2xpYi1zcmMvZW1hY3NjbGllbnQuYwpAQCAtMTQ2Niw3ICsxNDY2LDEwIEBA
IHNldF9sb2NhbF9zb2NrZXQgKGNoYXIgY29uc3QgKnNlcnZlcl9uYW1lKQogCQkJID8gY29u
bmVjdF9zb2NrZXQgKEFUX0ZEQ1dELCBzb2NrbmFtZSwgcywgMCkKIAkJCSA6IEVOQU1FVE9P
TE9ORyk7CiAJfQotICAgICAgaWYgKHNvY2tfc3RhdHVzID09IEVOT0VOVCkKKyAgICAgIC8q
IEZhbGwgYmFjayB0byBjaGVja2luZyBmb3IgYSBzb2NrZXQgaW4gVE1QRElSIHVubGVzcyB3
ZSBoYXZlCisJIGFuIGFsdGVybmF0ZSBlZGl0b3IgYW5kIFhER19SVU5USU1FX0RJUiBpcyBz
ZXQuICBJbiB0aGF0CisJIGNhc2UsIHdlIHdhbnQgdG8gYmFpbCBvdXQgYW5kIHNwYXduIHRo
ZSBhbHRlcm5hdGUgZWRpdG9yLiAqLworICAgICAgaWYgKCEoeGRnX3J1bnRpbWVfZGlyICYm
IGFsdGVybmF0ZV9lZGl0b3IpICYmIHNvY2tfc3RhdHVzID09IEVOT0VOVCkKIAl7CiAJICBj
aGFyIGNvbnN0ICp0bXBkaXIgPSBlZ2V0ZW52ICgiVE1QRElSIik7CiAJICBpZiAodG1wZGly
KQotLSAKMi4yNS4xCgo=
--------------D0A415F2BE8E27FC4474B716--