bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when starting daemon on demand

[Jim Porter <jporterbugs@gmail.com>]

On 11/11/2021 5:04 AM, Ulrich Mueller wrote:
>>>>>> On Fri, 05 Nov 2021, Ulrich Mueller wrote:
> 
>>>>>> On Fri, 05 Nov 2021, Jim Porter wrote:
>>> I'm not an expert on this kind of attack, but my understanding is that
>>> it could go something like this:
> 
>>> 1. Attacker runs `evil-daemon' which puts its socket in /tmp/evil
>>> 2. Attacker runs `ln -s /tmp/evil /tmp/emacs1000/server'
> 
>> Right, and IIUC this must be carefully timed to exploit some race
>> condition between permission checking and creating the socket. I am
>> not an expert on this either.
> 
> Thinking about it some more, when you always start the daemon with
> XDG_RUNTIME_DIR present, there won't be a /tmp/emacs1000/server (at
> least not one with correct user and permissions), and I don't believe
> that a symlink attack would be possible.
> 
> OTOH, when you start the daemon without XDG_RUNTIME_DIR, then the socket
> will be created in /tmp, but in that case you'd want the client to find
> it there.

The case I'm concerned about is when the daemon *hasn't* been started 
yet by the time emacsclient is called. In that case, emacsclient checks 
both XDG_RUNTIME_DIR and TMPDIR before giving up and starting the 
daemon. In this case, that means that even on a system where Emacs only 
uses XDG_RUNTIME_DIR in practice, it'll still search TMPDIR the first 
time when looking for the (non-existent) daemon. The question then is 
whether it's safe for the emacsclient to look in TMPDIR to confirm that 
no daemon already exists.

It's possible that this behavior is perfectly safe, but the way the code 
is currently written (plus Paul Eggert's reply in this bug) seem to 
indicate that it's vulnerable to attack. If it really is vulnerable, 
then I think it should be fixed; if it's safe, then just eliminating the 
warning is sufficient of course.