From: Jim Porter
Newsgroups: gmane.emacs.bugs
Subject: bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when starting daemon on demand
Date: Thu, 11 Nov 2021 09:06:36 -0800
To: Ulrich Mueller, 51327@debbugs.gnu.org
Cc: Paul Eggert
Message-ID: <82a66db9-f9b3-fc0f-a98d-8900d4fec066@gmail.com>
References: <238ece9e-df13-a604-ba3a-36b346857423@gmail.com>
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security
On 11/11/2021 5:04 AM, Ulrich Mueller wrote:
>>>>>> On Fri, 05 Nov 2021, Ulrich Mueller wrote:
>
>>>>>> On Fri, 05 Nov 2021, Jim Porter wrote:
>>> I'm not an expert on this kind of attack, but my understanding is that
>>> it could go something like this:
>
>>> 1. Attacker runs `evil-daemon' which puts its socket in /tmp/evil
>>> 2. Attacker runs `ln -s /tmp/evil /tmp/emacs1000/server'
>
>> Right, and IIUC this must be carefully timed to exploit some race
>> condition between permission checking and creating the socket. I am
>> not an expert on this either.
>
> Thinking about it some more, when you always start the daemon with
> XDG_RUNTIME_DIR present, there won't be a /tmp/emacs1000/server (at
> least not one with correct user and permissions), and I don't believe
> that a symlink attack would be possible.
>
> OTOH, when you start the daemon without XDG_RUNTIME_DIR, then the socket
> will be created in /tmp, but in that case you'd want the client to find
> it there.

The case I'm concerned about is when the daemon *hasn't* been started yet by the time emacsclient is called. In that case, emacsclient checks both XDG_RUNTIME_DIR and TMPDIR before giving up and starting the daemon. This means that even on a system where Emacs only uses XDG_RUNTIME_DIR in practice, it'll still search TMPDIR the first time when looking for the (non-existent) daemon.

The question then is whether it's safe for the emacsclient to look in TMPDIR to confirm that no daemon already exists. It's possible that this behavior is perfectly safe, but the way the code is currently written (plus Paul Eggert's reply in this bug) seems to indicate that it's vulnerable to attack. If it really is vulnerable, then I think it should be fixed; if it's safe, then just eliminating the warning is sufficient, of course.
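The thread above asks whether a client that looks for a socket under a world-writable directory (the `/tmp/emacs1000/server` of the example, with an attacker-planted symlink to `/tmp/evil`) can be fooled. As an added example, not code from emacsclient or from this bug report, the C program below shows the two checks a practitioner would want on such a path: a pre-connect `lstat` filter, which is subject to exactly the check-then-use race Ulrich mentions, and a post-connect `SO_PEERCRED` check, which asks the kernel who actually owns the other end of the connection and is therefore not defeated by an entry swapped in between the check and the `connect`. The demo functions, the temporary directory name and the dangling `/tmp/evil` link target are constructed for the demonstration; `SO_PEERCRED` is Linux-specific (BSDs offer `getpeereid`/`LOCAL_PEERCRED` instead).

```c
/* Added example (not emacsclient code): two checks for a Unix-domain socket
   found under a world-writable directory such as $TMPDIR.  Linux-specific
   because of SO_PEERCRED.  Names and paths below are made up for the demo. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Same layout as the kernel's struct ucred; declared locally so the example
   does not depend on feature-test macros being set before the first include. */
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };

/* Pre-connect filter.  lstat (not stat) so a symlink is reported as a link
   rather than as whatever it points to; the entry must be a socket, owned by
   UID, and not writable by group or others.  This is a time-of-check test:
   whoever can write the parent directory may still replace the entry between
   this lstat and the connect, so it only narrows the window.  */
static int
socket_path_looks_ours (const char *path, uid_t uid)
{
  struct stat st;
  if (lstat (path, &st) != 0)
    return 0;
  if (!S_ISSOCK (st.st_mode))          /* symlink, regular file, dir: reject */
    return 0;
  if (st.st_uid != uid)
    return 0;
  if (st.st_mode & (S_IWGRP | S_IWOTH))
    return 0;
  return 1;
}

/* Post-connect check.  SO_PEERCRED returns the credentials of the process
   that set up the other end of the connected socket, whatever path led to
   it; a symlink to an attacker's socket yields the attacker's uid here.  */
static int
peer_is_us (int fd, uid_t uid)
{
  struct peer_cred cr;
  socklen_t len = sizeof cr;
  if (getsockopt (fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) != 0)
    return 0;
  return cr.uid == uid;
}

/* Demo 1: socketpair() stands in for a connection to a daemon we started
   ourselves, so the peer credential check must pass.  Returns 1 on success. */
static int
demo_peer_check (void)
{
  int sv[2];
  if (socketpair (AF_UNIX, SOCK_STREAM, 0, sv) != 0)
    return -1;
  int ok = peer_is_us (sv[0], getuid ());
  close (sv[0]);
  close (sv[1]);
  return ok;
}

/* Demo 2: in a fresh temporary directory, plant "server" as a symlink to a
   path we do not own (the /tmp/evil of the thread; it need not exist) and
   bind a real socket "real" with mode 0700.  The pre-connect filter must
   reject the link and accept the socket.  Returns 1 when both hold.  */
static int
demo_path_check (void)
{
  char dir[] = "/tmp/sockcheck-XXXXXX";   /* constructed demo location */
  char link_path[64], sock_path[64];
  struct sockaddr_un sa;
  int s = -1, result = -1;

  if (mkdtemp (dir) == NULL)
    return -1;
  snprintf (link_path, sizeof link_path, "%s/server", dir);
  snprintf (sock_path, sizeof sock_path, "%s/real", dir);

  if (symlink ("/tmp/evil", link_path) == 0
      && (s = socket (AF_UNIX, SOCK_STREAM, 0)) >= 0)
    {
      memset (&sa, 0, sizeof sa);
      sa.sun_family = AF_UNIX;
      strncpy (sa.sun_path, sock_path, sizeof sa.sun_path - 1);
      mode_t old = umask (077);           /* socket file ends up srwx------ */
      if (bind (s, (struct sockaddr *) &sa, sizeof sa) == 0)
        result = !socket_path_looks_ours (link_path, getuid ())
                 && socket_path_looks_ours (sock_path, getuid ());
      umask (old);
      close (s);
    }
  unlink (sock_path);
  unlink (link_path);
  rmdir (dir);
  return result;
}

int
main (void)
{
  printf ("peer credential check: %d\n", demo_peer_check ());
  printf ("pre-connect path check: %d\n", demo_path_check ());
  return 0;
}
```

The point of pairing the two checks is that only the second one answers the question the thread raises: the `lstat` filter can be satisfied at the instant it runs and be wrong by the time `connect` is called, whereas `SO_PEERCRED` is evaluated on the connection that actually exists. Note that this covers the connect side only; it says nothing about what a client should do once it has concluded that no daemon of its own is listening.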