From: Stefan Kangas <stefankangas@gmail.com>
To: Eli Zaretskii <eliz@gnu.org>, Dmitry Gutov <dmitry@gutov.dev>
Cc: jm@pub.pink, 75017@debbugs.gnu.org
Subject: bug#75017: 31.0.50; Untrusted user lisp files
Date: Mon, 23 Dec 2024 14:36:35 +0000 [thread overview]
Message-ID: <CADwFkmk7A+KmWYuBcF3kQAuDJCi2Vx2san6xpJ6Y4T7PWkrYNw@mail.gmail.com> (raw)
In-Reply-To: <865xna60oj.fsf@gnu.org>
Eli Zaretskii <eliz@gnu.org> writes:
>> Date: Sun, 22 Dec 2024 22:27:34 +0200
>> Cc: stefankangas@gmail.com, jm@pub.pink, 75017@debbugs.gnu.org
>> From: Dmitry Gutov <dmitry@gutov.dev>
>>
>> On 22/12/2024 22:23, Eli Zaretskii wrote:
>> >> And Emacs will load whatever's written there on the next restart.
>> >> Whether the user wrote to those files, or someone else.
>> > Yes, and your point is..?
>>
>> That whatever malicious code we try to protect against using the
>> "trusted content" mechanism would be executed anyway.
>
> The scenario I have in mind is this:
>
> . Emacs session is running; when it was started, there was no
> site-init file
> . User notices that site-init file appeared
> . User visits the site-init file
> . Malicious macro in site-init file is executed
>
> IOW, there could be valid situations where the user visits the file
> before restarting Emacs (which would load the file). In these
> situations, it would make sense to treat the file as not trusted --
> unless the user tells us it should always be unconditionally trusted.
Thanks, I saw this post after sending my most recent reply. I think the
above scenario is valid, but I don't think it's common.
However, if we want to mitigate that specific scenario, maybe we should
only treat `site-init-file` as `trusted-content-p` if a site-file
existed on Emacs startup.
While I do see a difference between `user-init-file` and
`site-init-file`, I think we should treat this set of files as
equivalent when it comes to `trusted-content-p`:
user-init-file
early-init-file
site-init-file
Either they should all be `trusted-content-p`, or none of them should.
In other words, I believe that this part of my reply also still stands:
SK> First, I note that it's likely already game over if an attacker can
SK> write to `site-init-file`, because they can then just as easily write
SK> to your init file (or other relevant files in `load-path`) instead.
BTW, this all shows that Stefan Monnier is correct when he laments that
"trust sucks". It really does. We should implement proper sandboxing
when byte-compiling these files, using bwrap or similar. Only when that
is done, can we have reasonably strong security guarantees.
next prev parent reply other threads:[~2024-12-23 14:36 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-21 20:48 bug#75017: 31.0.50; Untrusted user lisp files john muhl
2024-12-22 2:47 ` Stefan Kangas
2024-12-22 3:16 ` Stefan Monnier via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-12-22 6:12 ` Eli Zaretskii
2024-12-22 17:36 ` Stefan Kangas
2024-12-22 18:41 ` Eli Zaretskii
2024-12-22 18:47 ` Drew Adams via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-12-23 14:10 ` Stefan Kangas
2024-12-23 14:29 ` Eli Zaretskii
2024-12-24 0:35 ` Stefan Kangas
2024-12-24 12:15 ` Eli Zaretskii
2024-12-23 19:15 ` Björn Bidar via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-12-22 6:19 ` Eli Zaretskii
2024-12-22 17:20 ` Stefan Kangas
2024-12-22 18:38 ` Eli Zaretskii
2024-12-22 19:52 ` Dmitry Gutov
2024-12-22 20:23 ` Eli Zaretskii
2024-12-22 20:27 ` Dmitry Gutov
[not found] ` <865xna60oj.fsf@gnu.org>
2024-12-23 14:36 ` Stefan Kangas [this message]
2024-12-24 23:29 ` Dmitry Gutov
2024-12-23 0:32 ` john muhl
[not found] ` <86v7va4kj6.fsf@gnu.org>
2024-12-23 17:53 ` john muhl
2024-12-24 5:48 ` Stefan Monnier via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-12-24 23:58 ` Stefan Kangas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CADwFkmk7A+KmWYuBcF3kQAuDJCi2Vx2san6xpJ6Y4T7PWkrYNw@mail.gmail.com \
--to=stefankangas@gmail.com \
--cc=75017@debbugs.gnu.org \
--cc=dmitry@gutov.dev \
--cc=eliz@gnu.org \
--cc=jm@pub.pink \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).