From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ulrich Mueller
Newsgroups: gmane.emacs.bugs
Subject: bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when starting daemon on demand
Date: Thu, 11 Nov 2021 14:04:05 +0100
Message-ID:
References: <238ece9e-df13-a604-ba3a-36b346857423@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
Cc: Jim Porter, Paul Eggert
To: 51327@debbugs.gnu.org
In-Reply-To: (Ulrich Mueller's message of "Fri, 05 Nov 2021 20:02:43 +0100")
X-GNU-PR-Message: followup 51327
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security
Xref: news.gmane.io gmane.emacs.bugs:219637
Archived-At:

>>>>> On Fri, 05 Nov 2021, Ulrich Mueller wrote:
>>>>> On Fri, 05 Nov 2021, Jim Porter wrote:

>> I'm not an expert on this kind of attack, but my understanding is that
>> it could go something like this:

>> 1. Attacker runs `evil-daemon' which puts its socket in /tmp/evil
>> 2. Attacker runs `ln -s /tmp/evil /tmp/emacs1000/server'

> Right, and IIUC this must be carefully timed to exploit some race
> condition between permission checking and creating the socket. I am
> not an expert on this either.
Thinking about it some more, when you always start the daemon with
XDG_RUNTIME_DIR present, there won't be a /tmp/emacs1000/server (at
least not one with correct user and permissions), and I don't believe
that a symlink attack would be possible.

OTOH, when you start the daemon without XDG_RUNTIME_DIR, then the
socket will be created in /tmp, but in that case you'd want the client
to find it there.

>> 3. User runs `emacsclient --alternate-editor=""'
>> 4. emacsclient doesn't see a socket in XDG_RUNTIME_DIR, checks TMPDIR
>> 5. emacsclient connects to evil-daemon

See above, unless the daemon was started without XDG*, there won't be
any socket in TMPDIR.

> Note that after locating the socket, emacsclient will double check for
> sane permissions. That is, correct user id and _no_ write permission for
> either group or others. That's why I think that there's little attack
> surface on the client side, once the socket has been created.

>> The evil-daemon probably can't get access to the user's files, but
>> might be able to trick a user into entering some secret. I'll let
>> others chime in too though, since like I said, I'm not an expert.

>> If I'm wrong and this isn't a problem, then I agree that all we
>> need to do here is silence the warning.

The core issue is that /run/user/${UID}/ is transient and will
disappear after logout. So if you start an Emacs daemon then its
process will persist after logout, but its socket file will be gone
and it will no longer be possible to connect. This may not be a
security issue, but it may cause loss of data.
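The socket lookup and sanity check discussed in this message, as an added example that is not emacsclient's or Emacs's own code. It assumes the two candidate locations implied by the quoted steps ($XDG_RUNTIME_DIR/emacs/server first, then $TMPDIR/emacs<uid>/server), applies the owner and group/other-write checks the reply describes, and additionally refuses to follow symlinks by using lstat(), which is what makes the `ln -s /tmp/evil /tmp/emacs1000/server` step fail even when the race is won. The directory layout, the sockets and the symlink are constructed inside a temporary directory for the demonstration; nothing here talks to a real Emacs.

```python
# Added example, not emacsclient code: candidate-path lookup plus the
# ownership/permission check described in the thread, with lstat() so a
# planted symlink is rejected instead of followed.
import os
import shutil
import socket
import stat
import tempfile


def socket_file_is_sane(path, expected_uid=None):
    """Return (ok, reason) for a candidate server socket file.

    Thread's checks: owned by us, no write bit for group or others.
    Symlink refusal is an addition: it is what defeats
    'ln -s /tmp/evil /tmp/emacs<uid>/server'.
    """
    uid = os.getuid() if expected_uid is None else expected_uid
    try:
        st = os.lstat(path)            # lstat: never follow a symlink here
    except FileNotFoundError:
        return False, "missing"
    if stat.S_ISLNK(st.st_mode):
        return False, "symlink"
    if not stat.S_ISSOCK(st.st_mode):
        return False, "not a socket"
    if st.st_uid != uid:
        return False, "wrong owner"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "group/other writable"
    return True, "ok"


def candidate_socket_paths(xdg_runtime_dir, tmpdir, uid, name="server"):
    """Lookup order from the thread: XDG_RUNTIME_DIR first, TMPDIR second.
    The exact sub-paths are assumptions for this example."""
    paths = []
    if xdg_runtime_dir:
        paths.append(os.path.join(xdg_runtime_dir, "emacs", name))
    paths.append(os.path.join(tmpdir, "emacs%d" % uid, name))
    return paths


def find_server_socket(xdg_runtime_dir, tmpdir, uid):
    """Return (first sane socket path or None, list of (path, reason) rejected)."""
    rejected = []
    for p in candidate_socket_paths(xdg_runtime_dir, tmpdir, uid):
        ok, why = socket_file_is_sane(p, uid)
        if ok:
            return p, rejected
        rejected.append((p, why))
    return None, rejected


def _bind_unix_socket(path, mode=0o600):
    """Create a real AF_UNIX socket file at path with the given mode."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    os.chmod(path, mode)
    return s


def demo():
    """Constructed layout: a private runtime-dir socket, an attacker-style
    symlink in the tmp fallback, and a group-writable socket."""
    uid = os.getuid()
    base = tempfile.mkdtemp(prefix="ec-")
    runtime = os.path.join(base, "run")
    tmpdir = os.path.join(base, "tmp")
    os.makedirs(os.path.join(runtime, "emacs"), mode=0o700)
    os.makedirs(os.path.join(tmpdir, "emacs%d" % uid), mode=0o700)

    good_path = os.path.join(runtime, "emacs", "server")
    evil_path = os.path.join(tmpdir, "evil")
    loose_path = os.path.join(tmpdir, "loose")
    good = _bind_unix_socket(good_path)
    evil = _bind_unix_socket(evil_path)
    loose = _bind_unix_socket(loose_path, mode=0o660)
    # Step 2 of the quoted attack: plant a symlink where the client falls back to.
    os.symlink(evil_path, os.path.join(tmpdir, "emacs%d" % uid, "server"))

    found_xdg, _ = find_server_socket(runtime, tmpdir, uid)
    found_noxdg, rejected = find_server_socket(None, tmpdir, uid)
    result = {
        "with_xdg": found_xdg == good_path,         # private socket wins
        "without_xdg": found_noxdg,                 # None: symlink rejected
        "without_xdg_reason": rejected[0][1],
        "loose_reason": socket_file_is_sane(loose_path, uid)[1],
    }
    for s in (good, evil, loose):
        s.close()
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print(demo())
```

In the demo every file is owned by the same uid, so the owner check alone would not catch the planted link; the lstat()-based symlink refusal is the part that does. The daemon side still has to create its socket inside a directory it owns with mode 0700, which the check above does not cover.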