From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Ulrich Mueller Newsgroups: gmane.emacs.bugs Subject: bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when starting daemon on demand Date: Fri, 05 Nov 2021 20:02:43 +0100 Message-ID: References: <238ece9e-df13-a604-ba3a-36b346857423@gmail.com> Mime-Version: 1.0 Content-Type: text/plain Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="3048"; mail-complaints-to="usenet@ciao.gmane.io" User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) Cc: Ulrich Mueller , 51327@debbugs.gnu.org, Paul Eggert To: Jim Porter Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Fri Nov 05 20:03:22 2021 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mj4Uj-0000dW-FB for geb-bug-gnu-emacs@m.gmane-mx.org; Fri, 05 Nov 2021 20:03:21 +0100 Original-Received: from localhost ([::1]:58328 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mj4Uf-0005nA-Qt for geb-bug-gnu-emacs@m.gmane-mx.org; Fri, 05 Nov 2021 15:03:19 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:42746) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mj4UQ-0005ls-JR for bug-gnu-emacs@gnu.org; Fri, 05 Nov 2021 15:03:02 -0400 Original-Received: from debbugs.gnu.org ([209.51.188.43]:35700) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1mj4UQ-00024j-As for bug-gnu-emacs@gnu.org; Fri, 05 Nov 2021 15:03:02 -0400 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1mj4UQ-0002YI-88 for bug-gnu-emacs@gnu.org; Fri, 05 Nov 2021 15:03:02 -0400 X-Loop: help-debbugs@gnu.org Resent-From: Ulrich Mueller Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Fri, 05 Nov 2021 19:03:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 51327 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: security Original-Received: via spool by 51327-submit@debbugs.gnu.org id=B51327.16361389779800 (code B ref 51327); Fri, 05 Nov 2021 19:03:02 +0000 Original-Received: (at 51327) by debbugs.gnu.org; 5 Nov 2021 19:02:57 +0000 Original-Received: from localhost ([127.0.0.1]:47246 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1mj4UL-0002Y0-8s for submit@debbugs.gnu.org; Fri, 05 Nov 2021 15:02:57 -0400 Original-Received: from woodpecker.gentoo.org ([140.211.166.183]:37654 helo=smtp.gentoo.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1mj4UI-0002Xm-SS for 51327@debbugs.gnu.org; Fri, 05 Nov 2021 15:02:55 -0400 In-Reply-To: (Jim Porter's message of "Fri, 5 Nov 2021 11:38:48 -0700") X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Original-Sender: "bug-gnu-emacs" Xref: news.gmane.io gmane.emacs.bugs:219019 Archived-At: >>>>> On Fri, 05 Nov 2021, Jim Porter wrote: > (Cc'ing Paul Eggert, who can probably answer more confidently than me.) > On 11/5/2021 11:05 AM, Ulrich Mueller wrote: >> Can someone please explain to me how an exploit on the _client_ side >> would look like? >> When starting the server, I can believe that there may be some >> surface for a symlink attack. But once the daemon is running? What is >> the security issue for the client checking TMPDIR? > I'm not an expert on this kind of attack, but my understanding is that > it could go something like this: > 1. Attacker runs `evil-daemon' which puts its socket in /tmp/evil > 2. Attacker runs `ln -s /tmp/evil /tmp/emacs1000/server' Right, and IIUC this must be carefully timed to exploit some race condition between permission checking and creating the socket. I am not an expert on this either. > 3. User runs `emacsclient --alternate-editor=""' > 4. emacsclient doesn't see a socket in XDG_RUNTIME_DIR, checks TMPDIR > 5. emacsclient connects to evil-daemon Note that after locating the socket, emacsclient will double check for sane permissions. That is, correct user id and _no_ write permission for either group or others. That's why I think that there's little attack surface on the client side, once the socket has been created. > The evil-daemon probably can't get access to the user's files, but > might be able to trick a user into entering some secret. I'll let > others chime in too though, since like I said, I'm not an expert. > If I'm wrong and this isn't an a problem, then I agree that all we > need to do here is silence the warning.