From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Jim Porter Newsgroups: gmane.emacs.devel Subject: Re: emacsclient startup messages Date: Sat, 30 Oct 2021 12:47:29 -0700 Message-ID: <074495a9-aff8-edce-f81f-51fdfc622f6e@gmail.com> References: <89dc096b-6c33-db5a-d2d2-b43fb92e4900@gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="15289"; mail-complaints-to="usenet@ciao.gmane.io" Cc: Pedro Andres Aranda Gutierrez , emacs-devel To: Ulrich Mueller Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Sat Oct 30 21:48:12 2021 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mguKo-0003h2-Ia for ged-emacs-devel@m.gmane-mx.org; Sat, 30 Oct 2021 21:48:10 +0200 Original-Received: from localhost ([::1]:53760 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mguKm-0007rB-7L for ged-emacs-devel@m.gmane-mx.org; Sat, 30 Oct 2021 15:48:08 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:54638) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mguKD-0007CC-8K for emacs-devel@gnu.org; Sat, 30 Oct 2021 15:47:33 -0400 Original-Received: from mail-pj1-x1035.google.com ([2607:f8b0:4864:20::1035]:43530) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1mguKB-0000ob-Ld for emacs-devel@gnu.org; Sat, 30 Oct 2021 15:47:32 -0400 Original-Received: by mail-pj1-x1035.google.com with SMTP id k2-20020a17090ac50200b001a218b956aaso9752238pjt.2 for ; Sat, 30 Oct 2021 12:47:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=subject:from:to:cc:references:message-id:date:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=AhriLrY+thkK5JS3VA0x6IYYLit1RztmeIeMNEsuo1U=; b=Ck/TsDE7jpVAl/5UVkokZIi+vP0miM+9wY5HHucN742wWBFNuKc0Hylq7EVWD387Yx lZnypi5yPYmqVbmtmDKqOmYuq6rYrekYtBwsV3x9E40BKnl8+J2fLZqgWaKh1Ej/EH60 +DMXBhyf0mvNttpnvO8qQcH4nS4+5ZQpOMhoJRhMKoQxJubniasEfQlOaVg+H9PH7vjn QdqsBso/QlU5R/4FkZMDfWmxucoh2Xi8UQOb7IqMv7Ia/OIvFY9/6NinCoUEe+pvSsbf okZRiYjuHtCd77tVVt3uITxXNsZJr3n/iwubcXBtvmG7zQrdg6XvvfMNIaQNey4htqy0 JuiQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:subject:from:to:cc:references:message-id:date :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=AhriLrY+thkK5JS3VA0x6IYYLit1RztmeIeMNEsuo1U=; b=ETCDOzYRxOIi65pzV6FXROc0GhqdtkHyR+IGqJPEK9AdjN5TDjos2nnA3LGhDQZNo6 uSh8qhCLkXPcDrQzFPly9KlI6dvR92vv0Wk/gSE3YU75+PMzLotu+U+QMp5byymZJiys Nh7etltHJeDwL14V3BtYfjsJFJfIq7JZTMSMgn0IAKwqLrzbkDVinKVsqode02mbTcJV 6k6dTMoFiZUz87IK8kszy5WCSY0MhyzKYxNXqaSUVdjAq4JQmP/5gdhuY7g2DadQ0To/ crho4NtznDIqklQUb8l+4hKon2ODFLoili6jIuth65Pfk5TxCJSA1aU9rtR9prG73TG9 NXwA== X-Gm-Message-State: AOAM5336RdrA0Zd4fFhJXz9EcGLT+Z0SoRDRmeCryC6TY1RmKvUjGCCQ 7prOWkyBaWkC2mLsrEeBcwHE82Spx8Y= X-Google-Smtp-Source: ABdhPJzzVl4XdNw4CTMgUZVYiF0Ojpy/+OWjB+PDqQHWdwbNVlFTM/5RbGeA8wZAl5xQn11oLISveA== X-Received: by 2002:a17:902:6b86:b0:13f:8d7a:397c with SMTP id p6-20020a1709026b8600b0013f8d7a397cmr16981062plk.50.1635623250234; Sat, 30 Oct 2021 12:47:30 -0700 (PDT) Original-Received: from [192.168.1.2] (cpe-76-168-148-233.socal.res.rr.com. [76.168.148.233]) by smtp.googlemail.com with ESMTPSA id p3sm10231412pfb.205.2021.10.30.12.47.29 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 30 Oct 2021 12:47:29 -0700 (PDT) In-Reply-To: Content-Language: en-US Received-SPF: pass client-ip=2607:f8b0:4864:20::1035; envelope-from=jporterbugs@gmail.com; helo=mail-pj1-x1035.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: "Emacs-devel" Xref: news.gmane.io gmane.emacs.devel:278290 Archived-At: On 10/30/2021 12:16 PM, Jim Porter wrote: > On 10/30/2021 10:39 AM, Ulrich Mueller wrote: >> There can be situations where there is an XDG environment for the client >> but not for the daemon. > > Right, the patch in bug#33847 should handle that case correctly, but I'm > pretty sure the current implementation opens users who spawn the Emacs > daemon on-demand to symlink attacks. That's due to the code needing to > check both XDG_RUNTIME_DIR and TMPDIR before being sure there's no > daemon to connect to. > > I can think of two ways to avoid this issue: [snip] > 2) If XDG_RUNTIME_DIR and ALTERNATE_EDITOR/--alternate-editor are both > set, never check TMPDIR. This should let both cases work without > requiring users to explicitly set a flag anywhere, but it the lack of > explicitness could be more confusing. I think this should work fine in > all cases, since users running `emacs --daemon' without XDG probably > won't be using ALTERNATE_EDITOR (the daemon should always be running, so > there's no need for an alternate editor). I posted a patch for method (2) to bug#51327 here: .