* How do I report security issue?
@ 2021-07-11 9:18 Kenneth Wyatt
2021-07-11 11:26 ` Michael Albinus
0 siblings, 1 reply; 2+ messages in thread
From: Kenneth Wyatt @ 2021-07-11 9:18 UTC (permalink / raw)
To: emacs-devel
Hi guys,
I found a very simple way to get sudo/root shell in Emacs without
passing a password check for launching the shell. While it does rely on
actions by a user who does know the sudo password, once these actions
are taken, an unattended terminal can be used to gain full sudo shell
session with (from what I can tell) no timeout on one's ability to do so.
Unsure exactly where to report this as the public bugtracker seems
inappropriate even if reporting it seems unlikely to result in
widespread in-the-wild use.
It's totally possible this is also "as intended" behaviour, but that
seems unlikely, and if it is, I think changing the default behaviour
would be the responsible thing to do. I'm sure I'm not the first person
to discover this, but an admittedly cursory search didn't turn up
discussion online.
Could someone direct me where to report the replication steps in a
responsible manner?
Thanks so much,
Kenneth
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: How do I report security issue?
2021-07-11 9:18 How do I report security issue? Kenneth Wyatt
@ 2021-07-11 11:26 ` Michael Albinus
0 siblings, 0 replies; 2+ messages in thread
From: Michael Albinus @ 2021-07-11 11:26 UTC (permalink / raw)
To: Kenneth Wyatt; +Cc: emacs-devel
Kenneth Wyatt <soy.el.gato.negro@gmail.com> writes:
> Hi guys,
Hi Kenneth,
> I found a very simple way to get sudo/root shell in Emacs without
> passing a password check for launching the shell. While it does rely
> on actions by a user who does know the sudo password, once these
> actions are taken, an unattended terminal can be used to gain full
> sudo shell session with (from what I can tell) no timeout on one's
> ability to do so.
>
> Unsure exactly where to report this as the public bugtracker seems
> inappropriate even if reporting it seems unlikely to result in
> widespread in-the-wild use.
>
> It's totally possible this is also "as intended" behaviour, but that
> seems unlikely, and if it is, I think changing the default behaviour
> would be the responsible thing to do. I'm sure I'm not the first
> person to discover this, but an admittedly cursory search didn't turn
> up discussion online.
>
> Could someone direct me where to report the replication steps in a
> responsible manner?
I suppose you mean Tramp's sudo method. Yes, this has been discussed
already. We made some counter measures:
- For sudo (and doas) methods, there is a session timeout of 300
seconds. That is, after that time of inactivity you must enter the
password, again. This behaviour is similar to a sudo call in a shell.
- If you are still concerned, there is the Tramp sudoedit method. This
does not keep an open session running in the background.
For further discussion of Tramp problems, I might be the person to
contact, 'cos I'm the Tramp maintainer.
If you do not mean Tramp, I recommend to contact one of the Emacs
maintainers directly. These are Eli Zaretskii <eliz@gnu.org> and Lars
Ingebrigtsen <larsi@gnus.org>.
> Thanks so much,
>
> Kenneth
Best regards, Michael.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-07-11 11:26 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-11 9:18 How do I report security issue? Kenneth Wyatt
2021-07-11 11:26 ` Michael Albinus
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).