unofficial mirror of emacs-devel@gnu.org 
 help / color / mirror / code / Atom feed
* Re: sudo:: method in tramp possible security issue
       [not found]                     ` <87o9ajvost.fsf@gmx.de>
@ 2018-11-20 14:13                       ` João Távora
  2018-11-20 21:14                         ` Paul Eggert
  2018-11-20 22:30                         ` Michael Albinus
  0 siblings, 2 replies; 21+ messages in thread
From: João Távora @ 2018-11-20 14:13 UTC (permalink / raw)
  To: Michael Albinus, emacs-devel; +Cc: Eli Zaretskii, Stefan Monnier

[-- Attachment #1: Type: text/plain, Size: 3548 bytes --]

Hello emacs-devel,

The off-list discussion below is about TRAMP's usage of
the /sudo:: method, which surprised me very much recently
because I discovered that it lets any elisp run arbitrary shell
commands with root permissions while the buffer editing a file
with /sudo:: is live.

So in theory you could write malicious elisp code to lay there
hoping to hijack a users system on their first file of
/sudo::/etc/apt/sources.list, for example. Supposing all the user
wanted is to edit that file, starting a full "elisp sudo server" for
the duration of the buffer is clearly overkill and unnecessarily
dangerous for most users.

For me this is a very serious security hole, but apparently
it's part of the contract of the /sudo:: method.

I am arguing for:

1. A sudoedit method that works like `sudo -e`

2. A one-time stern warning the first time that the user uses /sudo::
to explain the security implications to new users.

Michael and I are converging on some possibilities, but I
think it's a good idea to have the rest of emacs-devel speak
their mind.

[Michael you have my new in-line replies below, too]

Thanks,
João


On Tue, Nov 20, 2018 at 1:53 PM Michael Albinus <michael.albinus@gmx.de>
wrote:

> João Távora <joaotavora@gmail.com> writes:
>
> >     For the time being, the Tramp manual says:
> >
> >     --8<---------------cut here---------------start------------->8---
> >     ‘sudo’
> >
> >          Similar to ‘su’ method, ‘sudo’ uses ‘sudo’.  ‘sudo’ must have
> >          sufficient rights to start a shell.
> >     --8<---------------cut here---------------end--------------->8---
> >
> >     It says already that a shell is used, but perhaps we shall
> >     emphasize it more. As I said: manuals are unread ...
> >
> > Very true, and this is why I am suggesting an in-your-face warning.
>
> That would be bossy. People would start to modify the code in order to
> bypass this.
>

Perhaps I didn't explain myself. I'm talking about a one-time thing, like
the warnings for a disabled command. Something that you can answer
"I understand the risks: never ask for this again".

Once sudoedit is offered by Tramp, I expect a respective recommendation
> for Emacs.
>

OK. I believe this is not quite enough. But I'm talking for myself. I think
we should indeed raise the matter publicly.


> > And I don't agree it's like sudo -i, because I don't think there is an
> > easy way for non-root code running before the sudo -i session to
> > inject itself into the root session, or is there? Certainly not as
> > easy as writing some trivial elisp.
>
> Everybody is able to write such code. A simple `shell-command' with
> "sudo" might suffice to run any command with root permissions. Or use
> the interactive `shell', and call "sudo -i" there. Nothing you need
> Tramp for.
>

I was just arguing that the comparison between "sudo -i", meant to be
run in a shell and tramp's launching of a "sudo shell" isn't adequate,
because
there's no easy way for some unprivileged code to stay around
and wait for an opportunity to hijack your interactive "sudo -i"


>
> > /Sudoedit:: would be a really good addition. It would replace all the
> > usage I and quite possibly many others have ever had of /sudo::.
>
> Agreed. If it is possible to implement as proposed.
>
> (Please write the bug report about, in order to discuss it with greater
> audience. Or start a discussion at the emacs-devel ML.)
>

I just did that.

[-- Attachment #2: Type: text/html, Size: 5127 bytes --]

^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: sudo:: method in tramp possible security issue
  2018-11-20 14:13                       ` sudo:: method in tramp possible security issue João Távora
@ 2018-11-20 21:14                         ` Paul Eggert
  2018-11-20 21:18                           ` Stefan Monnier
  2018-11-20 22:16                           ` Michael Albinus
  2018-11-20 22:30                         ` Michael Albinus
  1 sibling, 2 replies; 21+ messages in thread
From: Paul Eggert @ 2018-11-20 21:14 UTC (permalink / raw)
  To: João Távora, Michael Albinus, emacs-devel
  Cc: Eli Zaretskii, Stefan Monnier

Is there a simple way to configure Emacs so that it does not use this 
sudo (or sudoedit) feature of Tramp? If not, perhaps there should be one.

I long ago put (setq tramp-mode nil) into my ~/.emacs file because of 
security concerns, so I wouldn't need to selectively disable sudo 
myself. But perhaps others who are less concerned about security (but 
still somewhat concerned) might want it.

Come to think of it, if 'emacs -Q' enables Tramp by default then perhaps 
I should stop using 'emacs -Q'....




^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: sudo:: method in tramp possible security issue
  2018-11-20 21:14                         ` Paul Eggert
@ 2018-11-20 21:18                           ` Stefan Monnier
  2018-11-20 21:25                             ` Paul Eggert
  2018-11-20 22:16                           ` Michael Albinus
  1 sibling, 1 reply; 21+ messages in thread
From: Stefan Monnier @ 2018-11-20 21:18 UTC (permalink / raw)
  To: Paul Eggert
  Cc: Eli Zaretskii, Michael Albinus, João Távora,
	emacs-devel

> Is there a simple way to configure Emacs so that it does not use this sudo
> (or sudoedit) feature of Tramp?

Yes: use the default config and just don't use Tramp's sudo method.

> I long ago put (setq tramp-mode nil) into my ~/.emacs file because of
> security concerns, so I wouldn't need to selectively disable sudo
> myself.

Tramp is not magical: it can do no more nor less than what an attacker
could do.  So disabling it doesn't buy you anything in this respect, AFAICT.


        Stefan



^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: sudo:: method in tramp possible security issue
  2018-11-20 21:18                           ` Stefan Monnier
@ 2018-11-20 21:25                             ` Paul Eggert
  2018-11-20 21:44                               ` Stefan Monnier
  2018-11-20 22:06                               ` Michael Albinus
  0 siblings, 2 replies; 21+ messages in thread
From: Paul Eggert @ 2018-11-20 21:25 UTC (permalink / raw)
  To: Stefan Monnier
  Cc: Eli Zaretskii, Michael Albinus, João Távora,
	emacs-devel

On 11/20/18 1:18 PM, Stefan Monnier wrote:
> Tramp is not magical: it can do no more nor less than what an attacker
> could do.

Sure, if the attacker has control over my keyboard, or over my display, 
or over the Lisp code that I load and execute. That being said, Tramp 
does make attacks easier, so it has been an easy call for me to disable it.




^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: sudo:: method in tramp possible security issue
  2018-11-20 21:25                             ` Paul Eggert
@ 2018-11-20 21:44                               ` Stefan Monnier
  2018-11-20 22:06                               ` Michael Albinus
  1 sibling, 0 replies; 21+ messages in thread
From: Stefan Monnier @ 2018-11-20 21:44 UTC (permalink / raw)
  To: emacs-devel

>> Tramp is not magical: it can do no more nor less than what an attacker
>> could do.
> Sure, if the attacker has control over my keyboard, or over my display, or
> over the Lisp code that I load and execute.  That being said, Tramp does make
> attacks easier, so it has been an easy call for me to disable it.

I don't see in which way you think it makes attacks easier.
Are you thinking if things like file-local variables which may point
to a file like "/sudo:..."?

I'd expect that in most such cases such vars pointing to arbitrary files
would be a risk even without the sudo method, so I'd hope we'd plug
those quickly enough (and yes, the sudo method would make such attacks
worse, indeed).


        Stefan




^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: sudo:: method in tramp possible security issue
  2018-11-20 21:25                             ` Paul Eggert
  2018-11-20 21:44                               ` Stefan Monnier
@ 2018-11-20 22:06                               ` Michael Albinus
  2018-11-20 22:27                                 ` João Távora
  1 sibling, 1 reply; 21+ messages in thread
From: Michael Albinus @ 2018-11-20 22:06 UTC (permalink / raw)
  To: Paul Eggert
  Cc: Eli Zaretskii, emacs-devel, Stefan Monnier, João Távora

Paul Eggert <eggert@cs.ucla.edu> writes:

> On 11/20/18 1:18 PM, Stefan Monnier wrote:
>> Tramp is not magical: it can do no more nor less than what an attacker
>> could do.
>
> Sure, if the attacker has control over my keyboard, or over my
> display, or over the Lisp code that I load and execute. That being
> said, Tramp does make attacks easier, so it has been an easy call for
> me to disable it.

Tramp's sudo method needs your credentials. If you don't provide them,
Tramp cannot do anything.

Like calling sudo in a terminal.

Best regards, Michael.



^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: sudo:: method in tramp possible security issue
  2018-11-20 21:14                         ` Paul Eggert
  2018-11-20 21:18                           ` Stefan Monnier
@ 2018-11-20 22:16                           ` Michael Albinus
  1 sibling, 0 replies; 21+ messages in thread
From: Michael Albinus @ 2018-11-20 22:16 UTC (permalink / raw)
  To: Paul Eggert
  Cc: Eli Zaretskii, João Távora, Stefan Monnier, emacs-devel

Paul Eggert <eggert@cs.ucla.edu> writes:

> Is there a simple way to configure Emacs so that it does not use this
> sudo (or sudoedit) feature of Tramp? If not, perhaps there should be
> one.

Remove the corresponding entries from tramp-methods. Something like

(setq tramp-methods (delete (assoc "sudo" tramp-methods) tramp-methods))

Same for "su", and "sudoedit" (once it is added to Tramp). However,
"sudoedit" is intented to just read a file, and save the respective
buffer. No interactive shell under the hood, no backup files, no remote
processes - nothing else but file reading and buffer saving. The idea is
to use a proper emacsclient call for this.

> I long ago put (setq tramp-mode nil) into my ~/.emacs file because of
> security concerns, so I wouldn't need to selectively disable sudo
> myself. But perhaps others who are less concerned about security (but
> still somewhat concerned) might want it.
>
> Come to think of it, if 'emacs -Q' enables Tramp by default then
> perhaps I should stop using 'emacs -Q'....

Tramp manifests itself via autoloads. They are still active when running
'emacs -Q'.

Tramp does already some actions when it detects that emacs has started
with "-Q". For example, it doesn't read the persistency file
"~/.emacs.d/tramp". We could extend this mechanism.

Best regards, Michael.



^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: sudo:: method in tramp possible security issue
  2018-11-20 22:06                               ` Michael Albinus
@ 2018-11-20 22:27                                 ` João Távora
  2018-11-20 23:12                                   ` Stefan Monnier
  2018-11-21  7:41                                   ` Michael Albinus
  0 siblings, 2 replies; 21+ messages in thread
From: João Távora @ 2018-11-20 22:27 UTC (permalink / raw)
  To: Michael Albinus; +Cc: Eli Zaretskii, Paul Eggert, Stefan Monnier, emacs-devel

[-- Attachment #1: Type: text/plain, Size: 1546 bytes --]

On Tue, Nov 20, 2018 at 10:06 PM Michael Albinus <michael.albinus@gmx.de>
wrote:

> Paul Eggert <eggert@cs.ucla.edu> writes:
>
> > On 11/20/18 1:18 PM, Stefan Monnier wrote:
> >> Tramp is not magical: it can do no more nor less than what an attacker
> >> could do.
> >
> > Sure, if the attacker has control over my keyboard, or over my
> > display, or over the Lisp code that I load and execute. That being
> > said, Tramp does make attacks easier, so it has been an easy call for
> > me to disable it.
>
> Tramp's sudo method needs your credentials. If you don't provide them,
> Tramp cannot do anything.
>
> Like calling sudo in a terminal.


It's not exactly like calling sudo in a terminal, because when you
use sudo you generally:

1. perform a one time action and are back at a non-sudo prompt; OR
2. start an interactive superuser session that easy to identify visually
   and for which there isn't a programmatic way for other programs
   to interfere

In other words, what bothers me the most about the sudo:: method is
the persistent sudo session that makes me vulnerable to attackers, and
to my elisp developing mistakes.  This is why I think a warning makes
sense, or some visual way to identify this vulnerable state.

In contrast, using sudoedit:: should not bring about this vulnerable state.

That being said, if your non-elevated user has already been compromised,
entering sudo credentials into Emacs, where elisp can do whatever, is
probably a very bad idea, regardless of Tramp.

João

[-- Attachment #2: Type: text/html, Size: 2189 bytes --]

^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: sudo:: method in tramp possible security issue
  2018-11-20 14:13                       ` sudo:: method in tramp possible security issue João Távora
  2018-11-20 21:14                         ` Paul Eggert
@ 2018-11-20 22:30                         ` Michael Albinus
  2018-11-20 22:54                           ` João Távora
  1 sibling, 1 reply; 21+ messages in thread
From: Michael Albinus @ 2018-11-20 22:30 UTC (permalink / raw)
  To: João Távora; +Cc: Eli Zaretskii, Stefan Monnier, emacs-devel

João Távora <joaotavora@gmail.com> writes:

> Hello emacs-devel, 

Hi João,

> The off-list discussion below is about TRAMP's usage of 
> the /sudo:: method, which surprised me very much recently 
> because I discovered that it lets any elisp run arbitrary shell 
> commands with root permissions while the buffer editing a file 
> with /sudo:: is live.  
>
> So in theory you could write malicious elisp code to lay there
> hoping to hijack a users system on their first file of 
> /sudo::/etc/apt/sources.list, for example. Supposing all the user 
> wanted is to edit that file, starting a full "elisp sudo server" for 
> the duration of the buffer is clearly overkill and unnecessarily 
> dangerous for most users.

It isn't overkill. The implementation in Tramp depends on the file name
handler concept, which requires to implement 70 basic functions. How
would it be possible to implement `file-attributes', for example, w/o an
interactive shell with root permissions?

> For me this is a very serious security hole, but apparently
> it's part of the contract of the /sudo:: method.
>
> I am arguing for:
>
> 1. A sudoedit method that works like `sudo -e`

Agreed. It shall basically implement just `insert-file-contents' and
`write-region'. (If possible, I haven't started to investigate in detail).

> 2. A one-time stern warning the first time that the user uses /sudo:: 
> to explain the security implications to new users.

Here I'm not convinced. I agree that it must be said more prominent in
the Tramp manual, that an interactive session with root permissions is
running in the background, but I believe it would be too bossy to tell
users they shall not use "/sudo::". It is like telling something like
this to users, who call sudo in a terminal. Are there such warnings,
somewhere?

> Michael and I are converging on some possibilities, but I
> think it's a good idea to have the rest of emacs-devel speak
> their mind.
>
> Thanks,
> João

Best regards, Michael.



^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: sudo:: method in tramp possible security issue
  2018-11-20 22:30                         ` Michael Albinus
@ 2018-11-20 22:54                           ` João Távora
  2018-11-21  7:49                             ` Michael Albinus
  0 siblings, 1 reply; 21+ messages in thread
From: João Távora @ 2018-11-20 22:54 UTC (permalink / raw)
  To: Michael Albinus; +Cc: Eli Zaretskii, Stefan Monnier, emacs-devel

[-- Attachment #1: Type: text/plain, Size: 1488 bytes --]

On Tue, Nov 20, 2018 at 10:30 PM Michael Albinus <michael.albinus@gmx.de>
wrote:

>
> It isn't overkill. The implementation in Tramp depends on the file name
> handler concept, which requires to implement 70 basic functions. How
> would it be possible to implement `file-attributes', for example, w/o an
> interactive shell with root permissions?
>

Sorry, I meant overkill for most **uses**.  By which I mean 100%
of uses that **I** have ever had for /sudo::, which is to quickly
edit a system file. Of course there are other uses that other
users might want.


> Here I'm not convinced. I agree that it must be said more prominent in
> the Tramp manual, that an interactive session with root permissions is
> running in the background, but I believe it would be too bossy to tell
> users they shall not use "/sudo::". It is like telling something like
> this to users, who call sudo in a terminal. Are there such warnings,
> somewhere?
>

I've explained that I don't think it is the same to run sudo in a
terminal and inside emacs.  And I'm not suggesting "/sudo::
considered dangerous, thou shalt not use it!", just a one time
summary explanation of what is about to happen.

Alternatively, how would you feel about adding something to
the mode-line clearly showing that there is an ongoing
superuser session going on?

For me, mentioning it in the manual isn't very useful, because
few people read the manual, fine as it may be :-)

João Távora

[-- Attachment #2: Type: text/html, Size: 2196 bytes --]

^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: sudo:: method in tramp possible security issue
  2018-11-20 22:27                                 ` João Távora
@ 2018-11-20 23:12                                   ` Stefan Monnier
  2018-11-21  7:41                                   ` Michael Albinus
  1 sibling, 0 replies; 21+ messages in thread
From: Stefan Monnier @ 2018-11-20 23:12 UTC (permalink / raw)
  To: João Távora
  Cc: Eli Zaretskii, Paul Eggert, Michael Albinus, emacs-devel

> In other words, what bothers me the most about the sudo:: method is
> the persistent sudo session that makes me vulnerable to attackers, and
> to my elisp developing mistakes.  This is why I think a warning makes
> sense, or some visual way to identify this vulnerable state.

I guess it all depends on the sudo setup:

Can you run a shell via sudo?  On those machines where I can do that,
I typically do "sudo zsh" and then live happily in my root shell.
But even you don't, after you've used sudo, there's a time window
during which sudo won't ask for your password and during which an
attacker could run "sudo sh" via start-process, regardless of Tramp.

If you can't run a shell via sudo, then Tramp's sudo method won't work
anyway.


        Stefan



^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: sudo:: method in tramp possible security issue
  2018-11-20 22:27                                 ` João Távora
  2018-11-20 23:12                                   ` Stefan Monnier
@ 2018-11-21  7:41                                   ` Michael Albinus
  2018-11-21 12:26                                     ` Michael Albinus
                                                       ` (2 more replies)
  1 sibling, 3 replies; 21+ messages in thread
From: Michael Albinus @ 2018-11-21  7:41 UTC (permalink / raw)
  To: João Távora
  Cc: Eli Zaretskii, Paul Eggert, Stefan Monnier, emacs-devel

João Távora <joaotavora@gmail.com> writes:

>     Tramp's sudo method needs your credentials. If you don't provide
>     them, Tramp cannot do anything.
>
>     Like calling sudo in a terminal.
>
> It's not exactly like calling sudo in a terminal, because when you
> use sudo you generally:
>
> 1. perform a one time action and are back at a non-sudo prompt; OR
> 2. start an interactive superuser session that easy to identify
> visually 
>    and for which there isn't a programmatic way for other programs 
>    to interfere
>
> In other words, what bothers me the most about the sudo:: method is 
> the persistent sudo session that makes me vulnerable to attackers, and
> to my elisp developing mistakes.  This is why I think a warning makes 
> sense, or some visual way to identify this vulnerable state.

There is already a "visual way to identify this state". It is called
tramp-theme, a GNU ELPA package.

This is documented in the Tramp manual, see (info "(tramp) Frequently Asked Questions")
Again, nobody reads the manual :-(

The command `tramp-cleanup-connection' closes any background session for
a Tramp connection, including removing cached passwords. Maybe we shall
call this for sudo/su methods automatically after a given timeout, like
the password expiration for sudo in a terminal. 5 minutes seem to be a
sensible value to me.

> João

Best regards, Michael.



^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: sudo:: method in tramp possible security issue
  2018-11-20 22:54                           ` João Távora
@ 2018-11-21  7:49                             ` Michael Albinus
  0 siblings, 0 replies; 21+ messages in thread
From: Michael Albinus @ 2018-11-21  7:49 UTC (permalink / raw)
  To: João Távora; +Cc: Eli Zaretskii, Stefan Monnier, emacs-devel

João Távora <joaotavora@gmail.com> writes:

> Alternatively, how would you feel about adding something to 
> the mode-line clearly showing that there is an ongoing 
> superuser session going on?

As said the other mail, this is provided by the GNU ELPA package
tramp-theme. When writing this package I decided against making it the
default, because people are very idiosyncratic about the modeline.

> For me, mentioning it in the manual isn't very useful, because
> few people read the manual, fine as it may be :-)

Maintaining Tramp for ~15 years, I'm often feeling that writing
something into the manual is superfluous. For almost every explanation
there, I still get request to repeat the description in the mailing list
/ on stackexchange / you name it.

> João Távora

Best regards, Michael.



^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: sudo:: method in tramp possible security issue
  2018-11-21  7:41                                   ` Michael Albinus
@ 2018-11-21 12:26                                     ` Michael Albinus
  2018-11-21 12:44                                     ` Filipp Gunbin
  2018-11-21 14:44                                     ` John Shahid
  2 siblings, 0 replies; 21+ messages in thread
From: Michael Albinus @ 2018-11-21 12:26 UTC (permalink / raw)
  To: João Távora
  Cc: Eli Zaretskii, Paul Eggert, Stefan Monnier, emacs-devel

Michael Albinus <michael.albinus@gmx.de> writes:

> The command `tramp-cleanup-connection' closes any background session for
> a Tramp connection, including removing cached passwords. Maybe we shall
> call this for sudo/su methods automatically after a given timeout, like
> the password expiration for sudo in a terminal. 5 minutes seem to be a
> sensible value to me.

I give it a try. I've pushed a change to the master branch, which
expires sudo and doas background sessions after 5 minutes. Check the
Tramp manual for details.

Let's see how it goes.

>> João

Best regards, Michael.



^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: sudo:: method in tramp possible security issue
  2018-11-21  7:41                                   ` Michael Albinus
  2018-11-21 12:26                                     ` Michael Albinus
@ 2018-11-21 12:44                                     ` Filipp Gunbin
  2018-11-21 12:51                                       ` Michael Albinus
  2018-11-21 14:44                                     ` John Shahid
  2 siblings, 1 reply; 21+ messages in thread
From: Filipp Gunbin @ 2018-11-21 12:44 UTC (permalink / raw)
  To: Michael Albinus
  Cc: Eli Zaretskii, Paul Eggert, emacs-devel, João Távora,
	Stefan Monnier

On 21/11/2018 08:41 +0100, Michael Albinus wrote:

> Maybe we shall call this for sudo/su methods automatically after a
> given timeout, like the password expiration for sudo in a terminal. 5
> minutes seem to be a sensible value to me.

Yes, that'd be nice (for root).

Filipp



^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: sudo:: method in tramp possible security issue
  2018-11-21 12:44                                     ` Filipp Gunbin
@ 2018-11-21 12:51                                       ` Michael Albinus
  0 siblings, 0 replies; 21+ messages in thread
From: Michael Albinus @ 2018-11-21 12:51 UTC (permalink / raw)
  To: Filipp Gunbin
  Cc: Eli Zaretskii, Paul Eggert, emacs-devel, João Távora,
	Stefan Monnier

Filipp Gunbin <fgunbin@fastmail.fm> writes:

Hi Filipp,

>> Maybe we shall call this for sudo/su methods automatically after a
>> given timeout, like the password expiration for sudo in a terminal. 5
>> minutes seem to be a sensible value to me.
>
> Yes, that'd be nice (for root).

I have just committed a patch to master, which does it for all "sudo"
connections. If you want it only for root, you could configure it as
such. See the Tramp manual.

> Filipp

Best regards, Michael.



^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: sudo:: method in tramp possible security issue
  2018-11-21  7:41                                   ` Michael Albinus
  2018-11-21 12:26                                     ` Michael Albinus
  2018-11-21 12:44                                     ` Filipp Gunbin
@ 2018-11-21 14:44                                     ` John Shahid
  2018-11-21 14:52                                       ` Michael Albinus
  2 siblings, 1 reply; 21+ messages in thread
From: John Shahid @ 2018-11-21 14:44 UTC (permalink / raw)
  To: Michael Albinus
  Cc: Eli Zaretskii, Paul Eggert, emacs-devel, João Távora,
	Stefan Monnier


Michael Albinus <michael.albinus@gmx.de> writes:

> The command `tramp-cleanup-connection' closes any background session for
> a Tramp connection, including removing cached passwords. Maybe we shall
> call this for sudo/su methods automatically after a given timeout, like
> the password expiration for sudo in a terminal. 5 minutes seem to be a
> sensible value to me.

Warning, I am not familiar with the internals of tramp, so please
forgive my following comment if it doesn't make sense.

Is there a reason for doing a manual expiration instead of relying on
the default sudo behavior.  If tramp start a new sudo shell for example
to get file attributes, then sudo can take care of caching the password
or asking for it after the configured timeout.  That would consolidate
the configuration in one place (i.e. /etc/sudoers for the timeout) as
well as let users manage the cache (e.g. sudo -k when the user logs out)
the same way they do today.



^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: sudo:: method in tramp possible security issue
  2018-11-21 14:44                                     ` John Shahid
@ 2018-11-21 14:52                                       ` Michael Albinus
  2018-11-21 14:55                                         ` John Shahid
  0 siblings, 1 reply; 21+ messages in thread
From: Michael Albinus @ 2018-11-21 14:52 UTC (permalink / raw)
  To: John Shahid
  Cc: Eli Zaretskii, Paul Eggert, emacs-devel, João Távora,
	Stefan Monnier

John Shahid <jvshahid@gmail.com> writes:

Hi John,

> Is there a reason for doing a manual expiration instead of relying on
> the default sudo behavior.  If tramp start a new sudo shell for example
> to get file attributes, then sudo can take care of caching the password
> or asking for it after the configured timeout.  That would consolidate
> the configuration in one place (i.e. /etc/sudoers for the timeout) as
> well as let users manage the cache (e.g. sudo -k when the user logs out)
> the same way they do today.

The point is that Tramp (until now) keeps a session open forever. Tramp
doesn't "start a new sudo shell for example to get file attributes".
Therefore, there's no chance that sudo could ask for a password,
again. That's why the new mechanism interrupts the session after the
session timeout, and opening a new one depends on sudo's mechanism for
cached passwords.

Best regards, Michael.



^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: sudo:: method in tramp possible security issue
  2018-11-21 14:52                                       ` Michael Albinus
@ 2018-11-21 14:55                                         ` John Shahid
  2018-11-21 15:07                                           ` Michael Albinus
  0 siblings, 1 reply; 21+ messages in thread
From: John Shahid @ 2018-11-21 14:55 UTC (permalink / raw)
  To: Michael Albinus
  Cc: Eli Zaretskii, Paul Eggert, emacs-devel, João Távora,
	Stefan Monnier


Michael Albinus <michael.albinus@gmx.de> writes:

> John Shahid <jvshahid@gmail.com> writes:
>
> Hi John,
>
>> Is there a reason for doing a manual expiration instead of relying on
>> the default sudo behavior.  If tramp start a new sudo shell for example
>> to get file attributes, then sudo can take care of caching the password
>> or asking for it after the configured timeout.  That would consolidate
>> the configuration in one place (i.e. /etc/sudoers for the timeout) as
>> well as let users manage the cache (e.g. sudo -k when the user logs out)
>> the same way they do today.
>
> The point is that Tramp (until now) keeps a session open forever. Tramp
> doesn't "start a new sudo shell for example to get file attributes".
> Therefore, there's no chance that sudo could ask for a password,
> again. That's why the new mechanism interrupts the session after the
> session timeout, and opening a new one depends on sudo's mechanism for
> cached passwords.

That was the essence of my question.  What is stopping us from starting
a new session as needed instead of keeping one around forever ?



^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: sudo:: method in tramp possible security issue
  2018-11-21 14:55                                         ` John Shahid
@ 2018-11-21 15:07                                           ` Michael Albinus
  0 siblings, 0 replies; 21+ messages in thread
From: Michael Albinus @ 2018-11-21 15:07 UTC (permalink / raw)
  To: John Shahid
  Cc: Eli Zaretskii, Paul Eggert, emacs-devel, João Távora,
	Stefan Monnier

John Shahid <jvshahid@gmail.com> writes:

Hi John,

> That was the essence of my question.  What is stopping us from starting
> a new session as needed instead of keeping one around forever ?

Performance. Opening a new sudo session every single information bit
would be awful slow.

We could set a command timeout for the sudo invocation, but nobody
guarantees that it happens while data are transferred.

Best regards, Michael.



^ permalink raw reply	[flat|nested] 21+ messages in thread

* Tramp sudoedit method (was: sudo:: method in tramp possible security issue)
       [not found]           ` <87ftvwyxh7.fsf@gmx.de>
@ 2018-12-16 15:24             ` Michael Albinus
  0 siblings, 0 replies; 21+ messages in thread
From: Michael Albinus @ 2018-12-16 15:24 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: Eli Zaretskii, João Távora, emacs-devel

Michael Albinus <michael.albinus@gmx.de> writes:

Hi,

>>> Right, but would it run emacs-lisp code with elevated privileges?
>>> Can't we just make a sudoedit method that just invokes the sudoedit
>>> program or "sudo -e"?  This is what I thought sudo:: did in the first place.
>>
>> All of Tramp basically works by starting an `sh` process (via ssh, sudo,
>> you name it) and then sending it commands to retrieve meta-info about
>> files, contents of file, etc...
>
> Right. But maybe we could offer a Tramp method "sudoedit", which behaves
> differently. If somebody opens "C-x C-f /sudoedit::/etc/passwd", Tramp
> starts in the background the process "env EDITOR=emacsclient sudoedit
> /etc/passwd" (plus fiddling with `server-start', password handling, and
> alike). Nothing else but just editing the file, and saving it, would be
> possible.
>
> Don't know what it means for implementation, because visiting a file is
> more than just calling `insert-file-contents'. Handlers for all the
> other magic file operations should return proper results, w/o running a
> shell under root permissions.

I gave it a try. I could make `insert-file-contents' and `write-region'
run based on emacsclient, but it wasn't mature enough. So I have
implemented the "sudoedit" method by applying a respective sudo call for
everything. It isn't using the sudoedit command any longer, but I kept
the method name, because it behaves similar. If it confuses people too
much, we could change the name.

Contrary to the "sudo" method, it is applicable only to the local host,
and it cannot be used in multi-hop methods. Furthermore, it has a worse
performance than "sudo", especially for large directories like "/etc",
visited with `dired'. Maybe this could be improved by a native
implementation of `directory-files-and-attributes' and `insert-directory'.

But it keeps the security promise, not to run a shell in the background
with other user credentials, which could be attacked by malicious code.

Pushed to master. What do people think?

>>         Stefan

Best regards, Michael.



^ permalink raw reply	[flat|nested] 21+ messages in thread

end of thread, other threads:[~2018-12-16 15:24 UTC | newest]

Thread overview: 21+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <CALDnm52oYOV_kPWZH62ub8seM4uug-GH68ywgXGJfDAbG7_4Xg@mail.gmail.com>
     [not found] ` <87ftvwdcdw.fsf@gmx.de>
     [not found]   ` <CALDnm51fhzD48-40-t04KU9S19Lz8_sf8Y=pKZbnSHR+tbCgTQ@mail.gmail.com>
     [not found]     ` <87bm6kdb68.fsf@gmx.de>
     [not found]       ` <CALDnm53tX4vFz4CH=P27_dUt=9dXWMrE7xdTz3iZuqybsndygg@mail.gmail.com>
     [not found]         ` <jwvmuq4zqsz.fsf-monnier+emacs@gnu.org>
     [not found]           ` <CALDnm52moQthtMvSEw2ELWjZg3yJ8jypG=TBLgSsdr6R8ru0Aw@mail.gmail.com>
     [not found]             ` <87bm6kyxc3.fsf@gmx.de>
     [not found]               ` <CALDnm5211UDT_pW-HzgnRb5dQtnCZSgN+GRGHYM1hPVAjBWavA@mail.gmail.com>
     [not found]                 ` <87k1l83yd3.fsf@gmx.de>
     [not found]                   ` <CALDnm52KU0wNd3Sd-7m78JrPcLsiNuZ8hQxcTs3PgDNG7+0a0g@mail.gmail.com>
     [not found]                     ` <87o9ajvost.fsf@gmx.de>
2018-11-20 14:13                       ` sudo:: method in tramp possible security issue João Távora
2018-11-20 21:14                         ` Paul Eggert
2018-11-20 21:18                           ` Stefan Monnier
2018-11-20 21:25                             ` Paul Eggert
2018-11-20 21:44                               ` Stefan Monnier
2018-11-20 22:06                               ` Michael Albinus
2018-11-20 22:27                                 ` João Távora
2018-11-20 23:12                                   ` Stefan Monnier
2018-11-21  7:41                                   ` Michael Albinus
2018-11-21 12:26                                     ` Michael Albinus
2018-11-21 12:44                                     ` Filipp Gunbin
2018-11-21 12:51                                       ` Michael Albinus
2018-11-21 14:44                                     ` John Shahid
2018-11-21 14:52                                       ` Michael Albinus
2018-11-21 14:55                                         ` John Shahid
2018-11-21 15:07                                           ` Michael Albinus
2018-11-20 22:16                           ` Michael Albinus
2018-11-20 22:30                         ` Michael Albinus
2018-11-20 22:54                           ` João Távora
2018-11-21  7:49                             ` Michael Albinus
     [not found]           ` <87ftvwyxh7.fsf@gmx.de>
2018-12-16 15:24             ` Tramp sudoedit method (was: sudo:: method in tramp possible security issue) Michael Albinus

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).