From: Richard Stallman <rms@gnu.org>
Cc: halley@play-bow.org
Subject: Re: expressions
Date: Wed, 08 Jan 2003 03:00:04 -0500 [thread overview]
Message-ID: <E18WB88-0004iV-00@fencepost.gnu.org> (raw)
In-Reply-To: <20030107115325.GA475@think.thunk.org> (message from Theodore Ts'o on Tue, 7 Jan 2003 06:53:26 -0500)
Although granted adding the ability to server.el to evaluate arbitrary
LISP expression becomes a security disaster, even without that, users
who have enable-local-variables set to t and who run server.el are in
trouble --- since an attacker can ask emacs to open an arbitrary file
created by the attacker, and the local variables in the file can
contain arbitrary lisp expressions.
That's true, but enable-local-variables is nil by default.
So this change would really make the problem considerably more
likely.
(BTW, Note that one way of dealing with the temp cleaner problem would
be to have the emacsserver binary periodically wake up every so often,
and try touching the containing directory and socket. If they have
disappeared, the binary could recreate them.)
I thin the current code has the same problem--it makes no attempt
to cope if you clean /tmp. I guess it would be nice to add this
facility to try to cope.
I was worried about whether clearing /tmp might fail to delete
subdirs. ISTR there was such a problem in the past. Maybe not now.
Another thought --- if we're willing to bag backwards compatibility
altogether, a friend recently pointed me at the existence of another
package, gnuserv/gnuclient, which does most of what I had wanted.
I think there are problems getting papers for that.
I don't remember the details, though. Maybe we could implement
whatever security feature it has. How does that work?
next prev parent reply other threads:[~2003-01-08 8:00 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <E18UCGO-0002vU-00@snap.thunk.org>
2003-01-05 18:34 ` expressions Richard Stallman
2003-01-05 19:55 ` expressions Bob Halley
2003-01-06 0:49 ` expressions Kim F. Storm
2003-01-06 1:55 ` expressions Bob Halley
2003-01-06 20:06 ` expressions chad
2003-01-06 20:32 ` expressions Bob Halley
2003-01-07 10:11 ` expressions Kim F. Storm
2003-01-07 19:23 ` expressions Luc Teirlinck
2003-01-11 19:48 ` expressions Stefan Monnier
2003-01-07 10:14 ` expressions Kai Großjohann
2003-01-06 17:13 ` expressions Richard Stallman
2003-01-06 20:37 ` expressions Bob Halley
2003-01-08 21:00 ` expressions Andreas Schwab
2003-01-07 11:53 ` expressions Theodore Ts'o
2003-01-08 8:00 ` Richard Stallman [this message]
2003-01-11 19:47 ` expressions Stefan Monnier
2003-01-08 13:50 ` Suggested enhancement: allow emacsclient to send arbitrary LISP expressions Kim F. Storm
2003-01-09 23:13 ` Richard Stallman
2003-01-13 21:08 ` Theodore Ts'o
2003-01-14 18:55 ` Richard Stallman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=E18WB88-0004iV-00@fencepost.gnu.org \
--to=rms@gnu.org \
--cc=halley@play-bow.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).