From: Robin Tarsiger
Newsgroups: gmane.emacs.devel
To: emacs-devel@gnu.org
Subject: Re: Access control in Emacs?
Date: Wed, 15 Sep 2021 15:21:34 -0500
List-Id: "Emacs development discussions."
Xref: news.gmane.io gmane.emacs.devel:274776

Stefan Monnier wrote:
>> I’m adding more powerful features to crdt.el including buffer local variable
>> synchronizations and arbitrary remote command/function call,
>
> Given the way Emacs is designed/structured this is a recipe for big
> gaping security holes. It can be OK to allow such things for *very*
> specific cases (a few specific well understood variables), but even such
> a "whitelist" is a problem because it requires careful and
> long term maintenance.

For the buffer-local variables specifically, we do already have
safe-local-variable-p which might cover a number of cases---and that's
already used for loading variables from untrusted files. That said, that
mechanism is still dangerous on an absolute scale and has had security
holes in the past (one of which I PoC'd and reported myself decades ago,
though I can't find it now). Remote commands would be even more
dangerously tricky to get right, especially in the absence of ground-up
infrastructure for it.

-RTT
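As an added illustration of the mechanism Robin refers to (this is example code, not part of crdt.el, Emacs, or the thread): the file-local-variable machinery in files.el exposes two predicates, `safe-local-variable-p` (accepts a (SYM . VAL) pair only if SYM carries a `safe-local-variable` predicate that accepts VAL, or the pair is listed in `safe-local-variable-values`) and `risky-local-variable-p` (true for symbols flagged `risky-local-variable` or whose names end in `-hook`, `-function`, `-command`, `-map`, and similar). A collaboration layer could reuse both to gate buffer-local assignments arriving from a peer. The function names `my-remote-var-safe-p`, `my-filter-remote-vars` and the sample alist `my-sample-remote-vars` are hypothetical; the peer payload is constructed for the example.

```elisp
;;; Added example: gating peer-supplied buffer-local variable updates
;;; with Emacs's own file-local-variable safety predicates.
;;; `safe-local-variable-p' and `risky-local-variable-p' live in
;;; files.el, which is preloaded, so nothing needs to be required.

(defun my-remote-var-safe-p (sym val)
  "Non-nil if setting SYM buffer-locally to VAL is acceptable from a peer.
Hypothetical helper.  Rejects anything Emacs already treats as risky
\(hooks, -function/-command variables, `mode-line-format', ...), and
otherwise requires that SYM has a `safe-local-variable' predicate which
accepts VAL, or that (SYM . VAL) is in `safe-local-variable-values'.
Note that this validates the *value*; it says nothing about whether a
remote peer should be allowed to touch SYM at all."
  (and (symbolp sym)
       (not (risky-local-variable-p sym))
       ;; `safe-local-variable-p' runs the predicate under
       ;; `with-demoted-errors', so a predicate that signals counts as
       ;; a rejection rather than an error in the network handler.
       (safe-local-variable-p sym val)))

(defun my-filter-remote-vars (pairs)
  "Partition PAIRS, an alist of (SYMBOL . VALUE) received from a peer.
Hypothetical helper.  Returns (ACCEPTED . REJECTED), both alists in
the original order, so the caller can apply ACCEPTED with
`setq-local' and log REJECTED."
  (let (accepted rejected)
    (dolist (pair pairs)
      (if (and (consp pair)
               (my-remote-var-safe-p (car pair) (cdr pair)))
          (push pair accepted)
        (push pair rejected)))
    (cons (nreverse accepted) (nreverse rejected))))

;; Constructed sample payload, as a peer might send it.  Comments give
;; the rule each entry exercises:
(defvar my-sample-remote-vars
  '((fill-column . 72)          ; `fill-column' is declared safe via `integerp'
    (fill-column . "72")        ; same variable, value fails `integerp'
    (indent-tabs-mode . nil)    ; declared safe via `booleanp'
    (mode-line-format . ("%e" (:eval (shell-command-to-string "id"))))
                                ; carries the `risky-local-variable' property
    (after-save-hook . (my-evil-fn))
                                ; name matches the risky `-hook$' pattern
    (some-undeclared-var . 1))  ; no `safe-local-variable' predicate at all
  "Constructed example of a peer's variable-sync message.")

(defun my-apply-remote-vars (pairs)
  "Apply the accepted subset of PAIRS in the current buffer.
Hypothetical helper.  Returns the rejected subset so it can be reported."
  (let ((result (my-filter-remote-vars pairs)))
    (dolist (pair (car result))
      (set (make-local-variable (car pair)) (cdr pair)))
    (cdr result)))

;; Usage, e.g. from a scratch buffer:
;;   (my-filter-remote-vars my-sample-remote-vars)
;;   (my-apply-remote-vars my-sample-remote-vars)
```

Two caveats a practitioner should carry forward from the thread. First, `safe-local-variable-p` consults `safe-local-variable-values`, the list populated when the user answers "y" to a prompt about a *file* they opened; reusing it here means approvals granted for one file silently extend to any peer. Second, the check is only as good as the `safe-local-variable` predicates and the risky-name pattern, which is exactly the whitelist-maintenance burden Stefan describes: a new variable with a too-permissive predicate, or a dangerous variable whose name does not match the pattern, widens the hole without any change to this code.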