From: Stefan Monnier
Newsgroups: gmane.emacs.devel
Subject: Re: Emacs RPC security
Date: Mon, 25 Apr 2011 14:35:49 -0300
To: Ted Zlatanov
Cc: emacs-devel@gnu.org
In-Reply-To: <87d3kal0za.fsf@lifelogs.com> (Ted Zlatanov's message of "Mon, 25 Apr 2011 12:00:57 -0500")

>>> Please, please implement this securely from the start. emacsclient is
>>> terribly insecure and we don't need to repeat that.
SM> Lars's proposal has nothing to do with the network communication level.
> If we're going to provide *RPC*, we should worry about security at all
> levels, not just at the transport level. Otherwise it's just "run any
> code remotely on an Emacs instance" which doesn't sound as fun, right?

Still unrelated to Lars's proposal. The corresponding security problem
already exists since Emacs-22.

> 1) authentication: the server should be able to verify the client's
> identity and the client should be able to verify the server's identity.
> This can be accomplished with SSL certificates and GnuTLS or by signing
> each message.

We currently have that via xauth-style cookies for TCP and via
Unix-based access rights for Unix sockets. Using GnuTLS for the TCP
connections could be a good idea as well: patches welcome.

> 2) authorization: the server should be able to associate each client
> identity with only certain functions it can invoke directly.

When such a need arises, we will think about it. In all the cases
I've seen until now, the Emacs server is only used by the same user as
the client, so there's not much point making the security structure so
complicated, right now.


        Stefan
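
The two mechanisms named in the reply above (a cookie for TCP, filesystem access rights for a Unix socket) only identify "the same user" if the cookie file or socket, and the directory holding it, are private to that user. The following is an added example, not code from this thread or from Emacs, that audits such a path; the file name `server` and the sample layout are constructed for the demonstration.

```python
import os
import stat
import tempfile


def audit_private_path(path, uid=None):
    """Return findings for a cookie file or Unix socket and its parent directory.

    An empty list means only `uid` can read the cookie or reach the socket.
    """
    uid = os.getuid() if uid is None else uid
    findings = []
    parent = os.path.dirname(os.path.abspath(path))
    for label, p in (("directory", parent), ("endpoint", path)):
        st = os.lstat(p)  # lstat: never follow a link placed by another account
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{label} {p}: is a symlink")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != uid:
            findings.append(f"{label} {p}: owner uid {st.st_uid}, expected {uid}")
        if mode & 0o077:
            findings.append(f"{label} {p}: mode {mode:04o} allows group/other")
    return findings


def demo():
    """Constructed layout: a private directory holding a stand-in cookie file."""
    base = tempfile.mkdtemp()                # mkdtemp creates the directory 0700
    cookie = os.path.join(base, "server")    # hypothetical file name
    with open(cookie, "w") as fh:
        fh.write("constructed-cookie-value\n")
    os.chmod(cookie, 0o600)
    clean = audit_private_path(cookie)       # private file in a private directory
    os.chmod(base, 0o755)                    # directory opened to other accounts
    os.chmod(cookie, 0o644)                  # cookie readable by other accounts
    loose = audit_private_path(cookie)
    return clean, loose


if __name__ == "__main__":
    clean, loose = demo()
    print("private layout:", clean)
    for finding in loose:
        print("finding:", finding)
```

The same function accepts a Unix socket path, since it inspects ownership and mode bits rather than file contents.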