From: Eshel Yaron <me@eshelyaron.com>
To: Daniel Radetsky <dradetsky@gmail.com>
Cc: Richard Stallman <rms@gnu.org>, Jean Louis <bugs@gnu.support>,
steven@stebalien.com, christopher@librehacker.com,
emacs-devel@gnu.org
Subject: Re: Emacs Arbitrary Code Execution and How to Avoid It
Date: Wed, 11 Dec 2024 09:35:25 +0100 [thread overview]
Message-ID: <m17c868vn6.fsf@macbookpro.home> (raw)
In-Reply-To: <hieyeh2wog3c3lp5inmjj3f7xihvumazxbr4xlourwhixuvsae@56ertl6mprml> (Daniel Radetsky's message of "Tue, 10 Dec 2024 10:03:52 -0800")
Hi,
Daniel Radetsky <dradetsky@gmail.com> writes:
> On Fri, Dec 06, 2024 at 11:23:20PM -0500, Richard Stallman wrote:
>> [[[ To any NSA and FBI agents reading my email: please consider ]]]
>> [[[ whether defending the US Constitution against all enemies, ]]]
>> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>>
>> > I get it, though similar concepts are in many editors. As you said,
>> > "if flymake is enabled" which means that user enabling flymake should
>> > get informed of it.
>>
>> I firmly disagree. For Emacs to spontaneously execute code in files
>> that users did not say should be executed is simply unaccetable.
>
> As I understand it, the issue is that the user has already
> said "execute elisp code in any elisp-mode files," and that
> it is common for the user to have said this.
That's not quite right. Users do not say "execute arbitrary ELisp in
any elisp-mode buffer". They often say something like "diagnose issues
(e.g. with Flymake) in all such buffers". The fact that this feature
involves arbitrary code execution is a security defect, not a necessity.
Moreover, Emacs never mentions (in the docs, warnings, or otherwise)
that using this feature comes with the risk of arbitrary code execution.
> This is why the reporter mentioned that popular emacs distros like
> doom enable this behavior by default. I don't believe there was any
> suggestion that vanilla emacs allowed this.
Not exactly: even in "vanilla" emacs -Q, macro expansion is unsafe, and
important features rely on macro expansion. emacs -Q is only safer in
the sense that it doesn't enable these important features automatically.
But they remain important for anybody that actually wants to use Emacs
to edit ELisp.
>> Warning users that this may happen is not sufficient -- we need to
>> _fix_ the problem.
>
> If the user has already asked emacs to execute elisp, the
> only thing that could IMO count as a fix is to _prevent_
> them from doing this. Or at least to require that they
> reconfirm that this is what they want when emacs wants to
> execute the elisp, like with disabled commands.
Emacs could (and should) facilitate safe macro expansion, so features
that require macro expansion could carry on without exposing the user to
such hazards.
Safe macro expansion means restricting the set of things that macros can
do (sandboxing), such as denying network access.
For example, SWI-Prolog has a nice safe mode for executing untrusted
code, see https://www.swi-prolog.org/pldoc/doc/_SWI_/library/sandbox.pl
Best,
Eshel
next prev parent reply other threads:[~2024-12-11 8:35 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-03 17:53 Emacs Arbitrary Code Execution and How to Avoid It Christopher Howard
2024-12-03 19:20 ` Gerd Möllmann
2024-12-03 20:25 ` Eshel Yaron
2024-12-08 5:10 ` Richard Stallman
2024-12-06 4:47 ` Richard Stallman
2024-12-06 8:30 ` Eli Zaretskii
2024-12-09 4:57 ` Richard Stallman
2024-12-09 13:59 ` Eli Zaretskii
2024-12-04 9:39 ` Jean Louis
2024-12-04 15:04 ` Steven Allen
2024-12-04 17:02 ` Jean Louis
2024-12-04 17:23 ` Christopher Howard
2024-12-07 4:23 ` Richard Stallman
2024-12-10 18:03 ` Daniel Radetsky
2024-12-11 8:35 ` Eshel Yaron [this message]
2024-12-11 9:25 ` Jean Louis
2024-12-11 9:37 ` Daniel Radetsky
2024-12-11 10:38 ` Jean Louis
2024-12-11 10:42 ` tomas
2024-12-11 12:50 ` Daniel Radetsky
2024-12-11 13:10 ` tomas
2024-12-12 4:48 ` Richard Stallman
2024-12-12 7:39 ` Jean Louis
2024-12-06 4:47 ` Richard Stallman
2024-12-06 5:30 ` Jim Porter
2024-12-06 8:32 ` Eli Zaretskii
2024-12-06 8:29 ` Eli Zaretskii
2024-12-06 16:51 ` Philip Kaludercic
2024-12-08 5:15 ` Richard Stallman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m17c868vn6.fsf@macbookpro.home \
--to=me@eshelyaron.com \
--cc=bugs@gnu.support \
--cc=christopher@librehacker.com \
--cc=dradetsky@gmail.com \
--cc=emacs-devel@gnu.org \
--cc=rms@gnu.org \
--cc=steven@stebalien.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).