From: Eshel Yaron
Newsgroups: gmane.emacs.devel
Subject: Re: Emacs Arbitrary Code Execution and How to Avoid It
Date: Wed, 11 Dec 2024 09:35:25 +0100
References: <878qswfya2.fsf@librehacker.com> <87v7vzh4l1.fsf@stebalien.com>
To: Daniel Radetsky
Cc: Richard Stallman, Jean Louis, steven@stebalien.com, christopher@librehacker.com, emacs-devel@gnu.org
In-Reply-To: (Daniel Radetsky's message of "Tue, 10 Dec 2024 10:03:52 -0800")

Hi,

Daniel Radetsky writes:

> On Fri, Dec 06, 2024 at 11:23:20PM -0500, Richard Stallman wrote:
>> [[[ To any NSA and FBI agents reading my email: please consider ]]]
>> [[[ whether defending the US Constitution against all enemies, ]]]
>> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>>
>> > I get it, though similar concepts are in many editors. As you said,
>> > "if flymake is enabled", which means that a user enabling flymake should
>> > get informed of it.
>>
>> I firmly disagree. For Emacs to spontaneously execute code in files
>> that users did not say should be executed is simply unacceptable.
>
> As I understand it, the issue is that the user has already
> said "execute elisp code in any elisp-mode files," and that
> it is common for the user to have said this.

That's not quite right. Users do not say "execute arbitrary ELisp in any
elisp-mode buffer". They often say something like "diagnose issues (e.g.
with Flymake) in all such buffers". The fact that this feature involves
arbitrary code execution is a security defect, not a necessity. Moreover,
Emacs never mentions (in the docs, warnings, or otherwise) that using this
feature comes with the risk of arbitrary code execution.

> This is why the reporter mentioned that popular emacs distros like
> doom enable this behavior by default. I don't believe there was any
> suggestion that vanilla emacs allowed this.

Not exactly: even in "vanilla" emacs -Q, macro expansion is unsafe, and
important features rely on macro expansion. emacs -Q is only safer in the
sense that it doesn't enable these important features automatically. But
they remain important for anybody who actually wants to use Emacs to edit
ELisp.

>> Warning users that this may happen is not sufficient -- we need to
>> _fix_ the problem.
>
> If the user has already asked emacs to execute elisp, the
> only thing that could IMO count as a fix is to _prevent_
> them from doing this. Or at least to require that they
> reconfirm that this is what they want when emacs wants to
> execute the elisp, like with disabled commands.

Emacs could (and should) facilitate safe macro expansion, so features that
require macro expansion could carry on without exposing the user to such
hazards. Safe macro expansion means restricting the set of things that
macros can do (sandboxing), such as denying network access. For example,
SWI-Prolog has a nice safe mode for executing untrusted code, see
https://www.swi-prolog.org/pldoc/doc/_SWI_/library/sandbox.pl

Best,
Eshel
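An added illustration of the point made in this message (it is not code from the thread or from Emacs): expanding a macro use runs the macro's expander body, so a diagnostic pass that only expands forms is already executing code from the file. The macro, the log variable and the `demo-` functions are constructed for the demo; `macroexpand-all` and its optional ENVIRONMENT argument are the real Emacs primitives.

```elisp
;; Constructed for this illustration; not part of Emacs or of the thread.
(defvar demo-expansion-log nil
  "What ran while forms were merely *expanded*, never evaluated.")

(defmacro demo-noisy-macro (x)
  "Macro whose expander has a harmless side effect: it logs X.
In a real file this body could do anything the Emacs process can do."
  (push (list 'expanded-with x) demo-expansion-log)
  `(list ,x))

(defun demo-expand-form (form)
  "Expand FORM the way a lint or compile pass would, without evaluating it.
Returns the expansion; any expander side effects happen as a by-product."
  (macroexpand-all form))

;; Expansion alone, no `eval', still runs the expander body:
(demo-expand-form '(demo-noisy-macro 42))
;; demo-expansion-log is now ((expanded-with 42)).

(defun demo-expand-form-restricted (form blocked)
  "Expand FORM while refusing to run the expanders of macros named in BLOCKED.
Uses the ENVIRONMENT argument of `macroexpand-all', which takes precedence
over the macros' real definitions: each blocked name maps to a stub that
returns the placeholder form (quote blocked) instead of expanding.
Caveat: this is a deny-list, not a sandbox; it only covers macros you
already know about, so a macro defined in the file itself still runs
unless it is listed here."
  (macroexpand-all
   form
   (mapcar (lambda (name)
             (cons name (lambda (&rest _args) ''blocked)))
           blocked)))

;; With the macro blocked, the log does not grow and the result is a stub:
(setq demo-expansion-log nil)
(demo-expand-form-restricted '(demo-noisy-macro 42) '(demo-noisy-macro))
;; => (quote blocked), and demo-expansion-log is still nil.
```

Evaluate the buffer in an `emacs -Q` session to see the difference: the unrestricted expansion populates `demo-expansion-log`, the restricted one leaves it empty.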