all messages for Emacs-related lists mirrored at yhetil.org
* bug#48676: Arbitrary code execution in Org export macros
From: Glenn Morris @ 2021-05-26 15:52 UTC
  To: 48676

Package: emacs,org-mode
Version: 28.0.50
Severity: important
Tags: security

emacs -Q hello.org, where hello.org contains:

#+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
Hello. {{{hello}}}

Then:
M-x org-export-dispatch
t A

-> now /tmp/HELLO exists, with no prompting.

This seems contrary to normal Emacs practice for risky local variables,
and to the section "Code Evaluation and Security Issues" in the Org manual
(which does not mention macros).







* bug#48676: Arbitrary code execution in Org export macros
From: Timothy @ 2021-05-26 17:07 UTC
  To: Glenn Morris; +Cc: 48676


Thanks for reporting this.

Glenn Morris <rgm@gnu.org> writes:

> This seems contrary to normal Emacs practice for risky local variables,

Hmm, correct me if I'm wrong but the issue with risky local variables is
that they affect Emacs before the user sees them in the file? If this is
an important distinction, it means this particular type of concern does
not apply to Org #+macro statements, as they are not executed when the
user opens the file.

That said, if one were making say an automated Org file exporter or
something, I could see this being problematic. Perhaps a var set to
allow macros by default could be a good idea.

> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).

Looks like this should be updated regardless of the above.

--
Timothy
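
For the automated-exporter case raised in the message above, a pre-export check can refuse files that define Lisp-evaluating macros. This is an added example, not part of the thread or of Org's own code: the function names and sample strings are assumptions, and the rule it applies (a macro template beginning with `(eval`) is taken from the reported file. It inspects only the text it is given.

```python
import re

# "#+macro: NAME TEMPLATE"; matched case-insensitively, leading blanks allowed.
MACRO_DEF = re.compile(r"^[ \t]*#\+macro:[ \t]+(\S+)[ \t]+(.*)$", re.I | re.M)
# "{{{NAME}}}" or "{{{NAME(args)}}}" reference in the document body.
MACRO_REF = re.compile(r"\{\{\{([A-Za-z][-\w]*)(?:\(.*?\))?\}\}\}", re.S)
# Template shape from the report: replacement text that begins with "(eval".
EVAL_TEMPLATE = re.compile(r"\(eval\b")


def find_eval_macros(org_text):
    """Return [(line_no, name, template, times_referenced)] for eval macros."""
    refs = {}
    for m in MACRO_REF.finditer(org_text):
        # Names are compared lower-cased so a reference is never under-counted.
        key = m.group(1).lower()
        refs[key] = refs.get(key, 0) + 1
    findings = []
    for m in MACRO_DEF.finditer(org_text):
        name, template = m.group(1), m.group(2).strip()
        if EVAL_TEMPLATE.match(template):
            line_no = org_text.count("\n", 0, m.start()) + 1
            findings.append((line_no, name, template, refs.get(name.lower(), 0)))
    return findings


def safe_to_export(org_text):
    """Gate for an unattended exporter: refuse files that define eval macros."""
    return not find_eval_macros(org_text)


# Constructed samples: the first is the file from the report.
REPORTED = (
    '#+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))\n'
    "Hello. {{{hello}}}\n"
)
BENIGN = "#+MACRO: greet Hello, $1!\n{{{greet(world)}}}\n"

if __name__ == "__main__":
    for label, text in (("reported", REPORTED), ("benign", BENIGN)):
        for line_no, name, template, uses in find_eval_macros(text):
            print(f"{label}: line {line_no}: macro {name!r} evaluates Lisp, "
                  f"referenced {uses} time(s): {template}")
        print(f"{label}: safe_to_export={safe_to_export(text)}")
```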







* bug#48676: Arbitrary code execution in Org export macros
From: Tom Gillespie @ 2021-05-26 18:00 UTC
  To: Timothy; +Cc: rgm, 48676

Hi Glenn,
     The definition for local variables doesn't cover things like org
macros, though the spirit of the policy is something worth keeping in
mind. Running M-x org-export-dispatch and hitting two keys means that
the user has to do something to trigger code execution, much like they
would have to intentionally accept certain risky local variables.

That said, the fact that many org operations can run arbitrary code is
definitely something that needs clearer documentation. It might make
sense to add a setting to detect closures that appear in org files to
ask for permission before running, but it likely should not be on by
default.

For a fairly extensive discussion of code execution in org see this
thread from Nov 2020.
https://orgmode.org/list/robi94$ma$1@ciao.gmane.io/#t
Best,
Tom







* Re: bug#48676: Arbitrary code execution in Org export macros
From: Tim Cross @ 2021-05-26 23:01 UTC
  To: emacs-orgmode


Glenn Morris <rgm@gnu.org> writes:

> Package: emacs,org-mode
> Version: 28.0.50
> Severity: important
> Tags: security
>
> emacs -Q hello.org, where hello.org contains:
>
> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
> Hello. {{{hello}}}
>
> Then:
> M-x org-export-dispatch
> t A
>
> -> now /tmp/HELLO exists, with no prompting.
>
> This seems contrary to normal Emacs practice for risky local variables,
> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).

I'm not quite sure if this is the same as the concern with risky local
file variables. The big difference is that with the local file
variables, without the default behaviour of asking for permission to
evaluate, the code would be evaluated simply by loading the file. With
the org file, nothing is evaluated when you load the file. The user has
to actively request for evaluation (via export or tangling).

I would agree the org manual should make it very clear that exporting
and tangling can result in macro evaluation, which could involve
evaluation of arbitrary code and the risks that can introduce. 

-- 
Tim Cross



* bug#48676: Arbitrary code execution in Org export macros
From: Greg Minshall @ 2021-05-27 2:54 UTC
  To: Glenn Morris; +Cc: 48676

Glenn,

thanks for the report.

i guess my take is that macro-evaluation, and that of other forms,
should be subject to the same restrictions as that of source block
evaluation.  i.e., prompting for permission to execute, subject to
=org-confirm-babel-evaluate= (or, more specific variables).

cheers, Greg

> Package: emacs,org-mode
> Version: 28.0.50
> Severity: important
> Tags: security
> 
> emacs -Q hello.org, where hello.org contains:
> 
> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
> Hello. {{{hello}}}
> 
> Then:
> M-x org-export-dispatch
> t A
> 
> -> now /tmp/HELLO exists, with no prompting.
> 
> This seems contrary to normal Emacs practice for risky local variables,
> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).






* bug#48676: Arbitrary code execution in Org export macros
From: Rafael Ramirez Morales @ 2021-05-27 7:02 UTC
  To: Glenn Morris; +Cc: 48676


Just a couple of questions:
who is the owner of the HELLO file?
OR
who is the owner of the "touch" process?

Is the owner the unprivileged user or the "emacs" system?

Thanks.

On Wed, 26 May 2021 at 17:53, Glenn Morris <rgm@gnu.org> wrote:

> Package: emacs,org-mode
> Version: 28.0.50
> Severity: important
> Tags: security
>
> emacs -Q hello.org, where hello.org contains:
>
> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
> Hello. {{{hello}}}
>
> Then:
> M-x org-export-dispatch
> t A
>
> -> now /tmp/HELLO exists, with no prompting.
>
> This seems contrary to normal Emacs practice for risky local variables,
> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).
>
>



* Re: bug#48676: Arbitrary code execution in Org export macros
From: Tim Cross @ 2021-05-27 12:55 UTC
  To: emacs-orgmode


Rafael Ramirez Morales <rafael.ramirezmorales@gmail.com> writes:

> Just a couple of questions:
> who is the owner of the HELLO file?
> OR
> who is the owner of the "touch" process?
>
> Is the owner the unprivileged user or the "emacs" system?
>
> Thanks.
>

Not clear exactly what you're asking. The process which will execute the
'touch' will be a sub-process of the process running Emacs. This will
typically be the user who executes Emacs and will have the same
permissions and access rights as the user running Emacs. There is no
'emacs' system and the privileges will be the same as the user who runs
Emacs. This is assuming a 'normal' installation, not some unusual setup
which uses setuid or similar to alter the way Emacs runs or the
ownership of files in a directory etc. 



* Re: bug#48676: Arbitrary code execution in Org export macros
From: Rafael Ramirez Morales @ 2021-05-27 13:35 UTC
  To: Tim Cross; +Cc: emacs-orgmode


Thanks, you managed to understand my question. I was wondering if there was
a risk of privilege escalation. Fortunately that seems not to be the case.


On Thu, 27 May 2021 at 15:13, Tim Cross <theophilusx@gmail.com> wrote:

>
> Rafael Ramirez Morales <rafael.ramirezmorales@gmail.com> writes:
>
> > Just a couple of questions:
> > who is the owner of the HELLO file?
> > OR
> > who is the owner of the "touch" process?
> >
> > Is the owner the unprivileged user or the "emacs" system?
> >
> > Thanks.
> >
>
> Not clear exactly what you're asking. The process which will execute the
> 'touch' will be a sub-process of the process running Emacs. This will
> typically be the user who executes Emacs and will have the same
> permissions and access rights as the user running Emacs. There is no
> 'emacs' system and the privileges will be the same as the user who runs
> Emacs. This is assuming a 'normal' installation, not some unusual setup
> which uses setuid or similar to alter the way Emacs runs or the
> ownership of files in a directory etc.
>
>


* bug#48676: Arbitrary code execution in Org export macros
From: Mike Kupfer @ 2022-06-21 0:37 UTC
  To: 48676

I just verified that this issue is still present in Emacs master
(4ae315f7c3).

mike




