From: Paul Eggert
Newsgroups: gmane.emacs.devel
Subject: Re: [PATCH] Add shell-quasiquote.
Date: Wed, 21 Oct 2015 20:35:45 -0700
Organization: UCLA Computer Science Department
Message-ID: <56285991.5040004@cs.ucla.edu>
In-Reply-To: <87k2qhgyk1.fsf@T420.taylan>
To: Taylan Ulrich Bayırlı/Kammer
Cc: emacs-devel@gnu.org
On 10/20/2015 11:55 AM, Taylan Ulrich Bayırlı/Kammer wrote:
> Paul Eggert writes:
>
>> Taylan Ulrich Bayırlı/Kammer wrote:
>>>> I must have missed it then, because all I remember are the cases (1)
>>>> of running /bin/if (which is trivial and is not a realistic example),
>>>> and (2) of installations with nonstandard shells (a problem that
>>>> shqq--quote-string does not fix). It has been a long thread; quite
>>>> possibly I missed something.
>>>
>>> Yeah, you missed the part about risk of code injection. :-)
>>
>> Code injection occurs because of (2), right? So it's not a risk that
>> shqq--quote-string would put much of a dent in.
>
> Sorry, no, that's not the problem.
>
> So after four days of incredibly tiresome repetition, people still don't
> understand the basic issue.

That's right, we don't. At least, I don't, and your recent responses
haven't clarified things for me. That being said, I guessed as to what
you're driving at, and installed the attached patch into the Emacs
master. Although the new documentation section is pretty sketchy,
perhaps it can be fleshed out by people who have more time to worry
about this sort of thing.

Attachment: 0001-New-lispref-section-Security-Considerations.patch

From 71de784f1a14200b83049e359a9b009eddbceb94 Mon Sep 17 00:00:00 2001
From: Paul Eggert Date: Wed, 21 Oct 2015 20:22:34 -0700 Subject: [PATCH 1/2] =?UTF-8?q?New=20lispref=20section=20=E2=80=9CSecurity?= =?UTF-8?q?=20Considerations=E2=80=9D?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This attempts to document some of the issues recently discussed on emacs-devel, and to indicate other such issues. The section could be a lot longer. * doc/lispref/os.texi (Security Considerations): New node. * doc/lispref/elisp.texi (Top): * doc/lispref/processes.texi (Shell Arguments): * lisp/subr.el (shell-quote-argument): * src/callproc.c (syms_of_callproc): Reference it. --- doc/lispref/elisp.texi | 1 + doc/lispref/os.texi | 104 +++++++++++++++++++++++++++++++++++++++++++++ doc/lispref/processes.texi | 2 +- lisp/subr.el | 3 +- src/callproc.c | 2 +- 5 files changed, 109 insertions(+), 3 deletions(-) diff --git a/doc/lispref/elisp.texi b/doc/lispref/elisp.texi index 5ca518e..2d3548f 100644 --- a/doc/lispref/elisp.texi +++ b/doc/lispref/elisp.texi @@ -1487,6 +1487,7 @@ Top * Desktop Notifications:: Desktop notifications. * File Notifications:: File notifications. * Dynamic Libraries:: On-demand loading of support libraries. +* Security Considerations:: Running Emacs in an unfriendly environment. Starting Up Emacs diff --git a/doc/lispref/os.texi b/doc/lispref/os.texi index 204055d..1925bd5 100644 --- a/doc/lispref/os.texi +++ b/doc/lispref/os.texi @@ -37,6 +37,7 @@ System Interface * Desktop Notifications:: Desktop notifications. * File Notifications:: File notifications. * Dynamic Libraries:: On-demand loading of support libraries. +* Security Considerations:: Running Emacs in an unfriendly environment. @end menu @node Starting Up 
@@ -2760,3 +2761,106 @@ Dynamic Libraries This variable is ignored if the given @var{library} is statically linked into Emacs. @end defvar + +@node Security Considerations +@section Security Considerations +@cindex security +@cindex hardening + +Like any application, Emacs can be run in a secure environment, where +the operating system enforces rules about access and the like. With +some care, Emacs-based applications can also be part of a security +perimeter that checks such rules. Although the default settings for +Emacs work well for a typical software development environment, they +may require adjustment in environments containing untrusted users that +may include attackers. Here is a compendium of security issues that +may be helpful if you are developing such applications. It is by no +means complete; it is intended to give you an idea of the security +issues involved, rather than to be a security checklist. + +@table @asis +@item Access control +Although Emacs normally respects access permissions of the underlying +operating system, in some cases it handles accesses specially. For +example, file names can have handlers that treat the files specially, +with their own access checking. @xref{Magic File Names}. Also, a +buffer can be read-only even if the corresponding file is writeable, +and vice versa, which can result in messages such as @samp{File passwd +is write-protected; try to save anyway? (yes or no)}. @xref{Read Only +Buffers}. + +@item Authentication +Emacs has several functions that deal with passwords, e.g., +@code{password-read}. Although these functions do not attempt to +broadcast passwords to the world, their implementations are not proof +against determined attackers with access to Emacs internals. For +example, even if Elisp code attempts to scrub a password from +its memory after using it, remnants of the password may still reside +in the garbage-collected free list. 
+ +@item Code injection +Emacs can send commands to many other applications, and applications +should take care that strings sent as operands of these commands are +not misinterpreted as directives. For example, when sending a shell +command to rename a file @var{a} to @var{b}, do not simply use the +string @code{mv @var{a} @var{b}}, because either file name might start +with @samp{-}, or might contain shell metacharacters like @samp{;}. +Although functions like @code{shell-quote-argument} can help avoid +this sort of problem, they are not panaceas; for example, on a POSIX +platform @code{shell-quote-argument} quotes shell metacharacters but +not leading @samp{-}. @xref{Shell Arguments}. + +@item Coding systems +Emacs attempts to infer the coding systems of the files and network +connections it accesses. If it makes a mistake, or if the other +parties to the network connection disagree with Emacs's deductions, +the resulting system could be unreliable. Also, even when it infers +correctly, Emacs often can use bytes that other programs cannot. For +example, although to Emacs the NUL (all bits zero) byte is just a +character like any other, many other applications treat it as a string +terminator and mishandle strings or files containing NUL bytes. + +@item Environment and configuration variables +POSIX specifies several environment variables that can affect how +Emacs behaves. Any environment variable whose name consists entirely +of uppercase ASCII letters, digits, and the underscore may affect the +internal behavior of Emacs. Emacs uses several such variables, e.g., +@env{EMACSLOADPATH}. @xref{Library Search}. On some platforms some +environment variables (e.g., @env{PATH}, @env{POSIXLY_CORRECT}, +@env{SHELL}, @env{TMPDIR}) need to have properly-configured values in +order to get standard behavior for any utility Emacs might invoke. +Even seemingly-benign variables like @env{TZ} may have security +implications. 
+ +Emacs has customization and other variables with similar +considerations. For example, if the variable @code{shell-file-name} +specifies a shell with nonstandard behavior, an Emacs-based +application may misbehave. + +@item Installation +When Emacs is installed, if the installation directory hierarchy can +be modified by untrusted users, the application cannot be trusted. +This applies also to the directory hierarchies of the programs that +Emacs uses, and of the files that Emacs reads and writes. + +@item Network access +Emacs often accesses the network, and you may want to configure it to +avoid network accesses that it would normally do. For example, unless +you set @code{tramp-mode} to @code{nil}, file names using a certain +syntax are interpreted as being network files, and are retrieved +across the network. @xref{Top, The Tramp Manual,, tramp, The Tramp +Manual}. + +@item Race conditions +Emacs applications have the same sort of race-condition issues that +other applications do. For example, even when +@code{(file-readable-p "foo.txt")} returns @code{t}, it could be that +@file{foo.txt} is unreadable because some other program changed the +file's permissions between the call to @code{file-readable-p} and now. + +@item Resource limits +When Emacs exhausts memory or other operating system resources, its +behavior can be less reliable, in that computations that ordinarily +run to completion may abort back to the top level. This may cause +Emacs to neglect operations that it normally would have done. +@end table diff --git a/doc/lispref/processes.texi b/doc/lispref/processes.texi index 196cb7c..0ce696a 100644 --- a/doc/lispref/processes.texi +++ b/doc/lispref/processes.texi 
@@ -180,7 +180,7 @@ Shell Arguments Precisely what this function does depends on your operating system. The function is designed to work with the syntax of your system's standard shell; if you use an unusual shell, you will need to redefine this -function. +function. @xref{Security Considerations}. @example ;; @r{This example shows the behavior on GNU and Unix systems.} diff --git a/lisp/subr.el b/lisp/subr.el index c903ee3..ea926ae 100644 --- a/lisp/subr.el +++ b/lisp/subr.el @@ -2714,7 +2714,8 @@ shell-quote-argument "Quote ARGUMENT for passing as argument to an inferior shell. This function is designed to work with the syntax of your system's -standard shell, and might produce incorrect results with unusual shells." +standard shell, and might produce incorrect results with unusual shells. +See Info node `(elisp)Security Considerations'." (cond ((eq system-type 'ms-dos) ;; Quote using double quotes, but escape any existing quotes in diff --git a/src/callproc.c b/src/callproc.c index eafd621..bb21c35 100644 --- a/src/callproc.c +++ b/src/callproc.c @@ -1660,7 +1660,7 @@ syms_of_callproc (void) DEFVAR_LISP ("shell-file-name", Vshell_file_name, doc: /* File name to load inferior shells from. Initialized from the SHELL environment variable, or to a system-dependent -default if SHELL is not set. */); +default if SHELL is unset. See Info node `(elisp)Security Considerations'. */); DEFVAR_LISP ("exec-path", Vexec_path, doc: /* List of directories to search programs to run in subprocesses. -- 2.1.0 --------------060509010609020403030205--
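Review bot: in the new os.texi "Security Considerations" hunk, the Code injection item warns that on POSIX platforms shell-quote-argument leaves a leading @samp{-} unquoted, but it stops there and gives the reader no remedy, so the item reads as a warning without a fix. Suggest adding a sentence such as: "Where the invoked utility supports it, put the @samp{--} end-of-options marker before the operands, e.g., @code{mv -- @var{a} @var{b}}, or avoid the shell altogether by handing the subprocess an argument list rather than a command string." The Race conditions item in the same hunk would likewise be stronger if it named the usual mitigation: attempt the operation and handle the resulting error, rather than checking with @code{file-readable-p} and then acting on a result that may already be stale.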
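Review bot: the callproc.c hunk reworded "default if SHELL is not set" to "default if SHELL is unset" on the same line where the cross-reference to Info node `(elisp)Security Considerations' was added; that rewording is unrelated to the commit's stated purpose and is not mentioned in the commit message, so either drop it or call it out in the log so the two changes are not conflated in later history.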