all messages for Emacs-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* How do I report security issue?
@ 2021-07-11  9:18 Kenneth Wyatt
  2021-07-11 11:26 ` Michael Albinus
  0 siblings, 1 reply; 2+ messages in thread
From: Kenneth Wyatt @ 2021-07-11  9:18 UTC (permalink / raw)
  To: emacs-devel

Hi guys,

I found a very simple way to get sudo/root shell in Emacs without 
passing a password check for launching the shell. While it does rely on 
actions by a user who does know the sudo password, once these actions 
are taken, an unattended terminal can be used to gain full sudo shell 
session with (from what I can tell) no timeout on one's ability to do so.

Unsure exactly where to report this as the public bugtracker seems 
inappropriate even if reporting it seems unlikely to result in 
widespread in-the-wild use.

It's totally possible this is also "as intended" behaviour, but that 
seems unlikely, and if it is, I think changing the default behaviour 
would be the responsible thing to do. I'm sure I'm not the first person 
to discover this, but an admittedly cursory search didn't turn up 
discussion online.

Could someone direct me where to report the replication steps in a 
responsible manner?

Thanks so much,

Kenneth





^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: How do I report security issue?
  2021-07-11  9:18 How do I report security issue? Kenneth Wyatt
@ 2021-07-11 11:26 ` Michael Albinus
  0 siblings, 0 replies; 2+ messages in thread
From: Michael Albinus @ 2021-07-11 11:26 UTC (permalink / raw)
  To: Kenneth Wyatt; +Cc: emacs-devel

Kenneth Wyatt <soy.el.gato.negro@gmail.com> writes:

> Hi guys,

Hi Kenneth,

> I found a very simple way to get sudo/root shell in Emacs without
> passing a password check for launching the shell. While it does rely
> on actions by a user who does know the sudo password, once these
> actions are taken, an unattended terminal can be used to gain full
> sudo shell session with (from what I can tell) no timeout on one's
> ability to do so.
>
> Unsure exactly where to report this as the public bugtracker seems
> inappropriate even if reporting it seems unlikely to result in
> widespread in-the-wild use.
>
> It's totally possible this is also "as intended" behaviour, but that
> seems unlikely, and if it is, I think changing the default behaviour
> would be the responsible thing to do. I'm sure I'm not the first
> person to discover this, but an admittedly cursory search didn't turn
> up discussion online.
>
> Could someone direct me where to report the replication steps in a
> responsible manner?

I suppose you mean Tramp's sudo method. Yes, this has been discussed
already. We made some counter measures:

- For sudo (and doas) methods, there is a session timeout of 300
  seconds. That is, after that time of inactivity you must enter the
  password, again. This behaviour is similar to a sudo call in a shell.

- If you are still concerned, there is the Tramp sudoedit method. This
  does not keep an open session running in the background.

For further discussion of Tramp problems, I might be the person to
contact, 'cos I'm the Tramp maintainer.

If you do not mean Tramp, I recommend to contact one of the Emacs
maintainers directly. These are Eli Zaretskii <eliz@gnu.org> and Lars
Ingebrigtsen  <larsi@gnus.org>.

> Thanks so much,
>
> Kenneth

Best regards, Michael.



^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2021-07-11 11:26 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-07-11  9:18 How do I report security issue? Kenneth Wyatt
2021-07-11 11:26 ` Michael Albinus

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/emacs.git
	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.