From: Michael Albinus
Newsgroups: gmane.emacs.devel
Subject: Re: How do I report security issue?
Date: Sun, 11 Jul 2021 13:26:53 +0200
Message-ID: <875yxhdrb6.fsf@gmx.de>
References: <58d23d65-a7de-cc89-de47-22776316a330@gmail.com>
To: Kenneth Wyatt
Cc: emacs-devel@gnu.org

Kenneth Wyatt writes:

> Hi guys,

Hi Kenneth,

> I found a very simple way to get sudo/root shell in Emacs without
> passing a password check for launching the shell. While it does rely
> on actions by a user who does know the sudo password, once these
> actions are taken, an unattended terminal can be used to gain full
> sudo shell session with (from what I can tell) no timeout on one's
> ability to do so.
>
> Unsure exactly where to report this as the public bugtracker seems
> inappropriate even if reporting it seems unlikely to result in
> widespread in-the-wild use.
>
> It's totally possible this is also "as intended" behaviour, but that
> seems unlikely, and if it is, I think changing the default behaviour
> would be the responsible thing to do. I'm sure I'm not the first
> person to discover this, but an admittedly cursory search didn't turn
> up discussion online.
>
> Could someone direct me where to report the replication steps in a
> responsible manner?

I suppose you mean Tramp's sudo method. Yes, this has been discussed
already. We made some countermeasures:

- For sudo (and doas) methods, there is a session timeout of 300
  seconds. That is, after that time of inactivity you must enter the
  password again. This behaviour is similar to a sudo call in a shell.

- If you are still concerned, there is the Tramp sudoedit method. This
  does not keep an open session running in the background.

For further discussion of Tramp problems, I might be the person to
contact, 'cos I'm the Tramp maintainer.

If you do not mean Tramp, I recommend contacting one of the Emacs
maintainers directly.
These are Eli Zaretskii and Lars Ingebrigtsen.

> Thanks so much,
>
> Kenneth

Best regards, Michael.
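
The two countermeasures named in the reply above, as an init-file sketch. This is an added example, not part of the original message and not code from the Tramp maintainer; the `my/` function names and the values 60 and 120 are assumptions chosen for illustration.

```elisp
;; Added example.  The `my/' names and the numbers 60 and 120 are
;; illustrative assumptions, not Tramp defaults.
(require 'tramp)
(require 'tramp-cmds)

;; 1. Shorten the inactivity timeout for sudo and doas connections
;;    (300 seconds per the reply above) through the "session-timeout"
;;    connection property.  Applies to connections opened afterwards.
(dolist (method '("sudo" "doas"))
  (add-to-list 'tramp-connection-properties
               (list (concat "\\`/" method ":") "session-timeout" 60)))

;; 2. Close only the privileged connections, leaving ssh etc. untouched.
(defun my/tramp-drop-privileged-connections ()
  "Close every open Tramp sudo or doas connection and clear its password."
  (interactive)
  (dolist (vec (tramp-list-connections))
    (when (member (tramp-file-name-method vec) '("sudo" "doas"))
      ;; Without the optional KEEP-PASSWORD argument, the cached
      ;; password for this connection is cleared as well.
      (tramp-cleanup-connection vec))))

;; Run the cleanup after 120 seconds of Emacs idle time, so that a
;; terminal left unattended does not keep a root session open.
(run-with-idle-timer 120 t #'my/tramp-drop-privileged-connections)

;; 3. Edit a single file as root with the sudoedit method, which does
;;    not keep a session running in the background.
(defun my/find-file-sudoedit (file)
  "Visit local FILE through Tramp's sudoedit method."
  (interactive "FEdit as root: ")
  (find-file (concat "/sudoedit::" (expand-file-name file))))
```

`M-x my/tramp-drop-privileged-connections` can also be run by hand before stepping away from the terminal.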