* How do I report security issue?
From: Kenneth Wyatt @ 2021-07-11 9:18 UTC (permalink / raw)
To: emacs-devel
Hi guys,

I found a very simple way to get sudo/root shell in Emacs without
passing a password check for launching the shell. While it does rely on
actions by a user who does know the sudo password, once these actions
are taken, an unattended terminal can be used to gain full sudo shell
session with (from what I can tell) no timeout on one's ability to do so.

Unsure exactly where to report this as the public bugtracker seems
inappropriate even if reporting it seems unlikely to result in
widespread in-the-wild use.

It's totally possible this is also "as intended" behaviour, but that
seems unlikely, and if it is, I think changing the default behaviour
would be the responsible thing to do. I'm sure I'm not the first person
to discover this, but an admittedly cursory search didn't turn up
discussion online.

Could someone direct me where to report the replication steps in a
responsible manner?

Thanks so much,

Kenneth
* Re: How do I report security issue?
From: Michael Albinus @ 2021-07-11 11:26 UTC (permalink / raw)
To: Kenneth Wyatt; +Cc: emacs-devel
Kenneth Wyatt <soy.el.gato.negro@gmail.com> writes:
> Hi guys,
Hi Kenneth,
> I found a very simple way to get sudo/root shell in Emacs without
> passing a password check for launching the shell. While it does rely
> on actions by a user who does know the sudo password, once these
> actions are taken, an unattended terminal can be used to gain full
> sudo shell session with (from what I can tell) no timeout on one's
> ability to do so.
>
> Unsure exactly where to report this as the public bugtracker seems
> inappropriate even if reporting it seems unlikely to result in
> widespread in-the-wild use.
>
> It's totally possible this is also "as intended" behaviour, but that
> seems unlikely, and if it is, I think changing the default behaviour
> would be the responsible thing to do. I'm sure I'm not the first
> person to discover this, but an admittedly cursory search didn't turn
> up discussion online.
>
> Could someone direct me where to report the replication steps in a
> responsible manner?

I suppose you mean Tramp's sudo method. Yes, this has been discussed
already. We made some countermeasures:

- For sudo (and doas) methods, there is a session timeout of 300
  seconds. That is, after that time of inactivity you must enter the
  password again. This behaviour is similar to a sudo call in a shell.

- If you are still concerned, there is the Tramp sudoedit method. This
  does not keep an open session running in the background.

For further discussion of Tramp problems, I might be the person to
contact, 'cos I'm the Tramp maintainer.

If you do not mean Tramp, I recommend contacting one of the Emacs
maintainers directly. These are Eli Zaretskii <eliz@gnu.org> and Lars
Ingebrigtsen <larsi@gnus.org>.

> Thanks so much,
>
> Kenneth
Best regards, Michael.