From: Michael Albinus
Newsgroups: gmane.emacs.devel
Subject: Re: sudo:: method in tramp possible security issue
Date: Tue, 20 Nov 2018 23:30:18 +0100
Message-ID: <87zhu31ix1.fsf@gmx.de>
Cc: Eli Zaretskii, Stefan Monnier, emacs-devel
To: João Távora

João Távora writes:

> Hello emacs-devel,

Hi João,

> The off-list discussion below is about TRAMP's usage of
> the /sudo:: method, which surprised me very much recently
> because I discovered that it lets any elisp run arbitrary shell
> commands with root permissions while the buffer editing a file
> with /sudo:: is live.
>
> So in theory you could write malicious elisp code to lay there
> hoping to hijack a user's system on their first file of
> /sudo::/etc/apt/sources.list, for example. Supposing all the user
> wanted is to edit that file, starting a full "elisp sudo server" for
> the duration of the buffer is clearly overkill and unnecessarily
> dangerous for most users.

It isn't overkill. The implementation in Tramp depends on the file name
handler concept, which requires implementing 70 basic functions. How
would it be possible to implement `file-attributes', for example, w/o an
interactive shell with root permissions?

> For me this is a very serious security hole, but apparently
> it's part of the contract of the /sudo:: method.
>
> I am arguing for:
>
> 1. A sudoedit method that works like `sudo -e`

Agreed. It shall basically implement just `insert-file-contents' and
`write-region'. (If possible, I haven't started to investigate in
detail).

> 2. A one-time stern warning the first time that the user uses /sudo::
> to explain the security implications to new users.

Here I'm not convinced. I agree that it must be said more prominently in
the Tramp manual, that an interactive session with root permissions is
running in the background, but I believe it would be too bossy to tell
users they shall not use "/sudo::". It is like telling something like
this to users, who call sudo in a terminal. Are there such warnings,
somewhere?

> Michael and I are converging on some possibilities, but I
> think it's a good idea to have the rest of emacs-devel speak
> their mind.
>
> Thanks,
> João

Best regards, Michael.
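
An added example, not part of the original message or of Tramp itself: one way a user can limit how long the background root session discussed above stays open, by closing privileged Tramp connections once the last buffer visiting a file through them is killed. The `my/` names and the list of methods are assumptions made for this illustration; `tramp-list-connections` and `tramp-cleanup-connection` are existing Tramp functions.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration; all `my/' names are hypothetical.
(require 'tramp)
(require 'seq)

(defvar my/tramp-root-methods '("sudo" "su" "doas")
  "Tramp methods treated as privileged (assumed list, adjust locally).")

(defun my/tramp-privileged-p (name)
  "Return non-nil if NAME is a Tramp file name using a privileged method.
The check is purely syntactic and never opens a connection."
  (and (stringp name)
       (tramp-tramp-file-p name)
       (member (tramp-file-name-method (tramp-dissect-file-name name))
               my/tramp-root-methods)))

(defun my/tramp-privileged-buffers ()
  "Return live buffers visiting a file through a privileged method.
Only `buffer-file-name' is checked, so Dired and shell buffers are not
counted; Tramp's own connection buffers are thereby excluded too."
  (seq-filter (lambda (buf)
                (my/tramp-privileged-p (buffer-file-name buf)))
              (buffer-list)))

(defun my/tramp-close-root-connections ()
  "Close every cached privileged Tramp connection.
Calling `tramp-cleanup-connection' without KEEP-PASSWORD also flushes
the password cached for that connection."
  (interactive)
  (dolist (vec (tramp-list-connections))
    (when (member (tramp-file-name-method vec) my/tramp-root-methods)
      (tramp-cleanup-connection vec))))

(defun my/tramp-drop-root-when-unused ()
  "On buffer kill, close root sessions if no other buffer needs them.
Runs in `kill-buffer-hook', where the dying buffer is still current."
  (when (and (my/tramp-privileged-p buffer-file-name)
             (null (remq (current-buffer)
                         (my/tramp-privileged-buffers))))
    (my/tramp-close-root-connections)))

(add-hook 'kill-buffer-hook #'my/tramp-drop-root-when-unused)
```

This shortens the window in which other elisp can reuse the session; it does not remove it while a /sudo:: buffer is open, and Tramp reconnects (prompting again) the next time such a file is accessed.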