From: Paul Eggert
Newsgroups: gmane.emacs.devel
Subject: Re: Closing a privilege escalation
Date: Wed, 25 Apr 2018 10:55:06 -0700
Organization: UCLA Computer Science Department
Message-ID: <89c57a05-b767-23d7-d81f-ee0f1c38c9c2@cs.ucla.edu>
To: emacs-devel@gnu.org
Xref: news.gmane.org gmane.emacs.devel:224885

On 04/25/2018 10:09 AM, Stefan Monnier wrote:
> $HOME should point to a directory which is only writable
> by users of higher-or-equal privilege-level.

It's not just $HOME, though, right? It's also EMACSLOADPATH, EMACSPATH, ESHELL, HISTFILE, or anything else specifying where Emacs should get code or data from or send information to. (Oh, and don't forget my favorite environment variable TZ. :-) If Emacs is serious about not trusting sudo, then every file and directory specified by any of these would need to be vetted.
Also, to be safe, shouldn't Emacs check ownership and permissions not only of each file and directory, but also of all those files' ancestors? For example, it won't help that /home/whatever is owned by root if /home itself is owned by baduser.

And suppose the user is 'eggert' and the directory /usr/share/emacs/site-lisp (or whatever) is owned by user 'bin' - in that case, how should Emacs determine that 'bin' is a user of "higher-or-equal privilege level"?

We do have to be careful of mission creep here. Emacs is supposed to be a user-level application, and setup security is supposed to be sudo's job.
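The ancestor walk Eggert describes, as an added example that is not part of this thread and not Emacs's own code: a Python check that refuses a path unless it and every directory above it is owned by a trusted uid and is neither group- nor world-writable, then applies that check to the environment variables named in the message (HOME, EMACSLOADPATH, EMACSPATH, ESHELL, HISTFILE). The sample directory tree, the `stop_at` parameter that lets a caller vouch for a prefix, the rule that a sticky world-writable directory such as /tmp is tolerated, and the choice that "trusted" means root plus the current user are assumptions of this example; which other uids count as "higher-or-equal privilege" is deliberately left to the caller, since that is the open question in the message.

```python
"""Ancestor-aware trust check for paths Emacs takes from the environment.

Added example for this thread, not Emacs code.  A path is trusted only if
it and every ancestor directory up to "/" (or up to an optional `stop_at`
directory the caller vouches for) is owned by a trusted uid and is neither
group- nor world-writable.  A world-writable directory with the sticky bit
(e.g. /tmp) is tolerated only with allow_sticky=True, because the sticky
bit stops other users from renaming or unlinking entries in it.
"""
import os
import stat
import tempfile

# Variables that hold os.pathsep-separated lists rather than a single path.
PATH_LIST_VARS = {"EMACSLOADPATH", "EMACSPATH"}


def ancestors(path):
    """Absolute path plus all its ancestors, root first; symlinks are not
    resolved, so a link in the chain is reported by path_problems, not followed."""
    p = os.path.abspath(path)
    chain = []
    while True:
        chain.append(p)
        parent = os.path.dirname(p)
        if parent == p:          # reached "/"
            break
        p = parent
    chain.reverse()
    return chain


def path_problems(path, trusted_uids=(0,), stop_at=None, allow_sticky=True):
    """Reasons `path` cannot be trusted; an empty list means it is trusted."""
    trusted = set(trusted_uids) | {os.geteuid()}   # assumption: root + self
    vouched = set(ancestors(stop_at)) if stop_at else set()
    problems = []
    for comp in ancestors(path):
        if comp in vouched:
            continue             # caller vouches for stop_at and everything above it
        try:
            st = os.lstat(comp)
        except OSError as exc:
            problems.append(f"{comp}: cannot stat ({exc.strerror})")
            break
        if stat.S_ISLNK(st.st_mode):
            problems.append(f"{comp}: is a symlink; its target has unchecked ancestors")
            break
        if st.st_uid not in trusted:
            problems.append(f"{comp}: owned by uid {st.st_uid}, not a trusted user")
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IWGRP:
            problems.append(f"{comp}: group-writable")
        if mode & stat.S_IWOTH:
            sticky_dir = stat.S_ISDIR(st.st_mode) and bool(mode & stat.S_ISVTX)
            if not (allow_sticky and sticky_dir):
                problems.append(f"{comp}: world-writable")
    return problems


def untrusted_env_paths(env, names, **kwargs):
    """Map each variable in `names` that is set in `env` to the problems found
    in its path(s); a variable absent from the result is unset or clean."""
    report = {}
    for name in names:
        value = env.get(name)
        if value is None:
            continue
        entries = value.split(os.pathsep) if name in PATH_LIST_VARS else [value]
        for entry in entries:
            if not entry:        # an empty EMACSLOADPATH element means "the default"
                continue
            probs = path_problems(entry, **kwargs)
            if probs:
                report.setdefault(name, []).extend(probs)
    return report


def build_sample_tree():
    """Constructed sample: a tidy directory, a world-writable one, and a file
    beneath the latter.  Returns (root, safe_dir, file_under_loose_dir)."""
    root = tempfile.mkdtemp()
    safe, loose = os.path.join(root, "safe"), os.path.join(root, "loose")
    os.mkdir(safe)
    os.mkdir(loose)
    os.chmod(safe, 0o755)
    os.chmod(loose, 0o777)   # chmod explicitly: mkdir's mode argument is masked by umask
    init_el = os.path.join(loose, "init.el")
    with open(init_el, "w") as fh:
        fh.write(";; constructed sample file\n")
    os.chmod(init_el, 0o644)
    return root, safe, init_el


if __name__ == "__main__":
    root, safe, init_el = build_sample_tree()
    env = {"HOME": safe, "EMACSLOADPATH": safe + os.pathsep + os.path.dirname(init_el)}
    # Vouch for the temp root so only the constructed components are judged.
    report = untrusted_env_paths(env, ["HOME", "EMACSLOADPATH", "ESHELL", "HISTFILE"],
                                 stop_at=root)
    for var, probs in report.items():
        print(var, "->", "; ".join(probs))
```

Run as a script, it reports EMACSLOADPATH as tainted because one of its entries lives under the world-writable `loose` directory, while HOME (pointing at `safe`) is accepted. Note that `init.el` itself has tidy 0644 permissions; it is rejected purely because of its parent, which is the point of the ancestor walk. Leaving `stop_at` unset makes the check climb all the way to `/`, which is what a real deployment would want.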