From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!.POSTED!not-for-mail From: Tim Cross Newsgroups: gmane.emacs.devel Subject: Re: Closing a privilege escalation Date: Fri, 27 Apr 2018 07:26:19 +1000 Message-ID: References: NNTP-Posting-Host: blaine.gmane.org Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="000000000000e0ec6e056ac709dc" X-Trace: blaine.gmane.org 1524777932 31448 195.159.176.226 (26 Apr 2018 21:25:32 GMT) X-Complaints-To: usenet@blaine.gmane.org NNTP-Posting-Date: Thu, 26 Apr 2018 21:25:32 +0000 (UTC) Cc: Lars Ingebrigtsen , Emacs developers To: rms@gnu.org Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Thu Apr 26 23:25:28 2018 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by blaine.gmane.org with esmtp (Exim 4.84_2) (envelope-from ) id 1fBoON-00085W-UH for ged-emacs-devel@m.gmane.org; Thu, 26 Apr 2018 23:25:28 +0200 Original-Received: from localhost ([::1]:44530 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fBoQU-0008Na-S7 for ged-emacs-devel@m.gmane.org; Thu, 26 Apr 2018 17:27:38 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:43174) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fBoPh-0008Kw-GQ for emacs-devel@gnu.org; Thu, 26 Apr 2018 17:26:51 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fBoPZ-0008BI-En for emacs-devel@gnu.org; Thu, 26 Apr 2018 17:26:49 -0400 Original-Received: from mail-oi0-x22e.google.com ([2607:f8b0:4003:c06::22e]:43435) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1fBoPF-00085g-Ff; Thu, 26 Apr 2018 17:26:21 -0400 Original-Received: by mail-oi0-x22e.google.com with SMTP id p62-v6so25470243oie.10; Thu, 26 Apr 2018 14:26:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Ypgpv7kxHDIksr4UHJbMhHiPhUIG7uG56f9YplwCfcE=; b=WNCAx6Aq/OpTD4rHuo9MfvyS6UFkS59cZ+xrHuyIAQUhtmOxnSyBkOSVlVH1Qbtq3a 4IdXWk/VchQFGSasig2PLIA7q2KYsY8hIYkvu5NzFepLODsrUiTflKnGvzBrBvw9QdiG a3ugDtoyzla2PUYx8+5oQZ/VnWhbb33ZC3+sp/eWE5kvEzpfkOiELlTkHJpgnWwgDk2U MgfDhgzKXYm3yajR9tJJCeHHWmzANBpqhotZriq/cAX9MR3pJK32YXbxP9uJWSCovWfx ej++BEJkL+sHe8R+KvEnZWoNJZvIYS/3s5KYy2i2GjIWSm95JKc8Y8egYghiI9dg65tk Y03w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Ypgpv7kxHDIksr4UHJbMhHiPhUIG7uG56f9YplwCfcE=; b=YOSShBMwguNeOP7IfYPHqMkZ8vY+u3TsTH05tUz52mUlzziPiyE1igB2gwfZfOqSOG RnY2EdttXPtCqqllGNMmBFnSjr569BHK3BDOPa4XQULIX5tECLReUMMKoD9z81PYQSOC xUxrFTw//xJ7Dgi0Ayw0NMa5HlHTAZ+KmyJbR+6KoVMT7MXX1HxWKjZi4LQG89Mp/i0B +4biULLq4mZfDAKTE0swLmCzP2js+6brfeTAk9K2p50DU0dK+2MWdGSO0SNhQafmckeH oIGKcEjBkObeHw+4vsmK640EqzfAxTZuSuToA/IrVYnDrPehm0LU1gLUcYomE+jrkiLj j52A== X-Gm-Message-State: ALQs6tAc7AXb5RiIPKf1x1KcBj1jmx84rJz/UB4Q9uIz9FzFI4goZfl1 Qp6LSy6RcbIRCfQHGGy5ZdIju1yiANI7Ccb9CJo8iQ== X-Google-Smtp-Source: AB8JxZrJ412rBCVpvrP7zycRwMwPfgQt3f0atq9H4xm0j4k2DUvMs+IzehCzcpbd2TGm0GndBXbVeHKvwcRblYskmQ4= X-Received: by 2002:aca:917:: with SMTP id 23-v6mr7911336oij.119.1524777980323; Thu, 26 Apr 2018 14:26:20 -0700 (PDT) Original-Received: by 10.201.22.206 with HTTP; Thu, 26 Apr 2018 14:26:19 -0700 (PDT) In-Reply-To: X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 2607:f8b0:4003:c06::22e X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Original-Sender: "Emacs-devel" Xref: news.gmane.org gmane.emacs.devel:224915 Archived-At: --000000000000e0ec6e056ac709dc Content-Type: text/plain; charset="UTF-8" Agree. I don't think this is an issue emacs can address. It is really about how sudo is configured. On many systems, users with the 'admin' privilege can run sudo to execute any command, including sudo su - root. Once you have root, game over - e.g. I can easily edit .emacs of any user and there is little emacs can do to detect that (unless you want to go the over kill route of requiring a gpg key at startup to allow emacs to read an encrypted .emacs or similar). As Lars points out, once you have root, you can just as easily compromise some other part of the system or install a key logger or even a modified version of emacs itself. On 27 April 2018 at 07:05, Richard Stallman wrote: > [[[ To any NSA and FBI agents reading my email: please consider ]]] > [[[ whether defending the US Constitution against all enemies, ]]] > [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > > > I thought the discussion concluded that a sudo user can do anything > > (like put stuff in root's ~/.bashrc), and that this isn't something > that > > Emacs should worry about. > > A sudo-capable user can do all sorts of bad things while sudoing, > but that's not what we are talkin about. > Here the issue is what malicious code can do, while that user is NOT > sudoing, > to arrange to take advantage later. One way is by editing .emacs > so that it will do something bad next time the user runs Emacs under sudo. > > Unfortunately, it seems there are many ways the code could do that, > which do not work by editing .emacs. So trying to block that avenue > is ineffective. > > -- > Dr Richard Stallman > President, Free Software Foundation (https://gnu.org, https://fsf.org) > Internet Hall-of-Famer (https://internethalloffame.org) > Skype: No way! See https://stallman.org/skype.html. > > > -- regards, Tim -- Tim Cross --000000000000e0ec6e056ac709dc Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Agree. I don't think this is an issue emacs can addres= s. It is really about how sudo is configured. On many systems, users with t= he 'admin' privilege can run sudo to execute any command, including= sudo su - root. Once you have root, game over - e.g. I can easily edit .em= acs of any user and there is little emacs can do to detect that (unless you= want to go the over kill route of requiring a gpg key at startup to allow = emacs to read an encrypted .emacs or similar). As Lars points out, once you= have root, you can just as easily compromise some other part of the system= or install a key logger or even a modified version of emacs itself.=C2=A0<= /div>

On 27 April = 2018 at 07:05, Richard Stallman <rms@gnu.org> wrote:
[[[ To any NSA and FBI agents reading= my email: please consider=C2=A0 =C2=A0 ]]]
[[[ whether defending the US Constitution against all enemies,=C2=A0 =C2=A0= =C2=A0]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]<= br>
=C2=A0 > I thought the discussion concluded that= a sudo user can do anything
=C2=A0 > (like put stuff in root's ~/.bashrc), and that this isn'= ;t something that
=C2=A0 > Emacs should worry about.

A sudo-capable user can do all sorts of bad things while sudoing, but that's not what we are talkin about.
Here the issue is what malicious code can do, while that user is NOT sudoin= g,
to arrange to take advantage later.=C2=A0 One way is by editing .emacs
so that it will do something bad next time the user runs Emacs under sudo.<= br>
Unfortunately, it seems there are many ways the code could do that,
which do not work by editing .emacs.=C2=A0 So trying to block that avenue is ineffective.

--
Dr Richard Stallman
President, Free Software Foundation (https://gnu.org, https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
Skype: No way! See https://stallman.org/skype.html.





--
=
regards,

Tim

--
Tim Cross

--000000000000e0ec6e056ac709dc--