Re: sudo:: method in tramp possible security issue

["João Távora" <joaotavora@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 3548 bytes --]

Hello emacs-devel,

The off-list discussion below is about TRAMP's usage of
the /sudo:: method, which surprised me very much recently
because I discovered that it lets any elisp run arbitrary shell
commands with root permissions while the buffer editing a file
with /sudo:: is live.

So in theory you could write malicious elisp code to lay there
hoping to hijack a users system on their first file of
/sudo::/etc/apt/sources.list, for example. Supposing all the user
wanted is to edit that file, starting a full "elisp sudo server" for
the duration of the buffer is clearly overkill and unnecessarily
dangerous for most users.

For me this is a very serious security hole, but apparently
it's part of the contract of the /sudo:: method.

I am arguing for:

1. A sudoedit method that works like `sudo -e`

2. A one-time stern warning the first time that the user uses /sudo::
to explain the security implications to new users.

Michael and I are converging on some possibilities, but I
think it's a good idea to have the rest of emacs-devel speak
their mind.

[Michael you have my new in-line replies below, too]

Thanks,
João


On Tue, Nov 20, 2018 at 1:53 PM Michael Albinus <michael.albinus@gmx.de>
wrote:

> João Távora <joaotavora@gmail.com> writes:
>
> >     For the time being, the Tramp manual says:
> >
> >     --8<---------------cut here---------------start------------->8---
> >     ‘sudo’
> >
> >          Similar to ‘su’ method, ‘sudo’ uses ‘sudo’.  ‘sudo’ must have
> >          sufficient rights to start a shell.
> >     --8<---------------cut here---------------end--------------->8---
> >
> >     It says already that a shell is used, but perhaps we shall
> >     emphasize it more. As I said: manuals are unread ...
> >
> > Very true, and this is why I am suggesting an in-your-face warning.
>
> That would be bossy. People would start to modify the code in order to
> bypass this.
>

Perhaps I didn't explain myself. I'm talking about a one-time thing, like
the warnings for a disabled command. Something that you can answer
"I understand the risks: never ask for this again".

Once sudoedit is offered by Tramp, I expect a respective recommendation
> for Emacs.
>

OK. I believe this is not quite enough. But I'm talking for myself. I think
we should indeed raise the matter publicly.


> > And I don't agree it's like sudo -i, because I don't think there is an
> > easy way for non-root code running before the sudo -i session to
> > inject itself into the root session, or is there? Certainly not as
> > easy as writing some trivial elisp.
>
> Everybody is able to write such code. A simple `shell-command' with
> "sudo" might suffice to run any command with root permissions. Or use
> the interactive `shell', and call "sudo -i" there. Nothing you need
> Tramp for.
>

I was just arguing that the comparison between "sudo -i", meant to be
run in a shell and tramp's launching of a "sudo shell" isn't adequate,
because
there's no easy way for some unprivileged code to stay around
and wait for an opportunity to hijack your interactive "sudo -i"


>
> > /Sudoedit:: would be a really good addition. It would replace all the
> > usage I and quite possibly many others have ever had of /sudo::.
>
> Agreed. If it is possible to implement as proposed.
>
> (Please write the bug report about, in order to discuss it with greater
> audience. Or start a discussion at the emacs-devel ML.)
>

I just did that.

[-- Attachment #2: Type: text/html, Size: 5127 bytes --]