From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!.POSTED!not-for-mail From: =?UTF-8?B?Sm/Do28gVMOhdm9yYQ==?= Newsgroups: gmane.emacs.devel Subject: Re: sudo:: method in tramp possible security issue Date: Tue, 20 Nov 2018 22:27:01 +0000 Message-ID: References: <87ftvwdcdw.fsf@gmx.de> <87bm6kdb68.fsf@gmx.de> <87bm6kyxc3.fsf@gmx.de> <87k1l83yd3.fsf@gmx.de> <87o9ajvost.fsf@gmx.de> <87198cbf-4e47-b094-8a06-7406114e86db@cs.ucla.edu> <888b347f-80f3-dbc2-9e88-74be3375b599@cs.ucla.edu> <878t1n2yll.fsf@gmx.de> NNTP-Posting-Host: blaine.gmane.org Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="0000000000009aa525057b2022ac" X-Trace: blaine.gmane.org 1542752759 27198 195.159.176.226 (20 Nov 2018 22:25:59 GMT) X-Complaints-To: usenet@blaine.gmane.org NNTP-Posting-Date: Tue, 20 Nov 2018 22:25:59 +0000 (UTC) Cc: Eli Zaretskii , Paul Eggert , Stefan Monnier , emacs-devel To: Michael Albinus Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Tue Nov 20 23:25:55 2018 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by blaine.gmane.org with esmtp (Exim 4.84_2) (envelope-from ) id 1gPESw-0006xl-Ot for ged-emacs-devel@m.gmane.org; Tue, 20 Nov 2018 23:25:54 +0100 Original-Received: from localhost ([::1]:36293 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gPEV3-00006t-7j for ged-emacs-devel@m.gmane.org; Tue, 20 Nov 2018 17:28:05 -0500 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:44370) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gPEUF-00005l-Gn for emacs-devel@gnu.org; Tue, 20 Nov 2018 17:27:17 -0500 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1gPEUE-0004cn-GQ for emacs-devel@gnu.org; Tue, 20 Nov 2018 17:27:15 -0500 Original-Received: from mail-qt1-x833.google.com ([2607:f8b0:4864:20::833]:45987) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1gPEUE-0004bF-9V; Tue, 20 Nov 2018 17:27:14 -0500 Original-Received: by mail-qt1-x833.google.com with SMTP id e5so1860294qtr.12; Tue, 20 Nov 2018 14:27:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9hgalFb3Jra27HnBP7uBH+SQECN3Nj8L7Y1fuANFQCQ=; b=WCEKbbT3VFKrwn/xMxp5lT8tc95fcbxjkHBDsm1QhIKkoBHs+0fd0Cje0JUP3Vh64d 8UgdfB4DIdX1wmSHbl/Rmc8Z6qFBGex/MWIGVbLP5M0YEjjj4w1lpjTYid1CwtI+bLZE n6vmFIWEO85Wl7IbYBGOL9d4/EUXeN3vc62Hdihf+aKq+JZaofM5uUX6cJP+ioJrEq4o OTYP5G3cVmWcNfzxnz8VzvblZh1HNk0R7cy+rpEgu5ly4p2auXzTpqfqQW4dfASpemBO B+S5fN6B0olHO6m/B8SU5rrgaz2vyIJOW8IAihReTyhn6l3JJHGp83ZpK5HZ+S1O93yv LGbA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9hgalFb3Jra27HnBP7uBH+SQECN3Nj8L7Y1fuANFQCQ=; b=jey3JCUB9i4gpH89k72e0yRi1iKaXOpZEikuQbvTxE6JiGGgJbLBTHJbGUuxCKZQwR bEWdD3MqzCNLtjlGANlqubahcbiz4+biDm9ZMcuAfJSubzuY1M+MvLkOJpaGNtZwAF3v /4vzT7630SsAgmVbD09zWRUn53Ia+Llj7yy0A9ILJfMkxrGot1jLzid1srBonPBrEyhb WNH7jh/lojHFVeXT7GJ8Xn3QQ8TayNzt3L1twFV7bCVcXcc97okZi8WUEZKkqoD4l+QC WnGA6O6900gmQwjjW26ELbbqI/Lu1pOrUKwDmUDtsVhliEtZyvTTIsSP/MUdWXc+Zhzr 4yqQ== X-Gm-Message-State: AA+aEWYCZDDy8tYHUw25eRuECpfSqocLUjyj6yid3wYcDpTy8I+LvAot Y+yZlUrHkv+Rz95RyiQaoKJJgGlVpJzxF5CDvWc= X-Google-Smtp-Source: AFSGD/Wd854ZB/pKdQPyhl4N9cOvXtOjfeyLkRybUA1bgnly+866zP9MQ+j20YrMGG8mvGzR4UsDe3eOGEI81hOTqr4= X-Received: by 2002:a0c:b919:: with SMTP id u25mr3732390qvf.104.1542752833282; Tue, 20 Nov 2018 14:27:13 -0800 (PST) In-Reply-To: <878t1n2yll.fsf@gmx.de> X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 2607:f8b0:4864:20::833 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Original-Sender: "Emacs-devel" Xref: news.gmane.org gmane.emacs.devel:231263 Archived-At: --0000000000009aa525057b2022ac Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Tue, Nov 20, 2018 at 10:06 PM Michael Albinus wrote: > Paul Eggert writes: > > > On 11/20/18 1:18 PM, Stefan Monnier wrote: > >> Tramp is not magical: it can do no more nor less than what an attacker > >> could do. > > > > Sure, if the attacker has control over my keyboard, or over my > > display, or over the Lisp code that I load and execute. That being > > said, Tramp does make attacks easier, so it has been an easy call for > > me to disable it. > > Tramp's sudo method needs your credentials. If you don't provide them, > Tramp cannot do anything. > > Like calling sudo in a terminal. It's not exactly like calling sudo in a terminal, because when you use sudo you generally: 1. perform a one time action and are back at a non-sudo prompt; OR 2. start an interactive superuser session that easy to identify visually and for which there isn't a programmatic way for other programs to interfere In other words, what bothers me the most about the sudo:: method is the persistent sudo session that makes me vulnerable to attackers, and to my elisp developing mistakes. This is why I think a warning makes sense, or some visual way to identify this vulnerable state. In contrast, using sudoedit:: should not bring about this vulnerable state. That being said, if your non-elevated user has already been compromised, entering sudo credentials into Emacs, where elisp can do whatever, is probably a very bad idea, regardless of Tramp. Jo=C3=A3o --0000000000009aa525057b2022ac Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Tue, Nov 20, 2018 at 10:06 PM Michael Albinus <michael.albinus@gmx.de> wrote:<= br>
Paul Egg= ert <eggert@cs.u= cla.edu> writes:

> On 11/20/18 1:18 PM, Stefan Monnier wrote:
>> Tramp is not magical: it can do no more nor less than what an atta= cker
>> could do.
>
> Sure, if the attacker has control over my keyboard, or over my
> display, or over the Lisp code that I load and execute. That being
> said, Tramp does make attacks easier, so it has been an easy call for<= br> > me to disable it.

Tramp's sudo method needs your credentials. If you don't provide th= em,
Tramp cannot do anything.

Like calling sudo in a terminal.

It's n= ot exactly like calling sudo in a terminal, because when you
use = sudo you generally:

1. perform a one time action a= nd are back at a non-sudo prompt; OR
2. start an interactive = superuser session that easy to identify visually
=C2=A0=C2= =A0 and for which there isn't a programmatic way for other programs
=C2=A0=C2=A0 to interfere

In other wor= ds, what bothers me the most about the sudo:: method is
the = persistent sudo session that makes me vulnerable to attackers, and
to my elisp developing mistakes.=C2=A0 This is why I think a warning make= s
sense, or some visual way to identify this vulnerable stat= e.

In contrast, using sudoedit:: should not bring = about this vulnerable state.

That being said, if y= our non-elevated user has already been compromised,
entering sudo= credentials into Emacs, where elisp can do whatever, is
pro= bably a very bad idea, regardless of Tramp.

Jo=C3= =A3o


--0000000000009aa525057b2022ac--