Closing a privilege escalation

Closing a privilege escalation

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

With some arguments, emacs started inside sudo will run the user's own
.emacs file rather than root's.  This creates a known vulnerability
for privilege escalation.

I propose a feature to fix the vulnerability:

  For sudo-authorized users, require .emacs (and other Emacs startup
  files and directories) to be owned by root.

This won't be a big hassle for them, since
these users can sudo to edit their root-owned files.

Do people see any problem with this?

-- 
Dr Richard Stallman
President, Free Software Foundation (https://gnu.org, https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
Skype: No way! See https://stallman.org/skype.html.

Re: Closing a privilege escalation

[Noam Postavsky]

On 24 April 2018 at 21:09, Richard Stallman <rms@gnu.org> wrote:

> With some arguments, emacs started inside sudo will run the user's own
> .emacs file rather than root's.  This creates a known vulnerability
> for privilege escalation.
>
> I propose a feature to fix the vulnerability:
>
>   For sudo-authorized users, require .emacs (and other Emacs startup
>   files and directories) to be owned by root.

Can you explain what you mean by "sudo-authorized users" exactly? I
would have expected the fix to be

  When running Emacs as root, require .emacs (etc) to be writable only by root.

Re: Closing a privilege escalation

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > Can you explain what you mean by "sudo-authorized users" exactly?

It means, users that are allowed to use sudo.

    > When running Emacs as root, require .emacs (etc) to be writable only by root.

That is a slightly stricter criterion than the one I proposed, which
was owned by root.  The slightly stricter criterion might be a little
better.  But it is basically the same thing.

-- 
Dr Richard Stallman
President, Free Software Foundation (https://gnu.org, https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
Skype: No way! See https://stallman.org/skype.html.

Re: Closing a privilege escalation

[Lars Ingebrigtsen]

Richard Stallman <rms@gnu.org> writes:

> With some arguments, emacs started inside sudo will run the user's own
> .emacs file rather than root's.  This creates a known vulnerability
> for privilege escalation.

Is this about bug#28618?  I think this issue was discussed
comprehensively there.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

Re: Closing a privilege escalation

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > > With some arguments, emacs started inside sudo will run the user's own
  > > .emacs file rather than root's.  This creates a known vulnerability
  > > for privilege escalation.

  > Is this about bug#28618?  I think this issue was discussed
  > comprehensively there.

The discussion reached the conclusion that the problem is real, even
with recent GNU/Linux systems.  We have not fixed it.

I'm proposing a solution that I think will be adequate.  Does
anyone have comments about this solution?

-- 
Dr Richard Stallman
President, Free Software Foundation (https://gnu.org, https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
Skype: No way! See https://stallman.org/skype.html.

Re: Closing a privilege escalation

[Lars Ingebrigtsen]

Richard Stallman <rms@gnu.org> writes:

> The discussion reached the conclusion that the problem is real, even
> with recent GNU/Linux systems.  We have not fixed it.

I thought the discussion concluded that a sudo user can do anything
(like put stuff in root's ~/.bashrc), and that this isn't something that
Emacs should worry about.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

Re: Closing a privilege escalation

[Lars Ingebrigtsen]

Lars Ingebrigtsen <larsi@gnus.org> writes:

> Richard Stallman <rms@gnu.org> writes:
>
>> The discussion reached the conclusion that the problem is real, even
>> with recent GNU/Linux systems.  We have not fixed it.
>
> I thought the discussion concluded that a sudo user can do anything
> (like put stuff in root's ~/.bashrc), and that this isn't something that
> Emacs should worry about.

Oh, I see: The sploit here is that somebody has access to a user's
account, but doesn't know what the user's password is?  So they place
something in the user's .emacs file that'll be run after the user does a
sudo and then starts Emacs as root?

Sounds kinda cumbersome when the attacker could just install a keylogger
for the user and so on...

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

Re: Closing a privilege escalation

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > I thought the discussion concluded that a sudo user can do anything
  > (like put stuff in root's ~/.bashrc), and that this isn't something that
  > Emacs should worry about.

A sudo-capable user can do all sorts of bad things while sudoing,
but that's not what we are talkin about.
Here the issue is what malicious code can do, while that user is NOT sudoing,
to arrange to take advantage later.  One way is by editing .emacs
so that it will do something bad next time the user runs Emacs under sudo.

Unfortunately, it seems there are many ways the code could do that,
which do not work by editing .emacs.  So trying to block that avenue
is ineffective.

-- 
Dr Richard Stallman
President, Free Software Foundation (https://gnu.org, https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
Skype: No way! See https://stallman.org/skype.html.

Re: Closing a privilege escalation

[Tim Cross]

[-- Attachment #1: Type: text/plain, Size: 1870 bytes --]

Agree. I don't think this is an issue emacs can address. It is really about
how sudo is configured. On many systems, users with the 'admin' privilege
can run sudo to execute any command, including sudo su - root. Once you
have root, game over - e.g. I can easily edit .emacs of any user and there
is little emacs can do to detect that (unless you want to go the over kill
route of requiring a gpg key at startup to allow emacs to read an encrypted
.emacs or similar). As Lars points out, once you have root, you can just as
easily compromise some other part of the system or install a key logger or
even a modified version of emacs itself.

On 27 April 2018 at 07:05, Richard Stallman <rms@gnu.org> wrote:

> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
> [[[ whether defending the US Constitution against all enemies,     ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>
>   > I thought the discussion concluded that a sudo user can do anything
>   > (like put stuff in root's ~/.bashrc), and that this isn't something
> that
>   > Emacs should worry about.
>
> A sudo-capable user can do all sorts of bad things while sudoing,
> but that's not what we are talkin about.
> Here the issue is what malicious code can do, while that user is NOT
> sudoing,
> to arrange to take advantage later.  One way is by editing .emacs
> so that it will do something bad next time the user runs Emacs under sudo.
>
> Unfortunately, it seems there are many ways the code could do that,
> which do not work by editing .emacs.  So trying to block that avenue
> is ineffective.
>
> --
> Dr Richard Stallman
> President, Free Software Foundation (https://gnu.org, https://fsf.org)
> Internet Hall-of-Famer (https://internethalloffame.org)
> Skype: No way! See https://stallman.org/skype.html.
>
>
>


-- 
regards,

Tim

--
Tim Cross

[-- Attachment #2: Type: text/html, Size: 2865 bytes --]

Re: Closing a privilege escalation

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > On many systems, users with the 'admin' privilege
  > can run sudo to execute any command, including sudo su - root. Once you
  > have root, game over

That's true -- but, as I explained in the previous message, that's not what
this is about.

-- 
Dr Richard Stallman
President, Free Software Foundation (https://gnu.org, https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
Skype: No way! See https://stallman.org/skype.html.

Re: Closing a privilege escalation

[Marcin Borkowski]

On 2018-04-26, at 23:05, Richard Stallman <rms@gnu.org> wrote:

> to arrange to take advantage later.  One way is by editing .emacs
> so that it will do something bad next time the user runs Emacs under sudo.

Out of curiosity: why would anyone run Emacs under sudo?  Shouldn't it
be disabled?  (Possibly, there might be option, called
e.g. --i-explicitly-do-ask-for-troubles, which could enable that.)

Best,

-- 
Marcin Borkowski
http://mbork.pl

Re: Closing a privilege escalation

[Clément Pit-Claudel]

On 2018-04-27 05:50, Marcin Borkowski wrote:
> On 2018-04-26, at 23:05, Richard Stallman <rms@gnu.org> wrote:
> 
>> to arrange to take advantage later.  One way is by editing .emacs
>> so that it will do something bad next time the user runs Emacs under sudo.
> 
> Out of curiosity: why would anyone run Emacs under sudo?  Shouldn't it
> be disabled?  (Possibly, there might be option, called
> e.g. --i-explicitly-do-ask-for-troubles, which could enable that.)

Force of habit, I guess. I know about TRAMP's sudo method and I sometimes use it, but for quick edits I often just use sudo emacs /etc/apt/sources.list, for example.

Re: Closing a privilege escalation

[Davis Herring]

> With some arguments, emacs started inside sudo will run the user's own
> .emacs file rather than root's.  This creates a known vulnerability
> for privilege escalation.

How does .emacs allow additional access?  Anyone who can run emacs as 
root can run anything as root (via M-!, among many many other 
possibilities that cannot be countered by noexec).

>    For sudo-authorized users, require .emacs (and other Emacs startup
>    files and directories) to be owned by root.
> 
> This won't be a big hassle for them, since
> these users can sudo to edit their root-owned files.
>  > Do people see any problem with this?
It could easily be a problem if, say, .emacs is under version control. 
It might also interfere with backup systems, and could be incompatible 
with home directories mounted in special ways (e.g., NFS).

Davis

-- 
This product is sold by volume, not by mass.  If it appears too dense or 
too sparse, it is because mass-energy conversion has occurred during 
shipping.

Re: Closing a privilege escalation

[Glenn Morris]

This was previously discussed in bug#28618.
I think the discussion suffers from lack of a clear example, so let me
try to give one:

A normal (uncompromised) user account inadvertently installs a malicious
Emacs package that contains exploit code that waits to be run as root.

This user then sudos (to root) in such a way that HOME is not reset to
that of root. They then run Emacs, which executes the malicious package
code as root.

This entire class of exploit can be avoided by suitable sudo options
(always_set_home etc), but that doesn't necessarily mean that Emacs
should not do something about it.

It seems to me, that "if UID = 0, set user-init-file, user-emacs-directory
etc to those of root" is a simpler solution that the one you propose.

This effectively enforces the always_set_home feature of sudo in Emacs.
This may annoy some people, but you can't make the behaviour optional,
because then the bad code could disable it. Some might say that people
using sudo without set_home want the behaviour the way it is now, but
maybe we could argue that it is not always a conscious choice.

By the way, what about sudo called from Tramp? Let's suppose the
malicious package subverts the sudo syntax that is built-in to Emacs.
How to defend against that (ie people running sudo within Emacs)?

Re: Closing a privilege escalation

[Stefan Monnier]

> A normal (uncompromised) user account inadvertently installs a malicious
> Emacs package that contains exploit code that waits to be run as root.

At that point, the account *is* compromised.

And this exploit code could just as well not wait to be run as root and
instead install a key-logger on `sudo`, after which the attacker can
`sudo` to run any code it wants.

> This entire class of exploit can be avoided by suitable sudo options
> (always_set_home etc), but that doesn't necessarily mean that Emacs
> should not do something about it.

I think running as UID=0 with $HOME pointing to a directory writable (or
containing files writable) by non-root users is fundamentally insecure.

More generally $HOME should point to a directory which is only writable
by users of higher-or-equal privilege-level.

> It seems to me, that "if UID = 0, set user-init-file, user-emacs-directory
> etc to those of root" is a simpler solution that the one you propose.

We could try and paper over the problem this way, indeed.

Rather than (re)set user-init-file and user-emacs-directory, I'd rather
reset $HOME altogether (and stash the old value somewhere, so
~root/.emacs can still read that user's ~/.emacs if they *really* want),
tho, and emit a warning message while doing it, of course, so the user
isn't caught by surprise.


        Stefan

Re: Closing a privilege escalation

[Stefan Monnier]

> We could try and paper over the problem this way, indeed.

[ Just to be clear: I don't favor that option.  ]

Another option is to exit as soon as we find out that we're running as
root ;-)


        Stefan "who uses Zile for sysadmin edits"

Re: Closing a privilege escalation

[Paul Eggert]

On 04/25/2018 10:09 AM, Stefan Monnier wrote:
> $HOME should point to a directory which is only writable
> by users of higher-or-equal privilege-level.

It's not just $HOME, though, right? It's also EMACSLOADPATH, EMACSPATH, 
ESHELL, HISTFILE, or anything else specifying where Emacs should get 
code or data from or send information to. (Oh, and don't forget my 
favorite environment variable TZ. :-) If Emacs is serious about not 
trusting sudo, then every file and directory specified by any of these 
would need to be vetted.

Also, to be safe shouldn't Emacs check ownership and permissions not 
only of each file and directory, but also of all those files' ancestors? 
For example, it won't help that /home/whatever is owned by root, if 
/home itself is owned by baduser.

And suppose the user is 'eggert' and the directory 
/usr/share/emacs/site-lisp (or whatever) is owned by user 'bin' - in 
that case, how should Emacs determine that 'bin' is a user of 
"higher-or-equal privilege level"?

We do have to be careful of mission creep here. Emacs is supposed to be 
a user-level application and setup security is supposed to be sudo's job.

Re: Closing a privilege escalation

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > And this exploit code could just as well not wait to be run as root and
  > instead install a key-logger on `sudo`, after which the attacker can
  > `sudo` to run any code it wants.

Maybe it is possible to figure out ways to make it impossible to set
up a phony sudo command.  But that would require several new security
features.  I don't know whether such features are possible or not.

It would be worth studying, but it isn't related to Emacs.

So I guess we can forget about trying to solve the rewritten .emacs
problem.

-- 
Dr Richard Stallman
President, Free Software Foundation (https://gnu.org, https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
Skype: No way! See https://stallman.org/skype.html.

Re: Closing a privilege escalation

[Søren Pilgård]

[-- Attachment #1: Type: text/plain, Size: 1661 bytes --]

On Wed, Apr 25, 2018 at 6:47 PM, Glenn Morris <rgm@gnu.org> wrote:

>
> This was previously discussed in bug#28618.
> I think the discussion suffers from lack of a clear example, so let me
> try to give one:
>
> A normal (uncompromised) user account inadvertently installs a malicious
> Emacs package that contains exploit code that waits to be run as root.
>
> This user then sudos (to root) in such a way that HOME is not reset to
> that of root. They then run Emacs, which executes the malicious package
> code as root.
>
> This entire class of exploit can be avoided by suitable sudo options
> (always_set_home etc), but that doesn't necessarily mean that Emacs
> should not do something about it.
>
> It seems to me, that "if UID = 0, set user-init-file, user-emacs-directory
> etc to those of root" is a simpler solution that the one you propose.
>
> This effectively enforces the always_set_home feature of sudo in Emacs.
> This may annoy some people, but you can't make the behaviour optional,
> because then the bad code could disable it. Some might say that people
> using sudo without set_home want the behaviour the way it is now, but
> maybe we could argue that it is not always a conscious choice.
>
> By the way, what about sudo called from Tramp? Let's suppose the
> malicious package subverts the sudo syntax that is built-in to Emacs.
> How to defend against that (ie people running sudo within Emacs)?
>
>
If a clever hacker is able to run code on your computer as your account he
could just install a fake sudo program that snatches the password. And then
modify the path in your .bashrc etc. to execute this script instead of the
build in.

[-- Attachment #2: Type: text/html, Size: 2121 bytes --]