all messages for Emacs-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
From: Qiantan Hong <qhong@mit.edu>
To: "emacs-devel@gnu.org" <emacs-devel@gnu.org>
Subject: Access control in Emacs?
Date: Tue, 14 Sep 2021 12:49:27 +0000	[thread overview]
Message-ID: <FF611A69-0749-4CB0-88F2-BA18CEF756C9@mit.edu> (raw)

As I’m experimenting making Emacs a collaborative “OS” (using crdt.el),
I inevitably encountered this classical OS question.
I’m adding more powerful features to crdt.el including buffer local variable
synchronizations and arbitrary remote command/function call,
however, it seems like they need to be accompanied by some access control
mechanism to be used “reasonably safely”.

Now I’m not sure about how to achieve that, there’re several ways I can see:
1. Really makes Emacs a multi-user OS. Add access control checks to 
all essential C primitives (which check against a current-user dynamic variable).
I don’t know how hard or intrusive it is. Does it worth it?

2. Another obvious thing I can do without touching massive amount of C code
is to add advice to interesting functions/primitives from Elisp side.

However I think this is bad security design comparing to 1 because it can
possibly open lots of loop holes, especially privilege promotion.
Suppose we don’t want Ben Bitdiddle to read our FS, we may add an
advice to insert-file-contents that check against an ACL (which excludes Ben).
However, if Ben has access to some other Lisp command that call some
C function that in turn calls insert-file-contents from C, the advice is never
invoked and this is easy privilege promotion.
We can only wish that we wrote a set of access control rules that have some
“closure” property, however given that lots of Emacs command are complex
and “intelligent”, I don’t think this is manageable.

I’m also not sure if extensive usage of advices is bad in a package supposedly
providing some fundamental feature.
I’m current using lots of advice already, to create “mock” buffer process object
that proxy I/O to a process on remote Emacs.

3. Or we can claim access control is for suckers. Trust your friends.

Thoughts?


Best,
Qiantan


             reply	other threads:[~2021-09-14 12:49 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-14 12:49 Qiantan Hong [this message]
2021-09-14 14:09 ` Access control in Emacs? Phil Sainty
2021-09-14 14:28 ` dick
2021-09-14 15:05   ` Qiantan Hong
2021-09-14 15:52     ` dick
2021-09-14 16:02       ` Stefan Kangas
2021-09-14 14:49 ` Stefan Monnier
2021-09-15 20:11   ` Richard Stallman
2021-09-15 20:21   ` Robin Tarsiger
2021-09-14 18:13 ` Christine Lemmer-Webber
2021-09-14 19:59   ` tomas
2021-09-15 23:16   ` Qiantan Hong
2021-09-16  2:16     ` Christine Lemmer-Webber
2021-09-18  0:29       ` Richard Stallman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=FF611A69-0749-4CB0-88F2-BA18CEF756C9@mit.edu \
    --to=qhong@mit.edu \
    --cc=emacs-devel@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/emacs.git
	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.