* emacsclient socket ownership
@ 2018-11-01 16:43 Glenn Morris
2018-11-02 15:38 ` Stefan Monnier
0 siblings, 1 reply; 30+ messages in thread
From: Glenn Morris @ 2018-11-01 16:43 UTC (permalink / raw)
To: emacs-devel
Hi,
emacsclient defaults to predictable socket file names in /tmp:
/tmp/emacsUID/server
It checks if the socket is owned by the same user (function socket_status).
If the user is root, however, this check is ignored (master emacsclient
line 1370). Is this not a security issue? Any user can create a socket
/tmp/emacs0/server, and root emacsclient will use it.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-11-01 16:43 emacsclient socket ownership Glenn Morris
@ 2018-11-02 15:38 ` Stefan Monnier
2018-11-02 16:53 ` Yuri Khan
2018-11-05 1:13 ` Glenn Morris
0 siblings, 2 replies; 30+ messages in thread
From: Stefan Monnier @ 2018-11-02 15:38 UTC (permalink / raw)
To: emacs-devel
> It checks if the socket is owned by the same user (function socket_status).
> If the user is root, however, this check is ignored (master emacsclient
> line 1370). Is this not a security issue? Any user can create a socket
> /tmp/emacs0/server, and root emacsclient will use it.
Sounds like a security issue, yes: root may end up talking to some other
user's Emacs. This seems to date back to
commit 9f637eea618b3b6b764b92405a480c254756f94a
Author: Gerd Moellmann <gerd@gnu.org>
Date: Fri Jan 28 15:02:20 2000 +0000
(socket_status): New function.
(main): if $LOGNAME or $USER exist and differ from our euid, look
for a socket based on the UID associated with the name.
so it's likely meant for the case where you `su` (or `sudo`) and want to
use emacsclient from root but connect to your main (non-root) Emacs server.
Not sure how to reconcile the two. I guess the risk is reduced in
practice for the following reason: server.el should hopefully signal an
error if it can't create&own /tmp/emacsUID/server, so emacsclient only
risks connecting to a wrong Emacs if:
- you forgot to start your Emacs server.
- your Emacs failed to start and you didn't notice it.
- server.el did not check things carefully enough and the attacker
managed to replace your socket with his (e.g. /tmp/emacsUID/ or /tmp is
somehow writable for the attacker).
Stefan
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-11-02 15:38 ` Stefan Monnier
@ 2018-11-02 16:53 ` Yuri Khan
2018-11-02 18:49 ` Stefan Monnier
2018-11-05 1:13 ` Glenn Morris
1 sibling, 1 reply; 30+ messages in thread
From: Yuri Khan @ 2018-11-02 16:53 UTC (permalink / raw)
To: Stefan Monnier; +Cc: Emacs developers
On Fri, Nov 2, 2018 at 10:39 PM Stefan Monnier <monnier@iro.umontreal.ca> wrote:
>
> > It checks if the socket is owned by the same user (function socket_status).
> > If the user is root, however, this check is ignored (master emacsclient
> > line 1370). Is this not a security issue? Any user can create a socket
> > /tmp/emacs0/server, and root emacsclient will use it.
>
> Sounds like a security issue, yes: root may end up talking to some other
> user's Emacs.
Talking, in and of itself, is not a vulnerability. Can the limited
user’s server.el actually entice the root’s emacsclient to do
something that user would not be able to do?
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-11-02 16:53 ` Yuri Khan
@ 2018-11-02 18:49 ` Stefan Monnier
2018-11-02 20:08 ` Paul Eggert
0 siblings, 1 reply; 30+ messages in thread
From: Stefan Monnier @ 2018-11-02 18:49 UTC (permalink / raw)
To: emacs-devel
> Talking, in and of itself, is not a vulnerability. Can the limited
> user’s server.el actually entice the root’s emacsclient to do
> something that user would not be able to do?
Right, the problem is not really that the other end of the socket
belongs to another user, but that the other end may be something else
than intended (e.g. it could be some unsuspecting daemon running as
root: the attacker just made the root user send "garbage" to that
daemon which may lead to exploiting a vulnerability in the daemon).
I agree that the problem may not be the most threatening there is if you
consider random attackers trying to exploit vulnerabilities anywhere
they can, but if you consider an attacker aiming at a particular user
and able to adjust its attack based on knowledge of the user's usage
pattern, I'm sure we can come up with scenarios where this problem can
be exploited.
Stefan
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-11-02 18:49 ` Stefan Monnier
@ 2018-11-02 20:08 ` Paul Eggert
2018-11-02 20:30 ` Stefan Monnier
0 siblings, 1 reply; 30+ messages in thread
From: Paul Eggert @ 2018-11-02 20:08 UTC (permalink / raw)
To: Stefan Monnier, emacs-devel
On 11/2/18 11:49 AM, Stefan Monnier wrote:
> I'm sure we can come up with scenarios where this problem can
> be exploited.
Yes, me too. Let's close the hole. The (minor) convenience here is not
worth the security vulnerability.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-11-02 20:08 ` Paul Eggert
@ 2018-11-02 20:30 ` Stefan Monnier
2018-11-02 21:06 ` Paul Eggert
0 siblings, 1 reply; 30+ messages in thread
From: Stefan Monnier @ 2018-11-02 20:30 UTC (permalink / raw)
To: Paul Eggert; +Cc: emacs-devel
>> I'm sure we can come up with scenarios where this problem can
>> be exploited.
> Yes, me too. Let's close the hole.
Not sure how, tho: as mentioned, just checking that the socket is owned
by root might not be sufficient (the attacker may have just put
a symlink to some other socket that belongs to root but that really
doesn't expect the kind of data emacsclient sends).
Stefan
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-11-02 20:30 ` Stefan Monnier
@ 2018-11-02 21:06 ` Paul Eggert
0 siblings, 0 replies; 30+ messages in thread
From: Paul Eggert @ 2018-11-02 21:06 UTC (permalink / raw)
To: Stefan Monnier; +Cc: emacs-devel
On 11/2/18 1:30 PM, Stefan Monnier wrote:
> the attacker may have just put
> a symlink to some other socket that belongs to root but that really
> doesn't expect the kind of data emacsclient sends
We could refuse to follow symlinks, no? If that's not enough there are
more drastic things to try.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-11-02 15:38 ` Stefan Monnier
2018-11-02 16:53 ` Yuri Khan
@ 2018-11-05 1:13 ` Glenn Morris
2018-11-05 4:46 ` Stefan Monnier
2018-11-05 5:12 ` Paul Eggert
1 sibling, 2 replies; 30+ messages in thread
From: Glenn Morris @ 2018-11-05 1:13 UTC (permalink / raw)
To: Stefan Monnier; +Cc: emacs-devel
Thanks for looking at this. (I wish you'd reply-to-all though...)
Stefan Monnier wrote:
> so it's likely meant for the case where you `su` (or `sudo`) and want to
> use emacsclient from root but connect to your main (non-root) Emacs server.
Tramp methods would seem a better alternative for this.
So I suggest favoring (slight) security over (slighter) convenience, and
eliminating the emacsclient UID 0 exception.
> I guess the risk is reduced in practice for the following reason:
> server.el should hopefully signal an error if it can't create&own
> /tmp/emacsUID/server, so emacsclient only risks connecting to a wrong
> Emacs if:
> - you forgot to start your Emacs server.
> - your Emacs failed to start and you didn't notice it.
> - server.el did not check things carefully enough and the attacker
> managed to replace your socket with his (e.g. /tmp/emacsUID/ or /tmp is
> somehow writable for the attacker).
If you are in the habit of using emasclient -a "", none of the server.el
checks apply. emacsclient will simply start talking to the running
server if it finds one. /tmp is usually world writable.
> Right, the problem is not really that the other end of the socket
> belongs to another user, but that the other end may be something else
> than intended (e.g. it could be some unsuspecting daemon running as root
That's beyond what I was thinking about initially, and would also apply
to non-root users. I was thinking of the case where non-root Emacs eg
runs a keylogger to watch what root types.
BTW is /tmp still the right default location for these sockets, or
should it be eg /run or XDG_RUNTIME_DIR these days?
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-11-05 1:13 ` Glenn Morris
@ 2018-11-05 4:46 ` Stefan Monnier
2018-11-05 7:26 ` Paul Eggert
2018-11-05 5:12 ` Paul Eggert
1 sibling, 1 reply; 30+ messages in thread
From: Stefan Monnier @ 2018-11-05 4:46 UTC (permalink / raw)
To: Glenn Morris; +Cc: emacs-devel
>> so it's likely meant for the case where you `su` (or `sudo`) and want to
>> use emacsclient from root but connect to your main (non-root) Emacs server.
> Tramp methods would seem a better alternative for this.
I think they cover fairly different use-cases. E.g. this emacsclient
trick is used when root sets his $EDITOR to emacsclient and AFAIK Tramp
isn't an option in that case.
> BTW is /tmp still the right default location for these sockets, or
> should it be eg /run or XDG_RUNTIME_DIR these days?
Good question. /run is not an option for non-root users, I believe.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-11-05 1:13 ` Glenn Morris
2018-11-05 4:46 ` Stefan Monnier
@ 2018-11-05 5:12 ` Paul Eggert
2018-12-05 18:53 ` Michael Heerdegen
1 sibling, 1 reply; 30+ messages in thread
From: Paul Eggert @ 2018-11-05 5:12 UTC (permalink / raw)
To: Glenn Morris, Stefan Monnier; +Cc: emacs-devel
Glenn Morris wrote:
> BTW is /tmp still the right default location for these sockets, or
> should it be eg /run or XDG_RUNTIME_DIR these days?
XDG_RUNTIME_DIR indeed sounds like it would be better nowadays.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-11-05 4:46 ` Stefan Monnier
@ 2018-11-05 7:26 ` Paul Eggert
2018-11-06 17:19 ` Daniel Pittman
0 siblings, 1 reply; 30+ messages in thread
From: Paul Eggert @ 2018-11-05 7:26 UTC (permalink / raw)
To: Stefan Monnier, Glenn Morris; +Cc: emacs-devel
Stefan Monnier wrote:
> /run is not an option for non-root users, I believe.
It works for me on Ubuntu 18.04.1 and seems to be used for this sort of thing:
$ ls -ld $XDG_RUNTIME_DIR
drwx------ 11 eggert eggert 260 Nov 4 23:21 /run/user/1000
$ mkdir $XDG_RUNTIME_DIR/emacs
$ ls -l $XDG_RUNTIME_DIR
total 0
srw-rw-rw- 1 eggert eggert 0 Nov 4 08:32 bus
drwx------ 3 eggert eggert 60 Nov 4 08:32 dbus-1
drwx------ 2 eggert eggert 60 Nov 4 23:18 dconf
drwxr-xr-x 2 eggert eggert 40 Nov 4 23:21 emacs
drwx--x--x 2 eggert eggert 60 Nov 4 08:32 gdm
drwx------ 3 eggert eggert 60 Nov 4 08:32 gnome-shell
drwx------ 2 eggert eggert 140 Nov 4 08:32 gnupg
dr-x------ 2 eggert eggert 0 Nov 4 08:32 gvfs
drwx------ 2 eggert eggert 120 Nov 4 08:43 keyring
drwx------ 2 eggert eggert 80 Nov 4 08:32 pulse
drwxr-xr-x 2 eggert eggert 80 Nov 4 08:32 systemd
-rw------- 1 eggert eggert 0 Nov 4 08:33 update-notifier.pid
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-11-05 7:26 ` Paul Eggert
@ 2018-11-06 17:19 ` Daniel Pittman
2018-11-06 17:54 ` Stefan Monnier
2018-11-06 18:17 ` Paul Eggert
0 siblings, 2 replies; 30+ messages in thread
From: Daniel Pittman @ 2018-11-06 17:19 UTC (permalink / raw)
To: eggert; +Cc: rgm, monnier, emacs-devel
[-- Attachment #1: Type: text/plain, Size: 1222 bytes --]
On Mon, Nov 5, 2018 at 2:27 AM Paul Eggert <eggert@cs.ucla.edu> wrote:
> Stefan Monnier wrote:
> > /run is not an option for non-root users, I believe.
>
> It works for me on Ubuntu 18.04.1 and seems to be used for this sort of
> thing:
There is no /run on macOS, and I'm pretty sure at least OpenBSD have
rejected the idea.
Would not a better choice be to locate the socket at
${HOME}/.emacs.d/${something} instead? That avoids the need to make it
globally accessible in the first place.
I'd also note that root can bypass file permissions, and it isn't exactly a
complex protocol to implement ... but also that root can simply change
userid to the appropriate value at will, and access it, should they wish.
At heart, I don't think this is really a security issue, so much as that
root is the ultimate force for bypassing all protection in the Unix world.
Without going to something akin to SELinux, or some similar MAC
system, there isn't any way to prevent root accessing any socket, by
design.
So, the very best case would be that emacsclient makes this check as a
convenience to prevent surprises to the user, and would not materially
improve the security of the system against users with root permissions.
[-- Attachment #2: Type: text/html, Size: 1591 bytes --]
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-11-06 17:19 ` Daniel Pittman
@ 2018-11-06 17:54 ` Stefan Monnier
2018-11-06 18:17 ` Paul Eggert
1 sibling, 0 replies; 30+ messages in thread
From: Stefan Monnier @ 2018-11-06 17:54 UTC (permalink / raw)
To: emacs-devel
> There is no /run on macOS, and I'm pretty sure at least OpenBSD have
> rejected the idea.
It's OK: we can use OS-specific filenames.
And we'd want to preserve compatibility between old emacsclient and new
server.el and vice versa.
> Would not a better choice be to locate the socket at
> ${HOME}/.emacs.d/${something} instead?
That's another option, indeed.
IIRC it tends to work poorly when $HOME is on a network file system.
> At heart, I don't think this is really a security issue, so much as that
> root is the ultimate force for bypassing all protection in the Unix world.
> Without going to something akin to SELinux, or some similar MAC
> system, there isn't any way to prevent root accessing any socket, by
> design.
The problem is not Emacs trying to prevent root's emacsclient from
connecting, but root's emacsclient trying to avoid connecting
inadvertently to an attacker's socket.
Stefan
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-11-06 17:19 ` Daniel Pittman
2018-11-06 17:54 ` Stefan Monnier
@ 2018-11-06 18:17 ` Paul Eggert
2018-11-13 18:21 ` Glenn Morris
1 sibling, 1 reply; 30+ messages in thread
From: Paul Eggert @ 2018-11-06 18:17 UTC (permalink / raw)
To: Daniel Pittman; +Cc: rgm, monnier, emacs-devel
On 11/6/18 9:19 AM, Daniel Pittman wrote:
> On Mon, Nov 5, 2018 at 2:27 AM Paul Eggert <eggert@cs.ucla.edu
> <mailto:eggert@cs.ucla.edu>> wrote:
>
> Stefan Monnier wrote:
> > /run is not an option for non-root users, I believe.
>
> It works for me on Ubuntu 18.04.1 and seems to be used for this
> sort of thing:
>
>
> There is no /run on macOS, and I'm pretty sure at least OpenBSD have
> rejected the idea.
That's OK. Emacs can use /run if available, and fall back on the current
approach (with /tmp) otherwise.
>
> Would not a better choice be to locate the socket at
> ${HOME}/.emacs.d/${something} instead? That avoids the need to make
> it globally accessible in the first place.
/run is better because it does not survive reboot, and avoids security
and availability issues on networked filesystems.
> there isn't any way to prevent root accessing any socket, by design.
Of course, but that's not the issue. The concern here is whether a
non-root user can trick a root program into doing stuff that root
doesn't really want to do.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-11-06 18:17 ` Paul Eggert
@ 2018-11-13 18:21 ` Glenn Morris
2018-11-13 19:25 ` Eli Zaretskii
0 siblings, 1 reply; 30+ messages in thread
From: Glenn Morris @ 2018-11-13 18:21 UTC (permalink / raw)
To: Paul Eggert; +Cc: Daniel Pittman, monnier, emacs-devel
Since discussion seems to have stalled I have gone ahead and removed the
root exception (in master; I think it should be in emacs-26). I have
opened bugs 33366 and 33367 for related topics that were mentioned, I
suggest any future followups go there.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-11-13 18:21 ` Glenn Morris
@ 2018-11-13 19:25 ` Eli Zaretskii
0 siblings, 0 replies; 30+ messages in thread
From: Eli Zaretskii @ 2018-11-13 19:25 UTC (permalink / raw)
To: Glenn Morris; +Cc: slippycheeze, eggert, monnier, emacs-devel
> From: Glenn Morris <rgm@gnu.org>
> Date: Tue, 13 Nov 2018 13:21:48 -0500
> Cc: Daniel Pittman <slippycheeze@google.com>, monnier@iro.umontreal.ca,
> emacs-devel@gnu.org
>
>
> Since discussion seems to have stalled I have gone ahead and removed the
> root exception (in master; I think it should be in emacs-26).
No, please don't make this change on the release branch.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-11-05 5:12 ` Paul Eggert
@ 2018-12-05 18:53 ` Michael Heerdegen
2018-12-05 19:38 ` Glenn Morris
2018-12-06 0:49 ` Paul Eggert
0 siblings, 2 replies; 30+ messages in thread
From: Michael Heerdegen @ 2018-12-05 18:53 UTC (permalink / raw)
To: Paul Eggert; +Cc: Glenn Morris, Stefan Monnier, emacs-devel
Paul Eggert <eggert@cs.ucla.edu> writes:
> XDG_RUNTIME_DIR indeed sounds like it would be better nowadays.
What has got installed seems to prevent me to start a server from an
Emacs started with gksu unless I change server-socket-dir in .emacs of
that user:
signal(file-error ("Creating directory" "Permission denied"
"/run/user/1000/emacs"))
files--ensure-directory("/run/user/1000/emacs")
make-directory("/run/user/1000/emacs" t)
server-ensure-safe-dir("/run/user/1000/emacs")
server-start(nil inhibit-prompt)
Internet searching seems to indicate that XDG_RUNTIME_DIR is not always
set by such tools. Is XDG_RUNTIME_DIR really a good choice?
Thanks,
Michael
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-12-05 18:53 ` Michael Heerdegen
@ 2018-12-05 19:38 ` Glenn Morris
2018-12-05 19:46 ` Eli Zaretskii
` (2 more replies)
2018-12-06 0:49 ` Paul Eggert
1 sibling, 3 replies; 30+ messages in thread
From: Glenn Morris @ 2018-12-05 19:38 UTC (permalink / raw)
To: Michael Heerdegen; +Cc: Paul Eggert, Stefan Monnier, emacs-devel
Michael Heerdegen wrote:
> What has got installed seems to prevent me to start a server from an
> Emacs started with gksu unless I change server-socket-dir in .emacs of
> that user:
>
> signal(file-error ("Creating directory" "Permission denied"
> "/run/user/1000/emacs"))
> files--ensure-directory("/run/user/1000/emacs")
> make-directory("/run/user/1000/emacs" t)
> server-ensure-safe-dir("/run/user/1000/emacs")
> server-start(nil inhibit-prompt)
>
> Internet searching seems to indicate that XDG_RUNTIME_DIR is not always
> set by such tools.
Maybe you need to use gksu -l, though you might then have X auth issues.
> Is XDG_RUNTIME_DIR really a good choice?
It is the right directory to use for these things, yes.
Running a modern graphical application as another user is a complicated
business. I wouldn't do it personally.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-12-05 19:38 ` Glenn Morris
@ 2018-12-05 19:46 ` Eli Zaretskii
2018-12-05 20:02 ` Glenn Morris
2018-12-05 20:33 ` Glenn Morris
2018-12-05 20:58 ` Michael Heerdegen
2 siblings, 1 reply; 30+ messages in thread
From: Eli Zaretskii @ 2018-12-05 19:46 UTC (permalink / raw)
To: Glenn Morris; +Cc: michael_heerdegen, eggert, monnier, emacs-devel
> From: Glenn Morris <rgm@gnu.org>
> Date: Wed, 05 Dec 2018 14:38:19 -0500
> Cc: Paul Eggert <eggert@cs.ucla.edu>, Stefan Monnier <monnier@iro.umontreal.ca>,
> emacs-devel@gnu.org
>
> > Is XDG_RUNTIME_DIR really a good choice?
>
> It is the right directory to use for these things, yes.
Maybe we should have a defcustom for those who don't want
XDG_RUNTIME_DIR to be used, even if it exists. Or maybe we should
check it for being writable before using it, and otherwise fall back
on TMPDIR, as before.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-12-05 19:46 ` Eli Zaretskii
@ 2018-12-05 20:02 ` Glenn Morris
2018-12-05 20:19 ` Eli Zaretskii
0 siblings, 1 reply; 30+ messages in thread
From: Glenn Morris @ 2018-12-05 20:02 UTC (permalink / raw)
To: Eli Zaretskii; +Cc: michael_heerdegen, eggert, monnier, emacs-devel
Eli Zaretskii wrote:
> Maybe we should have a defcustom for those who don't want
> XDG_RUNTIME_DIR to be used, even if it exists.
emacsclient can't know about defcustoms.
> Or maybe we should check it for being writable before using it, and
> otherwise fall back on TMPDIR, as before.
I don't think Emacs should work around user environments that are bogus
in this way.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-12-05 20:02 ` Glenn Morris
@ 2018-12-05 20:19 ` Eli Zaretskii
2018-12-06 0:36 ` Paul Eggert
0 siblings, 1 reply; 30+ messages in thread
From: Eli Zaretskii @ 2018-12-05 20:19 UTC (permalink / raw)
To: Glenn Morris; +Cc: michael_heerdegen, eggert, monnier, emacs-devel
> From: Glenn Morris <rgm@gnu.org>
> Cc: michael_heerdegen@web.de, eggert@cs.ucla.edu, monnier@iro.umontreal.ca, emacs-devel@gnu.org
> Date: Wed, 05 Dec 2018 15:02:24 -0500
>
> Eli Zaretskii wrote:
>
> > Maybe we should have a defcustom for those who don't want
> > XDG_RUNTIME_DIR to be used, even if it exists.
>
> emacsclient can't know about defcustoms.
emacsclient could have a command-line option for that.
> > Or maybe we should check it for being writable before using it, and
> > otherwise fall back on TMPDIR, as before.
>
> I don't think Emacs should work around user environments that are bogus
> in this way.
It's for letting users get back pre-27 behavior. They could want it
for any number of reasons.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-12-05 19:38 ` Glenn Morris
2018-12-05 19:46 ` Eli Zaretskii
@ 2018-12-05 20:33 ` Glenn Morris
2018-12-05 20:58 ` Michael Heerdegen
2 siblings, 0 replies; 30+ messages in thread
From: Glenn Morris @ 2018-12-05 20:33 UTC (permalink / raw)
To: Michael Heerdegen; +Cc: Paul Eggert, Stefan Monnier, emacs-devel
PS this is the same (non-Emacs) issue as https://debbugs.gnu.org/32413 .
You would have the same issue with dbus-related features of Emacs.
See also https://bugs.debian.org/766464 etc.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-12-05 19:38 ` Glenn Morris
2018-12-05 19:46 ` Eli Zaretskii
2018-12-05 20:33 ` Glenn Morris
@ 2018-12-05 20:58 ` Michael Heerdegen
2 siblings, 0 replies; 30+ messages in thread
From: Michael Heerdegen @ 2018-12-05 20:58 UTC (permalink / raw)
To: Glenn Morris; +Cc: Paul Eggert, Stefan Monnier, emacs-devel
Glenn Morris <rgm@gnu.org> writes:
> Maybe you need to use gksu -l, though you might then have X auth
> issues.
If you mean that emacs then doesn't start - yes, I have this little
issue then.
> Running a modern graphical application as another user is a
> complicated business. I wouldn't do it personally.
Well, I used to start another separate xsession for other users, but
that already stopped working some time ago. Thanks to the switch to
systemd or something like this, when I finish one session, the other X
session immediately crashes.
I guess I only have some years left to work with my computer in a
reasonable way...not the fault of Emacs, of cause.
Michael.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-12-05 20:19 ` Eli Zaretskii
@ 2018-12-06 0:36 ` Paul Eggert
2018-12-06 6:37 ` Eli Zaretskii
0 siblings, 1 reply; 30+ messages in thread
From: Paul Eggert @ 2018-12-06 0:36 UTC (permalink / raw)
To: Eli Zaretskii, Glenn Morris; +Cc: michael_heerdegen, monnier, emacs-devel
On 12/5/18 12:19 PM, Eli Zaretskii wrote:
> emacsclient could have a command-line option for that.
emacsclient already has the '-s SOCKET' option. Plus, you can set
XDG_RUNTIME_DIR (or unset it) in the environment before invoking
emacsclient. As far as I can see, this should let users avoid the
problems Michael describes. (And if I'm wrong, what further emacsclient
option would be useful?)
> It's for letting users get back pre-27 behavior. They could want it
> for any number of reasons.
Unsetting XDG_RUNTIME_DIR should get the pre-27 behavior in emacsclient.
PS. One really should know what one is doing to be playing with this
stuff (due to security reasons), and unless I'm missing something the
people who know what they're doing should be able to get the behavior
they want by using the knobs that are already in master.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-12-05 18:53 ` Michael Heerdegen
2018-12-05 19:38 ` Glenn Morris
@ 2018-12-06 0:49 ` Paul Eggert
1 sibling, 0 replies; 30+ messages in thread
From: Paul Eggert @ 2018-12-06 0:49 UTC (permalink / raw)
To: Michael Heerdegen; +Cc: Glenn Morris, Stefan Monnier, emacs-devel
gksu has been removed from Debian and other GNU/Linux distributions for
maintenance and security reasons (see
<https://jeremy.bicha.net/2018/03/21/gksu-is-dead/>), so I'd rather
focus on any other tools having similar problems. That being said, you
should be able to work around the gksu issue by setting (or unsetting)
XDG_RUNTIME_DIR in gksu's subsidiary environment before invoking Emacs
(not that I recommend using gksu at all...).
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-12-06 0:36 ` Paul Eggert
@ 2018-12-06 6:37 ` Eli Zaretskii
2018-12-06 19:08 ` Paul Eggert
0 siblings, 1 reply; 30+ messages in thread
From: Eli Zaretskii @ 2018-12-06 6:37 UTC (permalink / raw)
To: Paul Eggert; +Cc: michael_heerdegen, rgm, monnier, emacs-devel
> Cc: michael_heerdegen@web.de, monnier@iro.umontreal.ca, emacs-devel@gnu.org
> From: Paul Eggert <eggert@cs.ucla.edu>
> Date: Wed, 5 Dec 2018 16:36:59 -0800
>
> On 12/5/18 12:19 PM, Eli Zaretskii wrote:
> > emacsclient could have a command-line option for that.
>
> emacsclient already has the '-s SOCKET' option. Plus, you can set
> XDG_RUNTIME_DIR (or unset it) in the environment before invoking
> emacsclient. As far as I can see, this should let users avoid the
> problems Michael describes. (And if I'm wrong, what further emacsclient
> option would be useful?)
>
> > It's for letting users get back pre-27 behavior. They could want it
> > for any number of reasons.
> Unsetting XDG_RUNTIME_DIR should get the pre-27 behavior in emacsclient.
How about mentioning these in NEWS, then? Maybe in the manual as
well?
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-12-06 6:37 ` Eli Zaretskii
@ 2018-12-06 19:08 ` Paul Eggert
2018-12-06 19:18 ` Eli Zaretskii
2018-12-06 20:26 ` Glenn Morris
0 siblings, 2 replies; 30+ messages in thread
From: Paul Eggert @ 2018-12-06 19:08 UTC (permalink / raw)
To: Eli Zaretskii; +Cc: michael_heerdegen, rgm, monnier, emacs-devel
[-- Attachment #1: Type: text/plain, Size: 151 bytes --]
On 12/5/18 10:37 PM, Eli Zaretskii wrote:
> How about mentioning these in NEWS, then? Maybe in the manual as
> well?
Sure I installed the attached.
[-- Attachment #2: 0001-Mention-unsetting-XDG_RUNTIME_DIR-in-doc.patch --]
[-- Type: text/x-patch, Size: 1662 bytes --]
From 2f613d37554660ca7119d4b0a6d5553b55807102 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Thu, 6 Dec 2018 11:07:18 -0800
Subject: [PATCH] Mention unsetting XDG_RUNTIME_DIR in doc.
---
doc/misc/efaq.texi | 5 ++++-
etc/NEWS | 2 ++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/doc/misc/efaq.texi b/doc/misc/efaq.texi
index d457267c24..19770455f1 100644
--- a/doc/misc/efaq.texi
+++ b/doc/misc/efaq.texi
@@ -2009,7 +2009,10 @@ Using an already running Emacs process
@file{server} in a well-known directory, typically
@file{$XDG_RUNTIME_DIR/emacs} if Emacs is running under an X Window System
desktop and @file{$TMPDIR/emacs@var{userid}} otherwise. See the variable
-@code{server-socket-dir}.
+@code{server-socket-dir}. Traditionally, Emacs used
+@file{$TMPDIR/emacs@var{userid}} even when running under an X desktop;
+if you prefer this traditional (and less-secure) behavior, unset
+@env{XDG_RUNTIME_DIR} before invoking Emacs and @samp{emacsclient}.
To get your news reader, mail reader, etc., to invoke
@samp{emacsclient}, try setting the environment variable @code{EDITOR}
diff --git a/etc/NEWS b/etc/NEWS
index 60cba9ed46..e7f2d606f8 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -133,6 +133,8 @@ to apply.
as the directory for client/server sockets, if Emacs is running
under an X Window System desktop that sets the XDG_RUNTIME_DIR
environment variable to indicate where session sockets should go.
+To get the old and less-secure behavior, unset XDG_RUNTIME_DIR before
+invoking emacs and emacsclient.
---
*** When run by root, emacsclient no longer connects to non-root sockets.
--
2.19.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-12-06 19:08 ` Paul Eggert
@ 2018-12-06 19:18 ` Eli Zaretskii
2018-12-06 20:26 ` Glenn Morris
1 sibling, 0 replies; 30+ messages in thread
From: Eli Zaretskii @ 2018-12-06 19:18 UTC (permalink / raw)
To: Paul Eggert; +Cc: michael_heerdegen, rgm, monnier, emacs-devel
> Cc: rgm@gnu.org, michael_heerdegen@web.de, monnier@iro.umontreal.ca,
> emacs-devel@gnu.org
> From: Paul Eggert <eggert@cs.ucla.edu>
> Date: Thu, 6 Dec 2018 11:08:33 -0800
>
> On 12/5/18 10:37 PM, Eli Zaretskii wrote:
> > How about mentioning these in NEWS, then? Maybe in the manual as
> > well?
>
> Sure I installed the attached.
Thanks.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-12-06 19:08 ` Paul Eggert
2018-12-06 19:18 ` Eli Zaretskii
@ 2018-12-06 20:26 ` Glenn Morris
2018-12-06 21:01 ` Paul Eggert
1 sibling, 1 reply; 30+ messages in thread
From: Glenn Morris @ 2018-12-06 20:26 UTC (permalink / raw)
To: Paul Eggert; +Cc: michael_heerdegen, Eli Zaretskii, monnier, emacs-devel
Paul Eggert wrote:
> Subject: [PATCH] Mention unsetting XDG_RUNTIME_DIR in doc.
XDG_RUNTIME_DIR isn't specific to Emacs, so the Emacs docs should not
suggest unsetting it, because this will affect external processes that
Emacs spawns. It would be better to refer to EMACS_SOCKET_NAME.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: emacsclient socket ownership
2018-12-06 20:26 ` Glenn Morris
@ 2018-12-06 21:01 ` Paul Eggert
0 siblings, 0 replies; 30+ messages in thread
From: Paul Eggert @ 2018-12-06 21:01 UTC (permalink / raw)
To: Glenn Morris; +Cc: michael_heerdegen, Eli Zaretskii, monnier, emacs-devel
[-- Attachment #1: Type: text/plain, Size: 140 bytes --]
On 12/6/18 12:26 PM, Glenn Morris wrote:
> It would be better to refer to EMACS_SOCKET_NAME.
Sure, that's easy. I installed the attached.
[-- Attachment #2: 0001-Mention-EMACS_SOCKET_NAME-not-XDG_RUNTIME_DIR.patch --]
[-- Type: text/x-patch, Size: 1995 bytes --]
From 0e8e5da1e8da0752fc02bf590a17697af4c0afd3 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Thu, 6 Dec 2018 12:59:42 -0800
Subject: [PATCH] Mention EMACS_SOCKET_NAME, not XDG_RUNTIME_DIR.
---
doc/misc/efaq.texi | 8 ++++++--
etc/NEWS | 4 ++--
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/doc/misc/efaq.texi b/doc/misc/efaq.texi
index 19770455f1..18a857f7dc 100644
--- a/doc/misc/efaq.texi
+++ b/doc/misc/efaq.texi
@@ -2011,8 +2011,12 @@ Using an already running Emacs process
desktop and @file{$TMPDIR/emacs@var{userid}} otherwise. See the variable
@code{server-socket-dir}. Traditionally, Emacs used
@file{$TMPDIR/emacs@var{userid}} even when running under an X desktop;
-if you prefer this traditional (and less-secure) behavior, unset
-@env{XDG_RUNTIME_DIR} before invoking Emacs and @samp{emacsclient}.
+if you prefer this traditional (and less-secure) behavior, you
+can set the environment variable @env{EMACS_SOCKET_NAME} to
+@samp{$TMPDIR/emacs@var{userid}/server} before invoking Emacs and
+@samp{emacsclient}, although it will be your responsibility to create
+the directory @samp{$TMPDIR/emacs@var{userid}} with appropriate
+ownership and permissions.
To get your news reader, mail reader, etc., to invoke
@samp{emacsclient}, try setting the environment variable @code{EDITOR}
diff --git a/etc/NEWS b/etc/NEWS
index e7f2d606f8..cad44f9233 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -133,8 +133,8 @@ to apply.
as the directory for client/server sockets, if Emacs is running
under an X Window System desktop that sets the XDG_RUNTIME_DIR
environment variable to indicate where session sockets should go.
-To get the old and less-secure behavior, unset XDG_RUNTIME_DIR before
-invoking emacs and emacsclient.
+To get the old, less-secure behavior, you can set the
+EMACS_SOCKET_NAME environment variable to an appropriate value.
---
*** When run by root, emacsclient no longer connects to non-root sockets.
--
2.19.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
end of thread, other threads:[~2018-12-06 21:01 UTC | newest]
Thread overview: 30+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-11-01 16:43 emacsclient socket ownership Glenn Morris
2018-11-02 15:38 ` Stefan Monnier
2018-11-02 16:53 ` Yuri Khan
2018-11-02 18:49 ` Stefan Monnier
2018-11-02 20:08 ` Paul Eggert
2018-11-02 20:30 ` Stefan Monnier
2018-11-02 21:06 ` Paul Eggert
2018-11-05 1:13 ` Glenn Morris
2018-11-05 4:46 ` Stefan Monnier
2018-11-05 7:26 ` Paul Eggert
2018-11-06 17:19 ` Daniel Pittman
2018-11-06 17:54 ` Stefan Monnier
2018-11-06 18:17 ` Paul Eggert
2018-11-13 18:21 ` Glenn Morris
2018-11-13 19:25 ` Eli Zaretskii
2018-11-05 5:12 ` Paul Eggert
2018-12-05 18:53 ` Michael Heerdegen
2018-12-05 19:38 ` Glenn Morris
2018-12-05 19:46 ` Eli Zaretskii
2018-12-05 20:02 ` Glenn Morris
2018-12-05 20:19 ` Eli Zaretskii
2018-12-06 0:36 ` Paul Eggert
2018-12-06 6:37 ` Eli Zaretskii
2018-12-06 19:08 ` Paul Eggert
2018-12-06 19:18 ` Eli Zaretskii
2018-12-06 20:26 ` Glenn Morris
2018-12-06 21:01 ` Paul Eggert
2018-12-05 20:33 ` Glenn Morris
2018-12-05 20:58 ` Michael Heerdegen
2018-12-06 0:49 ` Paul Eggert
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.