From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!.POSTED!not-for-mail From: Stefan Monnier Newsgroups: gmane.emacs.devel Subject: Re: Closing a privilege escalation Date: Wed, 25 Apr 2018 13:09:19 -0400 Message-ID: References: NNTP-Posting-Host: blaine.gmane.org Mime-Version: 1.0 Content-Type: text/plain X-Trace: blaine.gmane.org 1524676106 19897 195.159.176.226 (25 Apr 2018 17:08:26 GMT) X-Complaints-To: usenet@blaine.gmane.org NNTP-Posting-Date: Wed, 25 Apr 2018 17:08:26 +0000 (UTC) User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux) To: emacs-devel@gnu.org Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Wed Apr 25 19:08:22 2018 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by blaine.gmane.org with esmtp (Exim 4.84_2) (envelope-from ) id 1fBNu0-00055y-Ju for ged-emacs-devel@m.gmane.org; Wed, 25 Apr 2018 19:08:20 +0200 Original-Received: from localhost ([::1]:38225 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fBNw7-0001Qt-DK for ged-emacs-devel@m.gmane.org; Wed, 25 Apr 2018 13:10:31 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:58811) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fBNvE-0001PJ-1U for emacs-devel@gnu.org; Wed, 25 Apr 2018 13:09:36 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fBNv8-0002Sh-Vl for emacs-devel@gnu.org; Wed, 25 Apr 2018 13:09:35 -0400 Original-Received: from [195.159.176.226] (port=33764 helo=blaine.gmane.org) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1fBNv8-0002S4-MT for emacs-devel@gnu.org; Wed, 25 Apr 2018 13:09:30 -0400 Original-Received: from list by blaine.gmane.org with local (Exim 4.84_2) (envelope-from ) id 1fBNsx-00042k-P9 for emacs-devel@gnu.org; Wed, 25 Apr 2018 19:07:15 +0200 X-Injected-Via-Gmane: http://gmane.org/ Original-Lines: 32 Original-X-Complaints-To: usenet@blaine.gmane.org Cancel-Lock: sha1:jO1N4WAVYpAUT4B/Q2B/n51sHu4= X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 195.159.176.226 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Original-Sender: "Emacs-devel" Xref: news.gmane.org gmane.emacs.devel:224882 Archived-At: > A normal (uncompromised) user account inadvertently installs a malicious > Emacs package that contains exploit code that waits to be run as root. At that point, the account *is* compromised. And this exploit code could just as well not wait to be run as root and instead install a key-logger on `sudo`, after which the attacker can `sudo` to run any code it wants. > This entire class of exploit can be avoided by suitable sudo options > (always_set_home etc), but that doesn't necessarily mean that Emacs > should not do something about it. I think running as UID=0 with $HOME pointing to a directory writable (or containing files writable) by non-root users is fundamentally insecure. More generally $HOME should point to a directory which is only writable by users of higher-or-equal privilege-level. > It seems to me, that "if UID = 0, set user-init-file, user-emacs-directory > etc to those of root" is a simpler solution that the one you propose. We could try and paper over the problem this way, indeed. Rather than (re)set user-init-file and user-emacs-directory, I'd rather reset $HOME altogether (and stash the old value somewhere, so ~root/.emacs can still read that user's ~/.emacs if they *really* want), tho, and emit a warning message while doing it, of course, so the user isn't caught by surprise. Stefan