From: Glenn Morris
Newsgroups: gmane.emacs.devel
Subject: Re: Closing a privilege escalation
Date: Wed, 25 Apr 2018 12:47:30 -0400
To: rms@gnu.org
Cc: emacs-devel@gnu.org
In-Reply-To: (Richard Stallman's message of "Tue, 24 Apr 2018 21:09:14 -0400")

This was previously discussed in bug#28618.

I think the discussion suffers from lack of a clear example, so let me try to give one:

A normal (uncompromised) user account inadvertently installs a malicious Emacs package that contains exploit code that waits to be run as root. This user then sudos (to root) in such a way that HOME is not reset to that of root. They then run Emacs, which executes the malicious package code as root.

This entire class of exploit can be avoided by suitable sudo options (always_set_home etc), but that doesn't necessarily mean that Emacs should not do something about it.

It seems to me that "if UID = 0, set user-init-file, user-emacs-directory etc to those of root" is a simpler solution than the one you propose. This effectively enforces the always_set_home feature of sudo in Emacs. This may annoy some people, but you can't make the behaviour optional, because then the bad code could disable it.

Some might say that people using sudo without set_home want the behaviour the way it is now, but maybe we could argue that it is not always a conscious choice.

By the way, what about sudo called from Tramp? Let's suppose the malicious package subverts the sudo syntax that is built-in to Emacs. How to defend against that (i.e. people running sudo within Emacs)?
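A defender-side check for the hazard described in the message above, as an added example that is not code from the email, from Emacs or from sudo: it models the current behaviour (trust $HOME) against the proposed "if UID = 0, use root's own files" rule, and lists init files under a suspect HOME that a root process would execute but does not solely control. The init-file locations are assumed to be the standard ones Emacs searches; the demo HOME is constructed locally.

```python
# Added example, not code from the email or from Emacs: audit whether a root
# process would load Emacs init files out of a HOME that sudo left pointing at
# another account. Init-file paths are the standard ones Emacs searches (assumed).
import os
import pwd
import tempfile

INIT_CANDIDATES = (".emacs", ".emacs.el", ".emacs.d/init.el",
                   ".config/emacs/init.el")

def startup_home(uid, env_home, root_home, force_root_home):
    """HOME used for init-file lookup: trust $HOME (current behaviour) unless
    force_root_home models the proposal "if UID = 0, use root's own files"."""
    if uid == 0 and force_root_home:
        return root_home
    return env_home

def risky_init_files(home, trusted_uid):
    """Existing init files under HOME that trusted_uid does not solely control."""
    risky = []
    for rel in INIT_CANDIDATES:
        path = os.path.join(home, rel)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        # Owned by another uid, or group/world writable (mode bits 0o022).
        if st.st_uid != trusted_uid or st.st_mode & 0o022:
            risky.append(path)
    return risky

def audit_current_process(force_root_home=False):
    """Init files this process would load as root from a HOME it should not trust."""
    uid = os.geteuid()
    root_home = pwd.getpwuid(0).pw_dir
    home = startup_home(uid, os.environ.get("HOME", root_home), root_home,
                        force_root_home)
    return risky_init_files(home, uid) if uid == 0 else []

def make_demo_home():
    """Constructed fixture: a temp HOME holding an init.el owned by this process."""
    init = os.path.join(tempfile.mkdtemp(prefix="demo-home-"), ".emacs.d", "init.el")
    os.makedirs(os.path.dirname(init))
    with open(init, "w") as fh:
        fh.write(";; constructed sample init file\n")
    os.chmod(init, 0o600)
    return os.path.dirname(os.path.dirname(init)), os.getuid()
```

Running `audit_current_process()` under `sudo -s` with a preserved HOME reports the caller's init files that root would execute; with `force_root_home=True` the lookup ignores $HOME entirely, which is the effect of the proposed rule.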