Dear Emacs developers,
I would like to report a possible abuse one can perform on Emacs's extensibility mechanism that may lead to privilege escalation.
In short, a malicious actor who can execute code as one of the sudoers (in non-elevated mode) can edit the init file and add malicious commands to it. Then he needs to wait for that user to invoke the editor in elevated mode, and the plugin that was written before will be loaded with root permissions.
The root cause that enables this abuse is basically incomplete separation between the regular and elevated execution modes of the editor (using "sudo"). I can suggest possible solutions to this issue, e.g. applying better permissions to the plugin directories.
1) Add the following Elisp line of code to the init file. It will be loaded on startup and will execute the command "touch /stub.file" with "~/.emacs.d/" as the working directory.
(let ((default-directory "~/.emacs.d/")) (shell-command "touch /stub.file"))
2) Wait for the user to invoke Emacs in elevated mode. The owner of the newly created stub file is root.
* This simple command is just for demonstration; of course, much more complicated intentions can be achieved once Emacs is invoked with sudo.
I will be happy to provide more information as needed,
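The following audit script is an added example and is not part of the report above nor Emacs's own code. It checks the precondition the report relies on: that the init file (and the directory containing it) which a root Emacs would load can be modified by a non-root account. It assumes the standard init-file locations Emacs searches (~/.emacs, ~/.emacs.el, ~/.emacs.d/init.el, and ~/.config/emacs/init.el on newer releases), the usual `ls -ld` output layout ("perms links owner group ..."), and that "safe" means the path is owned by root or by the invoking user and is not group- or world-writable. Which home directory root's Emacs actually reads depends on how sudo is configured (env_reset, always_set_home, `sudo -H`), so the caller passes the HOME that would be in effect under sudo.

```shell
#!/bin/sh
# Added example: audit whether an Emacs init file and its directory could be
# altered by another account before Emacs is started via sudo.
# Assumptions (not from the report): POSIX sh and `ls -ld` printing
# "perms links owner group ..." as its first four fields.

# Check one path. Prints a finding per problem and returns 1 if any was found,
# 2 if the path does not exist, 0 if it looks safe.
# $1 = path, $2 = account expected to own it (root is always accepted too).
audit_init_path() {
    path=$1
    expected_owner=${2:-root}
    status=0
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 2
    fi
    # Split `ls -ld` output into fields: $1 = mode string, $3 = owner.
    set -- $(ls -ld "$path")
    perms=$1
    owner=$3
    # Mode string looks like "drwxrwxr-x": position 6 is the group write bit,
    # position 9 the other write bit (a trailing "+" or "@" does not matter).
    case $perms in
        ?????w*) echo "GROUP-WRITABLE $path ($perms)"; status=1 ;;
    esac
    case $perms in
        ????????w*) echo "WORLD-WRITABLE $path ($perms)"; status=1 ;;
    esac
    if [ "$owner" != "$expected_owner" ] && [ "$owner" != root ]; then
        echo "OWNED-BY $owner $path"
        status=1
    fi
    return $status
}

# Audit every init-file location Emacs would consult under the given HOME.
# $1 = home directory that a root Emacs would use, $2 = expected owner.
# Returns 0 if no existing candidate is modifiable by another account.
audit_emacs_home() {
    home=$1
    expected_owner=$2
    rc=0
    for p in "$home/.emacs" "$home/.emacs.el" \
             "$home/.emacs.d" "$home/.emacs.d/init.el" \
             "$home/.config/emacs" "$home/.config/emacs/init.el"; do
        [ -e "$p" ] || continue
        audit_init_path "$p" "$expected_owner" || rc=1
    done
    return $rc
}

# Stand-alone usage: audit the current account's home, e.g. before running
# `sudo emacs`. Pass the HOME sudo would set if it differs.
if [ "${AUDIT_EMACS_RUN:-0}" = 1 ]; then
    audit_emacs_home "${1:-$HOME}" "$(id -un)" && echo "OK: no writable init paths"
fi
```

Run it as `AUDIT_EMACS_RUN=1 sh audit.sh "$HOME"`; a non-zero exit with a GROUP-WRITABLE, WORLD-WRITABLE or OWNED-BY line means another account could plant the kind of line shown in step 1 and have it executed with root's privileges the next time Emacs is started under sudo.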