bug-gnu-emacs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#28618: Emacs Security Issue

From: Glenn Morris
Subject: bug#28618: Emacs Security Issue
Date: Wed, 27 Sep 2017 13:24:41 -0400
User-agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/) 
Dor Azouri wrote:

> I would like to report a possible abuse one can perform on Emacs's
> extensibility mechanism, that may lead to privilege escalation.
>
> In short, a malicious actor that can execute code as one of the sudoers (in
> non-elevated mode), can edit the init file, and add malicious commands to
> it. Then he needs to wait for that user to invoke the editor in elevated
> mode - and the plugin that was written before, will be loaded with the root
> permissions.

If an attacker has comprised a user account that can run "sudo arbitrary
command", then that's just the same as having compromised the root
account, and so worrying about this on the individual application level
doesn't seem to make sense. Eg they could replace "sudo" with a keylogger.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]