bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when starting daemon on demand
Fri, 5 Nov 2021 11:38:48 -0700
(Cc'ing Paul Eggert, who can probably answer more confidently than me.)
On 11/5/2021 11:05 AM, Ulrich Mueller wrote:
> Can someone please explain to me how an exploit on the _client_ side
> would look like?
> When starting the server, I can believe that there may be some surface
> for a symlink attack. But once the daemon is running? What is the
> security issue for the client checking TMPDIR?
I'm not an expert on this kind of attack, but my understanding is that
it could go something like this:
1. Attacker runs `evil-daemon' which puts its socket in /tmp/evil
2. Attacker runs `ln -s /tmp/evil /tmp/emacs1000/server'
3. User runs `emacsclient --alternate-editor=""'
4. emacsclient doesn't see a socket in XDG_RUNTIME_DIR, checks TMPDIR
5. emacsclient connects to evil-daemon
The evil-daemon probably can't get access to the user's files, but might
be able to trick a user into entering some secret. I'll let others chime
in too though, since like I said, I'm not an expert.
If I'm wrong and this isn't a problem, then I agree that all we need
to do here is silence the warning.
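
A check a client could make before the TMPDIR fallback in steps 4 and 5, added here as an example; it is not code from this message or from Emacs. The helper `socket_path_problem`, its reason strings and the scratch directory layout are assumptions for illustration.

```python
import os
import socket
import stat
import tempfile


def socket_path_problem(directory, name="server", uid=None):
    """Hypothetical helper: None if directory/name is safe to connect to, else why not."""
    uid = os.geteuid() if uid is None else uid
    try:
        d = os.lstat(directory)  # lstat: a symlinked directory is not followed
        if not stat.S_ISDIR(d.st_mode):
            return "directory is not a real directory"
        if d.st_uid != uid:
            return "directory owned by another user"
        if d.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return "directory writable by group or others"
        s = os.lstat(os.path.join(directory, name))  # a symlink stays a symlink
    except FileNotFoundError:
        return "directory or socket missing"
    if not stat.S_ISSOCK(s.st_mode):
        return "not a socket (symlink or other file type)"
    if s.st_uid != uid:
        return "socket owned by another user"
    return None


def demo():
    """Constructed scenario mirroring steps 1-2 above, inside a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp, \
            socket.socket(socket.AF_UNIX) as evil_sock, \
            socket.socket(socket.AF_UNIX) as good_sock:
        evil = os.path.join(tmp, "evil")  # stands in for /tmp/evil
        good, linked, loose = (os.path.join(tmp, n) for n in ("good", "linked", "loose"))
        for d in (good, linked, loose):
            os.mkdir(d, 0o700)
        evil_sock.bind(evil)  # bind creates the socket file
        good_sock.bind(os.path.join(good, "server"))
        os.symlink(evil, os.path.join(linked, "server"))  # step 2's ln -s
        os.chmod(loose, 0o777)  # any local user could now plant entries here
        return {
            "good": socket_path_problem(good),
            "linked": socket_path_problem(linked),
            "loose": socket_path_problem(loose),
            "foreign": socket_path_problem(good, uid=os.geteuid() + 1),  # other uid's view
        }


if __name__ == "__main__":
    print(demo())
```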