bug-gnu-emacs

bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when startin


From: Jim Porter
Subject: bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when starting daemon on demand
Date: Fri, 5 Nov 2021 11:38:48 -0700

(Cc'ing Paul Eggert, who can probably answer more confidently than me.)

On 11/5/2021 11:05 AM, Ulrich Mueller wrote:
> Can someone please explain to me what an exploit on the _client_ side
> would look like?
>
> When starting the server, I can believe that there may be some surface
> for a symlink attack. But once the daemon is running? What is the
> security issue for the client checking TMPDIR?

I'm not an expert on this kind of attack, but my understanding is that it could go something like this:

 1. Attacker runs `evil-daemon' which puts its socket in /tmp/evil
 2. Attacker runs `ln -s /tmp/evil /tmp/emacs1000/server'
 3. User runs `emacsclient --alternate-editor=""'
 4. emacsclient doesn't see a socket in XDG_RUNTIME_DIR, checks TMPDIR
 5. emacsclient connects to evil-daemon

The evil-daemon probably can't get access to the user's files, but might be able to trick a user into entering some secret. I'll let others chime in too though, since like I said, I'm not an expert.

If I'm wrong and this isn't a problem, then I agree that all we need to do here is silence the warning.
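
The scenario in steps 1-5 above depends on the client trusting whatever entry sits at the socket path under TMPDIR. The following is an added example, not part of the original message and not emacsclient's own code, of the kind of ownership and symlink check a client can run before connecting; `check_socket`, `demo` and the temporary directory name are hypothetical, and the fixture is constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* 0 if DIR/NAME is a socket that may be trusted as UID's, else an errno. */
int check_socket(const char *dir, const char *name, uid_t uid)
{
    struct stat d, s;
    /* O_NOFOLLOW: a symlinked directory is refused (ELOOP or ENOTDIR). */
    int rc = 0, dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return errno;
    if (fstat(dfd, &d) != 0) rc = errno;
    else if (d.st_uid != uid) rc = EPERM;   /* directory created by someone else */
    else if (d.st_mode & (S_IWGRP | S_IWOTH)) rc = EACCES; /* others can plant entries */
    /* Look at the entry relative to the vetted directory, without following links. */
    else if (fstatat(dfd, name, &s, AT_SYMLINK_NOFOLLOW) != 0) rc = errno;
    else if (S_ISLNK(s.st_mode)) rc = ELOOP;   /* e.g. server -> /tmp/evil */
    else if (!S_ISSOCK(s.st_mode)) rc = ENOTSOCK;
    else if (s.st_uid != uid) rc = EPERM;
    close(dfd);
    return rc;
}

/* Constructed scenario: private temp dir holding a real socket "server" and a
   symlink "planted" to it. Fills out[] with three verdicts; 0 on success. */
int demo(int out[3])
{
    char dir[] = "/tmp/sockchk-XXXXXX", lnk[64];
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0 || !mkdtemp(dir)) return -1;
    snprintf(sa.sun_path, sizeof sa.sun_path, "%s/server", dir);
    snprintf(lnk, sizeof lnk, "%s/planted", dir);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || symlink("server", lnk) != 0)
        return -1;
    out[0] = check_socket(dir, "server", geteuid());      /* genuine socket */
    out[1] = check_socket(dir, "planted", geteuid());     /* symlink entry */
    out[2] = check_socket(dir, "server", geteuid() + 1);  /* owner mismatch */
    unlink(lnk); unlink(sa.sun_path); rmdir(dir); close(fd);
    return 0;
}

int main(void) { int r[3]; return demo(r) || printf("%d %d %d\n", r[0], r[1], r[2]) < 0; }
```

The check and the later connect() are separate steps, so the directory test carries the weight: once the directory is owned by the user and writable by nobody else, no other account can swap the entry in between.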




