[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when startin
bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when starting daemon on demand
Fri, 05 Nov 2021 20:02:43 +0100
Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
>>>>> On Fri, 05 Nov 2021, Jim Porter wrote:
> (Cc'ing Paul Eggert, who can probably answer more confidently than me.)
> On 11/5/2021 11:05 AM, Ulrich Mueller wrote:
>> Can someone please explain to me how an exploit on the _client_ side
>> would look like?
>> When starting the server, I can believe that there may be some
>> surface for a symlink attack. But once the daemon is running? What is
>> the security issue for the client checking TMPDIR?
> I'm not an expert on this kind of attack, but my understanding is that
> it could go something like this:
> 1. Attacker runs `evil-daemon' which puts its socket in /tmp/evil
> 2. Attacker runs `ln -s /tmp/evil /tmp/emacs1000/server'
Right, and IIUC this must be carefully timed to exploit some race
condition between permission checking and creating the socket. I am not
an expert on this either.
> 3. User runs `emacsclient --alternate-editor=""'
> 4. emacsclient doesn't see a socket in XDG_RUNTIME_DIR, checks TMPDIR
> 5. emacsclient connects to evil-daemon
Note that after locating the socket, emacsclient will double check for
sane permissions. That is, correct user id and _no_ write permission for
either group or others. That's why I think that there's little attack
surface on the client side, once the socket has been created.
> The evil-daemon probably can't get access to the user's files, but
> might be able to trick a user into entering some secret. I'll let
> others chime in too though, since like I said, I'm not an expert.
> If I'm wrong and this isn't an a problem, then I agree that all we
> need to do here is silence the warning.