[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when startin

From: Ulrich Mueller
Subject: bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when starting daemon on demand
Date: Fri, 05 Nov 2021 20:02:43 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)

>>>>> On Fri, 05 Nov 2021, Jim Porter wrote:

> (Cc'ing Paul Eggert, who can probably answer more confidently than me.)
> On 11/5/2021 11:05 AM, Ulrich Mueller wrote:
>> Can someone please explain to me how an exploit on the _client_ side
>> would look like?

>> When starting the server, I can believe that there may be some
>> surface for a symlink attack. But once the daemon is running? What is
>> the security issue for the client checking TMPDIR?

> I'm not an expert on this kind of attack, but my understanding is that
> it could go something like this:

>  1. Attacker runs `evil-daemon' which puts its socket in /tmp/evil
>  2. Attacker runs `ln -s /tmp/evil /tmp/emacs1000/server'

Right, and IIUC this must be carefully timed to exploit some race
condition between permission checking and creating the socket. I am not
an expert on this either.

>  3. User runs `emacsclient --alternate-editor=""'
>  4. emacsclient doesn't see a socket in XDG_RUNTIME_DIR, checks TMPDIR
>  5. emacsclient connects to evil-daemon

Note that after locating the socket, emacsclient will double check for
sane permissions. That is, correct user id and _no_ write permission for
either group or others. That's why I think that there's little attack
surface on the client side, once the socket has been created.

> The evil-daemon probably can't get access to the user's files, but
> might be able to trick a user into entering some secret. I'll let
> others chime in too though, since like I said, I'm not an expert.

> If I'm wrong and this isn't an a problem, then I agree that all we
> need to do here is silence the warning.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]