[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when startin

From: Ulrich Mueller
Subject: bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when starting daemon on demand
Date: Thu, 11 Nov 2021 14:04:05 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)

>>>>> On Fri, 05 Nov 2021, Ulrich Mueller wrote:

>>>>> On Fri, 05 Nov 2021, Jim Porter wrote:
>> I'm not an expert on this kind of attack, but my understanding is that
>> it could go something like this:

>> 1. Attacker runs `evil-daemon' which puts its socket in /tmp/evil
>> 2. Attacker runs `ln -s /tmp/evil /tmp/emacs1000/server'

> Right, and IIUC this must be carefully timed to exploit some race
> condition between permission checking and creating the socket. I am
> not an expert on this either.

Thinking about it some more, when you always start the daemon with
XDG_RUNTIME_DIR present, there won't be a /tmp/emacs1000/server (at
least not one with correct user and permissions), and I don't believe
that a symlink attack would be possible.

OTOH, when you start the daemon without XDG_RUNTIME_DIR, then the socket
will be created in /tmp, but in that case you'd want the client to find
it there.

>> 3. User runs `emacsclient --alternate-editor=""'
>> 4. emacsclient doesn't see a socket in XDG_RUNTIME_DIR, checks TMPDIR
>> 5. emacsclient connects to evil-daemon

See above, unless the daemon was started without XDG*, there won't be
any socket in TMPDIR.

> Note that after locating the socket, emacsclient will double check for
> sane permissions. That is, correct user id and _no_ write permission for
> either group or others. That's why I think that there's little attack
> surface on the client side, once the socket has been created.

>> The evil-daemon probably can't get access to the user's files, but
>> might be able to trick a user into entering some secret. I'll let
>> others chime in too though, since like I said, I'm not an expert.

>> If I'm wrong and this isn't an a problem, then I agree that all we
>> need to do here is silence the warning.

The core issue is that /run/user/${UID}/ is transient and will disappear
after logout. So if you start an Emacs daemon then its process will
persist after logout, but its socket file will be gone and it will no
longer be possible to connect. This may not be a security issue, but it
may cause loss of data.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]