emacs-devel

Re: sudo:: method in tramp possible security issue


From: Stefan Monnier
Subject: Re: sudo:: method in tramp possible security issue
Date: Tue, 20 Nov 2018 16:44:03 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)

>> Tramp is not magical: it can do no more nor less than what an attacker
>> could do.
> Sure, if the attacker has control over my keyboard, or over my display, or
> over the Lisp code that I load and execute.  That being said, Tramp does make
> attacks easier, so it has been an easy call for me to disable it.

I don't see in which way you think it makes attacks easier.
Are you thinking of things like file-local variables which may point
to a file like "/sudo:..."?

I'd expect that in most such cases such vars pointing to arbitrary files
would be a risk even without the sudo method, so I'd hope we'd plug
those quickly enough (and yes, the sudo method would make such attacks
worse, indeed).


        Stefan



