[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: sudo:: method in tramp possible security issue

From: João Távora
Subject: Re: sudo:: method in tramp possible security issue
Date: Tue, 20 Nov 2018 22:27:01 +0000

On Tue, Nov 20, 2018 at 10:06 PM Michael Albinus <address@hidden> wrote:
Paul Eggert <address@hidden> writes:

> On 11/20/18 1:18 PM, Stefan Monnier wrote:
>> Tramp is not magical: it can do no more nor less than what an attacker
>> could do.
> Sure, if the attacker has control over my keyboard, or over my
> display, or over the Lisp code that I load and execute. That being
> said, Tramp does make attacks easier, so it has been an easy call for
> me to disable it.

Tramp's sudo method needs your credentials. If you don't provide them,
Tramp cannot do anything.

Like calling sudo in a terminal.

It's not exactly like calling sudo in a terminal, because when you
use sudo you generally:

1. perform a one time action and are back at a non-sudo prompt; OR
2. start an interactive superuser session that easy to identify visually
   and for which there isn't a programmatic way for other programs
   to interfere

In other words, what bothers me the most about the sudo:: method is
the persistent sudo session that makes me vulnerable to attackers, and
to my elisp developing mistakes.  This is why I think a warning makes
sense, or some visual way to identify this vulnerable state.

In contrast, using sudoedit:: should not bring about this vulnerable state.

That being said, if your non-elevated user has already been compromised,
entering sudo credentials into Emacs, where elisp can do whatever, is
probably a very bad idea, regardless of Tramp.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]