Paul Eggert <address@hidden> writes:
> On 11/20/18 1:18 PM, Stefan Monnier wrote:
>> Tramp is not magical: it can do no more nor less than what an attacker
>> could do.
> Sure, if the attacker has control over my keyboard, or over my
> display, or over the Lisp code that I load and execute. That being
> said, Tramp does make attacks easier, so it has been an easy call for
> me to disable it.
Tramp's sudo method needs your credentials. If you don't provide them,
Tramp cannot do anything.
Like calling sudo in a terminal.
It's not exactly like calling sudo in a terminal, because when you
use sudo you generally:
1. perform a one time action and are back at a non-sudo prompt; OR
2. start an interactive superuser session that easy to identify visually
and for which there isn't a programmatic way for other programs
In other words, what bothers me the most about the sudo:: method is
the persistent sudo session that makes me vulnerable to attackers, and
to my elisp developing mistakes. This is why I think a warning makes
sense, or some visual way to identify this vulnerable state.
In contrast, using sudoedit:: should not bring about this vulnerable state.
That being said, if your non-elevated user has already been compromised,
entering sudo credentials into Emacs, where elisp can do whatever, is
probably a very bad idea, regardless of Tramp.