From: Jim Porter
Subject: Re: emacsclient startup messages
Date: Sat, 30 Oct 2021 12:47:29 -0700

On 10/30/2021 12:16 PM, Jim Porter wrote:
> On 10/30/2021 10:39 AM, Ulrich Mueller wrote:
>> There can be situations where there is an XDG environment for the client but not for the daemon.
>
> Right, the patch in bug#33847 should handle that case correctly, but I'm pretty sure the current implementation opens users who spawn the Emacs daemon on-demand to symlink attacks. That's due to the code needing to check both XDG_RUNTIME_DIR and TMPDIR before being sure there's no daemon to connect to.
>
> I can think of two ways to avoid this issue:

[snip]

> 2) If XDG_RUNTIME_DIR and ALTERNATE_EDITOR/--alternate-editor are both set, never check TMPDIR. This should let both cases work without requiring users to explicitly set a flag anywhere, but the lack of explicitness could be more confusing. I think this should work fine in all cases, since users running `emacs --daemon' without XDG probably won't be using ALTERNATE_EDITOR (the daemon should always be running, so there's no need for an alternate editor).

I posted a patch for method (2) to bug#51327 here: <https://lists.gnu.org/archive/html/bug-gnu-emacs/2021-10/msg02638.html>.
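
A sketch of the lookup rule from method (2), added here as an illustration; it is not the patch from bug#51327 and not emacsclient's code. The helper names are hypothetical, and the directory layout ($XDG_RUNTIME_DIR/emacs, then ${TMPDIR:-/tmp}/emacs<uid>) and the ownership check are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define DIR_MAX 512

/* Hypothetical helper: list the socket directories to probe, in order.
   Assumed layout: $XDG_RUNTIME_DIR/emacs, then ${TMPDIR:-/tmp}/emacs<uid>. */
int candidate_dirs(const char *xdg, const char *tmpdir, const char *alt_editor,
                   uid_t uid, char dirs[2][DIR_MAX])
{
  int n = 0;
  if (xdg && *xdg)
    snprintf(dirs[n++], DIR_MAX, "%s/emacs", xdg);
  /* Method (2): XDG_RUNTIME_DIR and an alternate editor are both set, so a
     missing daemon means "run the alternate editor"; never look in TMPDIR. */
  if (n == 1 && alt_editor)
    return n;
  snprintf(dirs[n++], DIR_MAX, "%s/emacs%lu",
           (tmpdir && *tmpdir) ? tmpdir : "/tmp", (unsigned long) uid);
  return n;
}

/* Added check (an assumption, not emacsclient's code): accept a directory only
   if it is a real directory, not a symlink, owned by UID and writable by nobody
   else, so another local user cannot have planted or redirected it. */
bool dir_is_trusted(const char *path, uid_t uid)
{
  struct stat st;
  if (lstat(path, &st) != 0)          /* lstat: do not follow symlinks */
    return false;
  return S_ISDIR(st.st_mode) && st.st_uid == uid
         && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

int main(void)
{
  char dirs[2][DIR_MAX];
  int n = candidate_dirs(getenv("XDG_RUNTIME_DIR"), getenv("TMPDIR"),
                         getenv("ALTERNATE_EDITOR"), getuid(), dirs);
  for (int i = 0; i < n; i++)
    printf("%s: %s\n", dirs[i],
           dir_is_trusted(dirs[i], getuid()) ? "trusted" : "skip");
  return 0;
}
```
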