From unknown Sat Jun 21 05:07:21 2025 X-Loop: help-debbugs@gnu.org Subject: bug#28618: Emacs Security Issue Resent-From: Dor Azouri Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Wed, 27 Sep 2017 15:31:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 28618 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: To: 28618@debbugs.gnu.org X-Debbugs-Original-To: bug-gnu-emacs@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.15065262143422 (code B ref -1); Wed, 27 Sep 2017 15:31:01 +0000 Received: (at submit) by debbugs.gnu.org; 27 Sep 2017 15:30:14 +0000 Received: from localhost ([127.0.0.1]:35157 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dxEHt-0000t8-TF for submit@debbugs.gnu.org; Wed, 27 Sep 2017 11:30:14 -0400 Received: from eggs.gnu.org ([208.118.235.92]:48330) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dxCpw-00079q-3H for submit@debbugs.gnu.org; Wed, 27 Sep 2017 09:57:16 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dxCpp-0001wQ-RI for submit@debbugs.gnu.org; Wed, 27 Sep 2017 09:57:10 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,HTML_MESSAGE, T_DKIM_INVALID autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:48299) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1dxCpp-0001w9-Of for submit@debbugs.gnu.org; Wed, 27 Sep 2017 09:57:09 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:39258) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dxCpl-0000Rx-FR for bug-gnu-emacs@gnu.org; Wed, 27 Sep 2017 09:57:09 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dxCpf-0001rc-DS for bug-gnu-emacs@gnu.org; Wed, 27 Sep 2017 09:57:05 -0400 Received: from mail-oi0-x22b.google.com ([2607:f8b0:4003:c06::22b]:52936) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1dxCpf-0001qF-5C for bug-gnu-emacs@gnu.org; Wed, 27 Sep 2017 09:56:59 -0400 Received: by mail-oi0-x22b.google.com with SMTP id p126so16785314oih.9 for ; Wed, 27 Sep 2017 06:56:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=safebreach-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=vGkgzpi37kj4o3wln05aYrLE4WGp6ypSh5HZU8EwpWw=; b=Q+UpIlToOTAH5/YaNU8car9wO3uqDHb3caeGGuBKkgFFMmqv3Y8Om9U1wm5lmGCTNf y6HARvv4HNhNLPcpRUZkBjGwSYSs10DAfr5uZdsAI3kI7EPtVEJROzkG10rxCs7c9hjq UTFwxEsIqp1s2SfpmZViGA8EEe2aqBgT/eRp29xg4NEYbXpfkj7e2IcEQj4JrxHh1r72 pnv34sH3nZ6tZf1PweJujmVRk5bispLgE4wEOFuQym5guzdnru4AXR9PswmZFw2LNpiq kG7ajgnKf4eg+DpJWWCJddWF4PK/PoCKNHGlmrts6580mx80dgSmeVRhmFAuKgx1qzFw bRTw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=vGkgzpi37kj4o3wln05aYrLE4WGp6ypSh5HZU8EwpWw=; b=XqkXVOmuPO5gAt2JQlhZLjg/Ab1jG6I8Kdc7dL9EA7WPuipXz5gSKwZ5Hw7pQltHPo X+TyvGMtmdxTpWJZtemA496oioaEe87vqMlKguQtMWwPkqI7kQi1n9eNENSWJVDnIqWK EBEa2xZVlZxsWZI6OK1X9IVYWEnFKLzoOglzxcskOoIgkn++6WIk11iunCWFgFEHVG0M O32KbGvvAvYusSl4J497rrmUxdqjvPDMhUu6bI4uEe9X9NXW1tUQCC10X6s0jm5auw4w Kbm4bgJ2GXMIDyU9jqsCtaWG71Va9hxXVrB4Ov++Qy8hlY0yEU2mwrP07Rwm6m6uqXwt eB+Q== X-Gm-Message-State: AMCzsaXho9nuYQTYsmIE9ZiWT9Ljqw5b9L83FVpSXCIc91ylf5tGPW9I iBIaW3MtsHJ3MtbTz3gQfe70uNYPHj1x2/UTKErXEoI6 X-Google-Smtp-Source: AOwi7QBj/X46OdbpaKepQHWWUHN40zMda7UjMR4hgQsR85CP4zPiUCAqseK/5fkQaGUeYIf6z3mwjMxAel22DC6u4HE= X-Received: by 10.157.0.136 with SMTP id w8mr817343oti.353.1506520616510; Wed, 27 Sep 2017 06:56:56 -0700 (PDT) MIME-Version: 1.0 From: Dor Azouri Date: Wed, 27 Sep 2017 13:56:46 +0000 Message-ID: Content-Type: multipart/alternative; boundary="94eb2c1c0c3e31bbbc055a2c2ac3" X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -4.0 (----) X-Mailman-Approved-At: Wed, 27 Sep 2017 11:30:12 -0400 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -4.0 (----) --94eb2c1c0c3e31bbbc055a2c2ac3 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Dear Emacs developers, I would like to report a possible abuse one can perform on Emacs's extensibility mechanism, that may lead to privilege escalation. In short, a malicious actor that can execute code as one of the sudoers (in non-elevated mode), can edit the init file, and add malicious commands to it. Then he needs to wait for that user to invoke the editor in elevated mode - and the plugin that was written before, will be loaded with the root permissions. The root cause that enables this abuse is basically incomplete separation between regular and elevated execution modes of the editor (using "sudo"). I can suggest possible solutions to this issue, e.g.: applying better permissions to the plugins directories. Reproduction steps: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D 1) Add the following ELisp line of code to the init file. It will be loaded on startup and execute the command =E2=80=9Ctouch /stub.file=E2=80= =9D, when =E2=80=9C~/.emacs.d/=E2=80=9D is the working directory. *(let ((default-directory "~/.emacs.d/")) (shell-command "touch /stub.file"))* 2) Wait for the user to invoke Emacs in elevated mode. The owner of the newly created stub file is root. * This simple command is just for demonstration - of course much more complicated intentions can be achieved once Emacs is invoked with sudo. I will be happy to provide more information as needed, Dor Azouri --94eb2c1c0c3e31bbbc055a2c2ac3 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Dear Emacs developers,

I wou= ld like to report a possible abuse one can perform on Emacs's extensibi= lity mechanism, that may lead to privilege escalation.

=
In short, a malicious actor that can execute code as one of the sudoer= s (in non-elevated mode), can edit the init file, and add malicious command= s to it. Then he needs to wait for that user to invoke the editor in elevat= ed mode - and the plugin that was written before, will be loaded with the r= oot permissions.

The root cause that enables this = abuse is basically incomplete separation between regular and elevated execu= tion modes of the editor (using "sudo"). I can suggest possible s= olutions to this issue, e.g.: applying better permissions to the plugins di= rectories.

Reproduction steps:
=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
1) =C2=A0Add the= following ELisp line of code to the init file. It will be loaded on startu= p and execute the command =E2=80=9Ctouch /stub.file=E2=80=9D, when =E2=80= =9C~/.emacs.d/=E2=80=9D is the working directory.
=C2=A0 =C2=A0 = =C2=A0 =C2=A0 (let ((default-directory "~/.emacs.d/")) (shell-= command "touch /stub.file"))
2) =C2=A0Wait for = the user to invoke Emacs in elevated mode. The owner of the newly created s= tub file is root.

* This simple command is just fo= r demonstration - of course much more complicated intentions can be achieve= d once Emacs is invoked with sudo.

I will be happy= to provide more information as needed,
Dor Azouri
--94eb2c1c0c3e31bbbc055a2c2ac3-- From unknown Sat Jun 21 05:07:21 2025 X-Loop: help-debbugs@gnu.org Subject: bug#28618: Emacs Security Issue Resent-From: John Wiegley Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Wed, 27 Sep 2017 15:45:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 28618 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: security To: Dor Azouri Cc: 28618@debbugs.gnu.org Received: via spool by 28618-submit@debbugs.gnu.org id=B28618.15065270904752 (code B ref 28618); Wed, 27 Sep 2017 15:45:03 +0000 Received: (at 28618) by debbugs.gnu.org; 27 Sep 2017 15:44:50 +0000 Received: from localhost ([127.0.0.1]:35169 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dxEW2-0001Ea-IO for submit@debbugs.gnu.org; Wed, 27 Sep 2017 11:44:50 -0400 Received: from mail-pg0-f42.google.com ([74.125.83.42]:54908) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dxEW0-0001EL-Ae for 28618@debbugs.gnu.org; Wed, 27 Sep 2017 11:44:49 -0400 Received: by mail-pg0-f42.google.com with SMTP id c137so7979060pga.11 for <28618@debbugs.gnu.org>; Wed, 27 Sep 2017 08:44:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:in-reply-to:date:message-id:references :user-agent:mime-version; bh=fmtIxIDjCQ49lpmfZq9wd1wQ7nnUtz3PpMSvGU+JzaY=; b=LLBEMdmdU7jrKbFBroKFb9zD/2ZQMeuQY5rv5TNNkyZTgqud7gQEDgvOsVpFc1BiUw 21U96u22d0tissDWiakKa/FBPFwoD9AZKFd7opPZM+B/OIu69XxNBi7qNB9EuFQJOlcf dzcC+BGC9txMN7caNCFRdntYz2RV+Im85Ft+UnlYIaiRr8nvcdIGyo/KCG1I4hysR+mo R6eXs3lf1zhByYaJILo4JnQM+OmxKRHNWXYu0j7LTyT2A5jCNr+CUdPO+vKwQr2l4O2A 1BML9OlLcGwXNr1vy+8WTgZdIqj+YzOz1/bQB5ZzVWleabc3oMDTcmuEqpyMOARQW66N 6vuw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:in-reply-to:date:message-id :references:user-agent:mime-version; bh=fmtIxIDjCQ49lpmfZq9wd1wQ7nnUtz3PpMSvGU+JzaY=; b=WH7x9O1XV91GdVppZUZcS/lBznGg4hGE2UXkxCpYsfRsVH3DbB2D97SatUD1cI4Wkw N81HqyOT7U4F1VpJJGUUdoBc2HtvRpf7TEMpOjSPZJTT0OYd/2gsHqbPdOOFH1L+4AeS 9bI80Y/b7gISN+N/JAUeUw/5uSlkgJKCjORI8E8zXgyEu3uzpDEb1kAc2sY6RHvY+Lx2 rB+R7hLq/8M2ECq7ZjqbJb5ua61iKtpdogEnRppVJkRkq3wYvEWt/hXqWowKxi0ESfsz hhu6ki9N7yfQlY59It01PZK+mUZTEfN6prTJiCGw/aKAac82rvb6/VW+6jD6DddosC5T oqGQ== X-Gm-Message-State: AHPjjUhSzSWDB0KeiE6LiTaWZWjp4sCrhxc447iXLW5FU30uVzaNfHfT U+9vqMiVeh2YPF+tCoFs9oTeYyT4 X-Google-Smtp-Source: AOwi7QCVVez+R82gFN46sAbo+tIul8k85PuidZ4OPA1sJVvQtiJ7mbGonchHsgbVmvmbV3JzZ/DXqA== X-Received: by 10.99.121.135 with SMTP id u129mr1664746pgc.74.1506527082189; Wed, 27 Sep 2017 08:44:42 -0700 (PDT) Received: from Vulcan.local (76-234-69-149.lightspeed.frokca.sbcglobal.net. [76.234.69.149]) by smtp.gmail.com with ESMTPSA id x28sm21005955pfi.8.2017.09.27.08.44.40 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 27 Sep 2017 08:44:41 -0700 (PDT) From: John Wiegley X-Google-Original-From: "John Wiegley" Received: by Vulcan.local (Postfix, from userid 501) id 292F99291D03; Wed, 27 Sep 2017 08:44:36 -0700 (PDT) In-Reply-To: (Dor Azouri's message of "Wed, 27 Sep 2017 13:56:46 +0000") Date: Wed, 27 Sep 2017 08:44:34 -0700 Message-ID: References: User-Agent: Gnus/5.130016 (Ma Gnus v0.16) Emacs/26.0 (darwin) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: -0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) >>>>> "DA" == Dor Azouri writes: DA> In short, a malicious actor that can execute code as one of the sudoers DA> (in non-elevated mode), can edit the init file, and add malicious commands DA> to it. Then he needs to wait for that user to invoke the editor in DA> elevated mode - and the plugin that was written before, will be loaded DA> with the root permissions. If the user has sudo access to run Emacs, isn't the game already over? They could M-x shell and rm -fr /, no? -- John Wiegley GPG fingerprint = 4710 CF98 AF9B 327B B80F http://newartisans.com 60E1 46C4 BD1A 7AC1 4BA2 From unknown Sat Jun 21 05:07:21 2025 X-Loop: help-debbugs@gnu.org Subject: bug#28618: Emacs Security Issue Resent-From: Dor Azouri Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Wed, 27 Sep 2017 16:03:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 28618 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: security To: John Wiegley Cc: 28618@debbugs.gnu.org Received: via spool by 28618-submit@debbugs.gnu.org id=B28618.15065281816485 (code B ref 28618); Wed, 27 Sep 2017 16:03:03 +0000 Received: (at 28618) by debbugs.gnu.org; 27 Sep 2017 16:03:01 +0000 Received: from localhost ([127.0.0.1]:35185 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dxEnc-0001gX-Hf for submit@debbugs.gnu.org; Wed, 27 Sep 2017 12:03:00 -0400 Received: from mail-oi0-f45.google.com ([209.85.218.45]:56298) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dxEna-0001gI-8g for 28618@debbugs.gnu.org; Wed, 27 Sep 2017 12:02:59 -0400 Received: by mail-oi0-f45.google.com with SMTP id x85so17415768oix.12 for <28618@debbugs.gnu.org>; Wed, 27 Sep 2017 09:02:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=safebreach-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=kjdnJITBZw39ZkVwI7NORIxH5+qRy2VfalJFA4M5DTM=; b=XEC9w/0Jj1cS2DkdxWnqAt/GYZbRTcyiZ6h5WNTBoLVQe+HL2Asn4j/fTzGfykn1PH QI5YZ/xZbvIgdL9JRVkCOTY82Nxvf6JnvzKhXZMD6zTHXYLu2hVSSMjRCaA6Zrn01KoZ 4o9384ITV9r9fP4KBbB4v2e3PQ/yBm+I4cU7KVC8rN7CThcHLmMBeePvVjzafx1nFuRs JlY0dHeaoF9IJ/IEmuGUMqEPMsktvragONVQzQJRk+xZXTyRrLNFe3GwhM9Kx/Rf2pY5 pQ0v22OWyUqYssqoVysMrTK6Bvb/j/1NWFeAAPm3arraRJQNxsdQdD/mPgtGqMT0NauI gxhQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kjdnJITBZw39ZkVwI7NORIxH5+qRy2VfalJFA4M5DTM=; b=hJLy6w9S2zhdn6nMiZHMJL1bjK8T21jkBNjhpf2IwMPxR9N/ZWDT/5W1tm6lEexbfl Sjt8S6o8hrD+IXVFMdw3QLCdqh25dENl7qUAnWE1XFB1ZCjFDMy+4C2nEwfKSqBiIyy8 0XInTJOKPY84E7sIFi2dzYr6zdP9ItMS0VSx72BrtL70lTB1OA7gMv5NhGJ0F+3gOaoH ByTs6c6DHnzYkhVDt728xWxhsLK6Wi9LBoMvK6bUseWbstMcDCfwnsZXYcb+Qf4iYKRb Lsodw2mY4PMoNip+HuoD0nU2hs/xsI4zlVRLKWM4/yy+gHMANvaPTIzR86J9CNMfsqdc Cy4g== X-Gm-Message-State: AHPjjUgPg8UdXBL+OW8byraYa5tjdO/LMCCtDVuDcZmh/45ekz+IU/gB 0umK/gglOeoCXwd5ouOdgmzJXRTY3o73H2lNxuBQtw== X-Google-Smtp-Source: AOwi7QBH7vWsgVfeRVgohnIIje0ROcnucLDVV0fXG8VJW0u/YZ7Lzlp967Y5cArakgTUfNnLi+dHARqHJLmcNBZQZUg= X-Received: by 10.157.45.33 with SMTP id v30mr1097974ota.38.1506528172440; Wed, 27 Sep 2017 09:02:52 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Dor Azouri Date: Wed, 27 Sep 2017 16:02:42 +0000 Message-ID: Content-Type: multipart/alternative; boundary="001a113cacfc901d24055a2dec36" X-Spam-Score: 0.5 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.5 (/) --001a113cacfc901d24055a2dec36 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable sudo access is not required to edit the init file. The only requirement is that the user is a sudoer (a user that=E2=80=99s in /etc/sudoers). It is different: a sudoer is a user that is able to elevate to root after entering root password, it doesn't mean that it is always doing things as root. Such a user still needs to explicitly "sudo" for elevated commands (similar to "Run As Administrator" or UAC in Windows). So what I identified here is that such a user can be used by an attacker to edit the init file without elevating, even though the same file will be loaded when elevating the editor. The flow: after inserting malicious commands to the init script, all the attacker has to do is wait for the user to elevate Emacs at some point (under the assumption that the user will at some point elevate Emacs, which may not always be true). The malicious commands will be run as root. On Wed, Sep 27, 2017 at 6:44 PM John Wiegley wrote: > >>>>> "DA" =3D=3D Dor Azouri writes: > > DA> In short, a malicious actor that can execute code as one of the sudoe= rs > DA> (in non-elevated mode), can edit the init file, and add malicious > commands > DA> to it. Then he needs to wait for that user to invoke the editor in > DA> elevated mode - and the plugin that was written before, will be loade= d > DA> with the root permissions. > > If the user has sudo access to run Emacs, isn't the game already over? Th= ey > could M-x shell and rm -fr /, no? > > -- > John Wiegley GPG fingerprint =3D 4710 CF98 AF9B 327B B80= F > http://newartisans.com 60E1 46C4 BD1A 7AC1 4BA2 > --001a113cacfc901d24055a2dec36 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
sudo access is not required to edit the init file.
The= only requirement is that the user is a sudoer (a user that=E2=80=99s in /e= tc/sudoers). It is different: a sudoer is a user that is able to elevate to= root after entering root password, it doesn't mean that it is always d= oing things as root. Such a user still needs to explicitly "sudo"= for elevated commands (similar to "Run As Administrator" or UAC = in Windows).

So what I identified here is that suc= h a user can be used by an attacker to edit the init file without elevating= , even though the same file will be loaded when elevating the editor.
=
The flow: after inserting malicious commands to the init script, all t= he attacker has to do is wait for the user to elevate Emacs at some point (= under the assumption that the user will at some point elevate Emacs, which = may not always be true). The malicious commands will be run as root.
<= div>
On Wed, Sep 27, 2017 at= 6:44 PM John Wiegley <jwiegley@gm= ail.com> wrote:
>>>= >> "DA" =3D=3D Dor Azouri <dor.azouri@safebreach.com> writes:=

DA> In short, a malicious actor that can execute code as one of the sudo= ers
DA> (in non-elevated mode), can edit the init file, and add malicious co= mmands
DA> to it. Then he needs to wait for that user to invoke the editor in DA> elevated mode - and the plugin that was written before, will be load= ed
DA> with the root permissions.

If the user has sudo access to run Emacs, isn't the game already over? = They
could M-x shell and rm -fr /, no?

--
John Wiegley=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = GPG fingerprint =3D 4710 CF98 AF9B 327B B80F
htt= p://newartisans.com=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 60E1 46C4 BD1A 7AC1 4BA2
--001a113cacfc901d24055a2dec36-- From unknown Sat Jun 21 05:07:21 2025 X-Loop: help-debbugs@gnu.org Subject: bug#28618: Emacs Security Issue Resent-From: Andreas Schwab Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Wed, 27 Sep 2017 16:25:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 28618 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: security To: Dor Azouri Cc: 28618@debbugs.gnu.org Received: via spool by 28618-submit@debbugs.gnu.org id=B28618.15065294438340 (code B ref 28618); Wed, 27 Sep 2017 16:25:02 +0000 Received: (at 28618) by debbugs.gnu.org; 27 Sep 2017 16:24:03 +0000 Received: from localhost ([127.0.0.1]:35198 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dxF7z-0002AR-F9 for submit@debbugs.gnu.org; Wed, 27 Sep 2017 12:24:03 -0400 Received: from mx2.suse.de ([195.135.220.15]:58578 helo=mx1.suse.de) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dxF7x-0002A2-CQ for 28618@debbugs.gnu.org; Wed, 27 Sep 2017 12:24:01 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (charybdis-ext.suse.de [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 0AAC5AAD0; Wed, 27 Sep 2017 16:24:00 +0000 (UTC) From: Andreas Schwab References: X-Yow: ONE: I will donate my entire ``BABY HUEY'' comic book collection to the downtown PLASMA CENTER.. TWO: I won't START a BAND called ``KHADAFY & THE HIT SQUAD''.. THREE: I won't ever TUMBLE DRY my FOX TERRIER again!! Date: Wed, 27 Sep 2017 18:23:59 +0200 In-Reply-To: (Dor Azouri's message of "Wed, 27 Sep 2017 13:56:46 +0000") Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.3 (--) On Sep 27 2017, Dor Azouri wrote: > Reproduction steps: > =================== > 1) Add the following ELisp line of code to the init file. It will be > loaded on startup and execute the command “touch /stub.file”, when > “~/.emacs.d/” is the working directory. > *(let ((default-directory "~/.emacs.d/")) (shell-command "touch > /stub.file"))* Why would I want to do that? Andreas. -- Andreas Schwab, SUSE Labs, schwab@suse.de GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7 "And now for something completely different." From unknown Sat Jun 21 05:07:21 2025 X-Loop: help-debbugs@gnu.org Subject: bug#28618: Emacs Security Issue Resent-From: Glenn Morris Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Wed, 27 Sep 2017 17:25:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 28618 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: security To: Dor Azouri Cc: 28618@debbugs.gnu.org Received: via spool by 28618-submit@debbugs.gnu.org id=B28618.150653309313574 (code B ref 28618); Wed, 27 Sep 2017 17:25:02 +0000 Received: (at 28618) by debbugs.gnu.org; 27 Sep 2017 17:24:53 +0000 Received: from localhost ([127.0.0.1]:35247 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dxG4r-0003Ws-78 for submit@debbugs.gnu.org; Wed, 27 Sep 2017 13:24:53 -0400 Received: from eggs.gnu.org ([208.118.235.92]:47919) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dxG4p-0003Wg-PS for 28618@debbugs.gnu.org; Wed, 27 Sep 2017 13:24:51 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dxG4k-00049Z-1Y for 28618@debbugs.gnu.org; Wed, 27 Sep 2017 13:24:46 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-0.0 required=5.0 tests=BAYES_20,RP_MATCHES_RCVD autolearn=disabled version=3.3.2 Received: from fencepost.gnu.org ([2001:4830:134:3::e]:56586) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dxG4g-00043T-FS; Wed, 27 Sep 2017 13:24:42 -0400 Received: from rgm by fencepost.gnu.org with local (Exim 4.82) (envelope-from ) id 1dxG4g-0004ny-1w; Wed, 27 Sep 2017 13:24:42 -0400 From: Glenn Morris References: X-Spook: Fusion Center LLNL Exon Shell Reynosa Security Council X-Ran: @$91JrP]V7uPJJ{"k8.32bEF9dI]"T7hVq=m0)Aey7I*zL)z1'+56V=~*qP!(F58OrTg2j X-Hue: red X-Attribution: GM Date: Wed, 27 Sep 2017 13:24:41 -0400 In-Reply-To: (Dor Azouri's message of "Wed, 27 Sep 2017 13:56:46 +0000") Message-ID: <7qh8vohx5y.fsf@fencepost.gnu.org> User-Agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/) MIME-Version: 1.0 Content-Type: text/plain X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2001:4830:134:3::e X-Spam-Score: -5.0 (-----) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.0 (-----) Dor Azouri wrote: > I would like to report a possible abuse one can perform on Emacs's > extensibility mechanism, that may lead to privilege escalation. > > In short, a malicious actor that can execute code as one of the sudoers (in > non-elevated mode), can edit the init file, and add malicious commands to > it. Then he needs to wait for that user to invoke the editor in elevated > mode - and the plugin that was written before, will be loaded with the root > permissions. If an attacker has comprised a user account that can run "sudo arbitrary command", then that's just the same as having compromised the root account, and so worrying about this on the individual application level doesn't seem to make sense. Eg they could replace "sudo" with a keylogger. From unknown Sat Jun 21 05:07:21 2025 X-Loop: help-debbugs@gnu.org Subject: bug#28618: Emacs Security Issue Resent-From: Glenn Morris Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Wed, 27 Sep 2017 18:04:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 28618 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: security To: Dor Azouri Cc: 28618@debbugs.gnu.org Received: via spool by 28618-submit@debbugs.gnu.org id=B28618.150653541517211 (code B ref 28618); Wed, 27 Sep 2017 18:04:02 +0000 Received: (at 28618) by debbugs.gnu.org; 27 Sep 2017 18:03:35 +0000 Received: from localhost ([127.0.0.1]:35289 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dxGgJ-0004TX-C3 for submit@debbugs.gnu.org; Wed, 27 Sep 2017 14:03:35 -0400 Received: from eggs.gnu.org ([208.118.235.92]:55881) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dxGgH-0004TK-Mk for 28618@debbugs.gnu.org; Wed, 27 Sep 2017 14:03:33 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dxGgB-0003aU-Km for 28618@debbugs.gnu.org; Wed, 27 Sep 2017 14:03:28 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD autolearn=disabled version=3.3.2 Received: from fencepost.gnu.org ([2001:4830:134:3::e]:57054) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dxGg8-0003YZ-9m; Wed, 27 Sep 2017 14:03:24 -0400 Received: from rgm by fencepost.gnu.org with local (Exim 4.82) (envelope-from ) id 1dxGg7-0005Ex-Sd; Wed, 27 Sep 2017 14:03:23 -0400 From: Glenn Morris References: <7qh8vohx5y.fsf@fencepost.gnu.org> X-Spook: Power outage Roswell Yuma Facility Strain Subway Fusion X-Ran: 5/PP8m\*6:nOtER'^y-{@~HAP6ByXxD^GYV@5u/oGa3+HCzG1SC^ciBC.{V+ (Glenn Morris's message of "Wed, 27 Sep 2017 13:24:41 -0400") Message-ID: User-Agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/) MIME-Version: 1.0 Content-Type: text/plain X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2001:4830:134:3::e X-Spam-Score: -5.0 (-----) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.0 (-----) PS If your concern is about a user account that can only run "sudo emacs", firstly that seems a bit unlikely, and secondly Emacs is a big, complicated program that can eg spawn a bash shell. So it should not be used in a sudo environment where you want to have tight control over what the sudoer can run. BTW, if user foo runs "sudo emacs", it consults /root/.emacs, not ~foo/.emacs. So I don't understand your specific concern with the init file. From unknown Sat Jun 21 05:07:21 2025 X-Loop: help-debbugs@gnu.org Subject: bug#28618: Emacs Security Issue Resent-From: Noam Postavsky Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Thu, 28 Sep 2017 11:26:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 28618 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: security To: Dor Azouri Cc: 28618@debbugs.gnu.org Received: via spool by 28618-submit@debbugs.gnu.org id=B28618.15065979433003 (code B ref 28618); Thu, 28 Sep 2017 11:26:02 +0000 Received: (at 28618) by debbugs.gnu.org; 28 Sep 2017 11:25:43 +0000 Received: from localhost ([127.0.0.1]:35994 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dxWwp-0000mI-4q for submit@debbugs.gnu.org; Thu, 28 Sep 2017 07:25:43 -0400 Received: from mail-io0-f179.google.com ([209.85.223.179]:52140) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dxWwm-0000m0-Cb; Thu, 28 Sep 2017 07:25:41 -0400 Received: by mail-io0-f179.google.com with SMTP id l15so1247892iol.8; Thu, 28 Sep 2017 04:25:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version:content-transfer-encoding; bh=pR2VbFI3qxAqiSZ5pkr66nnEczu1HE2SMdtQMTVxikQ=; b=OkOhH3fVOCgJzUSb/WkLVIVVYfw+FjLhMHuNqsid1/xtNaAbG8OIZUzuObIa4lwc8n 0pocqkgJBdACav3+TeJO8lmzeOChPR9oU6oO6g6mOsYDXzmkU17GRL3gQuLUogkUY/Tk TrNiqgfyPtZDwHFLPZS85Qa65Iw9EyRg6Px/E6GZG7legPaqkrKi8mUfn+KaBWumiz1J w0/WT6gQAV8c2W2jyjURu1p9OJ+IwEWa1caxcmDYrKGG4YqFD/EXC9Um1KeOxloiV2+J +9U6c2pfd3MnsqZLpoWh4hpwo1zaQgNO/oubt6cN02iITEnjaqVlnCbauN3V8s12l3At R8FQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:to:cc:subject:references:date :in-reply-to:message-id:user-agent:mime-version :content-transfer-encoding; bh=pR2VbFI3qxAqiSZ5pkr66nnEczu1HE2SMdtQMTVxikQ=; b=ZxHe7En8tB/Qf2m1qFPtMNEQ2n5cEJZtLeOSzrdpuE6I/xHPZaYssSH+AHpLF41naC YpwuJDISOjH5AduvVLvM/6vbji6PaM6nnJqx6JS9XRsfOfVW8KIu23bWniDTfSWfjhoO NLA7qRH8e7hWnkHNA+SBgYzCDgYTk9SZw0aR83+QP5zlkirUSC4xG+RYSZriSDo0aQX0 JuTEC+gyYqlpETz7odvQBv/I96RRbKf0VDGv1pfnzlFtxhQqDSGNrsdtLBhte2gpWJRm qxmaURScCeqKdvbuMP0X/HbBoOe59Z2s3W1j92jZ4tQHRoE+uGK9BfD5cs7RzX/DdGQk ejaA== X-Gm-Message-State: AMCzsaU1of/ttrt/K0urybs0yGVnW3Nn+Iy5p4wRRQuWT9Mr8cOqOdZr qu/8r/73y5Jzkm/5W8rSAq6Cdw== X-Google-Smtp-Source: AOwi7QC9FrQC3cE+c6HbEdaZ98r46XbT4eLKufeCCl3E376LnYYxlLrnUVZCfNPO0idVggZ9NkE7sg== X-Received: by 10.107.32.70 with SMTP id g67mr6856458iog.77.1506597934658; Thu, 28 Sep 2017 04:25:34 -0700 (PDT) Received: from zebian ([45.2.119.34]) by smtp.googlemail.com with ESMTPSA id n4sm612915ioe.71.2017.09.28.04.25.33 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Thu, 28 Sep 2017 04:25:33 -0700 (PDT) From: Noam Postavsky References: Date: Thu, 28 Sep 2017 07:25:32 -0400 In-Reply-To: (Dor Azouri's message of "Wed, 27 Sep 2017 13:56:46 +0000") Message-ID: <87efqrf4k3.fsf@users.sourceforge.net> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.60 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -2.1 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.1 (--) tags 28618 + unreproducible quit Dor Azouri writes: > Reproduction steps: > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > 1) =C2=A0Add the following ELisp line of code to the init file. It will be > loaded on startup and execute the command =E2=80=9Ctouch /stub.file=E2=80= =9D, when =E2=80=9C~ > /.emacs.d/=E2=80=9D is the working directory. > =C2=A0 =C2=A0 =C2=A0 =C2=A0 (let ((default-directory "~/.emacs.d/")) (she= ll-command > "touch /stub.file")) > 2) =C2=A0Wait for the user to invoke Emacs in elevated mode. The owner of > the newly created stub file is root. As Glenn noted, this doesn't actually work: 'sudo emacs' uses /root/.emacs, not ~/.emacs. ~$ sudo id uid=3D0(root) gid=3D0(root) groups=3D0(root) ~$ echo '(let ((default-directory "~/.emacs.d/")) (shell-command "touch /st= ub.file"))' > .emacs ~$ emacs # *Messages* has "touch: cannot touch '/stub.file': Permission den= ied" ~$ ls /stub.file ls: cannot access '/stub.file': No such file or directory ~$ sudo emacs ~$ ls /stub.file ls: cannot access '/stub.file': No such file or directory From unknown Sat Jun 21 05:07:21 2025 X-Loop: help-debbugs@gnu.org Subject: bug#28618: Emacs Security Issue Resent-From: Dor Azouri Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Fri, 29 Sep 2017 12:58:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 28618 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: security unreproducible To: Noam Postavsky Cc: 28618@debbugs.gnu.org Received: via spool by 28618-submit@debbugs.gnu.org id=B28618.15066898449935 (code B ref 28618); Fri, 29 Sep 2017 12:58:01 +0000 Received: (at 28618) by debbugs.gnu.org; 29 Sep 2017 12:57:24 +0000 Received: from localhost ([127.0.0.1]:37745 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dxur5-0002aA-W8 for submit@debbugs.gnu.org; Fri, 29 Sep 2017 08:57:24 -0400 Received: from mail-oi0-f43.google.com ([209.85.218.43]:50071) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dxur4-0002Zs-S6 for 28618@debbugs.gnu.org; Fri, 29 Sep 2017 08:57:23 -0400 Received: by mail-oi0-f43.google.com with SMTP id i128so1847501oih.6 for <28618@debbugs.gnu.org>; Fri, 29 Sep 2017 05:57:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=safebreach-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LmyKaN/5rnATRuo82peePDiVNvuqbAJsy4VZhSBhoZ8=; b=X8ylU1TMCJioevmft/DjdRIk4Oz00NuACoen7Vxasl/l4UM2FmdMOVM5J3CVLA3Pmt 4vX0XleswCnsm6a+wBUw5fjSgD8EzsgAwEV6I6nR/y2lFpvUv/C23UKU6xk0vQEAiYWG 1epSkHZXjP6bMurdNsSOWdlf63sZLRmkFrCXuyEFj8u3ykjQmrWz4S6OAuJ9ZVdx41A9 9wiM2J4Z3hqkvkazkpxs9CnRQsHkJBIsiopAFuJzTP7Dk+dakIi0t9myZiC2lhUfzdW/ /hbV7jSfL2Mhl1NC3+ZhLV6LxR6F89YlG249LXN8wSMl/OT1MYckM2NKftaayJAz201D Ixdw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LmyKaN/5rnATRuo82peePDiVNvuqbAJsy4VZhSBhoZ8=; b=EZioVr7uHd7R/6xcb653Me+j30kEBaRmS/MuKL0r78dojT7Ct2qz4MS3gROzBuncoU ksKQe0ZGUEPer7JvqH8zfUzbiywDlEWxHWWGQVciEeJS3YOi6Z+Q5fa6juNPIuLYpudy cOY1VRIZh10bEZ4h42SgBJtkSb9ip5fDng4kRBlZgaJ9udxpvbO+at42pKTtue+r/g+O 4KikugeOaYorSQp77MrpxbFWxtPBLxYKH4cYr9twnmeJzi3IcwLAi0xmg58A7UkUwnzG tN9ylEt1GiVPQtmKGpde4FE71JGCztMWIq6qXhZJkysXqyjmFHJf0SrPemRZRnx0sSmh U22w== X-Gm-Message-State: AMCzsaW0ysn/MCADp8Mfnixo1uP9B2PqjrFnsit7MxmmI/xNuv2y322j 2gRZpZ1MZyP4pXAmjDOX9YTepzmyC9yZC1txzg+fkg== X-Google-Smtp-Source: AOwi7QA1iTkuxIb/Q78Vu0y4Q+gKx40E9EbC3IcI/wi3bRJ/UZugzt4UsZbf7l/1MNWUxAKJdmrort81iDt/PjlAA/o= X-Received: by 10.157.28.131 with SMTP id l3mr2250585ota.288.1506689836981; Fri, 29 Sep 2017 05:57:16 -0700 (PDT) MIME-Version: 1.0 References: <87efqrf4k3.fsf@users.sourceforge.net> In-Reply-To: <87efqrf4k3.fsf@users.sourceforge.net> From: Dor Azouri Date: Fri, 29 Sep 2017 12:57:06 +0000 Message-ID: Content-Type: multipart/alternative; boundary="f40304379770853e09055a5390d2" X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.3 (--) --f40304379770853e09055a5390d2 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi, This is the output in my env that demonstrates how it works (forgive the hebrew chars): *~/.emacs.d$ ls -all* total 20 drwx------ 2 duke duke 4096 =D7=A1=D7=A4=D7=98 28 20:24 . drwxr----- 105 duke duke 16384 =D7=A1=D7=A4=D7=98 28 14:36 .. *~/.emacs.d$ echo '(let ((default-directory "/opt/")) (shell-command "touch stub.file"))' > init.el* *~/.emacs.d$ ls -all /opt/ | grep stub.file* *~/.emacs.d$ sudo emacs* *~/.emacs.d$ ls -all /opt/ | grep stub.file* -rw-r--r-- 1 root root 0 =D7=A1=D7=A4=D7=98 28 20:25 stub.file *~/.emacs.d$ rm /opt/stub.file * rm: remove write-protected regular empty file =E2=80=98/opt/stub.file=E2=80= =99? yes rm: cannot remove =E2=80=98/opt/stub.file=E2=80=99: Permission denied *~/.emacs.d$ sudo rm /opt/stub.file * *~/.emacs.d$ ls -all /opt/ | grep stub.file* *duke@nukem:~/.emacs.d$ sudo ls -all /root/.emacs* ls: cannot access /root/.emacs: No such file or directory My env: GNU Emacs 25.3.2 (tested with old version 23 as well) Ubuntu 14.04, Kernel 4.13.0 Tested and works as well on Ubuntu 16.04 with emacs24. Best, Dor Azouri On Thu, Sep 28, 2017 at 2:25 PM Noam Postavsky < npostavs@users.sourceforge.net> wrote: > tags 28618 + unreproducible > quit > > Dor Azouri writes: > > > Reproduction steps: > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > > 1) Add the following ELisp line of code to the init file. It will be > > loaded on startup and execute the command =E2=80=9Ctouch /stub.file=E2= =80=9D, when =E2=80=9C~ > > /.emacs.d/=E2=80=9D is the working directory. > > (let ((default-directory "~/.emacs.d/")) (shell-command > > "touch /stub.file")) > > 2) Wait for the user to invoke Emacs in elevated mode. The owner of > > the newly created stub file is root. > > As Glenn noted, this doesn't actually work: 'sudo emacs' uses > /root/.emacs, not ~/.emacs. > > ~$ sudo id > uid=3D0(root) gid=3D0(root) groups=3D0(root) > ~$ echo '(let ((default-directory "~/.emacs.d/")) (shell-command "touch > /stub.file"))' > .emacs > ~$ emacs # *Messages* has "touch: cannot touch '/stub.file': Permission > denied" > ~$ ls /stub.file > ls: cannot access '/stub.file': No such file or directory > ~$ sudo emacs > ~$ ls /stub.file > ls: cannot access '/stub.file': No such file or directory > > > --f40304379770853e09055a5390d2 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi,

This is the output in my env that d= emonstrates how it works (forgive the hebrew chars):
~/.e= macs.d$ ls -all
total 20
drwx------=C2=A0 =C2=A02 d= uke duke=C2=A0 4096 =D7=A1=D7=A4=D7=98 28 20:24 .
drwxr----- 105 = duke duke 16384 =D7=A1=D7=A4=D7=98 28 14:36 ..
~/.emacs.d$ ech= o '(let ((default-directory "/opt/")) (shell-command "to= uch stub.file"))' > init.el
~/.emacs.d$ ls -al= l /opt/ | grep stub.file
~/.emacs.d$ sudo emacs
<= div>~/.emacs.d$ ls -all /opt/ | grep stub.file
-rw-r--r--= =C2=A0 1 root=C2=A0 =C2=A0root=C2=A0 =C2=A0 =C2=A0 0 =D7=A1=D7=A4=D7=98 28 = 20:25 stub.file
~/.emacs.d$ rm /opt/stub.file=C2=A0
<= div>rm: remove write-protected regular empty file =E2=80=98/opt/stub.file= =E2=80=99? yes
rm: cannot remove =E2=80=98/opt/stub.file=E2=80=99= : Permission denied
~/.emacs.d$ sudo rm /opt/stub.file=C2=A0
~/.emacs.d$ ls -all /opt/ | grep stub.file
duke@nukem:~/.emacs.d$ sudo ls -all /root/.emacs
ls: ca= nnot access /root/.emacs: No such file or directory
<= br>
My env:
GNU Emacs 25.3.2 (tested with old version 2= 3 as well)
Ubuntu 14.04, Kernel=C2=A04.13.0

Tested and works as well on Ubuntu 16.04 with emacs24.
Best,
Dor Azouri

On Thu, Sep 28, 2017 at 2:25 PM Noam Postavsky <npostavs@user= s.sourceforge.net> wrote:
ta= gs 28618 + unreproducible
quit

Dor Azouri <dor.azouri@safebreach.com> writes:

> Reproduction steps:
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> 1) =C2=A0Add the following ELisp line of code to the init file. It wil= l be
> loaded on startup and execute the command =E2=80=9Ctouch /stub.file=E2= =80=9D, when =E2=80=9C~
> /.emacs.d/=E2=80=9D is the working directory.
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 (let ((default-directory "~/.emacs.d/= ")) (shell-command
> "touch /stub.file"))
> 2) =C2=A0Wait for the user to invoke Emacs in elevated mode. The owner= of
> the newly created stub file is root.

As Glenn noted, this doesn't actually work: 'sudo emacs' uses /root/.emacs, not ~/.emacs.

~$ sudo id
uid=3D0(root) gid=3D0(root) groups=3D0(root)
~$ echo '(let ((default-directory "~/.emacs.d/")) (shell-comm= and "touch /stub.file"))' > .emacs
~$ emacs # *Messages* has "touch: cannot touch '/stub.file': P= ermission denied"
~$ ls /stub.file
ls: cannot access '/stub.file': No such file or directory
~$ sudo emacs
~$ ls /stub.file
ls: cannot access '/stub.file': No such file or directory


--f40304379770853e09055a5390d2-- From unknown Sat Jun 21 05:07:21 2025 X-Loop: help-debbugs@gnu.org Subject: bug#28618: Emacs Security Issue Resent-From: Noam Postavsky Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Fri, 29 Sep 2017 13:25:04 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 28618 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: security unreproducible To: Dor Azouri Cc: 28618@debbugs.gnu.org Received: via spool by 28618-submit@debbugs.gnu.org id=B28618.150669149013145 (code B ref 28618); Fri, 29 Sep 2017 13:25:04 +0000 Received: (at 28618) by debbugs.gnu.org; 29 Sep 2017 13:24:50 +0000 Received: from localhost ([127.0.0.1]:37777 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dxvHd-0003Px-V6 for submit@debbugs.gnu.org; Fri, 29 Sep 2017 09:24:50 -0400 Received: from mail-it0-f53.google.com ([209.85.214.53]:49412) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dxvHc-0003Pk-65 for 28618@debbugs.gnu.org; Fri, 29 Sep 2017 09:24:48 -0400 Received: by mail-it0-f53.google.com with SMTP id c195so2209229itb.4 for <28618@debbugs.gnu.org>; Fri, 29 Sep 2017 06:24:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version:content-transfer-encoding; bh=8Zny9YFYN6C2hpNgO/2Md/cfzEFtyTRZwNULMO7WODU=; b=KnDNueP6KAsSHek7knXm42/ZVxRbfl//AfGcPlTqrXQuO9ZHKglYqfbijmPeXhXJE+ zKp7Dphb1jlVhvxNrQUUVVecsVTuUdCTHlEUAAqO0/qT2fFCgxeQHCEJ4qINg+nHjrIP rapixpwCO9KpxqvhMwGNMLjMxnLqk1FJUi1EogmjNYmczuRhAc0P/rVB+YKL8UHfX9IC WwrJO4kX1lllWY3xsucJB/g+9Mr0mPgzaPDDHz4RTkFwCAHuNFzqzVfV1YsqECW8Rbpk YFt4TrYNdgkTco4Up2T4CoUwS169HHa7Np+iz9fTdcoVDZI/ovlFFTs5OKKfW5UMBGyB FgHw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:to:cc:subject:references:date :in-reply-to:message-id:user-agent:mime-version :content-transfer-encoding; bh=8Zny9YFYN6C2hpNgO/2Md/cfzEFtyTRZwNULMO7WODU=; b=aYwLA8pLbx3lCHStIzcSEgJN3CrPKDxAyVqTCbVvWtpx0GxzZjOrTvIqZM8EvwsO7U LXhKgFkn00wtCpI3C14GbpuQ+GoxhlokfGGS/zES64J0MQAI9Nqg568KQCJmU40ZBJV/ Whv6LC+aw10DwRHbred6pXxFLBaqTO2HSPExJwUSI6eII4/3un24sfh/PKOi0hUNmmqr Kvt2clDW0EKqpHFXsVRAqIOoceNF+V2TMpMSBJR6VNVjoE9+rksqAkFLaB+bgWNVO963 trXEsbdq6jWHIKQyAxUSw8LO9PiDw2p0uoiBl8hDoIimlexS4hUd2+tfc5ZkVo+kKx6A 8xNw== X-Gm-Message-State: AMCzsaUFD+FQL7EelBt2kMijOanHOw9GE/uHlnrHo/s8Nz6pkbTx3nOD kfDUhgYB5qTk/LXgi8iWIrPlnA== X-Google-Smtp-Source: AOwi7QAqalXX9099vVVmIvj3TbTR4CIF3kY+OzpAHPDB3EsYmp2WJmribeZ0BuiFCytOmHFsutLX4Q== X-Received: by 10.36.92.133 with SMTP id q127mr6640439itb.31.1506691482274; Fri, 29 Sep 2017 06:24:42 -0700 (PDT) Received: from zebian ([45.2.119.34]) by smtp.googlemail.com with ESMTPSA id j93sm1723919iod.65.2017.09.29.06.24.41 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Fri, 29 Sep 2017 06:24:41 -0700 (PDT) From: Noam Postavsky References: <87efqrf4k3.fsf@users.sourceforge.net> Date: Fri, 29 Sep 2017 09:24:40 -0400 In-Reply-To: (Dor Azouri's message of "Fri, 29 Sep 2017 12:57:06 +0000") Message-ID: <87zi9deixz.fsf@users.sourceforge.net> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.60 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) Dor Azouri writes: > This is the output in my env that demonstrates how it works (forgive > the hebrew chars): > ~/.emacs.d$ ls -all > total 20 > drwx------=C2=A0 =C2=A02 duke duke=C2=A0 4096 =D7=A1=D7=A4=D7=98 28 20:24= . > drwxr----- 105 duke duke 16384 =D7=A1=D7=A4=D7=98 28 14:36 .. > ~/.emacs.d$ echo '(let ((default-directory "/opt/")) (shell-command > "touch stub.file"))' > init.el > ~/.emacs.d$ ls -all /opt/ | grep stub.file > ~/.emacs.d$ sudo emacs > ~/.emacs.d$ ls -all /opt/ | grep stub.file > -rw-r--r--=C2=A0 1 root=C2=A0 =C2=A0root=C2=A0 =C2=A0 =C2=A0 0 =D7=A1=D7= =A4=D7=98 28 20:25 stub.file Hmm, it doesn't happen for me. ~/.emacs.d$ ls -all total 12 drwx------ 3 npostavs npostavs 4096 Sep 29 09:19 . drwxr-xr-x 37 npostavs npostavs 4096 Sep 29 09:19 .. drwx------ 2 npostavs npostavs 4096 Sep 29 09:19 auto-save-list ~/.emacs.d$ echo '(let ((default-directory "/opt/")) (shell-command "to= uch stub.file"))' > init.el ~/.emacs.d$ ls -all /opt/ | grep stub.file ~/.emacs.d$ sudo emacs [sudo] password for npostavs:=20 ~/.emacs.d$ ls -all /opt/ | grep stub.file Can you do echo '(debug)' > ~/.emacs.d/init.el sudo emacs and show the result backtrace please? From unknown Sat Jun 21 05:07:21 2025 X-Loop: help-debbugs@gnu.org Subject: bug#28618: Emacs Security Issue Resent-From: Glenn Morris Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Fri, 29 Sep 2017 16:42:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 28618 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: security unreproducible To: Noam Postavsky Cc: 28618@debbugs.gnu.org, Dor Azouri Received: via spool by 28618-submit@debbugs.gnu.org id=B28618.150670331910012 (code B ref 28618); Fri, 29 Sep 2017 16:42:02 +0000 Received: (at 28618) by debbugs.gnu.org; 29 Sep 2017 16:41:59 +0000 Received: from localhost ([127.0.0.1]:39462 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dxyMR-0002bQ-HO for submit@debbugs.gnu.org; Fri, 29 Sep 2017 12:41:59 -0400 Received: from eggs.gnu.org ([208.118.235.92]:52547) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dxyMP-0002bA-99 for 28618@debbugs.gnu.org; Fri, 29 Sep 2017 12:41:57 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dxyMJ-0004SZ-Cp for 28618@debbugs.gnu.org; Fri, 29 Sep 2017 12:41:52 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD autolearn=disabled version=3.3.2 Received: from fencepost.gnu.org ([2001:4830:134:3::e]:49092) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dxyLw-0004Lh-Jw; Fri, 29 Sep 2017 12:41:28 -0400 Received: from rgm by fencepost.gnu.org with local (Exim 4.82) (envelope-from ) id 1dxyLu-00066x-WF; Fri, 29 Sep 2017 12:41:27 -0400 From: Glenn Morris References: <87efqrf4k3.fsf@users.sourceforge.net> <87zi9deixz.fsf@users.sourceforge.net> X-Spook: Al Qaeda in the Islamic Maghreb [Hello to all my friends X-Ran: fL0rU}X>x{'H)QBw@R7InG}-_2y8hzu|/UQG$y*o@9skglswjQ<^u>'zg$?nmr^n6XoW?l X-Hue: blue X-Attribution: GM Date: Fri, 29 Sep 2017 12:41:26 -0400 In-Reply-To: <87zi9deixz.fsf@users.sourceforge.net> (Noam Postavsky's message of "Fri, 29 Sep 2017 09:24:40 -0400") Message-ID: User-Agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/) MIME-Version: 1.0 Content-Type: text/plain X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2001:4830:134:3::e X-Spam-Score: -5.0 (-----) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.0 (-----) On some systems, sudo may preserve HOME by default. Or it may be optional behaviour with "sudo -E" (eg on Debian 8, it seems). (Of course, the attacker who has complete control of your user account could alias "sudo" to "sudo -E".) Ref eg https://security.stackexchange.com/questions/18369/issues-with-preserving-home-on-sudo As it stands, I don't think this is an Emacs issue. From unknown Sat Jun 21 05:07:21 2025 X-Loop: help-debbugs@gnu.org Subject: bug#28618: Emacs Security Issue Resent-From: Noam Postavsky Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Fri, 29 Sep 2017 22:56:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 28618 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: security unreproducible To: Glenn Morris Cc: 28618@debbugs.gnu.org, Dor Azouri Received: via spool by 28618-submit@debbugs.gnu.org id=B28618.150672572422163 (code B ref 28618); Fri, 29 Sep 2017 22:56:01 +0000 Received: (at 28618) by debbugs.gnu.org; 29 Sep 2017 22:55:24 +0000 Received: from localhost ([127.0.0.1]:39763 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dy4Bo-0005lJ-9a for submit@debbugs.gnu.org; Fri, 29 Sep 2017 18:55:24 -0400 Received: from mail-io0-f169.google.com ([209.85.223.169]:44992) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dy4Bl-0005l0-Uv; Fri, 29 Sep 2017 18:55:22 -0400 Received: by mail-io0-f169.google.com with SMTP id v36so1024684ioi.1; Fri, 29 Sep 2017 15:55:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version; bh=ncNbjkAFLknEIu+SfoJSCnaQ+M5Ep0PL3OW9iTLIJnk=; b=Xn054bLkQwOZoxyHg7N4AaXZlIu011GPBJ2Y5EQSRXPVBXvjg3n8kHwVwmsz3U4ABy g1vxfi8r5LIb0Kx/SSxQPNuwKg/z+D5rmo4F6gj/Gb6Qz73S8uw4pNw02X0in86hLB3Z CrIbYk+px/5rLA535RH/T9NYzATneQl7R959onm91JliDLeypi6F2Q5t1aS39tRI8JXp ufb3KMub0i0VxqQCxocobZIqAAHME+NqEx0D2Jazyph99pwZ1JscGNVBVdKBQzMxocKA 8281bIq6w5LaZ7D6pfxz2x9cGO6MTGCiEb4M/ZUyUp4iBUus5Ib2ceoMi8h08Y8xw+yo opcQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:to:cc:subject:references:date :in-reply-to:message-id:user-agent:mime-version; bh=ncNbjkAFLknEIu+SfoJSCnaQ+M5Ep0PL3OW9iTLIJnk=; b=Jk0dQuysp+UhUVPU8p6yUAkgxKHgwKMGd8pe9FDRbY4DJjO0unBetiU8crCJ4uZ4q0 8c4BCxohfHtlKKd7dEoneC9aZwd2bG8lPeVIHmi5iHt1NshRdeTQq5QcRyurDJBz+3kP jTzbfNU7y3JMEwiloDovpnA9UHLNeMJXE0WajR9aqmHamgleJVJ6PDRQQAmOM317+BqS hu/NfbQNbLkdqjY6G7heTAwRqyLcVINegl6WbbEzRlbZtoFQFHqPvnHPfSenoA5yXsG2 2HcIR+lyi8BGOGEDjBc0sMbQAElDGA1QyDej8RLuKsS/xiP3NpPbemLsVjjXOj4UR6Jg 7j+A== X-Gm-Message-State: AMCzsaX77Rk5EN0V98wpWE+aEOzir0cjIYZGSNkIGmrnQmGmt7UPsz4a aeF0hR9PM2MOIkJXgL4EPwr9Cg== X-Google-Smtp-Source: AOwi7QBxfFeebIgQvvCK5kvSyne0hmGnq5SFAbq2WPVOIft8uP53u1MV38OuZ+X+Aysc2Hi+7HpeDQ== X-Received: by 10.107.15.138 with SMTP id 10mr14415309iop.203.1506725715919; Fri, 29 Sep 2017 15:55:15 -0700 (PDT) Received: from zebian ([45.2.119.34]) by smtp.googlemail.com with ESMTPSA id k76sm2300575ita.4.2017.09.29.15.55.14 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Fri, 29 Sep 2017 15:55:14 -0700 (PDT) From: Noam Postavsky References: <87efqrf4k3.fsf@users.sourceforge.net> <87zi9deixz.fsf@users.sourceforge.net> Date: Fri, 29 Sep 2017 18:55:13 -0400 In-Reply-To: (Glenn Morris's message of "Fri, 29 Sep 2017 12:41:26 -0400") Message-ID: <87tvzldsj2.fsf@users.sourceforge.net> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.60 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: -2.1 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.1 (--) tags 28618 - unreproducible tags 28618 + notabug quit Glenn Morris writes: > On some systems, sudo may preserve HOME by default. Or it may be > optional behaviour with "sudo -E" (eg on Debian 8, it seems). Ah, that explains the discrepancy then (it's the same with Debian 9, which I'm using here). > Ref eg > > https://security.stackexchange.com/questions/18369/issues-with-preserving-home-on-sudo > > As it stands, I don't think this is an Emacs issue. I agree. From unknown Sat Jun 21 05:07:21 2025 X-Loop: help-debbugs@gnu.org Subject: bug#28618: Emacs Security Issue Resent-From: Dor Azouri Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Sun, 01 Oct 2017 15:29:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 28618 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: notabug security To: Noam Postavsky , Glenn Morris Cc: 28618@debbugs.gnu.org Received: via spool by 28618-submit@debbugs.gnu.org id=B28618.150687169724155 (code B ref 28618); Sun, 01 Oct 2017 15:29:02 +0000 Received: (at 28618) by debbugs.gnu.org; 1 Oct 2017 15:28:17 +0000 Received: from localhost ([127.0.0.1]:42880 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dygAC-0006HX-O6 for submit@debbugs.gnu.org; Sun, 01 Oct 2017 11:28:16 -0400 Received: from mail-oi0-f47.google.com ([209.85.218.47]:56352) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dygAA-0006HG-Rc for 28618@debbugs.gnu.org; Sun, 01 Oct 2017 11:28:15 -0400 Received: by mail-oi0-f47.google.com with SMTP id m198so3787080oig.13 for <28618@debbugs.gnu.org>; Sun, 01 Oct 2017 08:28:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=safebreach-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=IBGeV5x6v2uaFnif/Gm6u24mwCKYvpXjIiPhzNZgfwg=; b=k+sYXUxm8p5BbxoKlK5ZpFGJYSkQDL7w2fiUBM58y06N6NZ5dyefpfEnPPcKQKHli6 FGbczOFSNALjGZoICHDO9giEKRa2QBcUxzohVWQ2GzcOJm+vntjZzDUleO93bkc01Ijv 7VzSEyiKPfUIGjiZqRcZdBrAoVdDlq6Byu1i6ZepXhZnFPWTy9h7oy6yPNJgN9t2dcGN Y7FUWrRBHQKRLkebSeatX+RkWfBeSuksTe7I0Oir+EZ7e5/pRjv9BQxM89QybN9chZvJ QuDdoNzI1gOKNJFQR1DUBDFzVGc8+iAMSGiFXAI/txx578XL8AKoddFQTN4PMspROoqL nyGA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=IBGeV5x6v2uaFnif/Gm6u24mwCKYvpXjIiPhzNZgfwg=; b=S3BGCpnXHomf/kaJcMj1kBMbP7ulKllmpWOsZ096l5rsGg0dQauRcdIRY5jwgo7quA dIx7dxRGC9rBo+y9XQN2Kvf/1OTsIcVw70TwVnoGwcJ0Sxnc0/zQ70YiepGlowuCg7J1 n/b3HQ/WkgAS3O+oMt+QwC1mAAdhNORZRi+u0CZndy1fPsH6R+Azero5IzRI1HLCE2Bf QjQ6j431gTmeitIOO6a4k0I9Cb9NZQpxzW18jxTkrD3voMRIvvhLjCxu1Th147tKrMpC hjyUe7r0vJvepaUhz5pFcxrhjhgHAmCnouoL8JIzdOYPhjnuLljBTgnZ2pS6ReXv/Gi7 udjg== X-Gm-Message-State: AMCzsaU+RQ4TMNr+qezDuazyphpDsSedfDCcJzrAQ+kSLp7Ke+8k1BZW tqoRsZN1Sr7Q6U5bxqlveb7X1EGkhx//JZDfOtSGjQ== X-Google-Smtp-Source: AOwi7QBpIrpuGJnkHAezmXDMiFy8F7wzgP6u2AnZDCI5TIqw1rJcpekNXJ68XogCAnGjdj9piciwQX4SaQPi9kpupXE= X-Received: by 10.202.86.206 with SMTP id k197mr450967oib.254.1506871689059; Sun, 01 Oct 2017 08:28:09 -0700 (PDT) MIME-Version: 1.0 References: <87efqrf4k3.fsf@users.sourceforge.net> <87zi9deixz.fsf@users.sourceforge.net> <87tvzldsj2.fsf@users.sourceforge.net> In-Reply-To: <87tvzldsj2.fsf@users.sourceforge.net> From: Dor Azouri Date: Sun, 01 Oct 2017 15:27:58 +0000 Message-ID: Content-Type: multipart/alternative; boundary="001a113d78f8bfbe07055a7de775" X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.3 (--) --001a113d78f8bfbe07055a7de775 Content-Type: text/plain; charset="UTF-8" Thanks for checking this problem. I am convinced by the comments that this is not a pure Emacs issue, though a step can still be taken to help users protect from this abuse. For example, Notepad++ on Windows does not load user plugins (located in AppData) when run as Administrator - unless an Administrator explicitly puts a specific file in the protected installation directory ("allowAppDataPlugins.xml"). Best, Dor Azouri On Sat, Sep 30, 2017 at 1:55 AM Noam Postavsky < npostavs@users.sourceforge.net> wrote: > tags 28618 - unreproducible > tags 28618 + notabug > quit > > Glenn Morris writes: > > > On some systems, sudo may preserve HOME by default. Or it may be > > optional behaviour with "sudo -E" (eg on Debian 8, it seems). > > Ah, that explains the discrepancy then (it's the same with Debian 9, > which I'm using here). > > > Ref eg > > > > > https://security.stackexchange.com/questions/18369/issues-with-preserving-home-on-sudo > > > > As it stands, I don't think this is an Emacs issue. > > I agree. > --001a113d78f8bfbe07055a7de775 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Thanks for checking this problem.
I am convinced by the comments that this is not = a pure Emacs issue, though a step can still be taken to help users protect = from this abuse.

For example, Notepad++ on Windows does not load use= r plugins (located in AppData) when run as Administrator - unless an Admini= strator explicitly puts a specific file in the protected installation direc= tory ("allowAppDataPlugins.xml").

Best,
Dor Azouri

=

On Sat, Sep 30, 2017 = at 1:55 AM Noam Postavsky <npostavs@users.sourceforge.net> wrote:
tags 28618 - unreproducible
tags 28618 + notabug
quit

Glenn Morris <rgm@gnu.o= rg> writes:

> On some systems, sudo may preserve HOME by default. Or it may be
> optional behaviour with "sudo -E" (eg on Debian 8, it seems)= .

Ah, that explains the discrepancy then (it's the same with Debian 9, which I'm using here).

> Ref eg
>
> https://s= ecurity.stackexchange.com/questions/18369/issues-with-preserving-home-on-su= do
>
> As it stands, I don't think this is an Emacs issue.

I agree.
--001a113d78f8bfbe07055a7de775-- From unknown Sat Jun 21 05:07:21 2025 X-Loop: help-debbugs@gnu.org Subject: bug#28618: Emacs Security Issue Resent-From: Noam Postavsky Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Fri, 06 Oct 2017 02:24:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 28618 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: notabug security To: Dor Azouri Cc: 28618@debbugs.gnu.org, Glenn Morris Received: via spool by 28618-submit@debbugs.gnu.org id=B28618.15072566292876 (code B ref 28618); Fri, 06 Oct 2017 02:24:01 +0000 Received: (at 28618) by debbugs.gnu.org; 6 Oct 2017 02:23:49 +0000 Received: from localhost ([127.0.0.1]:51977 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1e0IIn-0000kE-EO for submit@debbugs.gnu.org; Thu, 05 Oct 2017 22:23:49 -0400 Received: from mail-it0-f45.google.com ([209.85.214.45]:43306) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1e0IIl-0000jw-1q; Thu, 05 Oct 2017 22:23:47 -0400 Received: by mail-it0-f45.google.com with SMTP id v62so1029307itd.0; Thu, 05 Oct 2017 19:23:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version; bh=pBAEiEVDtzW+x3Rbd7KYDx92UajBv5U/1OfQwd+Yx4Q=; b=GXRskaI4EKGGejpcRGQDGQnPz7W5g67PPF4KKDtgcKU00hI8h9it63Whzm0Gi1vbgJ /3yn85CxKDD/xOhWq3ytfSQaE7jRVIFW6p4lofLK0pO1y8F7o9U5YaFcYoSKPD/zyyap LQ9DrduPQ0E47lYr9POVCBXktDJXtAuTDQprzQ6wX2MjoacTacU8Epyiyn++kQzaWOtP jEbQZLZYPt2n7DUjhDMZnd4R7bwF3lP6tRIPWKU5FBRPnbcY2wyf7VsXZJbhpkC7c3CI 8t7gXPVbMllei0mULEOHeXP+kv2h3j1iENYaEHAj+S7kjQ90iM7N/aTrXNdRk7gApjq1 JEEg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:to:cc:subject:references:date :in-reply-to:message-id:user-agent:mime-version; bh=pBAEiEVDtzW+x3Rbd7KYDx92UajBv5U/1OfQwd+Yx4Q=; b=inJ0vDgP83AwgU+WO70d1c3a3g4zIv/3ORc18YcfwRZApuaKb9EVv3y7FTO+9cz8iw FDHoYCsyTfteUUNiiGBS1e3oj8ZEzMPFBJFtE05kse/CjW++8/m/eYnDRarr6Vdt0tuC t2DVRFCYsJzEOaa1aF8jRq64ONkt7XLXj7tpG77NBGgFTikgMGbUuXOla+tF5/Ibcpt8 uZN2RIWFXOCkellhSUBYlA+4BLRLqLnIRek+R7r/1aJbRb2ITA6sGOC6eIqCjk2/lnDr B/n5gfm2FFwjd48g75IxpR/iOq9AMcObyYVP4vJwcQsO+X7eSwXJxY/xW2bd8z6FRK5V rRqA== X-Gm-Message-State: AMCzsaVva9VwuWWke0TdwmdDT1Vl7U8SKp7N2VT1ORcY1YwZc2keJFAW pjQE5SJD+uqrOl+hbFwU/Rlavw== X-Google-Smtp-Source: AOwi7QAJf1CYyVsOvwxqxSHVNL8pL8y3MYps6OlRaHeMWMxYmsie1eQNwjLO54/2e4d5MF2rz1ZMZg== X-Received: by 10.36.91.132 with SMTP id g126mr752139itb.122.1507256621211; Thu, 05 Oct 2017 19:23:41 -0700 (PDT) Received: from zebian ([45.2.119.34]) by smtp.googlemail.com with ESMTPSA id e141sm518413ite.0.2017.10.05.19.23.38 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Thu, 05 Oct 2017 19:23:39 -0700 (PDT) From: Noam Postavsky References: <87efqrf4k3.fsf@users.sourceforge.net> <87zi9deixz.fsf@users.sourceforge.net> <87tvzldsj2.fsf@users.sourceforge.net> Date: Thu, 05 Oct 2017 22:23:37 -0400 In-Reply-To: (Dor Azouri's message of "Sun, 01 Oct 2017 15:27:58 +0000") Message-ID: <87poa1c8uu.fsf@users.sourceforge.net> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.60 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: 0.7 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.7 (/) retitle 28618 Emacs respects $HOME, even when user is root tags 28618 + wontfix quit Dor Azouri writes: > Thanks for checking this problem. > I am convinced by the comments that this is not a pure Emacs issue, > though a step can still be taken to help users protect from this > abuse. > > For example, Notepad++ on Windows does not load user plugins (located > in AppData) when run as Administrator - unless an Administrator > explicitly puts a specific file in the protected installation > directory ("allowAppDataPlugins.xml"). It could be different for Windows, but for GNU/Linux I think the previous messages already explained why this doesn't actually protect anything. The user can still get the behaviour they like by setting the appropriate sudo option. I don't see why Emacs should override that. From unknown Sat Jun 21 05:07:21 2025 X-Loop: help-debbugs@gnu.org Subject: bug#28618: Emacs Security Issue Resent-From: Noam Postavsky Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Sat, 17 Mar 2018 01:44:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 28618 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: security wontfix notabug To: Noam Postavsky Cc: 28618@debbugs.gnu.org, Glenn Morris , Dor Azouri Received: via spool by 28618-submit@debbugs.gnu.org id=B28618.15212510159578 (code B ref 28618); Sat, 17 Mar 2018 01:44:01 +0000 Received: (at 28618) by debbugs.gnu.org; 17 Mar 2018 01:43:35 +0000 Received: from localhost ([127.0.0.1]:37446 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ex0sg-0002UM-Td for submit@debbugs.gnu.org; Fri, 16 Mar 2018 21:43:35 -0400 Received: from mail-io0-f182.google.com ([209.85.223.182]:33220) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ex0sc-0002U0-Kk; Fri, 16 Mar 2018 21:43:30 -0400 Received: by mail-io0-f182.google.com with SMTP id f1so14694524iob.0; Fri, 16 Mar 2018 18:43:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version; bh=IBbVq8zmk3nBxubYadOz9qSqhJuY3jsYCvnUJZFdwvA=; b=mNKy14SocWybjKEHBJbaMNSF+RSpRIkA5XpLEiCn42f5GNMolJ0gDbQDks22ig7UtI wyG50bF5isM+yi74ET1il/OKTkh5NmVck2LSS8SzhxpHZrs7P+ZQcikQEN8Pr2KQAnMZ RTPz9nPFlKESrd0eFJY4u7gcW2gJA5bk9pqGc4p7bU9TcvAHrpSEMS+yRz9Wqr8mxHkr KaQi5CQR0RFviE8K72tK2FrTOScWcLGz35YFhQM67i+9raHr2Cl7NjVasOB6lwC6MjXA yB+rWGy0yLa+ooeGSbf4YX/aqGMlIHKpBI8UIjVGhNoToWgbr1PUOi4toVt5gKULTlDi d5Sg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to :message-id:user-agent:mime-version; bh=IBbVq8zmk3nBxubYadOz9qSqhJuY3jsYCvnUJZFdwvA=; b=qY73XpHdDpIX8eJcLp2TeiqLjrpZyDNQJmze8TCD+yOfkiRUH0rsa6b6NgRlTvp6Vg gefEkuitlQieoVLPrEtDmaocI5Hs+H2nYH5qxQMjZZ5hxrCl8evmS4baYAL8D09ngImn gvLm7DorYGeKg7Z53b1/LDSZWHcCkmE54i1YJB2yqiarMVBJgN0N54hSSloJ+SPPw69a 89dkFmQ0bMGZNas03/J0nOKE+bPZ4saIy3dsvd56TmMp8tOG0NqzIfr4y38p3FyRWccl GXlT44VrOXXX+Fb3hMfQMO+gUUOuM8wHxXltno83cdHaWolibQHWFY696wUE+o8ggN7A yJAA== X-Gm-Message-State: AElRT7HtJaqG1sOEJrcO3c/fbiO5tBs2ki8ydnK4CPNaBfSQr5cPXrJ2 +UCfrNwTobENiY2pyDLziuTW1Q== X-Google-Smtp-Source: AG47ELviqy8Jb2wkmnDnfkhhNYBpdEj8AfJZy2xxz2v3aBfYM95lAyxTCxD2SgWp4W6Q22v1+XKVDQ== X-Received: by 10.107.26.74 with SMTP id a71mr4187331ioa.121.1521251004932; Fri, 16 Mar 2018 18:43:24 -0700 (PDT) Received: from zebian (cbl-45-2-119-34.yyz.frontiernetworks.ca. [45.2.119.34]) by smtp.googlemail.com with ESMTPSA id e142-v6sm668988ite.3.2018.03.16.18.43.23 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Fri, 16 Mar 2018 18:43:23 -0700 (PDT) From: Noam Postavsky References: <87efqrf4k3.fsf@users.sourceforge.net> <87zi9deixz.fsf@users.sourceforge.net> <87tvzldsj2.fsf@users.sourceforge.net> <87poa1c8uu.fsf@users.sourceforge.net> Date: Fri, 16 Mar 2018 21:43:22 -0400 In-Reply-To: <87poa1c8uu.fsf@users.sourceforge.net> (Noam Postavsky's message of "Thu, 05 Oct 2017 22:23:37 -0400") Message-ID: <87fu4zv5mt.fsf@gmail.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.90 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: 0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.0 (/) close 28618 quit > The user can still get the behaviour they like by setting the > appropriate sudo option. I don't see why Emacs should override that. Seems there is nothing left to say about this. From debbugs-submit-bounces@debbugs.gnu.org Thu Mar 22 20:05:11 2018 Received: (at control) by debbugs.gnu.org; 23 Mar 2018 00:05:11 +0000 Received: from localhost ([127.0.0.1]:48245 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ezACl-0003Zl-Ei for submit@debbugs.gnu.org; Thu, 22 Mar 2018 20:05:11 -0400 Received: from mail-it0-f52.google.com ([209.85.214.52]:56004) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ezACi-0003ZT-OX; Thu, 22 Mar 2018 20:05:09 -0400 Received: by mail-it0-f52.google.com with SMTP id e195-v6so482222ita.5; Thu, 22 Mar 2018 17:05:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version; bh=+UQADyqPj0FABcL+A5ESfoecRiIxfbVXvIS1mr+YJqA=; b=lBS8eDy64yfCpEOTuX50tuaa+mm9AatRqcvR2AFPe5NVlhLzq3dO/lphI/MUiCzGXk Ojcj+4vUhA5eNiY8WyqRErn8p0jxTROj0RTI9qSjjCsSrbidsbV6XYUuSqT8LPAggRvu 6EIkfp3cyd+bO0SrV1fXYlOjvP1lBHECYwV99+SznOMzR7arQjiSf3QYVQkGtntExDWA Cg0P6/ZLkxUI+vEMFFfCjZc0yRrb+Np3WtyVrBtZbAyYqKdi8R6t9zZjBkhcrlx2imgN mThLoKHdKEYclsC9lUHhRKfNBmsz9w6hzs48Ce6c/PQm/95sL2n8TC8UGVBoLq8czYdu hEHQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to :message-id:user-agent:mime-version; bh=+UQADyqPj0FABcL+A5ESfoecRiIxfbVXvIS1mr+YJqA=; b=poA7/+4R5dYvaOHTbTGXJmVOQWe4Qx2imMbaR+hRT16gMlytM3HjIffxKSNAph3yjo 9cLxPm3NPc3b3jDicEJtSddQtLF6CG+dOo+n1YxjbfVT3HXqGxwC5aXZbk0RvLPXes02 DOnHSjAakLrjBmsEbCK//vH484bhLGLT8oiDCD97wogRfgoswRgikPoBb6trW9q1dPqM DwHI7NSo18pzozD8n61lYgWagXEzmw+CkCTEd2GV9DppO9HCXO2TVoxZNzaZqHAeVC32 Vd9Lg6OWLoK4a3Lv4H2qHRDYX4rYQJrVr7D6KSDw6A6c2/AcZSPftqDk7I1+udukYnSZ 6vPA== X-Gm-Message-State: AElRT7FjKJ+LvJolE8RERM8sVZZXf2b7ysy1BOjXV/u/RWA4cCIgScbp R+toqSTCeHosLBXnvN4XHCu9pQ== X-Google-Smtp-Source: AG47ELsyH/Iu6pbcYm+HqcRDxIdAYK2jus38vfFyAV1xYIsF6FSyaP6R6EgqmqEO7TryW7u0UO4w6A== X-Received: by 2002:a24:3c5:: with SMTP id e188-v6mr11581385ite.74.1521763502907; Thu, 22 Mar 2018 17:05:02 -0700 (PDT) Received: from zebian (cbl-45-2-119-34.yyz.frontiernetworks.ca. [45.2.119.34]) by smtp.googlemail.com with ESMTPSA id e142-v6sm6145656ite.3.2018.03.22.17.05.01 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Thu, 22 Mar 2018 17:05:02 -0700 (PDT) From: Noam Postavsky To: "Nelson H. F. Beebe" Subject: Re: bug#30912: [bug-gnu-emacs] emacs as a route to privilege escalation References: Date: Thu, 22 Mar 2018 20:05:01 -0400 In-Reply-To: (Nelson H. F. Beebe's message of "Thu, 22 Mar 2018 17:41:22 -0600") Message-ID: <87lgejslle.fsf@gmail.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.90 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: control Cc: 30912@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) forcemerge 28618 30912 quit "Nelson H. F. Beebe" writes: > The SANS security list today carried a pointer to this Web site: > > Abusing Text Editors with Third-party Plugins > March 15, 2018 > Dor Azouri > https://safebreach.com/Post/Abusing-Text-Editors-with-Third-party-Plugins > > It links to an 11-page report of the same title at > > https://go.safebreach.com/rs/535-IXZ-934/images/Abusing_Text_Editors.pdf > > Do emacs developers wish to respond to the security attacks described > there? Dor already brought this up in Bug#28618. As Glenn said: If an attacker has [compromised] a user account that can run "sudo arbitrary command", then that's just the same as having compromised the root account, and so worrying about this on the individual application level doesn't seem to make sense. Eg they could replace "sudo" with a keylogger. Note that the problem could be "fixed" by setting Defaults always_set_home in /etc/sudoers (Debian has this setting by default), but that won't help with the sudo-is-a-key-logger problem.