GNU bug report logs - #28618
Emacs respects $HOME, even when user is root

Previous Next

Package: emacs;

Reported by: Dor Azouri <dor.azouri <at> safebreach.com>

Date: Wed, 27 Sep 2017 15:31:01 UTC

Severity: normal

Tags: notabug, security, wontfix

Merged with 30912

Done: Noam Postavsky <npostavs <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

Message #11 received at 28618 <at> debbugs.gnu.org (full text, mbox):

From: Dor Azouri <dor.azouri <at> safebreach.com>
To: John Wiegley <jwiegley <at> gmail.com>
Cc: 28618 <at> debbugs.gnu.org
Subject: Re: bug#28618: Emacs Security Issue
Date: Wed, 27 Sep 2017 16:02:42 +0000

[Message part 1 (text/plain, inline)]
sudo access is not required to edit the init file.
The only requirement is that the user is a sudoer (a user that’s in
/etc/sudoers). It is different: a sudoer is a user that is able to elevate
to root after entering root password, it doesn't mean that it is always
doing things as root. Such a user still needs to explicitly "sudo" for
elevated commands (similar to "Run As Administrator" or UAC in Windows).

So what I identified here is that such a user can be used by an attacker to
edit the init file without elevating, even though the same file will be
loaded when elevating the editor.
The flow: after inserting malicious commands to the init script, all the
attacker has to do is wait for the user to elevate Emacs at some point
(under the assumption that the user will at some point elevate Emacs, which
may not always be true). The malicious commands will be run as root.

On Wed, Sep 27, 2017 at 6:44 PM John Wiegley <jwiegley <at> gmail.com> wrote:

> >>>>> "DA" == Dor Azouri <dor.azouri <at> safebreach.com> writes:
>
> DA> In short, a malicious actor that can execute code as one of the sudoers
> DA> (in non-elevated mode), can edit the init file, and add malicious
> commands
> DA> to it. Then he needs to wait for that user to invoke the editor in
> DA> elevated mode - and the plugin that was written before, will be loaded
> DA> with the root permissions.
>
> If the user has sudo access to run Emacs, isn't the game already over? They
> could M-x shell and rm -fr /, no?
>
> --
> John Wiegley                  GPG fingerprint = 4710 CF98 AF9B 327B B80F
> http://newartisans.com                          60E1 46C4 BD1A 7AC1 4BA2
>

[Message part 2 (text/html, inline)]
This bug report was last modified 7 years and 57 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.