GNU bug report logs - #28618
Emacs respects $HOME, even when user is root

Package: emacs

Reported by: Dor Azouri <dor.azouri <at> safebreach.com>

Date: Wed, 27 Sep 2017 15:31:01 UTC

Severity: normal

Tags: notabug, security, wontfix

Merged with 30912

Done: Noam Postavsky <npostavs <at> gmail.com>

Bug is archived. No further changes may be made.

From: Dor Azouri <dor.azouri <at> safebreach.com>
To: 28618 <at> debbugs.gnu.org
Subject: bug#28618: Emacs Security Issue
Date: Wed, 27 Sep 2017 13:56:46 +0000
Dear Emacs developers,

I would like to report a possible abuse one can perform on Emacs's
extensibility mechanism, that may lead to privilege escalation.

In short, a malicious actor who can execute code as one of the sudoers (in
non-elevated mode) can edit the init file and add malicious commands to
it. Then he needs to wait for that user to invoke the editor in elevated
mode - and the plugin that was written before will be loaded with the root
permissions.

The root cause that enables this abuse is basically incomplete separation
between regular and elevated execution modes of the editor (using "sudo").
I can suggest possible solutions to this issue, e.g.: applying better
permissions to the plugins directories.

Reproduction steps:
===================
1)  Add the following ELisp line of code to the init file. It will be
loaded on startup and execute the command “touch /stub.file”, when
“~/.emacs.d/” is the working directory.
        (let ((default-directory "~/.emacs.d/")) (shell-command "touch /stub.file"))
2)  Wait for the user to invoke Emacs in elevated mode. The owner of the
newly created stub file is root.

* This simple command is just for demonstration - of course much more
complicated intentions can be achieved once Emacs is invoked with sudo.

I will be happy to provide more information as needed,
Dor Azouri
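
A defender-side audit of the condition this report describes, as an added example that is not part of the original message or of Emacs: it lists the init files under a given HOME that an account other than the privileged one could modify before the editor loads them. The function names, the `privileged_uid` parameter and the list of three init-file locations are assumptions of this example.

```python
import os
import stat
import tempfile

# Classic init-file locations under $HOME (assumption: default Emacs setup).
INIT_FILES = (".emacs", ".emacs.el", os.path.join(".emacs.d", "init.el"))


def writable_by_others(st, privileged_uid):
    """True if an account other than privileged_uid can modify this inode."""
    if st.st_uid != privileged_uid:
        return True  # the owner can always rewrite or chmod it
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def risky_init_paths(home, privileged_uid=0):
    """Return init files (and their directories) under `home` that an account
    other than `privileged_uid` could change before the editor loads them."""
    findings = []
    for rel in INIT_FILES:
        path = os.path.join(home, rel)
        if not os.path.exists(path):
            continue
        # Check the file and its directory: a writable directory lets the
        # file be replaced even when the file itself is locked down.
        for target in (path, os.path.dirname(path)):
            if writable_by_others(os.stat(target), privileged_uid):
                findings.append(target)
    return sorted(set(findings))


def demo():
    """Constructed sample: a throwaway HOME owned by the current user."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as home:
        os.mkdir(os.path.join(home, ".emacs.d"), 0o700)
        init = os.path.join(home, ".emacs.d", "init.el")
        with open(init, "w") as fh:
            fh.write(";; constructed sample init file\n")
        os.chmod(init, 0o600)
        same_user = risky_init_paths(home, privileged_uid=me)
        other_user = risky_init_paths(home, privileged_uid=me + 1)
        return same_user, [os.path.relpath(p, home) for p in other_user]


if __name__ == "__main__":
    print(demo())
```

Calling `risky_init_paths(os.environ["HOME"])` from a root shell entered through sudo shows whether the HOME that session inherited contains init files a non-root account controls.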

This bug report was last modified 7 years and 58 days ago.
