GNU bug report logs - #37445
27.0.50; Permission denied after make install
Reported by: Tino Calancha <tino.calancha <at> gmail.com>
Date: Wed, 18 Sep 2019 09:03:02 UTC
Severity: normal
Found in version 27.0.50
Done: Paul Eggert <eggert <at> cs.ucla.edu>
Bug is archived. No further changes may be made.
Message #33 received at 37445 <at> debbugs.gnu.org:
> From: Paul Eggert <eggert <at> cs.ucla.edu>
> Date: Fri, 20 Sep 2019 02:10:10 -0700
> Cc: 37445 <at> debbugs.gnu.org
>
> This glitch suggests that there are more-serious security problems in the
> default Emacs install. If source-directory is (say) "/tmp/emacs-build/whatever",
> and /tmp/emacs-build is removed after the build, an attacker can provide a bogus
> source directory in place of the real one, and this could cause real problems.

What kind of problems could accessing such a directory cause?

Note that there are also various EMACS* environment variables that
Emacs heeds; they can override the likes of data-directory.

> Fedora 30 solves this potential security problem by arranging for the Lisp
> variable source-directory to have a value like "/usr/share/emacs/26.2/", which
> is a place attackers shouldn't be able to overwrite.
>
> However, the default Emacs install doesn't do that. It installs the sources into
> (say) "/usr/local/share/emacs/27.0.50", but it doesn't arrange for
> source-directory to point there; instead, source-directory points to wherever
> the sources happened to be when Emacs was built, which could be in /tmp. This
> sounds like a configuration error in the default Emacs install, and I plan to
> look into why it's unsafe whereas the Fedora Emacs install is safer.

If you point source-directory away from where the real sources are, some
Help features will cease working. So I don't think we want the Fedora
solution. What we want is that sources will be inaccessible in this
situation, but APIs such as 'load' and 'require' still work
regardless.
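
The directory-planting risk discussed in this message can be audited on an installed system. The following is an added example, not code from this thread or from Emacs: a Python check whose function name and finding labels are hypothetical, and which takes the value of source-directory (as reported by Emacs itself) as a plain string.

```python
import os
import stat


def audit_source_directory(path, trusted_uids=None):
    """Return [(component, problem)] for each weak link on the way to `path`.

    Problems (labels are this example's own, not Emacs terminology):
      "plantable"          component is missing and another user can create it
      "untrusted-owner"    component is owned by someone other than root/us
      "writable-by-others" other users can add or replace entries in it
    """
    trusted = {0, os.getuid()} if trusted_uids is None else set(trusted_uids)
    # Resolve symlinks first so the real directories are the ones inspected.
    path = os.path.realpath(path)

    # Build the chain "/", "/tmp", "/tmp/emacs-build", ...
    chain, cur = [], path
    while True:
        chain.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    chain.reverse()

    findings = []
    parent_open = False  # can another user create entries in the previous component?
    for comp in chain:
        try:
            st = os.lstat(comp)
        except (FileNotFoundError, NotADirectoryError):
            # The case from the report: the build directory was removed and
            # its parent (for example /tmp) lets anyone recreate it.
            if parent_open:
                findings.append((comp, "plantable"))
            break  # nothing below a missing component exists either
        others_write = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
        sticky = bool(st.st_mode & stat.S_ISVTX)
        untrusted = st.st_uid not in trusted
        if untrusted:
            findings.append((comp, "untrusted-owner"))
        elif others_write and (comp == path or not sticky):
            # A sticky parent protects existing entries from rename/delete,
            # but the source directory itself must never be shared-writable.
            findings.append((comp, "writable-by-others"))
        parent_open = others_write or untrusted
    return findings
```

An empty result means every existing component is owned by root or the current user and closed to other writers; a missing path under a closed parent is reported as no finding, since nobody else can create it.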
This bug report was last modified 5 years and 242 days ago.