GNU bug report logs - #51327
28.0.60; emacsclient warns about XDG_RUNTIME_DIR when starting daemon on-demand

Previous Next

Package: emacs;

Reported by: Jim Porter <jporterbugs <at> gmail.com>

Date: Fri, 22 Oct 2021 04:59:02 UTC

Severity: normal

Tags: security

Found in version 28.0.60

Full log

View this message in rfc822 format

From: Jim Porter <jporterbugs <at> gmail.com>
To: Ulrich Mueller <ulm <at> gentoo.org>
Cc: 51327 <at> debbugs.gnu.org, Paul Eggert <eggert <at> cs.ucla.edu>
Subject: bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when starting daemon on demand
Date: Fri, 5 Nov 2021 11:38:48 -0700

(Cc'ing Paul Eggert, who can probably answer more confidently than me.)

On 11/5/2021 11:05 AM, Ulrich Mueller wrote:
> Can someone please explain to me how an exploit on the _client_ side
> would look like?
> 
> When starting the server, I can believe that there may be some surface
> for a symlink attack. But once the daemon is running? What is the
> security issue for the client checking TMPDIR?

I'm not an expert on this kind of attack, but my understanding is that 
it could go something like this:

 1. Attacker runs `evil-daemon' which puts its socket in /tmp/evil
 2. Attacker runs `ln -s /tmp/evil /tmp/emacs1000/server'
 3. User runs `emacsclient --alternate-editor=""'
 4. emacsclient doesn't see a socket in XDG_RUNTIME_DIR, checks TMPDIR
 5. emacsclient connects to evil-daemon

The evil-daemon probably can't get access to the user's files, but might 
be able to trick a user into entering some secret. I'll let others chime 
in too though, since like I said, I'm not an expert.

If I'm wrong and this isn't an a problem, then I agree that all we need 
to do here is silence the warning.
This bug report was last modified 2 years and 284 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.