GNU bug report logs -
#51327
28.0.60; emacsclient warns about XDG_RUNTIME_DIR when starting daemon on-demand
Previous Next
Full log
Message #28 received at 51327 <at> debbugs.gnu.org (full text, mbox):
>>>>> On Fri, 05 Nov 2021, Jim Porter wrote:
> (Cc'ing Paul Eggert, who can probably answer more confidently than me.)
> On 11/5/2021 11:05 AM, Ulrich Mueller wrote:
>> Can someone please explain to me how an exploit on the _client_ side
>> would look like?
>> When starting the server, I can believe that there may be some
>> surface for a symlink attack. But once the daemon is running? What is
>> the security issue for the client checking TMPDIR?
> I'm not an expert on this kind of attack, but my understanding is that
> it could go something like this:
> 1. Attacker runs `evil-daemon' which puts its socket in /tmp/evil
> 2. Attacker runs `ln -s /tmp/evil /tmp/emacs1000/server'
Right, and IIUC this must be carefully timed to exploit some race
condition between permission checking and creating the socket. I am not
an expert on this either.
> 3. User runs `emacsclient --alternate-editor=""'
> 4. emacsclient doesn't see a socket in XDG_RUNTIME_DIR, checks TMPDIR
> 5. emacsclient connects to evil-daemon
Note that after locating the socket, emacsclient will double check for
sane permissions. That is, correct user id and _no_ write permission for
either group or others. That's why I think that there's little attack
surface on the client side, once the socket has been created.
> The evil-daemon probably can't get access to the user's files, but
> might be able to trick a user into entering some secret. I'll let
> others chime in too though, since like I said, I'm not an expert.
> If I'm wrong and this isn't an a problem, then I agree that all we
> need to do here is silence the warning.
This bug report was last modified 2 years and 284 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.