GNU bug report logs - #51327
28.0.60; emacsclient warns about XDG_RUNTIME_DIR when starting daemon on-demand

Previous Next

Package: emacs;

Reported by: Jim Porter <jporterbugs <at> gmail.com>

Date: Fri, 22 Oct 2021 04:59:02 UTC

Severity: normal

Tags: security

Found in version 28.0.60

Full log

Message #34 received at 51327 <at> debbugs.gnu.org (full text, mbox):

From: Jim Porter <jporterbugs <at> gmail.com>
To: Ulrich Mueller <ulm <at> gentoo.org>, 51327 <at> debbugs.gnu.org
Cc: Paul Eggert <eggert <at> cs.ucla.edu>
Subject: Re: bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when
 starting daemon on demand
Date: Thu, 11 Nov 2021 09:06:36 -0800

On 11/11/2021 5:04 AM, Ulrich Mueller wrote:
>>>>>> On Fri, 05 Nov 2021, Ulrich Mueller wrote:
> 
>>>>>> On Fri, 05 Nov 2021, Jim Porter wrote:
>>> I'm not an expert on this kind of attack, but my understanding is that
>>> it could go something like this:
> 
>>> 1. Attacker runs `evil-daemon' which puts its socket in /tmp/evil
>>> 2. Attacker runs `ln -s /tmp/evil /tmp/emacs1000/server'
> 
>> Right, and IIUC this must be carefully timed to exploit some race
>> condition between permission checking and creating the socket. I am
>> not an expert on this either.
> 
> Thinking about it some more, when you always start the daemon with
> XDG_RUNTIME_DIR present, there won't be a /tmp/emacs1000/server (at
> least not one with correct user and permissions), and I don't believe
> that a symlink attack would be possible.
> 
> OTOH, when you start the daemon without XDG_RUNTIME_DIR, then the socket
> will be created in /tmp, but in that case you'd want the client to find
> it there.

The case I'm concerned about is when the daemon *hasn't* been started 
yet by the time emacsclient is called. In that case, emacsclient checks 
both XDG_RUNTIME_DIR and TMPDIR before giving up and starting the 
daemon. In this case, that means that even on a system where Emacs only 
uses XDG_RUNTIME_DIR in practice, it'll still search TMPDIR the first 
time when looking for the (non-existent) daemon. The question then is 
whether it's safe for the emacsclient to look in TMPDIR to confirm that 
no daemon already exists.

It's possible that this behavior is perfectly safe, but the way the code 
is currently written (plus Paul Eggert's reply in this bug) seem to 
indicate that it's vulnerable to attack. If it really is vulnerable, 
then I think it should be fixed; if it's safe, then just eliminating the 
warning is sufficient of course.
This bug report was last modified 2 years and 284 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.