GNU bug report logs - #51327
28.0.60; emacsclient warns about XDG_RUNTIME_DIR when starting daemon on-demand

Package: emacs

Reported by: Jim Porter <jporterbugs <at> gmail.com>

Date: Fri, 22 Oct 2021 04:59:02 UTC

Severity: normal

Tags: security

Found in version 28.0.60

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Jim Porter <jporterbugs <at> gmail.com>, Stefan Kangas <stefan <at> marxist.se>, Eli Zaretskii <eliz <at> gnu.org>
Cc: 51327 <at> debbugs.gnu.org
Subject: bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when starting daemon on-demand
Date: Wed, 8 Dec 2021 11:06:12 -0800

On 12/7/21 22:57, Jim Porter wrote:
> Doing that by default opens a loophole for all emacsclient users, but 
> what about a command-line flag like `emacsclient 
> --allow-tmpdir-loophole' and/or an environment variable like 
> `EMACS_ALLOW_TMPDIR_LOOPHOLE=1 emacsclient' (with a better name, of 
> course)? Then, the default behavior would be free of loopholes[2], but 
> Ulrich's case could be achieved by passing that flag when calling 
> emacsclient. It might even be possible for Gentoo to enable that for the 
> user in the appropriate cases...

Yes, I think something like this would be OK. The command-line flag 
would be easier to audit.

Not sure whether a last-minute change like this should go into Emacs 28, 
though, even though it's security-relevant. Eli would be a better judge 
of that.




This bug report was last modified 2 years and 284 days ago.
