GNU bug report logs - #51327
28.0.60; emacsclient warns about XDG_RUNTIME_DIR when starting daemon on-demand

Package: emacs;

Reported by: Jim Porter <jporterbugs <at> gmail.com>

Date: Fri, 22 Oct 2021 04:59:02 UTC

Severity: normal

Tags: security

Found in version 28.0.60

From: Eli Zaretskii <eliz <at> gnu.org>
To: Paul Eggert <eggert <at> cs.ucla.edu>
Cc: jporterbugs <at> gmail.com, 51327 <at> debbugs.gnu.org, stefan <at> marxist.se
Subject: bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when starting daemon on-demand
Date: Wed, 08 Dec 2021 21:16:40 +0200

> Date: Wed, 8 Dec 2021 11:06:12 -0800
> Cc: 51327 <at> debbugs.gnu.org
> From: Paul Eggert <eggert <at> cs.ucla.edu>
> 
> On 12/7/21 22:57, Jim Porter wrote:
> > Doing that by default opens a loophole for all emacsclient users, but 
> > what about a command-line flag like `emacsclient 
> > --allow-tmpdir-loophole' and/or an environment variable like 
> > `EMACS_ALLOW_TMPDIR_LOOPHOLE=1 emacsclient' (with a better name, of 
> > course)? Then, the default behavior would be free of loopholes[2], but 
> > Ulrich's case could be achieved by passing that flag when calling 
> > emacsclient. It might even be possible for Gentoo to enable that for the 
> > user in the appropriate cases...
> 
> Yes, I think something like this would be OK. The command-line flag 
> would be easier to audit.
> 
> Not sure whether a last-minute change like this should go into Emacs 28, 
> though, even though it's security-relevant. Eli would be a better judge 
> of that.

If it's a new command-line argument, and if the participants in this
discussion can live with it as the solution for this problem, I'm okay
with having it on emacs-28.

Thanks.




This bug report was last modified 2 years and 284 days ago.
