GNU bug report logs - #75017
31.0.50; Untrusted user lisp files

Previous Next

Package: emacs;

Reported by: john muhl <jm <at> pub.pink>

Date: Sat, 21 Dec 2024 20:50:02 UTC

Severity: normal

Found in version 31.0.50

Full log

Message #20 received at 75017 <at> debbugs.gnu.org (full text, mbox):

From: Stefan Kangas <stefankangas <at> gmail.com>
To: Eli Zaretskii <eliz <at> gnu.org>, john muhl <jm <at> pub.pink>
Cc: 75017 <at> debbugs.gnu.org
Subject: Re: bug#75017: 31.0.50; Untrusted user lisp files
Date: Sun, 22 Dec 2024 17:20:13 +0000

Eli Zaretskii <eliz <at> gnu.org> writes:

>> From: john muhl <jm <at> pub.pink>
>> Date: Sat, 21 Dec 2024 14:48:52 -0600
>>
>> user-init-file is trusted by default but not other user files.
>>
>>   C-xf ~/.emacs.d/early-init.el
>>   M-x flymake-mode
>>
>> Produces a warning:
>>
>>   Disabling elisp-flymake-byte-compile in early-init.el (untrusted content)
>>
>> custom-file (when not the same as user-init-file) also causes a
>> warning. Should these also be trusted by default?
>
> No, not IMO.  Please add those files you know you can trust to the
> list of trusted files, and let's see if that works well for you.  If,
> after you have used that for some time, you have observations to
> report or changes to suggest, please do, but let's please base such
> observations on some sufficiently significant (read: long enough)
> experience.
>
>> What about files put in place by a system admin or your distro’s
>> Emacs package (e.g. site-run-file, default.el)? They generally
>> require root priviledges to install so if they can’t be trusted
>> you’re already in trouble.
>
> On my system, these files do not need any admin privileges, so I don't
> think we should trust them by default.  Users who know that these
> files are modified only by trusted admins can and probably should add
> them to the list of trusted files, if they need that (in general,
> there should be no need to run Flymake in those files, in which case
> these files don't need to be added even if they are trusted).

I don't think it's meaningful to consider them as not
`trusted-content-p`, when we automatically load these files into any
running Emacs session.

> Btw, if we are talking about trusted admins, then entire directories
> should be trusted, for example /usr/share or /usr/share/emacs.

Yes, though we'd have to discuss which directories those are;
`load-path` and `source-directory` are two candidates.

> There's a reason why we didn't do that by default.

My understanding is that we just didn't consider all of these cases.
At least I didn't.

If others did, it wasn't sufficiently explicit for me to notice.
This bug report was last modified 171 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.