Re: sudo:: method in tramp possible security issue

[Michael Albinus]

João Távora <address@hidden> writes:

> Hello emacs-devel, 

Hi João,

> The off-list discussion below is about TRAMP's usage of 
> the /sudo:: method, which surprised me very much recently 
> because I discovered that it lets any elisp run arbitrary shell 
> commands with root permissions while the buffer editing a file 
> with /sudo:: is live.  
>
> So in theory you could write malicious elisp code to lay there
> hoping to hijack a users system on their first file of 
> /sudo::/etc/apt/sources.list, for example. Supposing all the user 
> wanted is to edit that file, starting a full "elisp sudo server" for 
> the duration of the buffer is clearly overkill and unnecessarily 
> dangerous for most users.

It isn't overkill. The implementation in Tramp depends on the file name
handler concept, which requires to implement 70 basic functions. How
would it be possible to implement `file-attributes', for example, w/o an
interactive shell with root permissions?

> For me this is a very serious security hole, but apparently
> it's part of the contract of the /sudo:: method.
>
> I am arguing for:
>
> 1. A sudoedit method that works like `sudo -e`

Agreed. It shall basically implement just `insert-file-contents' and
`write-region'. (If possible, I haven't started to investigate in detail).

> 2. A one-time stern warning the first time that the user uses /sudo:: 
> to explain the security implications to new users.

Here I'm not convinced. I agree that it must be said more prominent in
the Tramp manual, that an interactive session with root permissions is
running in the background, but I believe it would be too bossy to tell
users they shall not use "/sudo::". It is like telling something like
this to users, who call sudo in a terminal. Are there such warnings,
somewhere?

> Michael and I are converging on some possibilities, but I
> think it's a good idea to have the rest of emacs-devel speak
> their mind.
>
> Thanks,
> João

Best regards, Michael.