From: Jim Porter
Subject: bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when starting daemon on demand
Date: Thu, 11 Nov 2021 09:06:36 -0800

On 11/11/2021 5:04 AM, Ulrich Mueller wrote:
> On Fri, 05 Nov 2021, Ulrich Mueller wrote:
>
>> On Fri, 05 Nov 2021, Jim Porter wrote:
>>> I'm not an expert on this kind of attack, but my understanding is that
>>> it could go something like this:
>>>
>>> 1. Attacker runs `evil-daemon' which puts its socket in /tmp/evil
>>> 2. Attacker runs `ln -s /tmp/evil /tmp/emacs1000/server'
>>
>> Right, and IIUC this must be carefully timed to exploit some race
>> condition between permission checking and creating the socket. I am
>> not an expert on this either.
>
> Thinking about it some more, when you always start the daemon with
> XDG_RUNTIME_DIR present, there won't be a /tmp/emacs1000/server (at
> least not one with correct user and permissions), and I don't believe
> that a symlink attack would be possible.
>
> OTOH, when you start the daemon without XDG_RUNTIME_DIR, then the socket
> will be created in /tmp, but in that case you'd want the client to find
> it there.

The case I'm concerned about is when the daemon *hasn't* been started yet by the time emacsclient is called. In that case, emacsclient checks both XDG_RUNTIME_DIR and TMPDIR before giving up and starting the daemon. In this case, that means that even on a system where Emacs only uses XDG_RUNTIME_DIR in practice, it'll still search TMPDIR the first time when looking for the (non-existent) daemon. The question then is whether it's safe for the emacsclient to look in TMPDIR to confirm that no daemon already exists.

It's possible that this behavior is perfectly safe, but the way the code is currently written (plus Paul Eggert's reply in this bug) seems to indicate that it's vulnerable to attack. If it really is vulnerable, then I think it should be fixed; if it's safe, then just eliminating the warning is sufficient of course.
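The kind of check a client can apply before trusting a socket it finds under TMPDIR, as an added example that is not emacsclient's own code: it assumes Linux/glibc, and the names check_socket_dir and scenario, the error codes and the fixture paths are constructed here. The symlink case from the quoted message above is one of the three self-test scenarios.

```c
#define _GNU_SOURCE            /* O_NOFOLLOW, fstatat, mkdtemp on glibc */
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

enum sock_check { SOCK_OK, SOCK_BAD_DIR, SOCK_BAD_OWNER, SOCK_BAD_MODE,
                  SOCK_ABSENT, SOCK_NOT_SOCKET };
#define FAIL(code) do { close(fd); return (code); } while (0)
/* Open DIR without following symlinks, require a directory owned by us with
 * no group/other bits, then inspect NAME relative to that fd (again without
 * following links), so nothing swapped in between check and use can redirect
 * us. On SOCK_OK, *out_fd is the verified directory fd (caller closes it). */
enum sock_check check_socket_dir(const char *dir, const char *name, int *out_fd)
{
    struct stat st;
    int fd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return SOCK_BAD_DIR;                 /* absent, or a symlink */
    if (fstat(fd, &st) < 0 || !S_ISDIR(st.st_mode)) FAIL(SOCK_BAD_DIR);
    if (st.st_uid != getuid()) FAIL(SOCK_BAD_OWNER);
    if (st.st_mode & (S_IRWXG | S_IRWXO)) FAIL(SOCK_BAD_MODE);
    if (fstatat(fd, name, &st, AT_SYMLINK_NOFOLLOW) < 0) FAIL(SOCK_ABSENT);
    if (!S_ISSOCK(st.st_mode)) FAIL(SOCK_NOT_SOCKET); /* symlink or plain file */
    *out_fd = fd;
    return SOCK_OK;
}

/* Constructed fixture for self-testing. 0: real socket in a private dir,
 * 1: "server" is a symlink (the attack above), 2: the dir is a symlink. */
enum sock_check scenario(int which)
{
    char base[] = "/tmp/sockchkXXXXXX", dir[64], entry[64];
    int fd = -1;
    if (!mkdtemp(base)) return SOCK_BAD_DIR;
    strcpy(dir, base);  strcat(dir, "/emacs");
    strcpy(entry, dir); strcat(entry, "/server");
    if (which == 2) symlink(".", dir); else mkdir(dir, 0700);
    if (which == 1) symlink("/tmp/evil", entry);
    if (which == 0) {                                /* bind a real socket */
        struct sockaddr_un sa = { .sun_family = AF_UNIX };
        strncpy(sa.sun_path, entry, sizeof sa.sun_path - 1);
        int s = socket(AF_UNIX, SOCK_STREAM, 0);
        bind(s, (struct sockaddr *)&sa, sizeof sa); close(s);
    }
    enum sock_check rc = check_socket_dir(dir, "server", &fd);
    if (fd >= 0) close(fd); unlink(entry); if (rmdir(dir) < 0) unlink(dir); rmdir(base);
    return rc;
}
```

Connecting should then also go through the verified fd (for example by fchdir and a relative path) rather than through the original string, or the race simply moves to the connect call.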