emacs-devel

Re: Closing a privilege escalation


From: Stefan Monnier
Subject: Re: Closing a privilege escalation
Date: Wed, 25 Apr 2018 13:09:19 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)

> A normal (uncompromised) user account inadvertently installs a malicious
> Emacs package that contains exploit code that waits to be run as root.

At that point, the account *is* compromised.

And this exploit code could just as well not wait to be run as root and
instead install a key-logger on `sudo`, after which the attacker can
`sudo` to run any code it wants.

> This entire class of exploit can be avoided by suitable sudo options
> (always_set_home etc), but that doesn't necessarily mean that Emacs
> should not do something about it.

I think running as UID=0 with $HOME pointing to a directory writable (or
containing files writable) by non-root users is fundamentally insecure.

More generally $HOME should point to a directory which is only writable
by users of higher-or-equal privilege-level.

> It seems to me, that "if UID = 0, set user-init-file, user-emacs-directory
> etc to those of root" is a simpler solution than the one you propose.

We could try and paper over the problem this way, indeed.

Rather than (re)set user-init-file and user-emacs-directory, I'd rather
reset $HOME altogether (and stash the old value somewhere, so
~root/.emacs can still read that user's ~/.emacs if they *really* want),
tho, and emit a warning message while doing it, of course, so the user
isn't caught by surprise.


        Stefan
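The condition Stefan describes, a root process whose $HOME (or the init files under it) is writable by lower-privilege users, and his proposed fallback of resetting $HOME with a warning while stashing the old value, can be checked from a shell wrapper. The script below is an added example written for this page; it is not code from the thread or from Emacs. It assumes GNU coreutils `stat` (for the `-c` format), checks the usual Emacs init-file locations (~/.emacs, ~/.emacs.el, ~/.emacs.d/init.el), and uses EMACS_ORIGINAL_HOME as an invented name for the stashed value; Emacs itself defines no such variable.

```shell
#!/bin/sh
# Added example (not from the emacs-devel thread): check whether HOME_DIR is
# safe for a process running as OWNER_UID to trust, and pick a fallback HOME
# when it is not.  Assumes GNU coreutils `stat`.

# Print every path Emacs would consult under HOME_DIR that is NOT safe for
# OWNER_UID: anything not owned by OWNER_UID, or writable by group/others.
# Returns 0 if everything is safe, 1 otherwise.
check_home_for_uid() {
  home_dir=$1
  owner_uid=$2
  unsafe=0
  for p in "$home_dir" "$home_dir/.emacs" "$home_dir/.emacs.el" \
           "$home_dir/.emacs.d" "$home_dir/.emacs.d/init.el"; do
    [ -e "$p" ] || continue
    # -L follows symlinks, so a link at ~/.emacs is judged by its target.
    st=$(stat -L -c '%u %a' "$p") || return 1
    uid=${st% *}
    mode=${st#* }
    other=${mode#"${mode%?}"}      # last octal digit: permissions for others
    rest=${mode%?}
    group=${rest#"${rest%?}"}      # second-to-last digit: permissions for group
    reason=
    [ "$uid" = "$owner_uid" ] || reason="owned by uid $uid, not $owner_uid"
    case $group in 2|3|6|7) reason="${reason:+$reason; }group-writable";; esac
    case $other in 2|3|6|7) reason="${reason:+$reason; }world-writable";; esac
    if [ -n "$reason" ]; then
      printf '%s: %s (mode %s)\n' "$p" "$reason" "$mode"
      unsafe=1
    fi
  done
  return $unsafe
}

# Choose the HOME a root Emacs should use: keep ORIG_HOME if it passes the
# check above; otherwise warn on stderr, stash the original in
# EMACS_ORIGINAL_HOME (a name assumed here, not an Emacs variable) and fall
# back to SAFE_HOME.  The chosen path is printed on stdout.
pick_home() {
  orig_home=$1
  safe_home=$2
  owner_uid=${3:-0}
  if problems=$(check_home_for_uid "$orig_home" "$owner_uid"); then
    printf '%s\n' "$orig_home"
  else
    printf 'Warning: HOME=%s is not safe for uid %s; using %s instead.\n%s\n' \
      "$orig_home" "$owner_uid" "$safe_home" "$problems" >&2
    EMACS_ORIGINAL_HOME=$orig_home
    export EMACS_ORIGINAL_HOME
    printf '%s\n' "$safe_home"
  fi
}

# Usage from a root shell (root's home taken from the passwd database):
#   HOME=$(pick_home "$HOME" "$(getent passwd root | cut -d: -f6)") emacs
```

The check looks at ownership as well as mode bits because a directory owned by the invoking user is writable by that user regardless of its permission digits; sudo's `always_set_home` option sidesteps the whole question by never handing root a foreign $HOME in the first place.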



