emacs-devel

Re: emacsclient socket ownership


From: Glenn Morris
Subject: Re: emacsclient socket ownership
Date: Sun, 04 Nov 2018 20:13:45 -0500
User-agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/)

Thanks for looking at this. (I wish you'd reply-to-all though...)

Stefan Monnier wrote:

> so it's likely meant for the case where you `su` (or `sudo`) and want to
> use emacsclient from root but connect to your main (non-root) Emacs server.

Tramp methods would seem a better alternative for this.
So I suggest favoring (slight) security over (slighter) convenience, and
eliminating the emacsclient UID 0 exception.

> I guess the risk is reduced in practice for the following reason:
> server.el should hopefully signal an error if it can't create&own
> /tmp/emacsUID/server, so emacsclient only risks connecting to a wrong
> Emacs if:
> - you forgot to start your Emacs server.
> - your Emacs failed to start and you didn't notice it.
> - server.el did not check things carefully enough and the attacker
>   managed to replace your socket with his (e.g. /tmp/emacsUID/ or /tmp is
>   somehow writable for the attacker).

If you are in the habit of using emacsclient -a "", none of the server.el
checks apply. emacsclient will simply start talking to the running
server if it finds one. /tmp is usually world writable.

> Right, the problem is not really that the other end of the socket
> belongs to another user, but that the other end may be something else
> than intended (e.g. it could be some unsuspecting daemon running as root

That's beyond what I was thinking about initially, and would also apply
to non-root users. I was thinking of the case where non-root Emacs eg
runs a keylogger to watch what root types.


BTW is /tmp still the right default location for these sockets, or
should it be eg /run or XDG_RUNTIME_DIR these days?
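
The ownership check this thread is about, written out as an added example (it is not emacsclient's source and not part of the message above): a client-side test of the socket and its directory, with the UID 0 exception as a switch so the strict and lenient policies can be compared. The names `owner_acceptable`, `check_server_socket` and `demo_dir` and the `/tmp/sockdemo.XXXXXX` path are hypothetical.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

enum { SOCK_OK, SOCK_MISSING, SOCK_BAD_TYPE, SOCK_WRONG_OWNER, SOCK_DIR_WRITABLE };

/* With root_exception set, UID 0 accepts a socket owned by anyone (the
   exception discussed in the thread); with it clear, owners must match. */
int owner_acceptable(uid_t owner, uid_t caller, int root_exception) {
    return owner == caller || (root_exception && caller == 0);
}

/* Check the directory and the socket before connecting; lstat() is used so
   that symlinks are not followed. */
int check_server_socket(const char *dir, const char *name, uid_t caller, int root_exception) {
    struct stat d, s;
    char path[4096];
    if ((size_t)snprintf(path, sizeof path, "%s/%s", dir, name) >= sizeof path) return SOCK_MISSING;
    if (lstat(dir, &d) != 0 || lstat(path, &s) != 0) return SOCK_MISSING;
    if (!S_ISDIR(d.st_mode) || !S_ISSOCK(s.st_mode)) return SOCK_BAD_TYPE;
    if (!owner_acceptable(d.st_uid, caller, root_exception) ||
        !owner_acceptable(s.st_uid, caller, root_exception)) return SOCK_WRONG_OWNER;
    /* A group- or world-writable directory lets another user replace the socket. */
    if (d.st_mode & (S_IWGRP | S_IWOTH)) return SOCK_DIR_WRITABLE;
    return SOCK_OK;
}

/* Constructed sample input: a private temp dir holding a bound socket "server". */
const char *demo_dir(void) {
    static char dir[64];
    struct sockaddr_un a = { .sun_family = AF_UNIX };
    if (dir[0]) return dir;               /* created once, then reused */
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    snprintf(dir, sizeof dir, "/tmp/sockdemo.XXXXXX");
    if (fd < 0 || !mkdtemp(dir)) return NULL;
    snprintf(a.sun_path, sizeof a.sun_path, "%s/server", dir);
    return bind(fd, (struct sockaddr *)&a, sizeof a) == 0 ? dir : NULL;
}

int main(void) {
    const char *dir = demo_dir();
    if (!dir) return 1;
    printf("own uid, strict: %d\n", check_server_socket(dir, "server", geteuid(), 0));
    return 0;
}
```

A check based on stat alone still leaves a window between the check and the connect.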


