emacs-devel

Re: How do I report security issue?


From: Michael Albinus
Subject: Re: How do I report security issue?
Date: Sun, 11 Jul 2021 13:26:53 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)

Kenneth Wyatt <soy.el.gato.negro@gmail.com> writes:

> Hi guys,

Hi Kenneth,

> I found a very simple way to get a sudo/root shell in Emacs without
> passing a password check for launching the shell. While it does rely
> on actions by a user who does know the sudo password, once these
> actions are taken, an unattended terminal can be used to gain a full
> sudo shell session with (from what I can tell) no timeout on one's
> ability to do so.
>
> Unsure exactly where to report this as the public bugtracker seems
> inappropriate even if reporting it seems unlikely to result in
> widespread in-the-wild use.
>
> It's totally possible this is also "as intended" behaviour, but that
> seems unlikely, and if it is, I think changing the default behaviour
> would be the responsible thing to do. I'm sure I'm not the first
> person to discover this, but an admittedly cursory search didn't turn
> up discussion online.
>
> Could someone direct me where to report the replication steps in a
> responsible manner?

I suppose you mean Tramp's sudo method. Yes, this has been discussed
already. We made some countermeasures:

- For sudo (and doas) methods, there is a session timeout of 300
  seconds. That is, after that time of inactivity you must enter the
  password again. This behaviour is similar to a sudo call in a shell.

- If you are still concerned, there is the Tramp sudoedit method. This
  does not keep an open session running in the background.

For further discussion of Tramp problems, I might be the person to
contact, 'cos I'm the Tramp maintainer.

If you do not mean Tramp, I recommend contacting one of the Emacs
maintainers directly. These are Eli Zaretskii <eliz@gnu.org> and Lars
Ingebrigtsen <larsi@gnus.org>.

> Thanks so much,
>
> Kenneth

Best regards, Michael.
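The two countermeasures Michael describes (the sudo/doas session timeout and the sudoedit method) can be tightened further from a user's init file. The following is an added example, not code from the thread or from Tramp itself; it assumes Tramp 2.4 or later (bundled with Emacs 27+), a local host named localhost, a 60-second timeout and the key binding are arbitrary choices.

```elisp
;; Added hardening example, not from the thread.  Assumes Tramp 2.4+,
;; where a method parameter such as `tramp-session-timeout' can be
;; overridden per connection via `tramp-connection-properties'.
(require 'tramp)

;; Shorten the 300-second default inactivity timeout for sudo and doas
;; sessions to localhost.  After this many idle seconds Tramp drops the
;; privileged session and asks for the password again.  The regexp is
;; matched against the remote file name prefix (/method:user@host:).
(dolist (method '("sudo" "doas"))
  (add-to-list 'tramp-connection-properties
               (list (regexp-quote (format "/%s:root@localhost:" method))
                     "session-timeout" 60)))   ; 60 s is an assumption

;; For one-off edits of system files, prefer the sudoedit method, which
;; does not keep a privileged shell running in the background, e.g.
;;   C-x C-f /sudoedit::/etc/hosts

;; Before leaving a terminal unattended, close every open Tramp
;; connection (cached sudo sessions included) so no privileged shell
;; survives.  The key choice is an assumption.
(global-set-key (kbd "C-c t k") #'tramp-cleanup-all-connections)
```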
