sudo access is not required to edit the init file.
The only requirement is that the user is a sudoer (a user that’s in /etc/sudoers). It is different: a sudoer is a user that is able to elevate to root after entering root password, it doesn't mean that it is always doing things as root. Such a user still needs to explicitly "sudo" for elevated commands (similar to "Run As Administrator" or UAC in Windows).
So what I identified here is that such a user can be used by an attacker to edit the init file without elevating, even though the same file will be loaded when elevating the editor.
The flow: after inserting malicious commands to the init script, all the attacker has to do is wait for the user to elevate Emacs at some point (under the assumption that the user will at some point elevate Emacs, which may not always be true). The malicious commands will be run as root.
>>>>> "DA" == Dor Azouri <dor.azouri@safebreach.com> writes:
DA> In short, a malicious actor that can execute code as one of the sudoers
DA> (in non-elevated mode), can edit the init file, and add malicious commands
DA> to it. Then he needs to wait for that user to invoke the editor in
DA> elevated mode - and the plugin that was written before, will be loaded
DA> with the root permissions.
If the user has sudo access to run Emacs, isn't the game already over? They
could M-x shell and rm -fr /, no?
--
John Wiegley GPG fingerprint = 4710 CF98 AF9B 327B B80F
http://newartisans.com 60E1 46C4 BD1A 7AC1 4BA2