From: Paul Eggert
Subject: Re: Closing a privilege escalation
Date: Wed, 25 Apr 2018 10:55:06 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
On 04/25/2018 10:09 AM, Stefan Monnier wrote:
> $HOME should point to a directory which is only writable by users of higher-or-equal privilege-level.
It's not just $HOME, though, right? It's also EMACSLOADPATH, EMACSPATH, ESHELL, HISTFILE, or anything else specifying where Emacs should get code or data from or send information to. (Oh, and don't forget my favorite environment variable TZ. :-) If Emacs is serious about not trusting sudo, then every file and directory specified by any of these would need to be vetted.
Also, to be safe shouldn't Emacs check ownership and permissions not only of each file and directory, but also of all those files' ancestors? For example, it won't help that /home/whatever is owned by root, if /home itself is owned by baduser.
And suppose the user is 'eggert' and the directory /usr/share/emacs/site-lisp (or whatever) is owned by user 'bin' - in that case, how should Emacs determine that 'bin' is a user of "higher-or-equal privilege level"?
We do have to be careful of mission creep here. Emacs is supposed to be a user-level application and setup security is supposed to be sudo's job.
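As an added illustration of the ancestor check raised above (example code written for this page, not part of the thread or of Emacs), here is a small Python checker that walks every ancestor of a path and applies one assumed trust policy; the trust policy, the `trusted_uids` set, the `env_paths` helper, the fake filesystem and its uid numbers are all constructed for the example.

```python
import os
import stat

# Policy assumed for this example (the thread leaves it open): a component is
# trusted only if owned by a uid in trusted_uids and not group/other-writable.

def ancestors(path):
    """Every prefix of the absolute path, root first: /a/b -> ['/', '/a', '/a/b']."""
    path, chain = os.path.abspath(path), []
    while True:
        chain.append(path)
        parent = os.path.dirname(path)
        if parent == path:
            return chain[::-1]
        path = parent

def untrusted_components(path, trusted_uids, lstat_fn=os.lstat):
    """(component, reason) for each ancestor of path failing the policy; [] if all pass."""
    problems = []
    for comp in ancestors(path):
        try:
            st = lstat_fn(comp)
        except OSError as exc:
            problems.append((comp, "cannot stat: %s" % exc.strerror))
            continue
        if stat.S_ISLNK(st.st_mode):  # a real checker would audit the link target too
            problems.append((comp, "is a symlink"))
        if st.st_uid not in trusted_uids:
            problems.append((comp, "owned by untrusted uid %d" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((comp, "group/other writable, mode %o" % stat.S_IMODE(st.st_mode)))
    return problems

def env_paths(environ):
    """Paths named by the variables in the thread (EMACSLOADPATH/EMACSPATH are
    pathsep-separated; TZ names a file only in glibc's ':/abs/path' form)."""
    paths = [environ[v] for v in ("HOME", "ESHELL", "HISTFILE") if v in environ]
    for v in ("EMACSLOADPATH", "EMACSPATH"):
        paths += [p for p in environ.get(v, "").split(os.pathsep) if p]
    tz = environ.get("TZ", "")
    return paths + ([tz[1:]] if tz.startswith(":/") else [])

# Constructed fake filesystem: /home owned by 'baduser' (uid 2001), /home/eggert fine.
FAKE_FS = {"/": (0, 0o40755), "/home": (2001, 0o40755),
           "/home/eggert": (1000, 0o40755), "/home/eggert/.emacs.d": (1000, 0o40775)}

def fake_lstat(p):
    if p not in FAKE_FS:
        raise FileNotFoundError(2, "No such file or directory", p)
    uid, mode = FAKE_FS[p]
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))
```

Running `untrusted_components("/home/eggert/.emacs.d", {0, 1000}, fake_lstat)` against the fake tree flags `/home` for its owner even though `/home/eggert` itself passes, which is exactly the case the message describes.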