GNU bug report logs - #33366
emacsclient to not follow symlinks to sockets

Previous Next

Package: emacs;

Reported by: Glenn Morris <rgm <at> gnu.org>

Date: Tue, 13 Nov 2018 18:21:02 UTC

Severity: minor

Tags: security

Found in version 26.2

Fixed in version 27.1

Done: Glenn Morris <rgm <at> gnu.org>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 33366 in the body.
You can then email your comments to 33366 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Message #1 received at quiet <at> debbugs.gnu.org (full text, mbox):

From: Glenn Morris <rgm <at> gnu.org>
To: quiet <at> debbugs.gnu.org
Subject: emacsclient to not follow symlinks to sockets
Date: Tue, 13 Nov 2018 13:20:21 -0500

Package: emacs
Version: 26.2
Severity: minor
Tags: security

In http://lists.gnu.org/r/emacs-devel/2018-11/msg00051.html some concern
was expressed about potential security implications from emacsclient
following symlinks to incorrect sockets.
Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#33366; Package emacs. (Mon, 03 Dec 2018 08:10:02 GMT) Full text and rfc822 format available.

Message #4 received at 33366 <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: 33366 <at> debbugs.gnu.org
Subject: Re: emacsclient to not follow symlinks to sockets
Date: Mon, 3 Dec 2018 00:09:15 -0800

[Message part 1 (text/plain, inline)]
After looking into this, I don't see any good solution on older systems where 
Emacs sockets are put under /tmp, particularly on ancient systems where /tmp is 
not sticky. There are too many ways to fool Emacs with symlinks, and none of the 
workarounds avoid all races. I did install the attached patch to fix a race that 
is reasonably easy to fix, by checking the socket's UID after connecting to it 
as well as before connecting to it.

On more-modern desktops where Emacs sockets live under XDG_RUNTIME_DIR (see 
Bug#33367, now fixed), the security issues of symlinks-to-sockets should go away 
unless the user explicitly specifies a socket. This may be the best we can do.

[0001-emacsclient-fix-symlink-socket-race.patch (text/x-patch, attachment)]
bug marked as fixed in version 27.1, send any further explanations to 33366 <at> debbugs.gnu.org and Glenn Morris <rgm <at> gnu.org> Request was from Glenn Morris <rgm <at> gnu.org> to control <at> debbugs.gnu.org. (Sat, 15 Dec 2018 23:23:02 GMT) Full text and rfc822 format available.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 13 Jan 2019 12:24:06 GMT) Full text and rfc822 format available.
This bug report was last modified 5 years and 103 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.