GNU bug report logs - #51327
28.0.60; emacsclient warns about XDG_RUNTIME_DIR when starting daemon on-demand

Message received at 51327 <at> debbugs.gnu.org:

Received: (at 51327) by debbugs.gnu.org; 7 Dec 2021 11:26:32 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Dec 07 06:26:32 2021
Received: from localhost ([127.0.0.1]:36472 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1muYcC-00064b-5b
	for submit <at> debbugs.gnu.org; Tue, 07 Dec 2021 06:26:32 -0500
Received: from mail-pf1-f176.google.com ([209.85.210.176]:37509)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <stefankangas@HIDDEN>) id 1muYcA-00064L-3i
 for 51327 <at> debbugs.gnu.org; Tue, 07 Dec 2021 06:26:30 -0500
Received: by mail-pf1-f176.google.com with SMTP id 8so13189418pfo.4
 for <51327 <at> debbugs.gnu.org>; Tue, 07 Dec 2021 03:26:30 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:from:in-reply-to:references:user-agent
 :mime-version:date:message-id:subject:to:cc;
 bh=RWjOzYn+yO6DZ4ddNhjTf7EqGuIf0kDCaxDkP6SkiuY=;
 b=3IGC7S2evyIHlqc8VfC8IH7yRzSdWKFR1rwPpRPYjUarj7Um5OHuCAQiPwKBG9uay2
 P/W/XcgxfVinA8s42caPWiqXTqjVPXhXZmfeH3zpuux+5VUgPci5ywZDHiX6nQJs/kV+
 1B86Vz+hrJBDTERxzs6e7tatplmQvZCQQMpDf+nXDUmzBalePYamYhp0al28BKsuMbnN
 d8PtSDWBbc6AQUmObw8XAXl1VzNES/EaAGDe7rrYk5w9yCfFIFCY8+GdoN0PR53XjnxN
 cjTKd8rfM/PisVTpLCnKXE3bhqqtFmozBcCmIPA9mkyE2WvdIlgVSyuiZ/Vp94Yrg2Cs
 xvYA==
X-Gm-Message-State: AOAM533ClsNZCyGTt4EsSoWctF5vqcyoMdWO+lVrzO5r6zPsd70R1jfE
 s+gj5kDh1Es8l+X0tP1e7stwG6ydgSO94jwpN4I=
X-Google-Smtp-Source: ABdhPJy3oWSHcwuBNelrJ0GkUyfCQh54rcM7K8DoZXoJqd3ipwdkqaeksLGV8LywJMGKWw3oX+/+6fClZeny9sIYZ4U=
X-Received: by 2002:aa7:8283:0:b0:49f:a0d0:abcf with SMTP id
 s3-20020aa78283000000b0049fa0d0abcfmr16852487pfm.70.1638876384229; Tue, 07
 Dec 2021 03:26:24 -0800 (PST)
Received: from 753933720722 named unknown by gmailapi.google.com with
 HTTPREST; Tue, 7 Dec 2021 12:26:23 +0100
From: Stefan Kangas <stefan@HIDDEN>
In-Reply-To: <b6140cd0-b692-0be9-70c2-64e751381ae6@HIDDEN> (Paul Eggert's
 message of "Sat, 30 Oct 2021 15:33:11 -0700")
References: <ba5ee273-9d0f-7baf-ef2e-d0b005f29ed0@HIDDEN>
 <53706fa9-1458-fb5c-bd31-15ab555b59e9@HIDDEN>
 <b6140cd0-b692-0be9-70c2-64e751381ae6@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/29.0.50 (gnu/linux)
MIME-Version: 1.0
Date: Tue, 7 Dec 2021 12:26:23 +0100
Message-ID: <CADwFkmk3hCc_2ZcqJnexHKt7tNnBsUbGpM1X57-xtLU3EKrKjg@HIDDEN>
Subject: Re: bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when
 starting daemon on-demand
To: Paul Eggert <eggert@HIDDEN>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: 0.5 (/)
X-Debbugs-Envelope-To: 51327
Cc: Jim Porter <jporterbugs@HIDDEN>, 51327 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.5 (/)

Paul Eggert <eggert@HIDDEN> writes:

> Thanks, this patch looks good to me. You're right that the current approach is
> insecure, and your patch should make it somewhat less insecure.

Agreed.  The only question is if this patch should go to emacs-28 or
master?  Perhaps Eli or Lars has an opinion about that.

Message received at 51327 <at> debbugs.gnu.org:

Received: (at 51327) by debbugs.gnu.org; 12 Nov 2021 02:21:35 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Nov 11 21:21:35 2021
Received: from localhost ([127.0.0.1]:42724 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mlMC6-00062Y-Rk
	for submit <at> debbugs.gnu.org; Thu, 11 Nov 2021 21:21:34 -0500
Received: from zimbra.cs.ucla.edu ([131.179.128.68]:47824)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eggert@HIDDEN>) id 1mlMC3-00062H-H6
 for 51327 <at> debbugs.gnu.org; Thu, 11 Nov 2021 21:21:33 -0500
Received: from localhost (localhost [127.0.0.1])
 by zimbra.cs.ucla.edu (Postfix) with ESMTP id 725F11600FC;
 Thu, 11 Nov 2021 18:21:25 -0800 (PST)
Received: from zimbra.cs.ucla.edu ([127.0.0.1])
 by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10032)
 with ESMTP id pYjOikSM2CUB; Thu, 11 Nov 2021 18:21:24 -0800 (PST)
Received: from localhost (localhost [127.0.0.1])
 by zimbra.cs.ucla.edu (Postfix) with ESMTP id CD45B160100;
 Thu, 11 Nov 2021 18:21:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at zimbra.cs.ucla.edu
Received: from zimbra.cs.ucla.edu ([127.0.0.1])
 by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10026)
 with ESMTP id zTuiXwF7gWOv; Thu, 11 Nov 2021 18:21:24 -0800 (PST)
Received: from [192.168.1.9] (cpe-172-91-119-151.socal.res.rr.com
 [172.91.119.151])
 by zimbra.cs.ucla.edu (Postfix) with ESMTPSA id A68811600FC;
 Thu, 11 Nov 2021 18:21:24 -0800 (PST)
Message-ID: <87cc40c9-de9b-8d26-eaad-5c08f4bd065a@HIDDEN>
Date: Thu, 11 Nov 2021 18:21:24 -0800
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.2.1
Subject: Re: bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when
 starting daemon on demand
Content-Language: en-US
To: Jim Porter <jporterbugs@HIDDEN>, Ulrich Mueller <ulm@HIDDEN>,
 51327 <at> debbugs.gnu.org
References: <ba5ee273-9d0f-7baf-ef2e-d0b005f29ed0@HIDDEN>
 <uczneyjin@HIDDEN> <238ece9e-df13-a604-ba3a-36b346857423@HIDDEN>
 <uwnlmwk9u@HIDDEN> <f13fb4b7-0299-db20-e80c-9c14be4ba466@HIDDEN>
 <umtmiwhm4@HIDDEN> <u7ddevo6y@HIDDEN>
 <82a66db9-f9b3-fc0f-a98d-8900d4fec066@HIDDEN>
From: Paul Eggert <eggert@HIDDEN>
Organization: UCLA Computer Science Department
In-Reply-To: <82a66db9-f9b3-fc0f-a98d-8900d4fec066@HIDDEN>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Score: -2.4 (--)
X-Debbugs-Envelope-To: 51327
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.4 (---)

On 11/11/21 09:06, Jim Porter wrote:
> It's possible that this behavior is perfectly safe, but the way the code 
> is currently written (plus Paul Eggert's reply in this bug) seem to 
> indicate that it's vulnerable to attack.

Yes, that's indeed the worry.

Message received at 51327 <at> debbugs.gnu.org:

Received: (at 51327) by debbugs.gnu.org; 11 Nov 2021 17:06:44 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Nov 11 12:06:44 2021
Received: from localhost ([127.0.0.1]:42133 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mlDXA-00048R-Aa
	for submit <at> debbugs.gnu.org; Thu, 11 Nov 2021 12:06:44 -0500
Received: from mail-pg1-f170.google.com ([209.85.215.170]:33326)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <jporterbugs@HIDDEN>) id 1mlDX8-000488-Ku
 for 51327 <at> debbugs.gnu.org; Thu, 11 Nov 2021 12:06:43 -0500
Received: by mail-pg1-f170.google.com with SMTP id 136so1036394pgc.0
 for <51327 <at> debbugs.gnu.org>; Thu, 11 Nov 2021 09:06:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
 h=subject:to:cc:references:from:message-id:date:mime-version
 :in-reply-to:content-language:content-transfer-encoding;
 bh=6o6VHQtLCx81SdiuQjRF5NVLhaEm0M3mHwQJHLvis6s=;
 b=n+hloJschzHzW29ndgGrXjA2YanVpXUzp74tvPQpwpGtJv3wBWu4XpUHjL2kwSlfU9
 yNVd4+aH6KID2hi0+mYcfRszzUOkdpfaGMvoFuofCDRFOvm+/2RDYmh+fbZX1pbkbV+6
 /lWvloCtlXYT6UXrMlqVVLjXbB8KK/Yjgny4gFN1IqaybQ4eIlWQ9uCXUNIN3iSSlGNQ
 oSDa374zx1dEyV9fcTcoH28HIuhvl/hachv59lxbkXUm/y7L2wwdJI0XWPm2Pih9Yz+L
 CpUJsom2dODjwfjuZbTp8/RNoJWqv1vqHHTnPK/3weFr7cEWYuKhWDNJbmH55c5+fH45
 MljQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:subject:to:cc:references:from:message-id:date
 :mime-version:in-reply-to:content-language:content-transfer-encoding;
 bh=6o6VHQtLCx81SdiuQjRF5NVLhaEm0M3mHwQJHLvis6s=;
 b=wUZxB/Zf1Kcl2cPjUg5hNofBaz6JknONeQjjT77r/50aCa0MB7DsCwd6iOx7e/jZ0p
 E4+e66H245JpFjps33lCZoIlE7IqvViV35isa7ZOM2oAgop7Zd0vXp8iuddxp1D/WlpL
 Lk7lHQfULwedfACek3Jo4MTVWX4L9eim4Q42dW+9nld8ObMbIDCvMHm16usOX0motflS
 JSJyJuXIoiLmMJc+DUoZRqbR9BsahqrI54Qc8GIn+RaqRd1nHW2YsUvmzlB0fBtMdE2/
 9zEBbyjHmH902RsiW2iPl6vUSU/dTMeltZ5ooOUed/ku/mHUw35xVGxkJZECtHDv+cEp
 5O6Q==
X-Gm-Message-State: AOAM5315iMj6VXsiU5cKw1I7OL6DX5VY5/SGI26XQLVLRY6PGCbfwyLw
 drpugKU6doQhwZoyy3tjgnU=
X-Google-Smtp-Source: ABdhPJwal05qtudO4HS5aJIy4x1pg39qXy9zZK4aQtRUGi8o8nOImsLaHaLZ9pnvo/6RE0Sy7NK2Hg==
X-Received: by 2002:a63:ff04:: with SMTP id k4mr5386302pgi.309.1636650396629; 
 Thu, 11 Nov 2021 09:06:36 -0800 (PST)
Received: from [192.168.1.2] (cpe-76-168-148-233.socal.res.rr.com.
 [76.168.148.233])
 by smtp.googlemail.com with ESMTPSA id h22sm2681045pgh.80.2021.11.11.09.06.35
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Thu, 11 Nov 2021 09:06:36 -0800 (PST)
Subject: Re: bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when
 starting daemon on demand
To: Ulrich Mueller <ulm@HIDDEN>, 51327 <at> debbugs.gnu.org
References: <ba5ee273-9d0f-7baf-ef2e-d0b005f29ed0@HIDDEN>
 <uczneyjin@HIDDEN> <238ece9e-df13-a604-ba3a-36b346857423@HIDDEN>
 <uwnlmwk9u@HIDDEN> <f13fb4b7-0299-db20-e80c-9c14be4ba466@HIDDEN>
 <umtmiwhm4@HIDDEN> <u7ddevo6y@HIDDEN>
From: Jim Porter <jporterbugs@HIDDEN>
Message-ID: <82a66db9-f9b3-fc0f-a98d-8900d4fec066@HIDDEN>
Date: Thu, 11 Nov 2021 09:06:36 -0800
MIME-Version: 1.0
In-Reply-To: <u7ddevo6y@HIDDEN>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 51327
Cc: Paul Eggert <eggert@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

On 11/11/2021 5:04 AM, Ulrich Mueller wrote:
>>>>>> On Fri, 05 Nov 2021, Ulrich Mueller wrote:
> 
>>>>>> On Fri, 05 Nov 2021, Jim Porter wrote:
>>> I'm not an expert on this kind of attack, but my understanding is that
>>> it could go something like this:
> 
>>> 1. Attacker runs `evil-daemon' which puts its socket in /tmp/evil
>>> 2. Attacker runs `ln -s /tmp/evil /tmp/emacs1000/server'
> 
>> Right, and IIUC this must be carefully timed to exploit some race
>> condition between permission checking and creating the socket. I am
>> not an expert on this either.
> 
> Thinking about it some more, when you always start the daemon with
> XDG_RUNTIME_DIR present, there won't be a /tmp/emacs1000/server (at
> least not one with correct user and permissions), and I don't believe
> that a symlink attack would be possible.
> 
> OTOH, when you start the daemon without XDG_RUNTIME_DIR, then the socket
> will be created in /tmp, but in that case you'd want the client to find
> it there.

The case I'm concerned about is when the daemon *hasn't* been started 
yet by the time emacsclient is called. In that case, emacsclient checks 
both XDG_RUNTIME_DIR and TMPDIR before giving up and starting the 
daemon. In this case, that means that even on a system where Emacs only 
uses XDG_RUNTIME_DIR in practice, it'll still search TMPDIR the first 
time when looking for the (non-existent) daemon. The question then is 
whether it's safe for the emacsclient to look in TMPDIR to confirm that 
no daemon already exists.

It's possible that this behavior is perfectly safe, but the way the code 
is currently written (plus Paul Eggert's reply in this bug) seem to 
indicate that it's vulnerable to attack. If it really is vulnerable, 
then I think it should be fixed; if it's safe, then just eliminating the 
warning is sufficient of course.

Message received at 51327 <at> debbugs.gnu.org:

Received: (at 51327) by debbugs.gnu.org; 11 Nov 2021 13:04:18 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Nov 11 08:04:18 2021
Received: from localhost ([127.0.0.1]:40386 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1ml9kX-0002s6-RP
	for submit <at> debbugs.gnu.org; Thu, 11 Nov 2021 08:04:18 -0500
Received: from woodpecker.gentoo.org ([140.211.166.183]:37168
 helo=smtp.gentoo.org) by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ulm@HIDDEN>) id 1ml9kW-0002rs-2P
 for 51327 <at> debbugs.gnu.org; Thu, 11 Nov 2021 08:04:16 -0500
From: Ulrich Mueller <ulm@HIDDEN>
To: 51327 <at> debbugs.gnu.org
Subject: Re: bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR
 when starting daemon on demand
In-Reply-To: <umtmiwhm4@HIDDEN> (Ulrich Mueller's message of "Fri, 05 Nov
 2021 20:02:43 +0100")
References: <ba5ee273-9d0f-7baf-ef2e-d0b005f29ed0@HIDDEN>
 <uczneyjin@HIDDEN>
 <238ece9e-df13-a604-ba3a-36b346857423@HIDDEN>
 <uwnlmwk9u@HIDDEN>
 <f13fb4b7-0299-db20-e80c-9c14be4ba466@HIDDEN>
 <umtmiwhm4@HIDDEN>
Date: Thu, 11 Nov 2021 14:04:05 +0100
Message-ID: <u7ddevo6y@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 51327
Cc: Jim Porter <jporterbugs@HIDDEN>, Paul Eggert <eggert@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -6.0 (------)

>>>>> On Fri, 05 Nov 2021, Ulrich Mueller wrote:

>>>>> On Fri, 05 Nov 2021, Jim Porter wrote:
>> I'm not an expert on this kind of attack, but my understanding is that
>> it could go something like this:

>> 1. Attacker runs `evil-daemon' which puts its socket in /tmp/evil
>> 2. Attacker runs `ln -s /tmp/evil /tmp/emacs1000/server'

> Right, and IIUC this must be carefully timed to exploit some race
> condition between permission checking and creating the socket. I am
> not an expert on this either.

Thinking about it some more, when you always start the daemon with
XDG_RUNTIME_DIR present, there won't be a /tmp/emacs1000/server (at
least not one with correct user and permissions), and I don't believe
that a symlink attack would be possible.

OTOH, when you start the daemon without XDG_RUNTIME_DIR, then the socket
will be created in /tmp, but in that case you'd want the client to find
it there.

>> 3. User runs `emacsclient --alternate-editor=""'
>> 4. emacsclient doesn't see a socket in XDG_RUNTIME_DIR, checks TMPDIR
>> 5. emacsclient connects to evil-daemon

See above, unless the daemon was started without XDG*, there won't be
any socket in TMPDIR.

> Note that after locating the socket, emacsclient will double check for
> sane permissions. That is, correct user id and _no_ write permission for
> either group or others. That's why I think that there's little attack
> surface on the client side, once the socket has been created.

>> The evil-daemon probably can't get access to the user's files, but
>> might be able to trick a user into entering some secret. I'll let
>> others chime in too though, since like I said, I'm not an expert.

>> If I'm wrong and this isn't an a problem, then I agree that all we
>> need to do here is silence the warning.

The core issue is that /run/user/${UID}/ is transient and will disappear
after logout. So if you start an Emacs daemon then its process will
persist after logout, but its socket file will be gone and it will no
longer be possible to connect. This may not be a security issue, but it
may cause loss of data.

Message received at 51327 <at> debbugs.gnu.org:

Received: (at 51327) by debbugs.gnu.org; 5 Nov 2021 19:02:57 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Nov 05 15:02:57 2021
Received: from localhost ([127.0.0.1]:47246 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mj4UL-0002Y0-8s
	for submit <at> debbugs.gnu.org; Fri, 05 Nov 2021 15:02:57 -0400
Received: from woodpecker.gentoo.org ([140.211.166.183]:37654
 helo=smtp.gentoo.org) by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ulm@HIDDEN>) id 1mj4UI-0002Xm-SS
 for 51327 <at> debbugs.gnu.org; Fri, 05 Nov 2021 15:02:55 -0400
From: Ulrich Mueller <ulm@HIDDEN>
To: Jim Porter <jporterbugs@HIDDEN>
Subject: Re: bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR
 when starting daemon on demand
In-Reply-To: <f13fb4b7-0299-db20-e80c-9c14be4ba466@HIDDEN> (Jim Porter's
 message of "Fri, 5 Nov 2021 11:38:48 -0700")
References: <ba5ee273-9d0f-7baf-ef2e-d0b005f29ed0@HIDDEN>
 <uczneyjin@HIDDEN>
 <238ece9e-df13-a604-ba3a-36b346857423@HIDDEN>
 <uwnlmwk9u@HIDDEN>
 <f13fb4b7-0299-db20-e80c-9c14be4ba466@HIDDEN>
Date: Fri, 05 Nov 2021 20:02:43 +0100
Message-ID: <umtmiwhm4@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 51327
Cc: Ulrich Mueller <ulm@HIDDEN>, 51327 <at> debbugs.gnu.org,
 Paul Eggert <eggert@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -6.0 (------)

>>>>> On Fri, 05 Nov 2021, Jim Porter wrote:

> (Cc'ing Paul Eggert, who can probably answer more confidently than me.)
> On 11/5/2021 11:05 AM, Ulrich Mueller wrote:
>> Can someone please explain to me how an exploit on the _client_ side
>> would look like?

>> When starting the server, I can believe that there may be some
>> surface for a symlink attack. But once the daemon is running? What is
>> the security issue for the client checking TMPDIR?

> I'm not an expert on this kind of attack, but my understanding is that
> it could go something like this:

>  1. Attacker runs `evil-daemon' which puts its socket in /tmp/evil
>  2. Attacker runs `ln -s /tmp/evil /tmp/emacs1000/server'

Right, and IIUC this must be carefully timed to exploit some race
condition between permission checking and creating the socket. I am not
an expert on this either.

>  3. User runs `emacsclient --alternate-editor=""'
>  4. emacsclient doesn't see a socket in XDG_RUNTIME_DIR, checks TMPDIR
>  5. emacsclient connects to evil-daemon

Note that after locating the socket, emacsclient will double check for
sane permissions. That is, correct user id and _no_ write permission for
either group or others. That's why I think that there's little attack
surface on the client side, once the socket has been created.

> The evil-daemon probably can't get access to the user's files, but
> might be able to trick a user into entering some secret. I'll let
> others chime in too though, since like I said, I'm not an expert.

> If I'm wrong and this isn't an a problem, then I agree that all we
> need to do here is silence the warning.

Message received at 51327 <at> debbugs.gnu.org:

Received: (at 51327) by debbugs.gnu.org; 5 Nov 2021 18:38:56 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Nov 05 14:38:56 2021
Received: from localhost ([127.0.0.1]:47213 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mj476-0008Eg-Hq
	for submit <at> debbugs.gnu.org; Fri, 05 Nov 2021 14:38:56 -0400
Received: from mail-pj1-f45.google.com ([209.85.216.45]:40553)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <jporterbugs@HIDDEN>) id 1mj474-0008ES-Jq
 for 51327 <at> debbugs.gnu.org; Fri, 05 Nov 2021 14:38:54 -0400
Received: by mail-pj1-f45.google.com with SMTP id
 n36-20020a17090a5aa700b0019fa884ab85so3934295pji.5
 for <51327 <at> debbugs.gnu.org>; Fri, 05 Nov 2021 11:38:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
 h=subject:to:cc:references:from:message-id:date:mime-version
 :in-reply-to:content-language:content-transfer-encoding;
 bh=MiGhWH2j2cw0qmwxsbOuzZgpDIVPmATTk7VWONWWAl8=;
 b=dWH8QyARvmI1e3A9KnClEt85wfvsoRQRHojFr8Z28CQpwPtWY7va2e/+pU5J22IoHp
 hPPmx4Iev4To1UdsB5wyFySeWsQiH0+jofVVU8KIVe/oMGOapJEwPllPE4e7GSJ+FiLQ
 BJjXTIJX6/Oa7x4U0Na4eAwBFPmIcMZaZJogzuX9RwHkukWX5m5YJZ2UYN2R2oMlYWgT
 nL4LjSqOaaCo+Uz2WpEkkcmXSSOoJ7Adf0oUP6Wa5L0aV79jvBkdxhTdbN4pGXe3k+gY
 4CKx2/bx5X+Aln+NEm1vkT3PKAhuAQ7jCiD+yC+/ndIEzW1DDjo8eivSiQ4zbkLt9kcN
 NYiw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:subject:to:cc:references:from:message-id:date
 :mime-version:in-reply-to:content-language:content-transfer-encoding;
 bh=MiGhWH2j2cw0qmwxsbOuzZgpDIVPmATTk7VWONWWAl8=;
 b=WiDD2ONKW+vimcRCQpRWYd7Nud/RQGkOdsgzcetIAomM7HUt3ouCnIuzKJKNUVbnNY
 LD/eSJVOAxDCUYDXj8CM23nJxWj1kvWI4tRHaOXpgJVWTSjBrR2EnA1Wtn8rLdcrUr3w
 zJoaSpIfF1UC7keBnb9sPBUC5XzVa/ZDvzScXdjzoHZEKDjSo7+1J9GAOKwLXIZCvkuL
 wEoqqIbJamiFlJm0TlUlrRVSLFap8VSPq845ccjxXxEyXFkVJ2ihqsX/3ekSw3+dxmDO
 oh2n5XfQJ/VdrGrHtdYERTooLzzq0pigH1LUa2EtBnRaOkqhix7QiddpwWFFodd0VKuM
 lX/w==
X-Gm-Message-State: AOAM533/RR1Z6dRPJCZ0VOCaOwFv82ZVvcAQLXWbXm/Bjt4tY3ZcAnWT
 CA62bAnaZ37hpfGmcA8w+jM=
X-Google-Smtp-Source: ABdhPJxSJwPrWaUmRcOh1IHisZNTmnoG/d8FsQ9RVjOkGX0bUh81GWnUfkOMI31KRwkm9ahl1ctdUw==
X-Received: by 2002:a17:90a:4586:: with SMTP id
 v6mr32394936pjg.43.1636137528658; 
 Fri, 05 Nov 2021 11:38:48 -0700 (PDT)
Received: from [192.168.1.2] (cpe-76-168-148-233.socal.res.rr.com.
 [76.168.148.233])
 by smtp.googlemail.com with ESMTPSA id e6sm6444806pgf.59.2021.11.05.11.38.47
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Fri, 05 Nov 2021 11:38:48 -0700 (PDT)
Subject: Re: bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when
 starting daemon on demand
To: Ulrich Mueller <ulm@HIDDEN>
References: <ba5ee273-9d0f-7baf-ef2e-d0b005f29ed0@HIDDEN>
 <uczneyjin@HIDDEN> <238ece9e-df13-a604-ba3a-36b346857423@HIDDEN>
 <uwnlmwk9u@HIDDEN>
From: Jim Porter <jporterbugs@HIDDEN>
Message-ID: <f13fb4b7-0299-db20-e80c-9c14be4ba466@HIDDEN>
Date: Fri, 5 Nov 2021 11:38:48 -0700
MIME-Version: 1.0
In-Reply-To: <uwnlmwk9u@HIDDEN>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 51327
Cc: 51327 <at> debbugs.gnu.org, Paul Eggert <eggert@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

(Cc'ing Paul Eggert, who can probably answer more confidently than me.)

On 11/5/2021 11:05 AM, Ulrich Mueller wrote:
> Can someone please explain to me how an exploit on the _client_ side
> would look like?
> 
> When starting the server, I can believe that there may be some surface
> for a symlink attack. But once the daemon is running? What is the
> security issue for the client checking TMPDIR?

I'm not an expert on this kind of attack, but my understanding is that 
it could go something like this:

  1. Attacker runs `evil-daemon' which puts its socket in /tmp/evil
  2. Attacker runs `ln -s /tmp/evil /tmp/emacs1000/server'
  3. User runs `emacsclient --alternate-editor=""'
  4. emacsclient doesn't see a socket in XDG_RUNTIME_DIR, checks TMPDIR
  5. emacsclient connects to evil-daemon

The evil-daemon probably can't get access to the user's files, but might 
be able to trick a user into entering some secret. I'll let others chime 
in too though, since like I said, I'm not an expert.

If I'm wrong and this isn't an a problem, then I agree that all we need 
to do here is silence the warning.

Message received at 51327 <at> debbugs.gnu.org:

Received: (at 51327) by debbugs.gnu.org; 5 Nov 2021 18:05:30 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Nov 05 14:05:30 2021
Received: from localhost ([127.0.0.1]:47128 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mj3aj-0007OT-Sf
	for submit <at> debbugs.gnu.org; Fri, 05 Nov 2021 14:05:30 -0400
Received: from woodpecker.gentoo.org ([140.211.166.183]:49864
 helo=smtp.gentoo.org) by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ulm@HIDDEN>) id 1mj3ai-0007O1-7T
 for 51327 <at> debbugs.gnu.org; Fri, 05 Nov 2021 14:05:28 -0400
From: Ulrich Mueller <ulm@HIDDEN>
To: Jim Porter <jporterbugs@HIDDEN>
Subject: Re: bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR
 when starting daemon on demand
In-Reply-To: <238ece9e-df13-a604-ba3a-36b346857423@HIDDEN> (Jim Porter's
 message of "Fri, 5 Nov 2021 10:54:29 -0700")
References: <ba5ee273-9d0f-7baf-ef2e-d0b005f29ed0@HIDDEN>
 <uczneyjin@HIDDEN>
 <238ece9e-df13-a604-ba3a-36b346857423@HIDDEN>
Date: Fri, 05 Nov 2021 19:05:17 +0100
Message-ID: <uwnlmwk9u@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 51327
Cc: 51327 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -6.0 (------)

Can someone please explain to me how an exploit on the _client_ side
would look like?

When starting the server, I can believe that there may be some surface
for a symlink attack. But once the daemon is running? What is the
security issue for the client checking TMPDIR?

Message received at 51327 <at> debbugs.gnu.org:

Received: (at 51327) by debbugs.gnu.org; 5 Nov 2021 17:54:40 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Nov 05 13:54:40 2021
Received: from localhost ([127.0.0.1]:47109 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mj3QF-00077H-WF
	for submit <at> debbugs.gnu.org; Fri, 05 Nov 2021 13:54:40 -0400
Received: from mail-pj1-f47.google.com ([209.85.216.47]:52868)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <jporterbugs@HIDDEN>) id 1mj3QA-00076z-V1
 for 51327 <at> debbugs.gnu.org; Fri, 05 Nov 2021 13:54:38 -0400
Received: by mail-pj1-f47.google.com with SMTP id h24so2496692pjq.2
 for <51327 <at> debbugs.gnu.org>; Fri, 05 Nov 2021 10:54:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
 h=subject:to:references:from:message-id:date:mime-version:in-reply-to
 :content-language:content-transfer-encoding;
 bh=qsjqsJuAG96HVuKLzky2sgHjBn6TzFCbNf8oEk+Exv0=;
 b=qX5EAf5MfMwkzKO56oCXJk8ZkHQj+L2q6xLPAsltnxN2MhKdFpXe2RvLDMrdrMgbOT
 oEHnVzzL1znzb0E1XETa9k60bT6kBSoAuE28YA/Un1ZVJA93KqwcUnDw1UvZvLeO8aLQ
 oel1oseLsar42py7StqDT8YomcKLgg6KaWW1t8nUDl2go5MPu1ev2yI0NMcw/4bXZQRI
 /EEnrwz7FjksgimCNDcDT0WSj/GR38UfKmS9bAVc1VvMuLMnScSfFTS/raqbbqzz56CL
 KhsBnnYBiphfgMjXWSgl5FejsKYfWb9f3+fSyDdFG/gXsvDqvpfCJGPaiYRSNg/RhXNf
 EKiQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:subject:to:references:from:message-id:date
 :mime-version:in-reply-to:content-language:content-transfer-encoding;
 bh=qsjqsJuAG96HVuKLzky2sgHjBn6TzFCbNf8oEk+Exv0=;
 b=3U2JcCA+87Qv51rN56VXMuvUWbuAdQmfTQLzZ9gmIWtJHOsdxajRr1GN89uW5g0bVd
 NLUS7dHjQlJtZrQQ6xsCnKpfzOOp+hf27rmChE/i7Z420r4HfxGKCL68R5Zzc7C6xLv9
 wQ9YCHPRu++eIii+aD2eT3925ARWIFOUqb1yaBXtbVnN6jcMDhQ32iu8MwS2IJWe/0Lh
 T8RDwQV+DgEBNV5WeiimZ7Dt6BbWGmkQVm8PSlH4ZgZVKCsNVN52ofXfzn7nTMPn1uJI
 sbwCRdW53C4a9bN2P/c/+It9GWL9oEjaGCWvcu2kYSfY+QOrMiZCYpsEY1CQ+3s+b/Ou
 7I7g==
X-Gm-Message-State: AOAM530s+oC9FzOQr8s155SYtD19oEj1F77Tc5tm2MTew8ChAtwbBtmB
 dMns+fS5PN02MpsT/5jS0NV5GeRaxbo=
X-Google-Smtp-Source: ABdhPJz4EbC+qm9JtNL4qPckRdBYp/683PPIcIaVJ0GM6+r2lPuBtFktQuO09d2GwAfgnqNyd8CsyQ==
X-Received: by 2002:a17:90a:8912:: with SMTP id
 u18mr31223649pjn.69.1636134869067; 
 Fri, 05 Nov 2021 10:54:29 -0700 (PDT)
Received: from [192.168.1.2] (cpe-76-168-148-233.socal.res.rr.com.
 [76.168.148.233]) by smtp.googlemail.com with ESMTPSA id
 x193sm6526110pfd.160.2021.11.05.10.54.28
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Fri, 05 Nov 2021 10:54:28 -0700 (PDT)
Subject: Re: bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when
 starting daemon on demand
To: Ulrich Mueller <ulm@HIDDEN>, 51327 <at> debbugs.gnu.org
References: <ba5ee273-9d0f-7baf-ef2e-d0b005f29ed0@HIDDEN>
 <uczneyjin@HIDDEN>
From: Jim Porter <jporterbugs@HIDDEN>
Message-ID: <238ece9e-df13-a604-ba3a-36b346857423@HIDDEN>
Date: Fri, 5 Nov 2021 10:54:29 -0700
MIME-Version: 1.0
In-Reply-To: <uczneyjin@HIDDEN>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 51327
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

On 11/5/2021 3:38 AM, Ulrich Mueller wrote:
> If I understand this report correctly, the problem is just the spurious
> warning about XDG_RUNTIME_DIR?
> 
> Instead of changing the functionality (which breaks other use cases, see
> my message to emacs-devel), wouldn't it make more sense to just suppress
> the warning if the variable is set? As in attached patch?

It's not just a spurious warning; the warning is telling the user about 
a real problem, though the wording is a bit confusing for this 
particular case. If a user calls `emacsclient --alternate-editor=""' 
with XDG_RUNTIME_DIR set and no Emacs server running, emacsclient will 
check in both XDG_RUNTIME_DIR and TMPDIR to find the server socket 
before giving up and starting the daemon.

Since XDG_RUNTIME_DIR exists (at least in part) to prevent symlink 
attacks, Emacs should try to avoid checking TMPDIR in order to avoid 
this vulnerability. Emacs 27 is secure in this regard, since it *never* 
checks TMPDIR if XDG_RUNTIME_DIR is set. However, that behavior caused 
the problems described in bug#33847. The patch I posted is a compromise 
that restores the secure behavior for users who set the alternate editor 
and want to start the Emacs daemon on demand (it's not perfect though; 
see my reply in emacs-devel).

Message received at 51327 <at> debbugs.gnu.org:

Received: (at 51327) by debbugs.gnu.org; 5 Nov 2021 10:38:54 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Nov 05 06:38:54 2021
Received: from localhost ([127.0.0.1]:44947 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1miwcY-000840-1K
	for submit <at> debbugs.gnu.org; Fri, 05 Nov 2021 06:38:54 -0400
Received: from woodpecker.gentoo.org ([140.211.166.183]:37806
 helo=smtp.gentoo.org) by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ulm@HIDDEN>) id 1miwcV-00083i-Kb
 for 51327 <at> debbugs.gnu.org; Fri, 05 Nov 2021 06:38:52 -0400
From: Ulrich Mueller <ulm@HIDDEN>
To: 51327 <at> debbugs.gnu.org
Subject: Re: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when starting
 daemon on demand
Date: Fri, 05 Nov 2021 11:38:40 +0100
Message-ID: <uczneyjin@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 51327
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -6.0 (------)

--=-=-=
Content-Type: text/plain

If I understand this report correctly, the problem is just the spurious
warning about XDG_RUNTIME_DIR?

Instead of changing the functionality (which breaks other use cases, see
my message to emacs-devel), wouldn't it make more sense to just suppress
the warning if the variable is set? As in attached patch?

--=-=-=
Content-Type: text/plain
Content-Disposition: attachment;
 filename=0001-Suppress-a-spurious-warning-in-emacsclient.patch

From 8b13b4ce6b5c5998ea8dc6db0c1021f2beba41aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ulrich=20M=C3=BCller?= <ulm@HIDDEN>
Date: Fri, 5 Nov 2021 11:30:28 +0100
Subject: [PATCH] Suppress a spurious warning in emacsclient

* lib-src/emacsclient.c (set_local_socket): Suppress warning about
unset XDG_RUNTIME_DIR if the variable is actually set.
(Bug#51327)
---
 lib-src/emacsclient.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib-src/emacsclient.c b/lib-src/emacsclient.c
index 0e800dd7e8..d812ae6bc8 100644
--- a/lib-src/emacsclient.c
+++ b/lib-src/emacsclient.c
@@ -1447,6 +1447,7 @@ set_local_socket (char const *server_name)
   int tmpdirlen = -1;
   int socknamelen = -1;
   uid_t uid = geteuid ();
+  char const *xdg_runtime_dir = NULL;
   bool tmpdir_used = false;
   int s = cloexec_socket (AF_UNIX, SOCK_STREAM, 0);
   if (s < 0)
@@ -1468,7 +1469,7 @@ set_local_socket (char const *server_name)
     {
       /* socket_name is a file name component.  */
       sock_status = ENOENT;
-      char const *xdg_runtime_dir = egetenv ("XDG_RUNTIME_DIR");
+      xdg_runtime_dir = egetenv ("XDG_RUNTIME_DIR");
       if (xdg_runtime_dir)
 	{
 	  socknamelen = snprintf (sockname, socknamesize, "%s/emacs/%s",
@@ -1559,7 +1560,8 @@ set_local_socket (char const *server_name)
 	  int sockdirnamelen = snprintf (sockdirname, sizeof sockdirname,
 					 "/run/user/%"PRIuMAX, id);
 	  if (0 <= sockdirnamelen && sockdirnamelen < sizeof sockdirname
-	      && faccessat (AT_FDCWD, sockdirname, X_OK, AT_EACCESS) == 0)
+	      && faccessat (AT_FDCWD, sockdirname, X_OK, AT_EACCESS) == 0
+	      && !xdg_runtime_dir)
 	    message
 	      (true,
 	       ("%s: Should XDG_RUNTIME_DIR='%s' be in the environment?\n"
-- 
2.33.1


--=-=-=--

Message received at 51327 <at> debbugs.gnu.org:

Received: (at 51327) by debbugs.gnu.org; 30 Oct 2021 22:33:22 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Oct 30 18:33:22 2021
Received: from localhost ([127.0.0.1]:58582 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mgwug-0004NK-CV
	for submit <at> debbugs.gnu.org; Sat, 30 Oct 2021 18:33:22 -0400
Received: from zimbra.cs.ucla.edu ([131.179.128.68]:36470)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eggert@HIDDEN>) id 1mgwud-0004N5-JO
 for 51327 <at> debbugs.gnu.org; Sat, 30 Oct 2021 18:33:20 -0400
Received: from localhost (localhost [127.0.0.1])
 by zimbra.cs.ucla.edu (Postfix) with ESMTP id 4918A1600EB;
 Sat, 30 Oct 2021 15:33:13 -0700 (PDT)
Received: from zimbra.cs.ucla.edu ([127.0.0.1])
 by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10032)
 with ESMTP id jjdj3vYFbjCM; Sat, 30 Oct 2021 15:33:12 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
 by zimbra.cs.ucla.edu (Postfix) with ESMTP id A1B8F1600FC;
 Sat, 30 Oct 2021 15:33:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at zimbra.cs.ucla.edu
Received: from zimbra.cs.ucla.edu ([127.0.0.1])
 by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10026)
 with ESMTP id Oqpsl-BP-XtM; Sat, 30 Oct 2021 15:33:12 -0700 (PDT)
Received: from [192.168.1.9] (cpe-172-91-119-151.socal.res.rr.com
 [172.91.119.151])
 by zimbra.cs.ucla.edu (Postfix) with ESMTPSA id 6763B1600EB;
 Sat, 30 Oct 2021 15:33:12 -0700 (PDT)
Message-ID: <b6140cd0-b692-0be9-70c2-64e751381ae6@HIDDEN>
Date: Sat, 30 Oct 2021 15:33:11 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.1.2
Subject: Re: bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when
 starting daemon on-demand
Content-Language: en-US
To: Jim Porter <jporterbugs@HIDDEN>
References: <ba5ee273-9d0f-7baf-ef2e-d0b005f29ed0@HIDDEN>
 <53706fa9-1458-fb5c-bd31-15ab555b59e9@HIDDEN>
From: Paul Eggert <eggert@HIDDEN>
Organization: UCLA Computer Science Department
In-Reply-To: <53706fa9-1458-fb5c-bd31-15ab555b59e9@HIDDEN>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Score: -2.4 (--)
X-Debbugs-Envelope-To: 51327
Cc: 51327 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.4 (---)

Thanks, this patch looks good to me. You're right that the current 
approach is insecure, and your patch should make it somewhat less insecure.

Message received at 51327 <at> debbugs.gnu.org:

Received: (at 51327) by debbugs.gnu.org; 30 Oct 2021 19:37:13 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Oct 30 15:37:12 2021
Received: from localhost ([127.0.0.1]:58485 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mguAC-0008OU-JA
	for submit <at> debbugs.gnu.org; Sat, 30 Oct 2021 15:37:12 -0400
Received: from mail-pj1-f43.google.com ([209.85.216.43]:42703)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <jporterbugs@HIDDEN>) id 1mguAA-0008OI-Pd
 for 51327 <at> debbugs.gnu.org; Sat, 30 Oct 2021 15:37:11 -0400
Received: by mail-pj1-f43.google.com with SMTP id
 nn3-20020a17090b38c300b001a03bb6c4ebso9745835pjb.1
 for <51327 <at> debbugs.gnu.org>; Sat, 30 Oct 2021 12:37:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
 h=subject:from:to:cc:references:message-id:date:mime-version
 :in-reply-to:content-language;
 bh=eokKXPErDDuO3HWssqTTmpUCjEMOQ0t7scrKT861+FM=;
 b=MKFM5CpMfMzjNU9Rk49uX0Q6htO1L0/WD6b3rRYwq/ddS1v8spZmvcUGXdA5G5o/iZ
 BjLAoyMPEKqHJJAyIa2A6v9w3egfXuL/MUUFgtZBYKvFXdfYGX4FQt+6Ne6wvGbTpOZs
 ieNeIBvq72/S4lQjWB5kjVP74QLKOriTGa4VWC0yrhP3MIIXa/gVY/1vaMTfV6flU+LZ
 OgycYyVGSiu1PaqGeQBA55muV9xd2k5Km1VeetGupbjoFLCJqIhWm7OGOib2hxvvDwsj
 YcHvck/7XDGrKbM7NXNog25Ksi5V/o4iBZIz5tLyylAkpoPXtr9U+BkAZfAUWczimPo2
 G+6A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:subject:from:to:cc:references:message-id:date
 :mime-version:in-reply-to:content-language;
 bh=eokKXPErDDuO3HWssqTTmpUCjEMOQ0t7scrKT861+FM=;
 b=zjW/oHg85xGFj2hDCqV3Wx3OVvNt7EMmZWYWc/SV951MoIOPPIe9VonBU1LewVbo0V
 clnr9v5QwdYtTdDQvOvmeZRpfwHoFcb5AWMwdgNAd9WK4b19Ax/fmuGL7RJt4xAb0t53
 p5HSntoBMbOE5IgAvFUIhL6UbuUI/dAMW3JTfbzBQlxe3q4PWTag395s2sLTc8mzbACZ
 etbuGI3L4I+1A4OUHqZuEkR1auQyGqKIX3/nt4W6NCUVQlXEYmIGS3Qv9H0e1EcsikZL
 AgVU8sOS7uf4b6HUPci/8urSpkvy9KVuuGBN90F1ljG04lTKfBqc7xeHWRaOsaZR0OXN
 QpUQ==
X-Gm-Message-State: AOAM533/Bc9CREgNUDSfv3IkpumPVUZ21qO+bXIi6WB8bCNNEqfqCbRp
 CRTOwD1G/Y66d3hEFJAEETI=
X-Google-Smtp-Source: ABdhPJyI/e8AoTgDvlm292LxfLerIobqInZXnNEjgRxp3IKmNOOofiPqOAh0sZR4ovGdup3gUKJdeg==
X-Received: by 2002:a17:902:b94a:b0:141:8454:d665 with SMTP id
 h10-20020a170902b94a00b001418454d665mr16548780pls.88.1635622624834; 
 Sat, 30 Oct 2021 12:37:04 -0700 (PDT)
Received: from [192.168.1.2] (cpe-76-168-148-233.socal.res.rr.com.
 [76.168.148.233])
 by smtp.googlemail.com with ESMTPSA id m4sm4176913pjs.1.2021.10.30.12.37.02
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Sat, 30 Oct 2021 12:37:03 -0700 (PDT)
Subject: Re: bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when
 starting daemon on-demand
From: Jim Porter <jporterbugs@HIDDEN>
To: 51327 <at> debbugs.gnu.org
References: <ba5ee273-9d0f-7baf-ef2e-d0b005f29ed0@HIDDEN>
Message-ID: <53706fa9-1458-fb5c-bd31-15ab555b59e9@HIDDEN>
Date: Sat, 30 Oct 2021 12:37:02 -0700
MIME-Version: 1.0
In-Reply-To: <ba5ee273-9d0f-7baf-ef2e-d0b005f29ed0@HIDDEN>
Content-Type: multipart/mixed; boundary="------------D0A415F2BE8E27FC4474B716"
Content-Language: en-US
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 51327
Cc: eggert@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

This is a multi-part message in MIME format.
--------------D0A415F2BE8E27FC4474B716
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit

On 10/21/2021 9:58 PM, Jim Porter wrote:
> Normally, when running `emacsclient --alternate-editor=""' with no Emacs 
> server running, it will run `emacs --daemon' and then connect to it. In 
> Emacs 28, it will also issue the following warning:
> 
>    Should XDG_RUNTIME_DIR='/run/user/1000' be in the environment?
>    (Be careful: XDG_RUNTIME_DIR is security-related.)
> 
> However, XDG_RUNTIME_DIR *is* set in my environment, so it shouldn't be 
> warning me about it.
> 
> I believe this is due to the fix for bug#33847 (see commit 
> 007744dd0404d6febca88b00c22981cc630fb8c0). That bug asked for 
> emacsclient to look in both XDG_RUNTIME_DIR and TMPDIR to find the 
> server socket, in order to accommodate the case where `emacs --daemon' 
> is started when XDG_RUNTIME_DIR is unset, but *is* set when running 
> `emacsclient'.

Attached is a patch that should fix this by skipping the TMPDIR check 
whenever a) we have an alternate editor and b) XDG_RUNTIME_DIR is set. 
This has the benefit of supporting the use case in bug#33847 as well as 
users who start the Emacs daemon on-demand.

The only flaw I can think of with this method is that it would still be 
technically possible to perform a symlink attack against a user who runs 
`emacs --daemon' explicitly with XDG_RUNTIME_DIR set, and then runs 
`emacsclient' without an alternate editor set. However, this would 
require the attacker to be able to kill the `emacs --daemon' process 
somehow so that emacsclient falls back to looking in TMPDIR. I'm not 
sure that's a realistic attack vector, but I thought I'd mention it for 
completeness.

--------------D0A415F2BE8E27FC4474B716
Content-Type: text/plain; charset=UTF-8;
 name="0001-Prevent-symlink-attacks-in-emacsclient-when-an-alter.patch"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename*0="0001-Prevent-symlink-attacks-in-emacsclient-when-an-alter.pa";
 filename*1="tch"

RnJvbSA2YjhjN2E5ODgxYjc5MjU0YzYxODM1NmE0ZGZhMjU3ODEyYTZmZTVjIE1vbiBTZXAg
MTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBKaW0gUG9ydGVyIDxqcG9ydGVyYnVnc0BnbWFpbC5j
b20+CkRhdGU6IFNhdCwgMzAgT2N0IDIwMjEgMTI6MjI6MDIgLTA3MDAKU3ViamVjdDogW1BB
VENIXSBQcmV2ZW50IHN5bWxpbmsgYXR0YWNrcyBpbiBlbWFjc2NsaWVudCB3aGVuIGFuIGFs
dGVybmF0ZQogZWRpdG9yIGlzIHNldAoKKiBsaWItc3JjL2VtYWNzY2xpZW50LmMgKHNldF9s
b2NhbF9zb2NrZXQpOiBEb24ndCBsb29rIGluIFRNUERJUiBmb3IgYQpzb2NrZXQgaWYgd2Ug
aGF2ZSBhbiBhbHRlcm5hdGUgZWRpdG9yIGFuZCBYREdfUlVOVElNRV9ESVIgaXMgc2V0CihC
dWcjNTEzMjcpLgotLS0KIGxpYi1zcmMvZW1hY3NjbGllbnQuYyB8IDUgKysrKy0KIDEgZmls
ZSBjaGFuZ2VkLCA0IGluc2VydGlvbnMoKyksIDEgZGVsZXRpb24oLSkKCmRpZmYgLS1naXQg
YS9saWItc3JjL2VtYWNzY2xpZW50LmMgYi9saWItc3JjL2VtYWNzY2xpZW50LmMKaW5kZXgg
Y2ZmM2NlYzJhNy4uMTMwNTIyNjA1NiAxMDA2NDQKLS0tIGEvbGliLXNyYy9lbWFjc2NsaWVu
dC5jCisrKyBiL2xpYi1zcmMvZW1hY3NjbGllbnQuYwpAQCAtMTQ2Niw3ICsxNDY2LDEwIEBA
IHNldF9sb2NhbF9zb2NrZXQgKGNoYXIgY29uc3QgKnNlcnZlcl9uYW1lKQogCQkJID8gY29u
bmVjdF9zb2NrZXQgKEFUX0ZEQ1dELCBzb2NrbmFtZSwgcywgMCkKIAkJCSA6IEVOQU1FVE9P
TE9ORyk7CiAJfQotICAgICAgaWYgKHNvY2tfc3RhdHVzID09IEVOT0VOVCkKKyAgICAgIC8q
IEZhbGwgYmFjayB0byBjaGVja2luZyBmb3IgYSBzb2NrZXQgaW4gVE1QRElSIHVubGVzcyB3
ZSBoYXZlCisJIGFuIGFsdGVybmF0ZSBlZGl0b3IgYW5kIFhER19SVU5USU1FX0RJUiBpcyBz
ZXQuICBJbiB0aGF0CisJIGNhc2UsIHdlIHdhbnQgdG8gYmFpbCBvdXQgYW5kIHNwYXduIHRo
ZSBhbHRlcm5hdGUgZWRpdG9yLiAqLworICAgICAgaWYgKCEoeGRnX3J1bnRpbWVfZGlyICYm
IGFsdGVybmF0ZV9lZGl0b3IpICYmIHNvY2tfc3RhdHVzID09IEVOT0VOVCkKIAl7CiAJICBj
aGFyIGNvbnN0ICp0bXBkaXIgPSBlZ2V0ZW52ICgiVE1QRElSIik7CiAJICBpZiAodG1wZGly
KQotLSAKMi4yNS4xCgo=
--------------D0A415F2BE8E27FC4474B716--

Message received at submit <at> debbugs.gnu.org:

Received: (at submit) by debbugs.gnu.org; 22 Oct 2021 04:58:09 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Oct 22 00:58:09 2021
Received: from localhost ([127.0.0.1]:59069 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mdmd7-00010z-GJ
	for submit <at> debbugs.gnu.org; Fri, 22 Oct 2021 00:58:09 -0400
Received: from lists.gnu.org ([209.51.188.17]:49980)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <jporterbugs@HIDDEN>) id 1mdmd5-00010q-T8
 for submit <at> debbugs.gnu.org; Fri, 22 Oct 2021 00:58:08 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:37938)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <jporterbugs@HIDDEN>)
 id 1mdmd5-00021Y-IV
 for bug-gnu-emacs@HIDDEN; Fri, 22 Oct 2021 00:58:07 -0400
Received: from mail-pg1-x533.google.com ([2607:f8b0:4864:20::533]:36439)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <jporterbugs@HIDDEN>)
 id 1mdmd1-0006HU-Qw
 for bug-gnu-emacs@HIDDEN; Fri, 22 Oct 2021 00:58:07 -0400
Received: by mail-pg1-x533.google.com with SMTP id 75so2277304pga.3
 for <bug-gnu-emacs@HIDDEN>; Thu, 21 Oct 2021 21:58:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
 h=from:subject:to:cc:message-id:date:mime-version:content-language
 :content-transfer-encoding;
 bh=hvJGcbhYZLpEGRxE6NByVUbEDo7XK61DwYuIxjCJy5M=;
 b=QXHXVljBdGS0Aj9c1zINGDhLCuR9wmHyPIcxnvPabRDMJ+NlhK5lSQc+X2NcouQhvo
 hGKV9UDEWut4FaOYkXaL12uf1ZjC1Gjt+jEEcmHH1qZRlkeLUeGG6IFr6JaWQe3Lxryz
 +X633v+61QatKbSc0FebIfKPXVg0wjIHsA5Vphx8gfbPBMC7BParf6HsE20esVg2HBoQ
 p1u4xBQBinGh0SNHdHFtI3JwpRCHDM1EMMOBRYh2XsMYJlZ65CeUkHjeq2TKONe/Gmgi
 JpKtDR6h8B9YmV1DoUHgouW2AJudGw9EYUdDMzuRRQTGC/DQqfgz/aKuMqzVDdH0Irmh
 rhgA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:from:subject:to:cc:message-id:date:mime-version
 :content-language:content-transfer-encoding;
 bh=hvJGcbhYZLpEGRxE6NByVUbEDo7XK61DwYuIxjCJy5M=;
 b=hPLapf1XK9UKlFrJA/miIrzLCcPdkhBe9v0WgVj05heI/nXI+3fs0UzdcSFW46OYiP
 H4SA7mXu3wqvR3NBYPTWXYZDfy5pTpkdvQef/qHoxX6/TEuQvdqpDuRlH7vCiG8OZuOz
 q0czJt08C1b/+aUBQaSTkfmabzea7jmCuryzgX8ZNzOybr/BCgDG28ofbQ2HbXrqWXuo
 t5Y/Mxk5qyz1DWyTa19YG2aofkwv0LB/b6hxVlCZ3JMEolxRp0YA8nCi1q20ddyUIm3B
 RytlRDguMCkfwU91giVMT75VRlVwlJ/PHkHy6nF7XDUB5TWWH1ivaqSeMES4d4yx52C+
 l7JQ==
X-Gm-Message-State: AOAM533rT7L8rF6RCKxzxpZqA3otCrDQkbzAOW7b0Gtz78+mikWltOTH
 drQSUMDqrVLbvbDjDvFI7QE=
X-Google-Smtp-Source: ABdhPJwFHPRO7Ldwvsfx6sjBwSXCz3ZDn+X01wCmKHMfa3uUqRmdaUa12cQz6uWuPyd9iuCsFEOVsw==
X-Received: by 2002:a63:b218:: with SMTP id x24mr7630645pge.29.1634878681443; 
 Thu, 21 Oct 2021 21:58:01 -0700 (PDT)
Received: from [192.168.1.2] (cpe-76-168-148-233.socal.res.rr.com.
 [76.168.148.233])
 by smtp.googlemail.com with ESMTPSA id u11sm8165835pfg.2.2021.10.21.21.58.00
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Thu, 21 Oct 2021 21:58:00 -0700 (PDT)
X-Mozilla-News-Host: news://news.gmane.org:119
From: Jim Porter <jporterbugs@HIDDEN>
Subject: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when starting daemon
 on-demand
To: bug-gnu-emacs@HIDDEN
Message-ID: <ba5ee273-9d0f-7baf-ef2e-d0b005f29ed0@HIDDEN>
Date: Thu, 21 Oct 2021 21:58:00 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Received-SPF: pass client-ip=2607:f8b0:4864:20::533;
 envelope-from=jporterbugs@HIDDEN; helo=mail-pg1-x533.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: submit
Cc: eggert@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.3 (--)

Normally, when running `emacsclient --alternate-editor=""' with no Emacs 
server running, it will run `emacs --daemon' and then connect to it. In 
Emacs 28, it will also issue the following warning:

   Should XDG_RUNTIME_DIR='/run/user/1000' be in the environment?
   (Be careful: XDG_RUNTIME_DIR is security-related.)

However, XDG_RUNTIME_DIR *is* set in my environment, so it shouldn't be 
warning me about it.

I believe this is due to the fix for bug#33847 (see commit 
007744dd0404d6febca88b00c22981cc630fb8c0). That bug asked for 
emacsclient to look in both XDG_RUNTIME_DIR and TMPDIR to find the 
server socket, in order to accommodate the case where `emacs --daemon' 
is started when XDG_RUNTIME_DIR is unset, but *is* set when running 
`emacsclient'.

That works for the issue described in bug#33847, but for users with 
XDG_RUNTIME_DIR set who want `emacs --daemon' to start on demand, the 
change means that emacsclient will look in TMPDIR to find a server 
socket, record that attempt, and then warn about it before finally going 
ahead and starting `emacs --daemon'.

I'm not an expert on XDG_RUNTIME_DIR, but my understanding is that this 
was added to improve security over using TMPDIR. However, as far as I 
can tell, the fix in bug#33847 partially undoes the security improvement 
for users who want to start `emacs --daemon' on demand.

I'm not sure what the fix here is, at least not while ensuring that both 
this case and the case in bug#33847 "just work" without setting some 
option...

(The original bug#33847 is rather long, and I see that similar concerns 
were raised there, so I hope I've summarized this accurately and I'm not 
just misunderstanding what this code is doing.)