author     Paul Eggert <eggert@cs.ucla.edu>  2021-07-23 13:33:21 +0200
committer  Lars Ingebrigtsen <larsi@gnus.org>  2021-07-23 13:33:37 +0200
commit     007744dd0404d6febca88b00c22981cc630fb8c0 (patch)
tree       34e0756665429089a8098bc091eaf03a2032a8db /admin
parent     55a19a1da26d35673c8eb2c52171ff3b31594dd9 (diff)
download   emacs-007744dd0404d6febca88b00c22981cc630fb8c0.tar.gz
Redo emacsclient socket symlink-attack checking
* admin/merge-gnulib (GNULIB_MODULES): Add file-has-acl.
* lib/file-has-acl.c: New file, copied from Gnulib.
* lib/gnulib.mk.in, m4/gnulib-comp.m4: Regenerate.
* lib-src/emacsclient.c: Include acl.h, for file_has_acl.
(O_PATH): Default to O_SEARCH, which is good enough here.
(union local_sockaddr): New type.
(socket_status): Remove, replacing with ...
(connect_socket): New function.  All callers changed.
This function checks for ownership and permissions issues with
the parent directory of the socket file, instead of checking
the owner of the socket (which does not help security).
(socknamesize): Move to file scope.
(local_sockname): New arg S.  No need to pass socknamesize.
UID arg is now uid_t.  All callers changed.
Get file descriptor of parent directory of socket, to foil
some symlink attacks.  Do not follow symlinks to that directory.
(set_local_socket): Create the socket here instead of on each
attempt to connect it.  Fall back from XDG_RUNTIME_DIR to /tmp
only if the former fails due to ENOENT.
Adjust permission-failure diagnostic to match changed behavior.

This addresses Bug#33847, which complained about emacsclient in a
safer XDG environment not connecting to an Emacs server running in a
less-safe environment outside XDG.

The patch fixes a longstanding issue with emacsclient permission
checking.  It’s ineffective to look at the permission of the socket
file itself; on some platforms, these permissions are ignored anyway.
What matters are the permissions on the parent directory of the
socket file, as these are what make symlink attacks possible.  Change
the permissions check accordingly, and also refuse to follow symlinks
to that parent directory.  These changes make it OK for emacsclient
to fall back from XDG_RUNTIME_DIR to the traditionally less-safe
/tmp/emacsNNNN directories, since /tmp is universally sticky nowadays.
Diffstat (limited to 'admin')
-rwxr-xr-x  admin/merge-gnulib  2
1 files changed, 1 insertions, 1 deletions
diff --git a/admin/merge-gnulib b/admin/merge-gnulib
index 1c8b4427000..c12e83dd2fa 100755
--- a/admin/merge-gnulib
+++ b/admin/merge-gnulib
@@ -33,7 +33,7 @@ GNULIB_MODULES='
crypto/md5-buffer crypto/sha1-buffer crypto/sha256-buffer crypto/sha512-buffer
d-type diffseq double-slash-root dtoastr dtotimespec dup2
environ execinfo explicit_bzero faccessat
- fchmodat fcntl fcntl-h fdopendir
+ fchmodat fcntl fcntl-h fdopendir file-has-acl
filemode filename filevercmp flexmember fpieee
free-posix fstatat fsusage fsync futimens
getloadavg getopt-gnu getrandom gettime gettimeofday gitlog-to-changelog
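Review bot: adding file-has-acl to GNULIB_MODULES only instructs admin/merge-gnulib to import the module, while the commit message says lib-src/emacsclient.c now calls file_has_acl; please confirm that the regenerated lib/gnulib.mk.in and m4/gnulib-comp.m4 are part of this commit (the diffstat shown is limited to admin, so this hunk cannot show them) and that lib-src's link rule for emacsclient picks up whatever ACL library variable the module's configure check exports, since a build host whose ACL support lives in a separate library would otherwise fail at link time. Placing the name after fdopendir keeps the list's alphabetical order, so no change is needed there.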