bug#28618: Emacs Security Issue
From: John Wiegley
Subject: bug#28618: Emacs Security Issue
Date: Wed, 27 Sep 2017 08:44:34 -0700
User-agent: Gnus/5.130016 (Ma Gnus v0.16) Emacs/26.0 (darwin)
>>>>> "DA" == Dor Azouri <dor.azouri@safebreach.com> writes:
DA> In short, a malicious actor that can execute code as one of the sudoers
DA> (in non-elevated mode), can edit the init file, and add malicious commands
DA> to it. Then he needs to wait for that user to invoke the editor in
DA> elevated mode - and the plugin that was written before, will be loaded
DA> with the root permissions.
If the user has sudo access to run Emacs, isn't the game already over? They
could M-x shell and rm -fr /, no?
--
John Wiegley GPG fingerprint = 4710 CF98 AF9B 327B B80F
http://newartisans.com 60E1 46C4 BD1A 7AC1 4BA2