bug-gnu-emacs
bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when startin


From: Paul Eggert
Subject: bug#51327: 28.0.60; emacsclient warns about XDG_RUNTIME_DIR when starting daemon on-demand
Date: Tue, 7 Dec 2021 11:03:35 -0800
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.3.1

On 12/7/21 06:58, Stefan Kangas wrote:
> Eli Zaretskii <eliz@gnu.org> writes:
>
> Agreed.  The only question is if this patch should go to emacs-28 or
> master?  Perhaps Eli or Lars has an opinion about that.
>
> AFAIU, Ulrich wasn't happy with that patch and proposed an
> alternative?
>
> You are correct, so it seems like we need to think about this more
> closely before taking action.
>
> I linked the relevant emacs-devel thread with more discussion
> separately.

Although none of us has done a thorough security audit, I still think that looking in TMPDIR first is a security loophole that is exploitable in some circumstances.

Ulrich says the loophole is small because Emacs verifies that the current user is the socket owner. However, small loopholes can still be exploited: for example, an attacker could cause you to think that you're connecting to your Emacs when you're really connecting to another of your processes, and this could still lead to problems (particularly if you're root).




