>From 71de784f1a14200b83049e359a9b009eddbceb94 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Wed, 21 Oct 2015 20:22:34 -0700 Subject: [PATCH 1/2] =?UTF-8?q?New=20lispref=20section=20=E2=80=9CSecurity?= =?UTF-8?q?=20Considerations=E2=80=9D?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This attempts to document some of the issues recently discussed on emacs-devel, and to indicate other such issues. The section could be a lot longer. * doc/lispref/os.texi (Security Considerations): New node. * doc/lispref/elisp.texi (Top): * doc/lispref/processes.texi (Shell Arguments): * lisp/subr.el (shell-quote-argument): * src/callproc.c (syms_of_callproc): Reference it. --- doc/lispref/elisp.texi | 1 + doc/lispref/os.texi | 104 +++++++++++++++++++++++++++++++++++++++++++++ doc/lispref/processes.texi | 2 +- lisp/subr.el | 3 +- src/callproc.c | 2 +- 5 files changed, 109 insertions(+), 3 deletions(-) diff --git a/doc/lispref/elisp.texi b/doc/lispref/elisp.texi index 5ca518e..2d3548f 100644 --- a/doc/lispref/elisp.texi +++ b/doc/lispref/elisp.texi @@ -1487,6 +1487,7 @@ Top * Desktop Notifications:: Desktop notifications. * File Notifications:: File notifications. * Dynamic Libraries:: On-demand loading of support libraries. +* Security Considerations:: Running Emacs in an unfriendly environment. Starting Up Emacs diff --git a/doc/lispref/os.texi b/doc/lispref/os.texi index 204055d..1925bd5 100644 --- a/doc/lispref/os.texi +++ b/doc/lispref/os.texi @@ -37,6 +37,7 @@ System Interface * Desktop Notifications:: Desktop notifications. * File Notifications:: File notifications. * Dynamic Libraries:: On-demand loading of support libraries. +* Security Considerations:: Running Emacs in an unfriendly environment. @end menu @node Starting Up @@ -2760,3 +2761,106 @@ Dynamic Libraries This variable is ignored if the given @var{library} is statically linked into Emacs. @end defvar + address@hidden Security Considerations address@hidden Security Considerations address@hidden security address@hidden hardening + +Like any application, Emacs can be run in a secure environment, where +the operating system enforces rules about access and the like. With +some care, Emacs-based applications can also be part of a security +perimeter that checks such rules. Although the default settings for +Emacs work well for a typical software development environment, they +may require adjustment in environments containing untrusted users that +may include attackers. Here is a compendium of security issues that +may be helpful if you are developing such applications. It is by no +means complete; it is intended to give you an idea of the security +issues involved, rather than to be a security checklist. + address@hidden @asis address@hidden Access control +Although Emacs normally respects access permissions of the underlying +operating system, in some cases it handles accesses specially. For +example, file names can have handlers that treat the files specially, +with their own access checking. @xref{Magic File Names}. Also, a +buffer can be read-only even if the corresponding file is writeable, +and vice versa, which can result in messages such as @samp{File passwd +is write-protected; try to save anyway? (yes or no)}. @xref{Read Only +Buffers}. + address@hidden Authentication +Emacs has several functions that deal with passwords, e.g., address@hidden Although these functions do not attempt to +broadcast passwords to the world, their implementations are not proof +against determined attackers with access to Emacs internals. For +example, even if Elisp code attempts to scrub a password from +its memory after using it, remnants of the password may still reside +in the garbage-collected free list. + address@hidden Code injection +Emacs can send commands to many other applications, and applications +should take care that strings sent as operands of these commands are +not misinterpreted as directives. For example, when sending a shell +command to rename a file @var{a} to @var{b}, do not simply use the +string @code{mv @var{a} @var{b}}, because either file name might start +with @samp{-}, or might contain shell metacharacters like @samp{;}. +Although functions like @code{shell-quote-argument} can help avoid +this sort of problem, they are not panaceas; for example, on a POSIX +platform @code{shell-quote-argument} quotes shell metacharacters but +not leading @samp{-}. @xref{Shell Arguments}. + address@hidden Coding systems +Emacs attempts to infer the coding systems of the files and network +connections it accesses. If it makes a mistake, or if the other +parties to the network connection disagree with Emacs's deductions, +the resulting system could be unreliable. Also, even when it infers +correctly, Emacs often can use bytes that other programs cannot. For +example, although to Emacs the NUL (all bits zero) byte is just a +character like any other, many other applications treat it as a string +terminator and mishandle strings or files containing NUL bytes. + address@hidden Environment and configuration variables +POSIX specifies several environment variables that can affect how +Emacs behaves. Any environment variable whose name consists entirely +of uppercase ASCII letters, digits, and the underscore may affect the +internal behavior of Emacs. Emacs uses several such variables, e.g., address@hidden @xref{Library Search}. On some platforms some +environment variables (e.g., @env{PATH}, @env{POSIXLY_CORRECT}, address@hidden, @env{TMPDIR}) need to have properly-configured values in +order to get standard behavior for any utility Emacs might invoke. +Even seemingly-benign variables like @env{TZ} may have security +implications. + +Emacs has customization and other variables with similar +considerations. For example, if the variable @code{shell-file-name} +specifies a shell with nonstandard behavior, an Emacs-based +application may misbehave. + address@hidden Installation +When Emacs is installed, if the installation directory hierarchy can +be modified by untrusted users, the application cannot be trusted. +This applies also to the directory hierarchies of the programs that +Emacs uses, and of the files that Emacs reads and writes. + address@hidden Network access +Emacs often accesses the network, and you may want to configure it to +avoid network accesses that it would normally do. For example, unless +you set @code{tramp-mode} to @code{nil}, file names using a certain +syntax are interpreted as being network files, and are retrieved +across the network. @xref{Top, The Tramp Manual,, tramp, The Tramp +Manual}. + address@hidden Race conditions +Emacs applications have the same sort of race-condition issues that +other applications do. For example, even when address@hidden(file-readable-p "foo.txt")} returns @code{t}, it could be that address@hidden is unreadable because some other program changed the +file's permissions between the call to @code{file-readable-p} and now. + address@hidden Resource limits +When Emacs exhausts memory or other operating system resources, its +behavior can be less reliable, in that computations that ordinarily +run to completion may abort back to the top level. This may cause +Emacs to neglect operations that it normally would have done. address@hidden table diff --git a/doc/lispref/processes.texi b/doc/lispref/processes.texi index 196cb7c..0ce696a 100644 --- a/doc/lispref/processes.texi +++ b/doc/lispref/processes.texi @@ -180,7 +180,7 @@ Shell Arguments Precisely what this function does depends on your operating system. The function is designed to work with the syntax of your system's standard shell; if you use an unusual shell, you will need to redefine this -function. +function. @xref{Security Considerations}. @example ;; @r{This example shows the behavior on GNU and Unix systems.} diff --git a/lisp/subr.el b/lisp/subr.el index c903ee3..ea926ae 100644 --- a/lisp/subr.el +++ b/lisp/subr.el @@ -2714,7 +2714,8 @@ shell-quote-argument "Quote ARGUMENT for passing as argument to an inferior shell. This function is designed to work with the syntax of your system's -standard shell, and might produce incorrect results with unusual shells." +standard shell, and might produce incorrect results with unusual shells. +See Info node `(elisp)Security Considerations'." (cond ((eq system-type 'ms-dos) ;; Quote using double quotes, but escape any existing quotes in diff --git a/src/callproc.c b/src/callproc.c index eafd621..bb21c35 100644 --- a/src/callproc.c +++ b/src/callproc.c @@ -1660,7 +1660,7 @@ syms_of_callproc (void) DEFVAR_LISP ("shell-file-name", Vshell_file_name, doc: /* File name to load inferior shells from. Initialized from the SHELL environment variable, or to a system-dependent -default if SHELL is not set. */); +default if SHELL is unset. See Info node `(elisp)Security Considerations'. */); DEFVAR_LISP ("exec-path", Vexec_path, doc: /* List of directories to search programs to run in subprocesses. -- 2.1.0