mirror/emacs
1
0
Fork 0
mirror of https://git.savannah.gnu.org/git/emacs.git synced 2024-12-15 09:47:20 +00:00
Code Issues Releases Activity
4b3dc7a139
emacs/admin/merge-gnulib
Paul Eggert 007744dd04 Redo emacsclient socket symlink-attack checking 
* admin/merge-gnulib (GNULIB_MODULES): Add file-has-acl.
* lib/file-has-acl.c: New file, copied from Gnulib.
* lib/gnulib.mk.in, m4/gnulib-comp.m4: Regenerate.
* lib-src/emacsclient.c: Include acl.h, for file_has_acl.
(O_PATH): Default to O_SEARCH, which is good enough here.
(union local_sockaddr): New type.
(socket_status): Remove, replacing with ...
(connect_socket): New function.  All callers changed.
This function checks for ownership and permissions issues with the
parent directory of the socket file, instead of checking the
owner of the socket (which does not help security).
(socknamesize): Move to file scope.
(local_sockname): New arg S.  No need to pass socknamesize.
UID arg is now uid_t.  All callers changed.  Get file descriptor
of parent directory of socket, to foil some symlink attacks.
Do not follow symlinks to that directory.
(set_local_socket): Create the socket here instead of on
each attempt to connect it.  Fall back from XDG_RUNTIME_DIR
to /tmp only if the former fails due to ENOENT.  Adjust
permission-failure diagnostic to match changed behavior.

This addresses Bug#33847, which complained about emacsclient in a
safer XDG environment not connecting to an Emacs server running in
a less-safe enviroment outside XDG.  The patch fixes a
longstanding issue with emacsclient permission checking.
It’s ineffective to look at the permission of the socket file
itself; on some platforms, these permissions are ignored anyway.
What matters are the permissions on the parent directory of the
socket file, as these are what make symlink attacks possible.
Change the permissions check accordingly, and also refuse to
follow symlinks to that parent directory.  These changes make it
OK for emacsclient to fall back from XDG_RUNTIME_DIR to the
traditionally less-safe /tmp/emacsNNNN directories, since /tmp is
universally sticky nowadays.
2021-07-23 13:33:37 +02:00

123 lines
3.9 KiB
Bash
Executable File
Raw Blame History

#! /bin/sh
# Merge gnulib sources into Emacs sources.
# Typical usage:
#
# admin/merge-gnulib
# Copyright 2012-2021 Free Software Foundation, Inc.
# This file is part of GNU Emacs.
# GNU Emacs is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# GNU Emacs is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with GNU Emacs. If not, see <https://www.gnu.org/licenses/>.
# written by Paul Eggert
GNULIB_URL=git://git.savannah.gnu.org/gnulib.git
GNULIB_MODULES='
alloca-opt binary-io byteswap c-ctype c-strcase
canonicalize-lgpl
careadlinkat close-stream copy-file-range
count-leading-zeros count-one-bits count-trailing-zeros
crypto/md5-buffer crypto/sha1-buffer crypto/sha256-buffer crypto/sha512-buffer
d-type diffseq double-slash-root dtoastr dtotimespec dup2
environ execinfo explicit_bzero faccessat
fchmodat fcntl fcntl-h fdopendir file-has-acl
filemode filename filevercmp flexmember fpieee
free-posix fstatat fsusage fsync futimens
getloadavg getopt-gnu getrandom gettime gettimeofday gitlog-to-changelog
ieee754-h ignore-value intprops largefile libgmp lstat
manywarnings memmem-simple mempcpy memrchr minmax mkostemp mktime nstrftime
pathmax pipe2 pselect pthread_sigmask
qcopy-acl readlink readlinkat regex
sig2str sigdescr_np socklen stat-time std-gnu11 stdalign stddef stdio
stpcpy strnlen strtoimax symlink sys_stat sys_time
tempname time time_r time_rz timegm timer-time timespec-add timespec-sub
update-copyright unlocked-io utimensat
vla warnings
'
AVOIDED_MODULES='
btowc close dup fchdir fstat langinfo lock
malloc-posix mbrtowc mbsinit memchr mkdir msvc-inval msvc-nothrow nl_langinfo
openat-die opendir pthread-h raise
save-cwd select setenv sigprocmask stat stdarg stdbool
threadlib tzset unsetenv utime utime-h
wchar wcrtomb wctype-h
'
GNULIB_TOOL_FLAGS='
--conditional-dependencies --import --no-changelog --no-vc-files
--gnu-make
--makefile-name=gnulib.mk.in
'
# The source directory, with a trailing '/'.
# If empty, the source directory is the working directory.
src=$2
case $src in
*/ | '') ;;
*) src=$src/ ;;
esac
# Gnulib's source directory.
gnulib_srcdir=${1-$src../gnulib}
case $gnulib_srcdir in
-*) src=- ;;
esac
case $src in
-*)
printf '%s\n' >&2 "$0: usage: $0 [GNULIB_SRCDIR [SRCDIR]]
SRCDIR is the Emacs source directory (default: working directory).
GNULIB_SRCDIR is the Gnulib source directory (default: SRCDIR/../gnulib)."
exit 1 ;;
esac
test -x "$src"autogen.sh || {
printf '%s\n' >&2 "$0: '${src:-.}' is not an Emacs source directory."
exit 1
}
test -d "$gnulib_srcdir" ||
git clone -- "$GNULIB_URL" "$gnulib_srcdir" ||
exit
test -x "$gnulib_srcdir"/gnulib-tool || {
printf '%s\n' >&2 "$0: '$gnulib_srcdir' is not a Gnulib source directory."
exit 1
}
avoided_flags=
for module in $AVOIDED_MODULES; do
avoided_flags="$avoided_flags --avoid=$module"
done
"$gnulib_srcdir"/gnulib-tool --dir="$src" $GNULIB_TOOL_FLAGS \
$avoided_flags $GNULIB_MODULES &&
rm -- "$src"lib/gl_openssl.h "$src"m4/fcntl-o.m4 \
"$src"m4/gl-openssl.m4 \
"$src"m4/gnulib-cache.m4 "$src"m4/gnulib-tool.m4 \
"$src"m4/manywarnings-c++.m4 \
"$src"m4/warn-on-use.m4 "$src"m4/wint_t.m4 &&
cp -- "$gnulib_srcdir"/build-aux/texinfo.tex "$src"doc/misc &&
cp -- "$gnulib_srcdir"/build-aux/config.guess \
"$gnulib_srcdir"/build-aux/config.sub \
"$gnulib_srcdir"/build-aux/install-sh \
"$gnulib_srcdir"/build-aux/move-if-change \
"$src"build-aux &&
{ test -z "$src" || cd "$src"; } &&
./autogen.sh
Reference in New Issue View Git Blame Copy Permalink