Re: bug#48676: Arbitrary code execution in Org export macros
Thanks, you managed to understand my question.
I was wondering if there was a risk of privilege escalation.
Fortunately that seems not to be the case.

On Thu, 27 May 2021 15:13, Tim Cross wrote:

>
> Rafael Ramirez Morales writes:
>
> > Just a couple of questions:
> > who is the owner of the HELLO file?
> > OR
> > who is the owner of the "touch" process?
> >
> > Is the owner the unprivileged user or the "emacs" system?
> >
> > Thanks.
> >
>
> Not clear exactly what you're asking. The process which will execute the
> 'touch' will be a sub-process of the process running Emacs. This will
> typically be the user who executes Emacs and will have the same
> permissions and access rights as the user running Emacs. There is no
> 'emacs' system and the privileges will be the same as the user who runs
> Emacs. This is assuming a 'normal' installation, not some unusual setup
> which uses setuid or similar to alter the way Emacs runs or the
> ownership of files in a directory etc.
>
Re: bug#48676: Arbitrary code execution in Org export macros
Rafael Ramirez Morales writes:

> Just a couple of questions:
> who is the owner of the HELLO file?
> OR
> who is the owner of the "touch" process?
>
> Is the owner the unprivileged user or the "emacs" system?
>
> Thanks.
>

Not clear exactly what you're asking. The process which will execute the 'touch' will be a sub-process of the process running Emacs. This will typically be the user who executes Emacs and will have the same permissions and access rights as the user running Emacs. There is no 'emacs' system and the privileges will be the same as the user who runs Emacs. This is assuming a 'normal' installation, not some unusual setup which uses setuid or similar to alter the way Emacs runs or the ownership of files in a directory etc.
bug#48676: Arbitrary code execution in Org export macros
Just a couple of questions:
who is the owner of the HELLO file?
OR
who is the owner of the "touch" process?

Is the owner the unprivileged user or the "emacs" system?

Thanks.

On Wed, 26 May 2021 at 17:53, Glenn Morris wrote:

> Package: emacs,org-mode
> Version: 28.0.50
> Severity: important
> Tags: security
>
> emacs -Q hello.org, where hello.org contains:
>
> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
> Hello. {{{hello}}}
>
> Then:
> M-x org-export-dispatch
> t A
>
> -> now /tmp/HELLO exists, with no prompting.
>
> This seems contrary to normal Emacs practice for risky local variables,
> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).
>
bug#48676: Arbitrary code execution in Org export macros
Glenn, thanks for the report.

i guess my take is that macro-evaluation, and that of other forms, should be subject to the same restrictions as that of source block evaluation. i.e., prompting for permission to execute, subject to =org-confirm-babel-evaluate= (or, more specific variables).

cheers, Greg

> Package: emacs,org-mode
> Version: 28.0.50
> Severity: important
> Tags: security
>
> emacs -Q hello.org, where hello.org contains:
>
> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
> Hello. {{{hello}}}
>
> Then:
> M-x org-export-dispatch
> t A
>
> -> now /tmp/HELLO exists, with no prompting.
>
> This seems contrary to normal Emacs practice for risky local variables,
> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).
Re: bug#48676: Arbitrary code execution in Org export macros
Glenn Morris writes:

> Package: emacs,org-mode
> Version: 28.0.50
> Severity: important
> Tags: security
>
> emacs -Q hello.org, where hello.org contains:
>
> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
> Hello. {{{hello}}}
>
> Then:
> M-x org-export-dispatch
> t A
>
> -> now /tmp/HELLO exists, with no prompting.
>
> This seems contrary to normal Emacs practice for risky local variables,
> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).

I'm not quite sure if this is the same as the concern with risky local file variables. The big difference is that with the local file variables, without the default behaviour of asking for permission to evaluate, the code would be evaluated simply by loading the file. With the org file, nothing is evaluated when you load the file. The user has to actively request evaluation (via export or tangling).

I would agree the org manual should make it very clear that exporting and tangling can result in macro evaluation, which could involve evaluation of arbitrary code and the risks that can introduce.

--
Tim Cross
bug#48676: Arbitrary code execution in Org export macros
Hi Glenn,

The definition for local variables doesn't cover things like org macros, though the spirit of the policy is something worth keeping in mind.

Running M-x org-export-dispatch and hitting two keys means that the user has to do something to trigger code execution, much like they would have to intentionally accept certain risky local variables.

That said, the fact that many org operations can run arbitrary code is definitely something that needs clearer documentation. It might make sense to add a setting to detect closures that appear in org files to ask for permission before running, but it likely should not be on by default.

For a fairly extensive discussion of code execution in org see this thread from Nov 2020.
https://orgmode.org/list/robi94$ma$1...@ciao.gmane.io/#t

Best,
Tom
Re: bug#48676: Arbitrary code execution in Org export macros
Thanks for reporting this.

Glenn Morris writes:

> This seems contrary to normal Emacs practice for risky local variables,

Hmm, correct me if I'm wrong but the issue with risky local variables is that they affect Emacs before the user sees them in the file? If this is an important distinction, it means this particular type of concern does not apply to Org #+macro statements, as they are not executed when the user opens the file.

That said, if one were making say an automated Org file exporter or something, I could see this being problematic. Perhaps a var set to allow macros by default could be a good idea.

> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).

Looks like this should be updated regardless of the above.

--
Timothy
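
Added example (not part of the thread and not Org's own code): a pre-export gate for the automated-exporter case raised above, which flags `#+macro:` definitions whose body begins with `(eval`, the form used in the report. The function names, the sample document and the choice to also report `#+SETUPFILE`/`#+INCLUDE` lines (which the scanner does not follow) are assumptions made for this illustration.

```python
import re

# "#+macro: NAME BODY" keyword line; Org keywords are case-insensitive.
MACRO_RE = re.compile(r"^[ \t]*#\+macro:[ \t]+(\S+)[ \t]+(.*)$", re.IGNORECASE)
# Keywords that reference other files, which this scanner does not follow.
EXTERNAL_RE = re.compile(r"^[ \t]*#\+(setupfile|include):[ \t]*(.+)$", re.IGNORECASE)
# Body starting with "(eval", as in the macro from the bug report.
EVAL_RE = re.compile(r"\(eval\b")

# Constructed sample: line 3 is the macro from the report, the rest is invented.
SAMPLE = """\
#+SETUPFILE: ./theme.org
#+macro: greet Hello, $1!
#+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
Hello. {{{hello}}} {{{greet(world)}}}
"""


def scan_org(text):
    """Return (line_number, kind, detail) for every line needing review."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = MACRO_RE.match(line)
        if m and EVAL_RE.match(m.group(2).lstrip()):
            # Macro body is Lisp that would run during export.
            findings.append((lineno, "eval-macro", m.group(1)))
            continue
        m = EXTERNAL_RE.match(line)
        if m:
            # Referenced file must be scanned separately before export.
            findings.append((lineno, "external-file", m.group(2).strip()))
    return findings


def safe_to_export(text):
    """True only when the document has no findings at all."""
    return not scan_org(text)


if __name__ == "__main__":
    for finding in scan_org(SAMPLE):
        print(finding)
```

The check is textual and only covers macro definitions in the file it is given; it does not look at source blocks or other evaluation paths discussed in the Org manual.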
bug#48676: Arbitrary code execution in Org export macros
Package: emacs,org-mode
Version: 28.0.50
Severity: important
Tags: security

emacs -Q hello.org, where hello.org contains:

#+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
Hello. {{{hello}}}

Then:
M-x org-export-dispatch
t A

-> now /tmp/HELLO exists, with no prompting.

This seems contrary to normal Emacs practice for risky local variables,
and to the section "Code Evaluation and Security Issues" in the Org manual
(which does not mention macros).