New lispref section “Security Considerations”

This attempts to document some of the issues recently discussed on emacs-devel, and to indicate other such issues. The section could be a lot longer. * doc/lispref/os.texi (Security Considerations): New node. * doc/lispref/elisp.texi (Top): * doc/lispref/processes.texi (Shell Arguments): * lisp/subr.el (shell-quote-argument): * src/callproc.c (syms_of_callproc): Reference it.
author: Paul Eggert 2015-10-21 20:22:34 -0700
committer: Paul Eggert 2015-10-21 20:26:49 -0700
commit: f373e812d95e1822833f88db024e011a769998b4 (patch)
tree: 5cc676ac1723fd2631f356f3c3c2e6c5b5b7105e
parent: 0bb27cd32e4a6a7fc4485381efc9ff0026e15689 (diff)
download: emacs-f373e812d95e1822833f88db024e011a769998b4.tar.gz
emacs-f373e812d95e1822833f88db024e011a769998b4.zip
5 files changed, 109 insertions, 3 deletions
diff --git a/doc/lispref/elisp.texi b/doc/lispref/elisp.texi
index 5ca518ecd5f..2d3548f65ba 100644
--- a/doc/lispref/elisp.texi
+++ b/doc/lispref/elisp.texi
@@ -1487,6 +1487,7 @@ Operating System Interface
 * Desktop Notifications::   Desktop notifications.
 * File Notifications::      File notifications.
 * Dynamic Libraries::       On-demand loading of support libraries.
+* Security Considerations:: Running Emacs in an unfriendly environment.
 Starting Up Emacs
diff --git a/doc/lispref/os.texi b/doc/lispref/os.texi
index 204055d9e78..1925bd544e5 100644
--- a/doc/lispref/os.texi
+++ b/doc/lispref/os.texi
@@ -37,6 +37,7 @@ terminal and the screen.
 * Desktop Notifications:: Desktop notifications.
 * File Notifications::  File notifications.
 * Dynamic Libraries::   On-demand loading of support libraries.
+* Security Considerations:: Running Emacs in an unfriendly environment.
 @end menu
 @node Starting Up
@@ -2760,3 +2761,106 @@ be loaded through it.
 This variable is ignored if the given @var{library} is statically
 linked into Emacs.
 @end defvar
+@node Security Considerations
+@section Security Considerations
+@cindex security
+@cindex hardening
+Like any application, Emacs can be run in a secure environment, where
+the operating system enforces rules about access and the like.  With
+some care, Emacs-based applications can also be part of a security
+perimeter that checks such rules.  Although the default settings for
+Emacs work well for a typical software development environment, they
+may require adjustment in environments containing untrusted users that
+may include attackers.  Here is a compendium of security issues that
+may be helpful if you are developing such applications.  It is by no
+means complete; it is intended to give you an idea of the security
+issues involved, rather than to be a security checklist.
+@table @asis
+@item Access control
+Although Emacs normally respects access permissions of the underlying
+operating system, in some cases it handles accesses specially.  For
+example, file names can have handlers that treat the files specially,
+with their own access checking.  @xref{Magic File Names}.  Also, a
+buffer can be read-only even if the corresponding file is writeable,
+and vice versa, which can result in messages such as @samp{File passwd
+is write-protected; try to save anyway? (yes or no)}.  @xref{Read Only
+Buffers}.
+@item Authentication
+Emacs has several functions that deal with passwords, e.g.,
+@code{password-read}.  Although these functions do not attempt to
+broadcast passwords to the world, their implementations are not proof
+against determined attackers with access to Emacs internals.  For
+example, even if Elisp code attempts to scrub a password from
+its memory after using it, remnants of the password may still reside
+in the garbage-collected free list.
+@item Code injection
+Emacs can send commands to many other applications, and applications
+should take care that strings sent as operands of these commands are
+not misinterpreted as directives.  For example, when sending a shell
+command to rename a file @var{a} to @var{b}, do not simply use the
+string @code{mv @var{a} @var{b}}, because either file name might start
+with @samp{-}, or might contain shell metacharacters like @samp{;}.
+Although functions like @code{shell-quote-argument} can help avoid
+this sort of problem, they are not panaceas; for example, on a POSIX
+platform @code{shell-quote-argument} quotes shell metacharacters but
+not leading @samp{-}.  @xref{Shell Arguments}.
+@item Coding systems
+Emacs attempts to infer the coding systems of the files and network
+connections it accesses.  If it makes a mistake, or if the other
+parties to the network connection disagree with Emacs's deductions,
+the resulting system could be unreliable.  Also, even when it infers
+correctly, Emacs often can use bytes that other programs cannot.  For
+example, although to Emacs the NUL (all bits zero) byte is just a
+character like any other, many other applications treat it as a string
+terminator and mishandle strings or files containing NUL bytes.
+@item Environment and configuration variables
+POSIX specifies several environment variables that can affect how
+Emacs behaves.  Any environment variable whose name consists entirely
+of uppercase ASCII letters, digits, and the underscore may affect the
+internal behavior of Emacs.  Emacs uses several such variables, e.g.,
+@env{EMACSLOADPATH}.  @xref{Library Search}.  On some platforms some
+environment variables (e.g., @env{PATH}, @env{POSIXLY_CORRECT},
+@env{SHELL}, @env{TMPDIR}) need to have properly-configured values in
+order to get standard behavior for any utility Emacs might invoke.
+Even seemingly-benign variables like @env{TZ} may have security
+implications.
+Emacs has customization and other variables with similar
+considerations.  For example, if the variable @code{shell-file-name}
+specifies a shell with nonstandard behavior, an Emacs-based
+application may misbehave.
+@item Installation
+When Emacs is installed, if the installation directory hierarchy can
+be modified by untrusted users, the application cannot be trusted.
+This applies also to the directory hierarchies of the programs that
+Emacs uses, and of the files that Emacs reads and writes.
+@item Network access
+Emacs often accesses the network, and you may want to configure it to
+avoid network accesses that it would normally do.  For example, unless
+you set @code{tramp-mode} to @code{nil}, file names using a certain
+syntax are interpreted as being network files, and are retrieved
+across the network.  @xref{Top, The Tramp Manual,, tramp, The Tramp
+Manual}.
+@item Race conditions
+Emacs applications have the same sort of race-condition issues that
+other applications do.  For example, even when
+@code{(file-readable-p "foo.txt")} returns @code{t}, it could be that
+@file{foo.txt} is unreadable because some other program changed the
+file's permissions between the call to @code{file-readable-p} and now.
+@item Resource limits
+When Emacs exhausts memory or other operating system resources, its
+behavior can be less reliable, in that computations that ordinarily
+run to completion may abort back to the top level.  This may cause
+Emacs to neglect operations that it normally would have done.
+@end table
diff --git a/doc/lispref/processes.texi b/doc/lispref/processes.texi
index 196cb7c1f9b..0ce696ad533 100644
--- a/doc/lispref/processes.texi
+++ b/doc/lispref/processes.texi
@@ -180,7 +180,7 @@ and then pass it to a shell for execution.
 Precisely what this function does depends on your operating system.  The
 function is designed to work with the syntax of your system's standard
 shell; if you use an unusual shell, you will need to redefine this
-function.
+function.  @xref{Security Considerations}.
 @example
 ;; @r{This example shows the behavior on GNU and Unix systems.}
diff --git a/lisp/subr.el b/lisp/subr.el
index c903ee3c758..ea926ae1475 100644
--- a/lisp/subr.el
+++ b/lisp/subr.el
@@ -2714,7 +2714,8 @@ Note: :data and :device are currently not supported on Windows."
  "Quote ARGUMENT for passing as argument to an inferior shell.
 This function is designed to work with the syntax of your system's
-standard shell, and might produce incorrect results with unusual shells."
+standard shell, and might produce incorrect results with unusual shells.
+See Info node `(elisp)Security Considerations'."
  (cond
   ((eq system-type 'ms-dos)
    ;; Quote using double quotes, but escape any existing quotes in
diff --git a/src/callproc.c b/src/callproc.c
index eafd6217c0f..bb21c35dccc 100644
--- a/src/callproc.c
+++ b/src/callproc.c
@@ -1660,7 +1660,7 @@ syms_of_callproc (void)
  DEFVAR_LISP ("shell-file-name", Vshell_file_name,
               doc: /* File name to load inferior shells from.
 Initialized from the SHELL environment variable, or to a system-dependent
-default if SHELL is not set.  */);
+default if SHELL is unset.  See Info node `(elisp)Security Considerations'.  */);
  DEFVAR_LISP ("exec-path", Vexec_path,
               doc: /* List of directories to search programs to run in subprocesses.
author	Paul Eggert	2015-10-21 20:22:34 -0700
committer	Paul Eggert	2015-10-21 20:26:49 -0700
commit	f373e812d95e1822833f88db024e011a769998b4 (patch)
tree	5cc676ac1723fd2631f356f3c3c2e6c5b5b7105e
parent	0bb27cd32e4a6a7fc4485381efc9ff0026e15689 (diff)
download	emacs-f373e812d95e1822833f88db024e011a769998b4.tar.gz emacs-f373e812d95e1822833f88db024e011a769998b4.zip

diff --git a/doc/lispref/elisp.texi b/doc/lispref/elisp.texi index 5ca518ecd5f..2d3548f65ba 100644 --- a/doc/lispref/elisp.texi +++ b/doc/lispref/elisp.texi
@@ -1487,6 +1487,7 @@ Operating System Interface
1487	* Desktop Notifications:: Desktop notifications.	1487	* Desktop Notifications:: Desktop notifications.
1488	* File Notifications:: File notifications.	1488	* File Notifications:: File notifications.
1489	* Dynamic Libraries:: On-demand loading of support libraries.	1489	* Dynamic Libraries:: On-demand loading of support libraries.
		1490	* Security Considerations:: Running Emacs in an unfriendly environment.
1490		1491
1491	Starting Up Emacs	1492	Starting Up Emacs
1492		1493


diff --git a/doc/lispref/os.texi b/doc/lispref/os.texi index 204055d9e78..1925bd544e5 100644 --- a/doc/lispref/os.texi +++ b/doc/lispref/os.texi
@@ -37,6 +37,7 @@ terminal and the screen.
37	* Desktop Notifications:: Desktop notifications.	37	* Desktop Notifications:: Desktop notifications.
38	* File Notifications:: File notifications.	38	* File Notifications:: File notifications.
39	* Dynamic Libraries:: On-demand loading of support libraries.	39	* Dynamic Libraries:: On-demand loading of support libraries.
		40	* Security Considerations:: Running Emacs in an unfriendly environment.
40	@end menu	41	@end menu
41		42
42	@node Starting Up	43	@node Starting Up
@@ -2760,3 +2761,106 @@ be loaded through it.
2760	This variable is ignored if the given @var{library} is statically	2761	This variable is ignored if the given @var{library} is statically
2761	linked into Emacs.	2762	linked into Emacs.
2762	@end defvar	2763	@end defvar
		2764
		2765	@node Security Considerations
		2766	@section Security Considerations
		2767	@cindex security
		2768	@cindex hardening
		2769
		2770	Like any application, Emacs can be run in a secure environment, where
		2771	the operating system enforces rules about access and the like. With
		2772	some care, Emacs-based applications can also be part of a security
		2773	perimeter that checks such rules. Although the default settings for
		2774	Emacs work well for a typical software development environment, they
		2775	may require adjustment in environments containing untrusted users that
		2776	may include attackers. Here is a compendium of security issues that
		2777	may be helpful if you are developing such applications. It is by no
		2778	means complete; it is intended to give you an idea of the security
		2779	issues involved, rather than to be a security checklist.
		2780
		2781	@table @asis
		2782	@item Access control
		2783	Although Emacs normally respects access permissions of the underlying
		2784	operating system, in some cases it handles accesses specially. For
		2785	example, file names can have handlers that treat the files specially,
		2786	with their own access checking. @xref{Magic File Names}. Also, a
		2787	buffer can be read-only even if the corresponding file is writeable,
		2788	and vice versa, which can result in messages such as @samp{File passwd
		2789	is write-protected; try to save anyway? (yes or no)}. @xref{Read Only
		2790	Buffers}.
		2791
		2792	@item Authentication
		2793	Emacs has several functions that deal with passwords, e.g.,
		2794	@code{password-read}. Although these functions do not attempt to
		2795	broadcast passwords to the world, their implementations are not proof
		2796	against determined attackers with access to Emacs internals. For
		2797	example, even if Elisp code attempts to scrub a password from
		2798	its memory after using it, remnants of the password may still reside
		2799	in the garbage-collected free list.
		2800
		2801	@item Code injection
		2802	Emacs can send commands to many other applications, and applications
		2803	should take care that strings sent as operands of these commands are
		2804	not misinterpreted as directives. For example, when sending a shell
		2805	command to rename a file @var{a} to @var{b}, do not simply use the
		2806	string @code{mv @var{a} @var{b}}, because either file name might start
		2807	with @samp{-}, or might contain shell metacharacters like @samp{;}.
		2808	Although functions like @code{shell-quote-argument} can help avoid
		2809	this sort of problem, they are not panaceas; for example, on a POSIX
		2810	platform @code{shell-quote-argument} quotes shell metacharacters but
		2811	not leading @samp{-}. @xref{Shell Arguments}.
		2812
		2813	@item Coding systems
		2814	Emacs attempts to infer the coding systems of the files and network
		2815	connections it accesses. If it makes a mistake, or if the other
		2816	parties to the network connection disagree with Emacs's deductions,
		2817	the resulting system could be unreliable. Also, even when it infers
		2818	correctly, Emacs often can use bytes that other programs cannot. For
		2819	example, although to Emacs the NUL (all bits zero) byte is just a
		2820	character like any other, many other applications treat it as a string
		2821	terminator and mishandle strings or files containing NUL bytes.
		2822
		2823	@item Environment and configuration variables
		2824	POSIX specifies several environment variables that can affect how
		2825	Emacs behaves. Any environment variable whose name consists entirely
		2826	of uppercase ASCII letters, digits, and the underscore may affect the
		2827	internal behavior of Emacs. Emacs uses several such variables, e.g.,
		2828	@env{EMACSLOADPATH}. @xref{Library Search}. On some platforms some
		2829	environment variables (e.g., @env{PATH}, @env{POSIXLY_CORRECT},
		2830	@env{SHELL}, @env{TMPDIR}) need to have properly-configured values in
		2831	order to get standard behavior for any utility Emacs might invoke.
		2832	Even seemingly-benign variables like @env{TZ} may have security
		2833	implications.
		2834
		2835	Emacs has customization and other variables with similar
		2836	considerations. For example, if the variable @code{shell-file-name}
		2837	specifies a shell with nonstandard behavior, an Emacs-based
		2838	application may misbehave.
		2839
		2840	@item Installation
		2841	When Emacs is installed, if the installation directory hierarchy can
		2842	be modified by untrusted users, the application cannot be trusted.
		2843	This applies also to the directory hierarchies of the programs that
		2844	Emacs uses, and of the files that Emacs reads and writes.
		2845
		2846	@item Network access
		2847	Emacs often accesses the network, and you may want to configure it to
		2848	avoid network accesses that it would normally do. For example, unless
		2849	you set @code{tramp-mode} to @code{nil}, file names using a certain
		2850	syntax are interpreted as being network files, and are retrieved
		2851	across the network. @xref{Top, The Tramp Manual,, tramp, The Tramp
		2852	Manual}.
		2853
		2854	@item Race conditions
		2855	Emacs applications have the same sort of race-condition issues that
		2856	other applications do. For example, even when
		2857	@code{(file-readable-p "foo.txt")} returns @code{t}, it could be that
		2858	@file{foo.txt} is unreadable because some other program changed the
		2859	file's permissions between the call to @code{file-readable-p} and now.
		2860
		2861	@item Resource limits
		2862	When Emacs exhausts memory or other operating system resources, its
		2863	behavior can be less reliable, in that computations that ordinarily
		2864	run to completion may abort back to the top level. This may cause
		2865	Emacs to neglect operations that it normally would have done.
		2866	@end table


diff --git a/doc/lispref/processes.texi b/doc/lispref/processes.texi index 196cb7c1f9b..0ce696ad533 100644 --- a/doc/lispref/processes.texi +++ b/doc/lispref/processes.texi
@@ -180,7 +180,7 @@ and then pass it to a shell for execution.
180	Precisely what this function does depends on your operating system. The	180	Precisely what this function does depends on your operating system. The
181	function is designed to work with the syntax of your system's standard	181	function is designed to work with the syntax of your system's standard
182	shell; if you use an unusual shell, you will need to redefine this	182	shell; if you use an unusual shell, you will need to redefine this
183	function.	183	function. @xref{Security Considerations}.
184		184
185	@example	185	@example
186	;; @r{This example shows the behavior on GNU and Unix systems.}	186	;; @r{This example shows the behavior on GNU and Unix systems.}


diff --git a/lisp/subr.el b/lisp/subr.el index c903ee3c758..ea926ae1475 100644 --- a/lisp/subr.el +++ b/lisp/subr.el
@@ -2714,7 +2714,8 @@ Note: :data and :device are currently not supported on Windows."
2714	"Quote ARGUMENT for passing as argument to an inferior shell.	2714	"Quote ARGUMENT for passing as argument to an inferior shell.
2715		2715
2716	This function is designed to work with the syntax of your system's	2716	This function is designed to work with the syntax of your system's
2717	standard shell, and might produce incorrect results with unusual shells."	2717	standard shell, and might produce incorrect results with unusual shells.
		2718	See Info node `(elisp)Security Considerations'."
2718	(cond	2719	(cond
2719	((eq system-type 'ms-dos)	2720	((eq system-type 'ms-dos)
2720	;; Quote using double quotes, but escape any existing quotes in	2721	;; Quote using double quotes, but escape any existing quotes in


diff --git a/src/callproc.c b/src/callproc.c index eafd6217c0f..bb21c35dccc 100644 --- a/src/callproc.c +++ b/src/callproc.c
@@ -1660,7 +1660,7 @@ syms_of_callproc (void)
1660	DEFVAR_LISP ("shell-file-name", Vshell_file_name,	1660	DEFVAR_LISP ("shell-file-name", Vshell_file_name,
1661	doc: /* File name to load inferior shells from.	1661	doc: /* File name to load inferior shells from.
1662	Initialized from the SHELL environment variable, or to a system-dependent	1662	Initialized from the SHELL environment variable, or to a system-dependent
1663	default if SHELL is not set. */);	1663	default if SHELL is unset. See Info node `(elisp)Security Considerations'. */);
1664		1664
1665	DEFVAR_LISP ("exec-path", Vexec_path,	1665	DEFVAR_LISP ("exec-path", Vexec_path,
1666	doc: /* List of directories to search programs to run in subprocesses.	1666	doc: /* List of directories to search programs to run in subprocesses.