From: Tim Cross
To: emacs-orgmode@gnu.org
Subject: Re: bug#48676: Arbitrary code execution in Org export macros
Date: Thu, 27 May 2021 22:55:56 +1000
Message-ID: <87r1hsmis2.fsf@gmail.com>
References: <2nk0nl7asb.fsf@fencepost.gnu.org>

Rafael Ramirez Morales writes:

> Just a couple of questions:
> who is the owner of the HELLO file?
> OR
> who is the owner of the "touch" process?
>
> Is the owner the unprivileged user or the "emacs" system?
>
> Thanks.

Not clear exactly what you're asking. The process which will execute the 'touch' will be a sub-process of the process running Emacs. This will typically be the user who executes Emacs and will have the same permissions and access rights as the user running Emacs. There is no 'emacs' system and the privileges will be the same as the user who runs Emacs. This is assuming a 'normal' installation, not some unusual setup which uses setuid or similar to alter the way Emacs runs or the ownership of files in a directory etc.
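A way to check the point made in the reply on a given machine, added here as an example and not part of the original message: a child process that runs `touch` keeps the parent's effective uid, the file it creates is owned by that uid, and the exception is a binary carrying setuid or setgid bits. The function names and the temporary directory are assumptions of this example.

```shell
#!/bin/sh
# Added illustration; function names and the temp directory are assumptions.

# Numeric owner uid of a file, taken from the third field of `ls -ln`.
owner_uid() {
    ls -ln "$1" | awk '{ print $3 }'
}

# Spawn a child shell that runs `touch`, as the Emacs sub-process in the
# thread would, and print "<parent euid> <child euid> <file owner uid>".
child_touch_identity() {
    dir=$(mktemp -d) || return 1
    child=$(sh -c 'touch "$1" && id -u' sh "$dir/HELLO") || {
        rm -rf "$dir"
        return 1
    }
    echo "$(id -u) $child $(owner_uid "$dir/HELLO")"
    rm -rf "$dir"
}

# Report whether a binary carries the setuid or setgid bit, i.e. the
# "unusual setup" the reply excludes. Prints setuid, setgid, or normal.
special_bits() {
    if [ -u "$1" ]; then
        echo setuid
    elif [ -g "$1" ]; then
        echo setgid
    else
        echo normal
    fi
}

# Example run: inspect the emacs found on PATH (if any), then show the
# three uids, which are equal on a normal installation.
emacs_path=$(command -v emacs 2>/dev/null || true)
if [ -n "$emacs_path" ]; then
    echo "emacs ($emacs_path): $(special_bits "$emacs_path")"
fi
child_touch_identity
```

Three identical numbers on the last output line mean the file and the process that created it both belong to the user who started the parent.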