emacs-devel

Emacs RPC security (was: Emacs RPC)


From: Ted Zlatanov
Subject: Emacs RPC security (was: Emacs RPC)
Date: Mon, 25 Apr 2011 12:00:57 -0500
User-agent: Gnus/5.110016 (No Gnus v0.16) Emacs/24.0.50 (gnu/linux)

On Sat, 23 Apr 2011 20:54:28 +0200 Lars Magne Ingebrigtsen <address@hidden> wrote:

LMI> I'm running a lot of Emacs-based servers here and there, and I
LMI> communicate with them via "emacsclient --eval".  But it just occurred to
LMI> me that it would be much more elegant to have an `emacs-client-rpc'
LMI> function, so that I wouldn't have to parse the output from emacsclient
LMI> in a shell.

On Mon, 25 Apr 2011 09:57:15 -0300 Stefan Monnier <address@hidden> wrote: 

>> Please, please implement this securely from the start.  emacsclient is
>> terribly insecure and we don't need to repeat that.

SM> Lars's proposal has nothing to do with the network communication level.

If we're going to provide *RPC*, we should worry about security at all
levels, not just at the transport level.  Otherwise it's just "run any
code remotely on an Emacs instance" which doesn't sound as fun, right?

SM> So, please take this security issue to another thread.

I've changed the subject as requested.

I think RPC support needs two things:

1) authentication: the server should be able to verify the client's
identity and the client should be able to verify the server's identity.
This can be accomplished with SSL certificates and GnuTLS or by signing
each message.

2) authorization: the server should be able to associate each client
identity with only certain functions it can invoke directly.

The above should work across platforms and between any two networked
machines with as few external dependencies as possible.  I think the
GnuTLS support can handle (1), plus it can encrypt the network traffic
which improves security.  (2) needs to happen in the server's eval loop.

Ted
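Added example, not part of the thread and not Emacs's own code: a sketch in Emacs Lisp of the two layers the mail asks for, authentication of each message and a per-identity allowlist enforced in the server's dispatch loop. Everything prefixed `my-rpc-' is hypothetical, the wire format is assumed to be a plist, and a per-client shared secret with HMAC-SHA256 (built from `secure-hash') stands in for the GnuTLS certificate or message-signing machinery the mail names; the client keys and requests are constructed for the demo.

```elisp
;; Added example (not from the thread or from Emacs).  Wire format, assumed:
;;   (:client ID :form "(fn arg ...)" :mac HEX)
;; (1) authentication: HMAC-SHA256 over "ID\nFORM" with a per-client secret.
;; (2) authorization: FN must be on ID's allowlist and every argument must be
;;     a literal; arguments are passed with `apply', never `eval', so an
;;     allowed function cannot smuggle in a nested form like
;;     (emacs-version (shell-command-to-string "id")).

(require 'cl-lib)

(defvar my-rpc-client-keys
  '(("build-box" . "example-secret-key-1")
    ("gnus-box"  . "example-secret-key-2"))
  "Constructed shared secrets, keyed by client identity (hypothetical).")

(defvar my-rpc-client-acl
  '(("build-box" emacs-pid emacs-version)
    ("gnus-box"  gnus-group-get-new-news))
  "Which functions each identity may invoke directly (hypothetical).")

(defun my-rpc-hmac-sha256 (key message)
  "Return the hex HMAC-SHA256 of MESSAGE under KEY (RFC 2104 over SHA-256)."
  (let* ((key (encode-coding-string key 'utf-8 t))
         (msg (encode-coding-string message 'utf-8 t))
         ;; Work on byte lists so padding never turns the key multibyte.
         (bytes (append (if (> (length key) 64)
                            (secure-hash 'sha256 key nil nil t)
                          key)
                        nil))
         (bytes (append bytes (make-list (- 64 (length bytes)) 0)))
         (ipad (apply #'unibyte-string (mapcar (lambda (b) (logxor b #x36)) bytes)))
         (opad (apply #'unibyte-string (mapcar (lambda (b) (logxor b #x5c)) bytes))))
    (secure-hash 'sha256
                 (concat opad (secure-hash 'sha256 (concat ipad msg) nil nil t)))))

(defun my-rpc-signature-valid-p (client form-text mac)
  "Authentication: does MAC bind FORM-TEXT to CLIENT's secret?"
  (let ((key (cdr (assoc client my-rpc-client-keys))))
    ;; `equal' is not constant-time; a real service should use a
    ;; constant-time compare or let TLS authenticate the peer instead.
    (and key (stringp form-text) (stringp mac)
         (equal (my-rpc-hmac-sha256 key (concat client "\n" form-text)) mac))))

(defun my-rpc-literal-p (x)
  "Non-nil if X is a self-evaluating argument we are willing to pass through."
  (or (stringp x) (numberp x) (keywordp x) (memq x '(nil t))))

(defun my-rpc-authorized-p (client form)
  "Authorization: FORM is (FN LITERAL ...) with FN on CLIENT's allowlist."
  (and (consp form)
       (symbolp (car form))
       (memq (car form) (cdr (assoc client my-rpc-client-acl)))
       (cl-every #'my-rpc-literal-p (cdr form))))

(defun my-rpc-handle (message)
  "Handle one MESSAGE plist; return (ok . VALUE) or (error . REASON).
Order matters: verify the MAC before `read', check the ACL before
calling, and `apply' literal arguments instead of `eval'ing the form."
  (let ((client (plist-get message :client))
        (form-text (plist-get message :form))
        (mac (plist-get message :mac)))
    (if (not (my-rpc-signature-valid-p client form-text mac))
        '(error . "authentication failed")
      (condition-case err
          (let ((form (car (read-from-string form-text))))
            (if (my-rpc-authorized-p client form)
                (cons 'ok (apply (car form) (cdr form)))
              (cons 'error (format "%s: %S is not an authorized call"
                                   client form))))
        (error (cons 'error (error-message-string err)))))))

(defun my-rpc-sign (client form-text)
  "Client side: build a signed request for FORM-TEXT as CLIENT."
  (list :client client :form form-text
        :mac (my-rpc-hmac-sha256 (cdr (assoc client my-rpc-client-keys))
                                 (concat client "\n" form-text))))

;; Constructed requests exercising each check, in order: accepted; MAC does
;; not cover the tampered form; function not on this identity's list;
;; allowed function but non-literal argument.
(my-rpc-handle (my-rpc-sign "build-box" "(emacs-pid)"))
(my-rpc-handle (plist-put (my-rpc-sign "build-box" "(emacs-pid)")
                          :form "(kill-emacs)"))
(my-rpc-handle (my-rpc-sign "gnus-box" "(emacs-pid)"))
(my-rpc-handle (my-rpc-sign "build-box"
                            "(emacs-version (shell-command-to-string \"id\"))"))
```

Only the first of the four constructed requests is served; the other three are refused before anything is called. The point of keeping the ACL on the head symbol alone is that it is not enough: once the server evaluates the whole form, any nested form in an argument position runs with the server's privileges, which is why the sketch refuses non-literal arguments and uses `apply' rather than `eval'.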
