How to build Emacs for Servers?

emacs stunnel gnutls server
server
Deutsch

Who?

Difficulty: medium.

You know how to maintain remote servers and you should know a bit of:

  • shell (sh, bash or similar)
  • build processes (GNU make, auto tools)
  • editing files
GNU Emacs 27.1 FreeBSD 12.1
GNU Emacs 27.1 FreeBSD 12.1

Why?

Emacs has been there before the earth was formed. To use it even in environments like your servers where you can’t or don’t want to simply install it you might want to build it from sources.

This sounds heavy as Emacs sounds heavy. But it’s not!

Just leave out the GNU TLS and the X windows system part (what X on your headless servers, huh?) and you can now view and edit even those huge files directly where they are. But to do so you want to install those helpful packages, don’t you? We want to do this without that strange feeling when not using TLS, that’s why we will use a lightweight secure tunnel.

Tldr;

  • Get Emacs sources
  • Configure and make install in home directory without X and GNUTLS
  • Install stunnel
  • Configure stunnel to tunnel to elpa + melpa
  • Update ~/.emacs

Prerequisites

Emacs Sources

Download (and extract if it’s a tar.xz) the Emacs sources from GNU via git or tar.xz, below works for Emacs >= 27.1. If available please compare checksums and validate the signature with gpg.

Stunnel

To avoid building GNU TLS and its dependencies we will take the shortcut through stunnel. Stunnel is a TLS tunneling server which will tunnel the plain text http requests from Emacs to the update servers in a secure way. It sits between the local http request and the https server outside.

Stunnel is lightweight and doesn’t need any further dependencies. It builds quickly. I recommend to install it like you usually do on your server so it becomes part of the update cycle.

Prepare Emacs Build

mkdir $HOME/myemacs

In the downloaded and extracted Emacs directory do:

./autogen.sh
./configure --without-gnutls --with-sound=no --without-x --prefix=$HOME/myemacs/ --exec-prefix=$HOME/myemacs/

Check for warnings and errors.

Build Emacs

On a Linux please use “make” instead of “gmake”.

gmake # build
gmake install # install into the myemacs directory structure, please make sure it exists and is writable

If you have a bin directory in your search path you might want to create symbolic links to the executables:

cd $HOME/bin
ln -s $HOME/myemacs/bin/* .

Configure Stunnel

On FreeBSD you might want to install stunnel through the ports collection and append STUNNEL_ENABLE=YES to /etc/rc.conf. Please consider not running it as root.

Create a certificate to authenticate stunnel against the remote server as a PEM file.

In the configuration file add (please check the ports and the cert location):

[emacs-melpa]
client = yes
accept = 9902
sni = melpa.org
connect = melpa.org:443
cert = /usr/local/etc/stunnel/stunnel.pem

[emacs-elpa]
client = yes
accept = 9901
sni = elpa.gnu.org
connect = elpa.gnu.org:443
cert = /usr/local/etc/stunnel/stunnel.pem

Start stunnel (manually by having the above configuration file as the first argument). Stunnel doesn’t need a privileges account as we have not configured to run it as a server with ports < 1024 so you should be able to run it as a normal user.

Configure Emacs

We need to tell Emacs that it now has to look for package updates locally.

Modify your ~/.emacs file that the following lines will be the first lines:

(require 'package)
(let* ((no-ssl (and (memq system-type '(windows-nt ms-dos))
                    (not (gnutls-available-p))))
       (proto (if no-ssl "http" "https")))
  (add-to-list 'package-archives (cons "melpa" "http://localhost:9902/packages/"))
  (add-to-list 'package-archives (cons "gnu" "http://localhost:9901/packages/"))
  )
(package-initialize)

Run

Now you should be ready to run Emacs and install packages. Updating Emacs doesn’t need the steps above anymore except for the build and install process.

Security

You can now use your favourite piece of software for viewing and editing files.

Older GNU Emacs versions allowed remote attackers to execute arbitrary code via email with specially crafted data. Although this had been addressed and corrected please don’t use this version of Emacs for browsing websites or reading emails on your servers.

Check your /.emacs configuration file for suspicious entries.