Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 1 Nov 2017 10:04:59 +0000
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Fw: Security risk of vim swap files

On Tue, 31 Oct 2017 at 20:33:30 -0600, Leonid Isaev wrote:
> 1. vim creates a swap file applying user's umask.

More specifically, this should be (and does indeed seem to be) the
permissions of the file being edited, masked by the user's umask -
so that if have a loose umask and I edit a secret file, the swap file
doesn't leak its contents.

~/tmp/vim% umask
022
~/tmp/vim% ls -Al
total 4
-rw------- 1 smcv smcv 8 Nov  1 09:50 secret-file
~/tmp/vim% gvim secret-file
~/tmp/vim% ls -Al
total 16
-rw------- 1 smcv smcv 12288 Nov  1 09:50 .secret-file.swp
-rw------- 1 smcv smcv     8 Nov  1 09:50 secret-file

A more naive implementation might have created .secret-file.swp with
-rw-r--r-- permissions according to my umask, but that would have been
bad.

Regards,
    smcv

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.