[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 3 Nov 2017 17:39:36 +0100
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Re: Re: Fw: Security risk of vim swap files
* Christian Brabandt <cb@...bit.org>, 2017-11-02, 22:29:
>Vim copies the permission from the file being edited. Although the swap
>file is readable by others this does not leak any information here,
>since the file being edited is already readable by others.
In general, what vim does (copying mode bits) in not enough to ensure
that the swapfile is readable only by the users who had access to the
original file. It would have to copy also group ownership and ACLs.
Also, keep in mind how this thread started. Somebody edited
wp-config.php, which was readable by the web server, of course; then vim
created .wp-config.php.swp with the same-ish permissions, which made the
file readable to the whole (external) world. Oops.
--
Jakub Wilk
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
