Date: Wed, 1 Nov 2017 10:04:59 +0000 From: Simon McVittie <smcv@...ian.org> To: oss-security@...ts.openwall.com Subject: Re: Fw: Security risk of vim swap files On Tue, 31 Oct 2017 at 20:33:30 -0600, Leonid Isaev wrote: > 1. vim creates a swap file applying user's umask. More specifically, this should be (and does indeed seem to be) the permissions of the file being edited, masked by the user's umask - so that if have a loose umask and I edit a secret file, the swap file doesn't leak its contents. ~/tmp/vim% umask 022 ~/tmp/vim% ls -Al total 4 -rw------- 1 smcv smcv 8 Nov 1 09:50 secret-file ~/tmp/vim% gvim secret-file ~/tmp/vim% ls -Al total 16 -rw------- 1 smcv smcv 12288 Nov 1 09:50 .secret-file.swp -rw------- 1 smcv smcv 8 Nov 1 09:50 secret-file A more naive implementation might have created .secret-file.swp with -rw-r--r-- permissions according to my umask, but that would have been bad. Regards, smcv
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.