Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 1 Nov 2017 11:41:54 -0400
From: Z5T1 <z5t1@...1.com>
To: oss-security@...ts.openwall.com
Subject: Re: Fw: Security risk of vim swap files

Hello All. I'd just like to add my two sense to this conversation.

I have reproduced this on Centos 6 and Cucumber Linux 1.0. It appears
that the umask plays no role in the permissions on swap files; Vim
creates its swap files with the same permissions as the file being
edited. This is still a problem though, as configuration files in
/var/www are usually readable by the httpd user, so the Vim .swp will
also be readable by the httpd user and consequentially anyone connecting
to the webserver.

Storing the swap files in /tmp is a bad idea for all the reasons
previously discussed; /tmp gets wiped on reboot on most (but not all)
Linux distributions and storing the swap files in a location that is
readable by every user on the system has is own security problems. For
instance, what if root goes to edit /etc/shadow and the swap file is
placed in /tmp?

I have found this problem can be mitigated by changing the swap
directory with the 'set directory' directive as Hanno originally
suggested. I have added the following lines to my '/etc/vimrc':

" Move the swap file location to protect against CVE-2017-1000382
silent !install -d -m 700 ~/.vim/swap/ 2>&1 > /dev/null
set directory=~/.vim/swap/

This safely sets the swap file directory to a directory that should not
cause any security problems. For added security, the directory is
created so that only the owner has access to it, regardless of how the
system's umask is set.

Additionally, the swap file collision (if you edit both ~/foo/file and
~/bar/file at the same time) is not a major issue; Vim detects this and
gives the second swap file a different file extension. When you go to
restore from the swap file, you get a prompt asking which swap file you
want to use (if there are two swap files with the same basename), which
doesn't strike me as being terribly problematic.

I will be adding this to the default '/etc/vimrc' on Cucumber Linux in
the next few hours. I thought it may be helpful for other distro
maintainers to know as well.

    - Scott




Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.