Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 03 Nov 2017 18:11:12 -0400
From: Daniel Micay <danielmicay@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: nvi crash recovery (was Re: Re:
 Security risk of server side text editing in general and vim.tiny
 specifically)

On Fri, 2017-11-03 at 21:26 +0100, Hanno Böck wrote:
> On Fri, 3 Nov 2017 11:12:43 -0700
> Ian Zimmerman <itz@...y.loosely.org> wrote:
> 
> > How much of this (and the parallel thread of course) applies to nvi?
> 
> This is actually interesting:
> nvi saves recovery files to /var/tmp/vi.recover and creates them with
> 600 permissions.
> So all the problems discussed don't really apply here.
> However the dir itself gets created by the first user using nvi. Not
> sure if that causes any other problems (permissions are rwx for all
> and
> sticky bit).

It's strange it's using /var/tmp instead of ~/.cache but at least it can
be protected with PAM's per-user isolated directory support rather than
relying on it being done securely.

In /etc/security/namespace.conf, for per-user isolated /tmp and /var/tmp:

    /tmp     /tmp-inst/     level
    /var/tmp /var/tmp-inst/ level

In /etc/pam.d/system-auth:

    session   required  pam_namespace.so

Likely also want to mount /tmp-inst as tmpfs (mode=000) if /tmp was
tmpfs rather than just using the root directory pam will create.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.