Date: Fri, 03 Nov 2017 18:11:12 -0400 From: Daniel Micay <danielmicay@...il.com> To: oss-security@...ts.openwall.com Subject: Re: nvi crash recovery (was Re: Re: Security risk of server side text editing in general and vim.tiny specifically) On Fri, 2017-11-03 at 21:26 +0100, Hanno Böck wrote: > On Fri, 3 Nov 2017 11:12:43 -0700 > Ian Zimmerman <itz@...y.loosely.org> wrote: > > > How much of this (and the parallel thread of course) applies to nvi? > > This is actually interesting: > nvi saves recovery files to /var/tmp/vi.recover and creates them with > 600 permissions. > So all the problems discussed don't really apply here. > However the dir itself gets created by the first user using nvi. Not > sure if that causes any other problems (permissions are rwx for all > and > sticky bit). It's strange it's using /var/tmp instead of ~/.cache but at least it can be protected with PAM's per-user isolated directory support rather than relying on it being done securely. In /etc/security/namespace.conf, for per-user isolated /tmp and /var/tmp: /tmp /tmp-inst/ level /var/tmp /var/tmp-inst/ level In /etc/pam.d/system-auth: session required pam_namespace.so Likely also want to mount /tmp-inst as tmpfs (mode=000) if /tmp was tmpfs rather than just using the root directory pam will create.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.