Date: Sun, 5 Nov 2017 18:59:59 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Bram@...lenaar.net
Subject: Re: Fw: Security risk of vim swap files

On Sun, Nov 05, 2017 at 06:17:04PM +0100, Christian Brabandt wrote:
> On Fr, 03 Nov 2017, Jakub Wilk wrote:
> 
> > In general, what vim does (copying mode bits) is not enough to ensure that
> > the swapfile is readable only by the users who had access to the original
> > file. It would have to copy also group ownership and ACLs.
> 
> I think patch https://github.com/vim/vim/releases/tag/v8.0.1263 fixes 
> the group ownership problem.

That's some effort and code complexity for a fix that is not even trying
to address the problem Hanno pointed out. :-(  What we really need is
simply forcing the permissions to 0600 no matter what.  I do notice that,
non-surprisingly, Bram said:

| Why would a web server expose and serve such a file?  That clearly is
| the problem, not that Vim happens to create swap files (and undo and
| backup files, depending on your configuration).
| 
| You probably also create new files and copies of files that should not
| be served.  If you care about security, the web server must always use
| whitelisting, only serve files that were intentionally made public.

This makes sense, yet Vim can and should also do its part to make things
safer when that does not conflict with its other goals nor introduce
complexity.  Simply using mode 0600 is a win-win: addresses the problem
Hanno reported for the common special case of web server running as a
different user than the file owner, does not break any functionality,
and makes Vim's code simpler.

Yes, let's also force 0600 for "undo and backup files", please.

Even without a web server or whatever other external interaction
aspects, copying the original file's permissions and/or obeying umask is
just wrong in this case because those files are created implicitly,
often without the user's intent and knowledge, and because they might
stay around for longer than the original file does.

Alexander
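
As an added example (not code from this post or from Vim), a Python check from the defender's side of the discussion above: it walks a directory tree for swap, undo and backup residue whose mode bits let group or others read it, and shows creating such a file at 0600 regardless of the original file's mode or the umask, as the post argues Vim should. The sample web root, its file names and modes are constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# Residue Vim leaves beside the edited file: swap (.name.swp, .name.swo, ...),
# undo (.name.un~) and backup (name~). Constructed pattern, not Vim's own list.
RESIDUE = re.compile(r"^(\..*\.sw[a-p]|\..*\.un~|.*~)$")

def audit_editor_residue(root):
    """Return sorted (relative path, mode) for residue files whose mode bits
    grant read to group or others. Only mode bits are checked; ACLs, which
    Jakub Wilk raised, need a separate getfacl-style check."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not RESIDUE.match(name):
                continue
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((os.path.relpath(path, root), mode))
    return sorted(findings)

def create_private_file(path):
    """Create path at 0600 regardless of the edited file's mode: the umask can
    only narrow 0600, never widen it, so no copying of mode bits is involved.
    O_EXCL refuses to reuse an existing path. Returns the resulting mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)

def build_demo_tree():
    """Constructed sample web root: a 0644 index.php with a swap file that
    copied its 0644 mode, a group-readable backup file, a properly private
    undo file, and the ordinary file itself (must not be reported)."""
    root = tempfile.mkdtemp(prefix="vim-residue-demo-")
    old = os.umask(0)  # so the constructed modes land exactly as listed
    try:
        for name, mode in [("index.php", 0o644), (".index.php.swp", 0o644),
                           ("config.php~", 0o640), (".config.php.un~", 0o600)]:
            fd = os.open(os.path.join(root, name), os.O_WRONLY | os.O_CREAT, mode)
            os.close(fd)
    finally:
        os.umask(old)
    return root
```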
