oss-sec mailing list archives
Re: Fw: Security risk of vim swap files
From: Christian Brabandt <cb () 256bit org>
Date: Thu, 2 Nov 2017 22:29:16 +0100
Kurt Seifried wrote:
There is a flaw here, it appears on some distros that vim (and emacs) will ignore a user's umask and go with less restrictive file permissions (ideally you think vi would use the files existing perms, plus any umask limitations as expected), for example vim failing: [kseifrie@...alhost vi]$ umask 0007 [kseifrie@...alhost vi]$ touch foo [kseifrie@...alhost vi]$ ls -la total 8 drwxrwxr-x. 2 kseifrie kseifrie 4096 Oct 31 10:50 . drwx--x---. 27 kseifrie kseifrie 4096 Oct 31 10:42 .. -rw-rw----. 1 kseifrie kseifrie 0 Oct 31 10:50 foo [kseifrie@...alhost vi]$ chmod o+r foo [kseifrie@...alhost vi]$ ls -la total 8 drwxrwxr-x. 2 kseifrie kseifrie 4096 Oct 31 10:50 . drwx--x---. 27 kseifrie kseifrie 4096 Oct 31 10:42 .. -rw-rw-r--. 1 kseifrie kseifrie 0 Oct 31 10:50 foo [kseifrie@...alhost vi]$ vi foo in another terminal: [kseifrie@...alhost vi]$ ls -la total 12 drwxrwxr-x. 2 kseifrie kseifrie 4096 Oct 31 10:50 . drwx--x---. 27 kseifrie kseifrie 4096 Oct 31 10:42 .. -rw-rw-r--. 1 kseifrie kseifrie 0 Oct 31 10:50 foo -rw-r--r--. 1 kseifrie kseifrie 4096 Oct 31 10:50 .foo.swp So vim ignores the umask of the user =(.
So from a CVE perspective we have a situation where a user has explicitly set a umask (of say 0007) which is to say they've made a security assertion of "any file I create I want the rwx permissions for "other" removed" which vim and emacs (and possibly others) are violating when they create swap files/backups/whatever. To add insult to injury most other utilities that create a file (e.g. cp, cat, dd) seem to respect umask. Please use CVE-2017-1000382 for VIM version 8.0.1187 (and other versions most likely) ignores umask when creating a swap file (\"[ORIGINAL_FILENAME].swp\") resulting in files that may be world readable or otherwise accessible in ways not intended by the user running the vi binary.
Vim copies the permission from the file being edited. Although the swap file is readable by others this does not leak any information here, since the file being edited is already readable by others. Christian
Current thread:
- Re: Security risk of vim swap files, (continued)
- Re: Security risk of vim swap files Solar Designer (Nov 06)
- Re: Security risk of vim swap files Jakub Wilk (Nov 06)
- Re: Fw: Security risk of vim swap files Jakub Wilk (Nov 01)
- Re: Fw: Security risk of vim swap files Leonid Isaev (Nov 01)
- Re: Fw: Security risk of vim swap files Jan Pokorný (Nov 01)
- Re: Re: Fw: Security risk of vim swap files Michael Orlitzky (Nov 01)
- Re: Re: Fw: Security risk of vim swap files Florent Rougon (Nov 01)
- Re: Re: Fw: Security risk of vim swap files Kurt Seifried (Nov 02)
- Re: Re: Fw: Security risk of vim swap files Jakub Wilk (Nov 03)
- Re: Re: Fw: Security risk of vim swap files Scott Court (Nov 03)
- Re: Re: Fw: Security risk of vim swap files Nick Bowler (Nov 03)
- Re: Fw: Security risk of vim swap files Christian Brabandt (Nov 03)
- Re: Fw: Security risk of vim swap files Christian Brabandt (Nov 03)
- Re: Fw: Security risk of vim swap files Christian Brabandt (Nov 05)
- Re: Fw: Security risk of vim swap files Solar Designer (Nov 05)
- Re: Fw: Security risk of vim swap files Scott Court (Nov 05)
- Re: Fw: Security risk of vim swap files Kurt Seifried (Nov 05)