Bugtraq mailing list archives
Re: vulnerability in vi under AIX 3.2 (IN LINUX)
From: zblaxell () myrus com (Zygo Blaxell)
Date: Thu, 25 Jul 1996 10:18:22 -0400
In article <199607241812.TAA00349 () datasys underground pt>, Nelson N. Escravana <BUGTRAQ () NETSPACE ORG> wrote:
> Marina Buitrago Bravo wrote:
>> Hello all. I have found out that under AIX 3.2 the vi editor interprets the file ./.exrc, even if you are root and this file is not owned by you. This vulnerability seems rather obvious to me, do you know if a patch exists for this? SunOS 4.1.3 has a similar feature, but the file is interpreted only if root owns the file ./.exrc.
>
> I have tested it on Slackware 3.0 and it also executes .exrc even if you are root, and the file doesn't belong to you.

Errr...is that elvis, vim, nvi, or something else? I think Slackware uses elvis by default, but I can't be sure.

'nvi' won't read ~/.exrc unless you own it (it also reports the existence of other-owned .exrc files, if any). If you want to read ./.exrc, you have to enable that feature in ~/.exrc; it's off by default.

I don't know about the behavior of vim or elvis; I 'rm -f'ed them a long time ago.

nvi has /var/tmp/vi.recover, a mode 1777 directory for its recovery files, owned by whoever runs nvi first. However, it's pretty smart about using this directory (as long as your OS kernel isn't braindead), and you can override the choice of directory if you want to be really secure.

elvis and vim both do highly dangerous things at various points in their execution. elvis has 'elvprsv', which you shouldn't run as root at bootup and definitely shouldn't setuid to root, despite what the docs say. 'vim file' will happily scribble all over 'file.swp', without regard to who owns it, what it's a symlink to, etc. Further, in the event of a system crash, the .swp file is left lying around, causing unpredictable results if you use vim to edit files in SysV-style init runlevel directories.

--
Zygo Blaxell. Unix/soft/hardware guru, was for U of Waterloo CS Club, now for
(name withheld by request). 10th place, ACM Intl Collegiate Programming Contest
Finals, 1994. Admin Linux/TCP/IP for food, clothing, anime. Pager: 1 (613) 760 8572.
"I gave up $1000 to avoid working on windoze... *sigh*" - Amy Fong
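
The two checks discussed in the message above (refusing a startup file the invoking user does not own, and never writing a swap file through an existing name or symlink), as an added C example. It is not part of the original post and is not code from nvi, vim or elvis; the function names and the temp-directory self-check are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a startup file only if it is a regular file owned by `owner` and not
 * group/world writable. The checks run on the open descriptor, so there is no
 * stat-then-open race; the caller reads from the returned fd. -1 = untrusted. */
int open_trusted_startup(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;                          /* missing, or a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Create a swap/recovery file without following or reusing anything already
 * at that name: O_CREAT|O_EXCL fails on an existing file or symlink. */
int create_swap_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed self-check in a private temp dir; returns a bitmask of passes. */
int demo(void)
{
    char dir[] = "/tmp/exrcdemoXXXXXX";
    uid_t me = geteuid();
    int r = 0, fd;
    if (!mkdtemp(dir) || chdir(dir) != 0) return -1;
    close(create_swap_file(".exrc"));       /* our own mode-0600 file */
    if (symlink(".exrc", "link") != 0) return -1;
    if ((fd = open_trusted_startup(".exrc", me)) >= 0) { r |= 1; close(fd); }
    if (open_trusted_startup(".exrc", me + 1) < 0) r |= 2;  /* other owner */
    if (open_trusted_startup("link", me) < 0) r |= 4;       /* symlink */
    if (chmod(".exrc", 0666) != 0) return -1;
    if (open_trusted_startup(".exrc", me) < 0) r |= 8;      /* world-writable */
    if (create_swap_file("link") < 0) r |= 16;   /* name held by a symlink */
    if ((fd = create_swap_file("new.swp")) >= 0) { r |= 32; close(fd); }
    unlink(".exrc"); unlink("link"); unlink("new.swp");
    return (chdir("/") == 0 && rmdir(dir) == 0) ? r : -1;
}
```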