Re: Fw: Security risk of vim swap files

[Apostolis Hardalias <ahardalias () census-labs com>]

Running :help swap-file will indicate that you may change where swap
files are stored by default by adding a :set dir=~/.vim/swap-files in
your ~/.vimrc file.

Also, adding *.swp in your global gitignore file will save you alot of
trouble in the future.


On 10/31/2017 02:23 PM, Hanno Böck wrote:
> I just sent this to the vim dev list, but I guess it's interesting for
> oss-security, too.
>
> Begin forwarded message:
>
> Date: Tue, 31 Oct 2017 11:30:50 +0100
> Subject: Security risk of vim swap files
>
>
> Hi,
>
> I wanted to point out an issue here with vim swap files that make them
> a security problem.
>
> By default vim creates a file with the name .filename.swp in the same
> directory while editing. They contain the full content of the edited
> file. This usually gets deleted upon exit, but not if vim crashes or
> gets killed (e.g. due to a reboot).
>
> On web servers this can be a severe security risk. One can e.g. scan
> for web hosts that have swap files of PHP configuration files and thus
> expose settings like database passwords. (e.g. wget
> http://example.com/.wp-config.php.swp )
>
> In a scan of the alexa top 1 million I found ~750 instances of such
> files. I tried to inform affected people as best as I could. I also
> discovered such scans in my own web server logs, so I assume black hats
> are already aware of this and it's actively exploitet.
>
> I was wondering how to best avoid this on my own servers and I first
> thought about saving the swap files to tmp ( with "set directory").
> However on multiuser systems this creates another security problem.
> These files are world readable, thus instead of leaking information to
> the world it's now leaking information to other users on the same
> system. Thus even if one is aware of the issue it's nontrivial to get
> secure settings (I've now worked around this by having per-user tmp
> dirs with secure permissions.)
>
> I think vim should change the behavior of swap files:
> 1. they should be stored in /tmp by default
> 2. they should have secure permissions (tmp file security is
> a tricky thing and needs careful consideration to avoid symlink attacks
> and the like, but there are dedicated functions for this like mkstemp).
> 3. Ideally they also shouldn't leak currently edited filenames (e.g.
> they shouldn't be called /tmp/.test.txt.swp, but more something
> like /tmp/.vim_swap.123782173)

Attachment: signature.asc
Description: OpenPGP digital signature