oss-sec mailing list archives

Re: Fw: Security risk of vim swap files

From: Simon McVittie <smcv () debian org>
Date: Wed, 1 Nov 2017 10:04:59 +0000

On Tue, 31 Oct 2017 at 20:33:30 -0600, Leonid Isaev wrote:

1. vim creates a swap file applying user's umask.


More specifically, this should be (and does indeed seem to be) the
permissions of the file being edited, masked by the user's umask -
so that if have a loose umask and I edit a secret file, the swap file
doesn't leak its contents.

~/tmp/vim% umask
022
~/tmp/vim% ls -Al
total 4
-rw------- 1 smcv smcv 8 Nov  1 09:50 secret-file
~/tmp/vim% gvim secret-file
~/tmp/vim% ls -Al
total 16
-rw------- 1 smcv smcv 12288 Nov  1 09:50 .secret-file.swp
-rw------- 1 smcv smcv     8 Nov  1 09:50 secret-file

A more naive implementation might have created .secret-file.swp with
-rw-r--r-- permissions according to my umask, but that would have been
bad.

Regards,
    smcv

Current thread:

Re: Fw: Security risk of vim swap files, (continued)
- - - Re: Fw: Security risk of vim swap files Adam Shannon (Oct 31)
    - Re: Fw: Security risk of vim swap files Gordo Lowrey (Oct 31)
- Re: Fw: Security risk of vim swap files Jason Cooper (Oct 31)
- Re: Security risk of vim swap files Simon Waters (Surevine) (Oct 31)
  - Re: Security risk of vim swap files Matthias Luft (Nov 07)
- Re: Fw: Security risk of vim swap files Tim (Oct 31)
  - Re: Fw: Security risk of vim swap files Kurt H Maier (Oct 31)
    - Re: Fw: Security risk of vim swap files Tim (Oct 31)
  - Re: Fw: Security risk of vim swap files Steffen Nurpmeso (Oct 31)
  - Re: Fw: Security risk of vim swap files Leonid Isaev (Nov 01)
    - Re: Fw: Security risk of vim swap files Simon McVittie (Nov 01)
    - Re: Fw: Security risk of vim swap files Tim (Nov 01)
    - Re: Fw: Security risk of vim swap files Jeffrey Walton (Nov 01)
    - Re: Fw: Security risk of vim swap files Kurt Seifried (Nov 01)
    - Re: Fw: Security risk of vim swap files Jakub Wilk (Nov 01)
    - Re: Fw: Security risk of vim swap files Solar Designer (Nov 01)
    - Re: Security risk of vim swap files Ian Zimmerman (Nov 06)
    - Re: Security risk of vim swap files Solar Designer (Nov 06)
    - Re: Security risk of vim swap files Jakub Wilk (Nov 06)
    - Re: Fw: Security risk of vim swap files Jakub Wilk (Nov 01)
    - Re: Fw: Security risk of vim swap files Leonid Isaev (Nov 01)

(Thread continues...)