Re: Fw: Security risk of vim swap files

[Leonid Isaev <leonid.isaev () jila colorado edu>]

On Wed, Nov 01, 2017 at 03:55:38PM +0100, Jakub Wilk wrote:
> * Leonid Isaev <leonid.isaev () jila colorado edu>, 2017-10-31, 20:33:
> > Just to clarify:
> > 1. vim creates a swap file applying user's umask.
>
> I reproduced Kurt's findings on Debian unstable. Vim chmods the swapfile
> without honouring umask.
>
> It does seem to keep read permissions of the original file, which is not the
> same thing as honouring umask, and which is a rather dubious behavior,
> especially when editing files belonging to other users.

Hmm, my umask is 0077, and vim creates swap files with permissions 600. But I
never used debian, so dunno...

> > 2. It is totally OK to edit files in /tmp or /dev/shm or /var/tmp.
>
> No, it's not.

Except when you want to avoid writes to the /home filesystem...

> > The described "attack" when someone plants a /tmp/file.swp before
> > another user edits /tmp/file is not going to work because vim will
> > complain that the swap file already exists.
>
> Sounds like a successful (albeit mild) DoS attack to me.
> But it's worse than that. vim attempts to read the swapfile before showing
> you the complaint:
>
> $ mkfifo -m 644 /tmp/.bar.swp
> $ vim /tmp/bar
> [hangs forever]

Yes, I agree there are some inconveniences, but there is no information
disclosure others seem to have pointed out.

Cheers,
-- 
Leonid Isaev