oss-sec mailing list archives
Re: Fw: Security risk of vim swap files
From: Simon McVittie <smcv () debian org>
Date: Wed, 1 Nov 2017 10:04:59 +0000
On Tue, 31 Oct 2017 at 20:33:30 -0600, Leonid Isaev wrote:
> 1. vim creates a swap file applying user's umask.
More specifically, this should be (and does indeed seem to be) the permissions of the file being edited, masked by the user's umask - so that if I have a loose umask and I edit a secret file, the swap file doesn't leak its contents.

~/tmp/vim% umask 022
~/tmp/vim% ls -Al
total 4
-rw------- 1 smcv smcv 8 Nov 1 09:50 secret-file
~/tmp/vim% gvim secret-file
~/tmp/vim% ls -Al
total 16
-rw------- 1 smcv smcv 12288 Nov 1 09:50 .secret-file.swp
-rw------- 1 smcv smcv 8 Nov 1 09:50 secret-file

A more naive implementation might have created .secret-file.swp with -rw-r--r-- permissions according to my umask, but that would have been bad.

Regards,
smcv
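Added example, not part of the original message and not vim's code: a sketch of the two creation strategies the message contrasts (sidecar mode taken from the edited file and then masked by the umask, versus the umask alone), plus a check that flags a swap file granting permission bits its original lacks. The function names and the temporary-directory scenario are constructed for illustration, and only the .NAME.swp naming shown in the message is handled.

```python
import os
import stat
import tempfile

def create_sidecar(original, sidecar, inherit_mode=True):
    """Create sidecar exclusively; return the permission bits it ended up with."""
    # inherit_mode=True asks open(2) for the original's bits; the kernel then
    # clears what the umask forbids. False asks for 0o666 (umask alone decides).
    wanted = stat.S_IMODE(os.stat(original).st_mode) if inherit_mode else 0o666
    # O_EXCL: fail instead of reusing a file that already exists at that path.
    fd = os.open(sidecar, os.O_WRONLY | os.O_CREAT | os.O_EXCL, wanted)
    try:
        return stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)

def looser_sidecars(directory):
    """List .NAME.swp files that grant permission bits NAME itself lacks."""
    found = []
    for name in sorted(os.listdir(directory)):
        if not (name.startswith(".") and name.endswith(".swp")):
            continue  # only the .NAME.swp pattern shown in the message
        original = os.path.join(directory, name[1:-4])
        if not os.path.isfile(original):
            continue
        side = stat.S_IMODE(os.stat(os.path.join(directory, name)).st_mode)
        if side & ~stat.S_IMODE(os.stat(original).st_mode):
            found.append(name)
    return found

def demo():
    """Constructed scenario: umask 022 and a 0600 file, as in the message."""
    old = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            secret = os.path.join(d, "secret-file")
            swp = os.path.join(d, ".secret-file.swp")
            os.close(os.open(secret, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
            inherited = create_sidecar(secret, swp)
            clean = looser_sidecars(d)
            os.unlink(swp)
            naive = create_sidecar(secret, swp, inherit_mode=False)
            return inherited, clean, naive, looser_sidecars(d)
    finally:
        os.umask(old)

if __name__ == "__main__":
    print(demo())
```
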