Micah Cowan wrote:
> A.J.Mechelynck wrote:
>> Micah Cowan wrote:
>>> Bram Moolenaar wrote:
>>>> [...]
>>>> The solution is simple: Don't create a link in place of the .viminfo
>>>> file.  And certainly not to /dev/null.
>>>>
>>>> Background info: When Vim finds an existing .viminfo file, it writes the
>>>> new info into a temp file (since it's still reading from the existing
>>>> one it can't be overwritten).  When finished the temp file is moved in
>>>> place of the old .viminfo and owner and protection are set to match the
>>>> original.
>>>>
>>>> Vim intentionally doesn't follow symlinks for .viminfo, because that can
>>>> be used for a symlink attack, a security issue.
>>>
>>> How so? The user won't be able to attack files he doesn't have write
>>> permission to, and other users wouldn't be running from his .viminfo,
>>> AFAICT. And the user shouldn't have permission to replace other users'
>>> .viminfo's with a symlink... so I'm missing something.
>>
>> Maybe you're missing the fact that /dev/null is crw-rw-rw- i.e.
>> world-readable and -writable?
>
> No, I'm not missing that. Why should that make a difference? It is,
> after all, a special file; and only root would be able to replace it
> with something else.
>
> Anyway, Bram was saying that it's a general security hole, not just for
> when /dev/null is the target.


Yes, but when a viminfo exists, Vim re-creates it with the same permissions. IIUC, a link inherits the permissions of the target: here, rw-rw-rw-.

Instead of linking to /dev/null, make sure your viminfo is not world-writable, and it will stay that way.


Best regards,
Tony.
--
hundred-and-one symptoms of being an internet addict:
231. You sprinkle Carpet Fresh on the rugs and put your vacuum cleaner
     in the front doorway permanently so it always looks like you are
     actually attempting to do something about that mess that has amassed
     since you discovered the Internet.
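
The write-to-a-temp-file-then-rename scheme described in Bram's quoted text, as an added Python sketch that is not Vim's code and not written by anyone in this thread. `rewrite_state_file` and `demo` are hypothetical names; the 0600 fallback for a non-regular original and the stripping of group/other write bits are choices made for this example, and ownership is left unchanged.

```python
import contextlib
import os
import stat
import tempfile


def rewrite_state_file(path: str, data: bytes) -> int:
    """Replace path with data via temp file + rename; return the new file's mode."""
    mode = 0o600  # used when there is no original, or it is not a regular file
    with contextlib.suppress(FileNotFoundError):
        st = os.lstat(path)  # lstat inspects the path itself, never a link target
        if stat.S_ISREG(st.st_mode):
            # Match the original's protection, minus group/other write
            # (hardening chosen for this example).
            mode = stat.S_IMODE(st.st_mode) & ~0o022
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".state-")  # O_EXCL, 0600
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, mode)
        os.replace(tmp, path)  # rename(2) replaces a symlink itself, not its target
    except BaseException:
        with contextlib.suppress(FileNotFoundError):
            os.unlink(tmp)
        raise
    return mode


def demo() -> dict:
    """Constructed scenario: the state file is a symlink to a world-writable file."""
    with tempfile.TemporaryDirectory() as d:
        target, link = os.path.join(d, "target"), os.path.join(d, "state")
        with open(target, "wb") as f:
            f.write(b"untouched")
        os.chmod(target, 0o666)
        os.symlink(target, link)
        rewrite_state_file(link, b"new info")
        with open(target, "rb") as t, open(link, "rb") as s:
            return {"still_symlink": os.path.islink(link), "target": t.read(),
                    "state": s.read(), "mode": stat.S_IMODE(os.lstat(link).st_mode)}


if __name__ == "__main__":
    print(demo())
```

After the rewrite the path is a regular file with mode 0600 and the former link target is byte-for-byte unchanged, which is why a symlink placed at the state file's path disappears on the next write.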
