Robert Lee wrote:
A.J.Mechelynck wrote:
Micah Cowan wrote:
A.J.Mechelynck wrote:
Micah Cowan wrote:
Bram Moolenaar wrote:
[...]
The solution is simple: Don't create a link in place of the .viminfo
file.  And certainly not to /dev/null.

Background info: When Vim finds an existing .viminfo file, it writes the
new info into a temp file (since it's still reading from the existing
one it can't be overwritten). When finished the temp file is moved in place of the old .viminfo and owner and protection are set to match the
original.

Vim intentionally doesn't follow symlinks for .viminfo, because that can
be used for a symlink attack, a security issue.

How so? The user won't be able to attack files he doesn't have write
permission to, and other users wouldn't be running from his .viminfo,
AFAICT. And the user shouldn't have permission to replace other users'
.viminfo's with a symlink... so I'm missing something.

Maybe you're missing the fact that /dev/null is crw-rw-rw- i.e.
world-readable and -writable?

No, I'm not missing that. Why should that make a difference? It is,
after all, a special file; and only root would be able to replace it
with something else.

Anyway, Bram was saying that it's a general security hole, not just for
when /dev/null is the target.


Yes, but when a viminfo exists, Vim re-creates it with the same permissions. IIUC, a link inherits the permissions of the target: here, rw-rw-rw-.

Instead of linking to /dev/null, make sure your viminfo is not world-writable, and it will stay that way.


Best regards,
Tony.

Tony,

Out of curiosity, what would vim do in this case:

cp -f /dev/null ~/.viminfo
chmod 400 ~/.viminfo

? Would it give any write errors? Would it delete and recreate? Would the file be left blank on exit?

I guess intuitively I would expect the file to be left blank (unmodified) without vim giving me any errors. But IIUC, vim would, on exit, actually silently delete the blank file, and create a new one with new contents with the permissions set to r--------. Is this correct?

Thanks!

-Robert


Let's find out (and, first, move my usual viminfo out of the way by renaming...)

Logged in as root: the viminfo is overwritten with non-zero length and -rw-------. But root can write anything. Let's retry with a different login.

At Vim shutdown:
E137: viminfo file is not writable: /home/tonymec/.viminfo
ls -l .viminfo
-r-------- 1 tonymec users 0 2007-05-12 23:52 .viminfo
The file remains zero-length and readonly.


Best regards,
Tony.
--
"Last week a cop stopped me in my car.  He asked me if I had a police
record.  I said, no, but I have the new DEVO album.  Cops have no sense
of humor."
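
The write-to-temp-then-rename pattern from the background info quoted in this thread, as an added C example that is not part of the original messages and is not Vim's source code. The helper name replace_keep_mode and the ".tmp" suffix are assumptions made for illustration; it refuses symlinks and other non-regular files and does not reproduce the E137 writability check seen in the test above.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not Vim's code. Returns 0 on success, -1 on an I/O
 * error, -2 when `path` is a symlink or other non-regular file (refused). */
int replace_keep_mode(const char *path, const char *data)
{
    struct stat st;
    char tmp[4096];
    int have_old = (lstat(path, &st) == 0);  /* lstat inspects the link itself */

    if (have_old && !S_ISREG(st.st_mode))
        return -2;                           /* symlink, device node, ...: leave it */
    if (snprintf(tmp, sizeof tmp, "%s.tmp", path) >= (int)sizeof tmp)
        return -1;

    /* O_EXCL fails if tmp already exists, even as a dangling symlink;
     * 0600 keeps the data private until the final mode is applied. */
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;

    size_t len = strlen(data);
    int ok = write(fd, data, len) == (ssize_t)len;
    if (ok && have_old)
        ok = fchmod(fd, st.st_mode & 07777) == 0;  /* match the original's protection */
    if (close(fd) != 0)
        ok = 0;
    /* rename() swaps the directory entry atomically; it never writes
     * through to whatever the old entry pointed at. */
    if (!ok || rename(tmp, path) != 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) return 2;
    int rc = replace_keep_mode(argv[1], "# constructed sample contents\n");
    printf("%s: %d\n", argv[1], rc);
    return rc ? 1 : 0;
}
```

Run against a symlink to /dev/null, the helper returns -2 and leaves both the link and the device untouched.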
