On Thu, 02 Nov 2017, z5...@z5t1.com wrote:
>
> However, there is another problem with the swap file permissions that has not yet been discussed: when Vim creates swap files, the .swp file is created with the owner and group set to the user who is editing the file (hereafter referred to as the "editor") and the editor's primary group respectively. The permission bits on the swap file are the same as the original file.
>
> This is a problem, as the editor's primary group may be different from the group of the file being edited. Take /etc/shadow for example. That file is supposed to have the permissions 640 with owner: root, group: shadow as a quick `ls -l` shows:
>
> -rw-r----- 1 root shadow 1195 Sep 16 20:09 /etc/shadow
>
> However, shadow is not the root user's primary group; on this system it happens to be 'users', which every other user on the system is also a member of. Now if root goes to edit the file, a swap file is created in /etc/.shadow.swp with the following permissions:
>
> -rw-r----- 1 root users 4096 Nov 2 13:52 /etc/.shadow.swp
>
> This swap file is now readable by every user on the system. Keep in mind the /etc/shadow file contains hashes of every user's password, so now the password for every single user on the system may have been compromised.

That looks like a problem.
>
> --- Solution ---
>
> I have found this problem can be mitigated by changing the swap directory with the 'set directory' directive as Hanno originally suggested. I have added the following lines to my '/etc/vimrc':
>
> " Move the swap file location to protect against CVE-2017-1000382
> silent !install -d -m 700 ~/.vim/swap/ 2>&1 > /dev/null

You likely want to add a check whether the directory exists, so that
Vim does not need to shell out every time it is called. Note, there is
also `system()` available. See `:h isdirectory()` and `:h system()`.

> set directory=~/.vim/swap/

,----[ :h 'directory' ]-
| - For Unix and Win32, if a directory ends in two path separators "//"
| or "\\", the swap file name will be built from the complete path to
| the file with all path separators substituted to percent '%' signs.
| This will ensure file name uniqueness in the preserve directory.
`----

> This safely sets the swap file directory to a directory that should
> not cause any security problems. For added security, the directory is
> created so that only the owner has access to it, regardless of how the
> system's umask or .swp file permissions are set.

What about files that are edited by several users, possibly at the same
time? They won't get a warning message now.

> Additionally, the swap file collision (if you edit both ~/foo/file and
> ~/bar/file at the same time) is not a major issue; Vim detects this
> and gives the second swap file a different file extension. When you go
> to restore from the swap file, you get a prompt asking which swap file
> you want to use (if there are two swap files with the same basename),
> which doesn't strike me as being terribly problematic. While this
> approach may have some minor issues/quirks, for me it seems far
> preferable to being vulnerable to this vulnerability.

And how do you know from which swap file to recover? Additionally, if
there is ~/.vim/swap/.foo.txt.swp and ~/.vim/swap/.foo.txt.swo and the
first swap file is removed (after the editing session finishes), you
won't get a swap file recovery message anymore when editing a file for
which only ~/.vim/swap/.foo.txt.swo exists.

> I have already applied this fix on Cucumber Linux and thought you may
> want to consider applying a similar fix upstream.

You might want to tweak your setting as mentioned above.

Christian
--
The world is a bell that has a crack: it rattles, but does not
ring.
-- Goethe, Maximen und Reflektionen, No. 333
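
The exposure described in the quoted report (a swap file readable by a group that cannot read the edited file) can be checked for on an existing system. The script below is an added example, not part of this thread or of Vim; the `.sw[a-p]` name pattern, the function names and the sample gid numbers are assumptions made for illustration.

```python
import os
import re
import stat
from types import SimpleNamespace

# Assumed naming: ".name.swp", then ".swo", ".swn", ... when names collide.
SWAP_RE = re.compile(r"^\.(?P<name>.+)\.sw[a-p]$")

def swap_exposure(orig, swap):
    """Return why `swap` is readable by more users than `orig`, else None."""
    if orig.st_mode & stat.S_IROTH:
        return None  # the edited file is already world-readable
    if swap.st_mode & stat.S_IROTH:
        return "swap file is world-readable, original is not"
    if swap.st_mode & stat.S_IRGRP and (
            swap.st_gid != orig.st_gid or not orig.st_mode & stat.S_IRGRP):
        return (f"swap file is readable by gid {swap.st_gid}; original is "
                f"gid {orig.st_gid}, mode {stat.S_IMODE(orig.st_mode):o}")
    return None

def audit(root):
    """Walk `root`; return [(swap_path, reason)] for exposed swap files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            m = SWAP_RE.match(fname)
            if not m:
                continue
            swap_path = os.path.join(dirpath, fname)
            # The edited file is "name", or ".name" if it is a dotfile.
            for cand in (m["name"], "." + m["name"]):
                try:
                    orig = os.stat(os.path.join(dirpath, cand))
                    reason = swap_exposure(orig, os.lstat(swap_path))
                except OSError:
                    continue  # no such original, or a file vanished
                if reason:
                    findings.append((swap_path, reason))
                break
    return findings

# Constructed sample mirroring the two `ls -l` lines in the quoted report;
# gids 42 ("shadow") and 100 ("users") are made-up numbers.
SHADOW = SimpleNamespace(st_mode=stat.S_IFREG | 0o640, st_gid=42)
SHADOW_SWP = SimpleNamespace(st_mode=stat.S_IFREG | 0o640, st_gid=100)

if __name__ == "__main__":
    print(swap_exposure(SHADOW, SHADOW_SWP))
    print(audit("."))
```

Swap files kept in a private directory such as `~/.vim/swap/` no longer sit next to the edited file, so this check only covers swap files created with the default `directory` setting.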