Frank Victor Fischer wrote:

> I have my home directory mounted via a kerberos - secured NFS4. All the user 
> and groups of the files are mapped to nobody/nobody, so when trying to write 
> to .viminfo, vim fails with the error:
> E137: Viminfo file is not writable
> 
> The problem resides in ex_cmds.c:
> if (mch_stat((char *)fname, &st_old) == 0 && getuid()
>         && !(st_old.st_uid == getuid()
>                 ? (st_old.st_mode & 0200)
>                 : (st_old.st_gid == getgid()
>                         ? (st_old.st_mode & 0020)
>                         : (st_old.st_mode & 0002))))
> {
> 
> which only checks for the main unix permissions and ignores any ACLs set or 
> security means like kerberized NFS.

Right.  This works for all normal Unix systems.  You will either have to
make your system compatible with normal Unix applications or if you use
fancy new features you will have to look for applications that support
them.  Perhaps one day someone will check out all the file access in Vim
and make a patch for it.  But this isn't simple, thus don't count on it.

> Workaround: Ignore the error

No, because it's very well possible that we can write to the file even
though we should not do it.  Specific case is after doing "su", you can
write the viminfo file and make it unreadable for the actual user.  I
have no idea what would happen when using ACL stuff.

> Solution:
> 1) Instead of the check above, use access((char *)fname, W_OK) to determine 
> whether the file is writable. However, this has some security implications as 
> shown by the access(2) manpage of FreeBSD:

That does not do the same thing.  Read the comment above the code.

> SECURITY CONSIDERATIONS
>      The access() system call is a potential security hole due to race
>      conditions and should never be used.  Set-user-ID and set-group-ID
>      applications should restore the effective user or group ID, and perform
>      actions directly rather than use access() to simulate access checks for
>      the real user or group ID.  The eaccess() system call likewise may be
>      subject to races if used inappropriately.
> 
> This section cannot be found in the access(2) manpage on Linux.

And it probably doesn't apply here.

> 2) open() the file and see if it works ...

That doesn't do the same thing.

-- 
Emacs is a nice OS - but it lacks a good text editor.
That's why I am using Vim.  --Anonymous

 /// Bram Moolenaar -- [EMAIL PROTECTED] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
