Possible security issue: [PATCH] viminfo: create fallback tempfile with restrictive umask

Tue, 07 Nov 2017 09:49:18 -0800 

If the initial tempfile creation fails, possibly during a race condition
with two parallel vims writing the tempfile, then a fallback code is
used. However while the normal code uses a restrictive umask (or the
mode of the existing viminfo), the fallback code uses the default umask
of the user. This can result in a viminfo which is readable by all
users possibly leaking sensitive information.
---
 src/ex_cmds.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

Hello,

We noticed this issue on a multi-user system where viminfos
became readable by other users from time to time. We think this
issue is caused by the fallback code in write_viminfo() which
doesn't enforce a strict umask. This patch should fix this issue.

However this patch won't help users which were already affected
by this race condition as write_viminfo() retains the permissions
of an existing viminfo. As the use-case for a viminfo readable by
others doesn't seem very relevant to me, I recommend changing the
viminfo code to always enforce 0600 permissions to prevent this
kind of information leak (for affected users and in general).

Regards
Simon

diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index 154372883..cc50409cf 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -2012,8 +2012,15 @@ write_viminfo(char_u *file, int forceit)
            if (fp_out == NULL)
            {
                vim_free(tempname);
-               if ((tempname = vim_tempname('o', TRUE)) != NULL)
+               if ((tempname = vim_tempname('o', TRUE)) != NULL) {
+#if defined(UNIX) || defined(VMS)
+                   umask_save = umask(077);
+#endif
                    fp_out = mch_fopen((char *)tempname, WRITEBIN);
+#if defined(UNIX) || defined(VMS)
+                   (void)umask(umask_save);
+#endif
+               }
            }
 
 #if defined(UNIX) && defined(HAVE_FCHOWN)
-- 
2.15.0

-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

-- 
-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

--- 
You received this message because you are subscribed to the Google Groups 
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Raspunde prin e-mail lui