Bug#308258: vim: 'set secure' isn't for own files; docs misleading.

Adrian Irving-Beer <wisq-deb@wisq.net>, 308258@bugs.debian.org
Sun, 08 May 2005 21:07:44 -0400


Package: vim
Version: 1:6.3-058+1
Severity: normal

Taken from the help docs for the 'secure' option:

    [. . .] On Unix this option is only used if the ".vimrc" or
    ".exrc" is not owned by you.  This can be dangerous if the systems
    allows users to do a "chown".  You better set 'secure' at the end
    of your ~/.vimrc then.

The last sentence doesn't make any sense; no matter where or when you
set it, it has no effect on the execution of one's own .vimrc or
.exrc files.

Unpacking a tarball, checking out files via CVS or any other SCM,
etc., all create files owned only by the current user.  These can
contain .vimrc's or .exrc's with malicious instructions that will be
executed without restriction.

The docs are misleading in this regard; I thought I was "secure" (so
to speak) for years, and only just discovered I was an accident
waiting to happen.

Wishlist item:

   There's currently no way to distinguish a 'benign' .vimrc (e.g.
   official project indent settings) from a 'hostile' .vimrc (shell
   and write commands).  The 'secure' option would be ideal for this,
   if only it or a new sister option would enforce 'secure' rules on
   *all* .vimrc and .exrc files.

(If the doc bug is fixed without a true self-included 'secure' mode,
we can rename this report and reclassify it as a wishlist item, or I
can just submit a new one.)

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing'), (300, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)

Versions of packages vim depends on:
ii  dpkg                        1.10.27      Package maintenance system for Deb
ii  libc6                       2.3.2.ds1-21 GNU C Library: Shared libraries an
ii  libgpmg1                    1.19.6-19    General Purpose Mouse - shared lib
ii  libncurses5                 5.4-4        Shared libraries for terminal hand
ii  vim-common                  1:6.3-058+1  Vi IMproved - Common files

-- no debconf information
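As an added example (not part of the bug report, and not vim's own code): a small Python scanner that makes the report's distinction concrete. It walks a checkout for the per-directory rc files vim can source from the current directory and flags the lines that the 'secure' option would refuse there (shell escapes, write commands and autocommands), while leaving indent settings alone. The command table and the two sample rc files are constructed for this example; the abbreviation list is assumed, not taken from vim's sources.

```python
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# Per-directory rc file names vim may read from the current directory.
# .vimrc/.exrc are the names in the report; _vimrc/_exrc are the Windows
# spellings, included as an assumption.
LOCAL_RC_NAMES = (".vimrc", ".exrc", "_vimrc", "_exrc")

# Ex commands that 'secure' refuses in a current-directory rc file:
# shell escapes, write commands and autocommands. Constructed for this
# example; the abbreviations are the common ones, not an exhaustive list.
HOSTILE_COMMANDS: Dict[str, str] = {}
for _name in ("!", "shell", "sh"):
    HOSTILE_COMMANDS[_name] = "shell command"
for _name in ("w", "write", "wq", "wa", "wall", "wqa", "wqall", "x", "xit",
              "xa", "xall", "up", "update", "sav", "saveas"):
    HOSTILE_COMMANDS[_name] = "write command"
for _name in ("au", "autocmd", "aug", "augroup", "do", "doautocmd"):
    HOSTILE_COMMANDS[_name] = "autocommand"

# Skip leading ':' and 'silent'/'silent!' modifiers, then capture the command.
_LEAD = re.compile(r"^\s*:*\s*(?:sil(?:ent)?!?\s+)*(?P<cmd>!|[A-Za-z]+)")
# Shell escapes hidden inside expressions, e.g. 'call system("...")'.
_SYSTEM_CALL = re.compile(r"\bsystem\s*\(")


def classify_rc_line(line: str) -> Optional[str]:
    """Return why 'secure' would block this line, or None if it is benign."""
    stripped = line.strip()
    if not stripped or stripped.startswith('"'):   # blank line or comment
        return None
    m = _LEAD.match(stripped)
    if m and m.group("cmd") in HOSTILE_COMMANDS:
        return HOSTILE_COMMANDS[m.group("cmd")]
    if _SYSTEM_CALL.search(stripped):
        return "shell command (system())"
    return None


def scan_rc_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, reason, line) for every flagged line in an rc file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        label = classify_rc_line(line)
        if label:
            findings.append((lineno, label, line.strip()))
    return findings


def find_local_rc_files(root: str) -> List[str]:
    """Walk root and return every per-directory rc file vim might source from it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in LOCAL_RC_NAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def scan_tree(root: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Map each rc file under root (path relative to root) to its flagged lines."""
    report = {}
    for path in find_local_rc_files(root):
        with open(path, encoding="utf-8", errors="replace") as fh:
            report[os.path.relpath(path, root)] = scan_rc_text(fh.read())
    return report


# Constructed samples: the report's 'benign' case (project indent settings)
# and a 'hostile' one mixing the same settings with shell and write commands.
BENIGN_RC = '''" project indent settings
set tabstop=4
set shiftwidth=4
set expandtab
'''

HOSTILE_RC = '''set tabstop=4
:!touch /tmp/exrc-was-sourced
silent !true
w! /tmp/exrc-wrote-a-file
autocmd BufWritePost * call system("true")
'''


def demo() -> Dict[str, List[Tuple[int, str, str]]]:
    """Build a throwaway checkout holding both samples and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "src"))
        with open(os.path.join(root, ".vimrc"), "w") as fh:
            fh.write(BENIGN_RC)
        with open(os.path.join(root, "src", ".exrc"), "w") as fh:
            fh.write(HOSTILE_RC)
        return scan_tree(root)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(f"{'HOSTILE' if findings else 'OK':8} {path}")
        for lineno, label, text in findings:
            print(f"    line {lineno}: {label}: {text}")
```

Run it against a real checkout with `scan_tree("/path/to/checkout")`; an empty list for a file means nothing in it would be refused under 'secure', which is the benign indent-settings case the report wants to keep allowing.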