Bug#308258: vim: 'set secure' isn't for own files; docs misleading.
Adrian Irving-Beer
Adrian Irving-Beer <wisq-deb@wisq.net>, 308258@bugs.debian.org
Sun, 08 May 2005 21:07:44 -0400
Package: vim
Version: 1:6.3-058+1
Severity: normal
Taken from the help docs for the 'secure' option:
    [...] On Unix this option is only used if the ".vimrc" or
    ".exrc" is not owned by you. This can be dangerous if the systems
    allows users to do a "chown". You better set 'secure' at the end
    of your ~/.vimrc then.
The last sentence doesn't make any sense; no matter where or when you
set it, it has no effect on the execution of one's own .vimrc or
.exrc files.
Unpacking a tarball, checking out files via CVS or any other SCM,
etc., all create files owned only by the current user. These can
contain .vimrc's or .exrc's with malicious instructions that will be
executed without restriction.
The docs are misleading in this regard; I thought I was "secure" (so
to speak) for years, and only just discovered I was an accident
waiting to happen.
Wishlist item:
There's currently no way to distinguish a 'benign' .vimrc (e.g.
official project indent settings) from a 'hostile' .vimrc (shell
and write commands). The 'secure' option would be ideal for this,
if only it or a new sister option would enforce 'secure' rules on
*all* .vimrc and .exrc files.
(If the doc bug is fixed without a true self-included 'secure' mode,
we can rename this report and reclassify it as a wishlist item, or I
can just submit a new one.)
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing'), (300, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Versions of packages vim depends on:
ii dpkg 1.10.27 Package maintenance system for Deb
ii libc6 2.3.2.ds1-21 GNU C Library: Shared libraries an
ii libgpmg1 1.19.6-19 General Purpose Mouse - shared lib
ii libncurses5 5.4-4 Shared libraries for terminal hand
ii vim-common 1:6.3-058+1 Vi IMproved - Common files
-- no debconf information
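The check that follows from this report, as an added example (not part of the bug report and not Vim's own code): Vim sources a per-directory .vimrc/.exrc only when the 'exrc' option is set, and, as the report says, 'secure' leaves files owned by the current user unrestricted, so the script below walks a freshly unpacked tree, lists each such rc file with its owner, and flags the commands that 'secure' would have refused in a foreign file (shell escapes, :autocmd, write commands). The pattern, the function names (audit_local_vimrc, demo_audit, VIMRC_SECURE_PATTERN) and the sample rc file are all constructed for this example; the pattern is a heuristic, not a Vim parser.

```shell
#!/bin/sh
# Added example (not from the bug report or from Vim): audit an unpacked tree
# for per-directory rc files that Vim sources when 'exrc' is set. 'secure'
# only restricts such a file when it is NOT owned by the current user, so a
# tarball or checkout (files owned by you) bypasses it; this lists each rc
# file with its owner and flags the commands 'secure' would have refused.

# Heuristic (written for this example, not a Vim parser): an ex command at the
# start of a line, optionally after ':' or 'silent[!]', that is a shell escape
# (!), :shell, :autocmd, or a write command (:w, :write, :wq, :x), plus any
# use of the system() function anywhere on the line.
VIMRC_SECURE_PATTERN='^[[:space:]]*:?[[:space:]]*(sil(ent)?!?[[:space:]]+)?(!|(sh(ell)?|au(tocmd)?|w(rite)?|wq|x)([^[:alnum:]_]|$))|system[[:space:]]*\('

# Print "file (owner: user):line:text" for each flagged line under $1.
audit_local_vimrc() {
    dir=${1:-.}
    find "$dir" -type f \( -name .vimrc -o -name .exrc -o -name _vimrc -o -name _exrc \) 2>/dev/null |
    while IFS= read -r f; do
        owner=$(ls -ld "$f" | awk '{print $3}')
        grep -nE "$VIMRC_SECURE_PATTERN" "$f" | sed "s|^|$f (owner: $owner):|"
    done
}

# Self-contained demo on a constructed rc file; prints the number of flagged lines.
demo_audit() {
    tmp=$(mktemp -d)
    cat >"$tmp/.vimrc" <<'EOF'
set shiftwidth=4 expandtab
" benign project settings above; the rest is what 'secure' exists to block
nnoremap <F5> :make<CR>
autocmd BufRead * set textwidth=78
!echo constructed shell escape
w /tmp/constructed-write-target
silent! !echo hidden behind silent
EOF
    audit_local_vimrc "$tmp" | wc -l | tr -d ' '
    rm -rf "$tmp"
}

# With a directory argument, audit it; without one, run the constructed demo.
if [ $# -gt 0 ]; then audit_local_vimrc "$1"; else demo_audit; fi
```

Run it against the directory you just unpacked or checked out before opening any file there with 'exrc' on; a clean tree prints nothing.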