Bug#479060: vim: README.Debian modeline suggestion contains security concern
Osamu Aoki
osamu at debian.org
Fri May 2 13:46:30 UTC 2008
Package: vim
Version: 1:7.1.293-2
Severity: wishlist
I think README.Debian on modeline needs more attention for security.

Disabling modeline as default is a good idea for security. But defeating
it by suggesting a solution for the normal user is not so good. It gives
a false sense of security.

If the method in README.Debian is used for the user's .vimrc and vim is run
under sudo, use of "sudo vim foo" will use modeline. This is still
a security concern. The same goes for other features like swapfile.

Basically, I suggest replacing the recommendation with something along these lines.
(This is my first vim script. So check it please.)
---.vimrc---
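" Root sessions (e.g. "sudo vim foo"): keep modeline and swapfile off
if $USER == "root"
  set nomodeline
  set noswapfile
else
  " Normal user: enable modeline and swapfile
  set modeline
  set swapfile
endif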
(FYI: $UID did not work)
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.24-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages vim depends on:
ii  libacl1      2.2.47-2        Access control list shared library
ii  libc6        2.7-10          GNU C Library: Shared libraries
ii  libgpmg1     1.20.3~pre3-3   General Purpose Mouse - shared lib
ii  libncurses5  5.6+20080419-2  Shared libraries for terminal hand
ii  libselinux1  2.0.59-1        SELinux shared libraries
ii  vim-common   1:7.1.293-2     Vi IMproved - Common files
ii  vim-runtime  1:7.1.293-2     Vi IMproved - Runtime files
vim recommends no packages.
-- no debconf information
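
The following Python check is an added example, not code from the reporter, README.Debian or the vim package. It flags lines in a .vimrc that enable modeline or swapfile in a way a root session would also execute, which is the "sudo vim foo" case described in this report. The function name and the sample inputs are constructed; it assumes one Vim command per line, recognises only the `$USER` test used in the report's snippet, and trusts `$USER` exactly as that snippet does.

```python
import re

# Long and short names of the two options the report singles out.
RISKY = {"modeline": "modeline", "ml": "modeline",
         "swapfile": "swapfile", "swf": "swapfile"}
SET_RE = re.compile(r'^\s*:?\s*(?:setlocal|setglobal|setl|setg|set|se)\s+(.+)$')
GUARD_RE = re.compile(r'^\s*if\s+\$USER\s*(==|!=)[#?]?\s*["\']root["\']\s*$')
OPPOSITE = {"root": "nonroot", "nonroot": "root", None: None}

# Constructed sample inputs (not taken from README.Debian).
UNGUARDED = 'syntax on\nset modeline\nset modelines=5\n'
GUARDED = ('if $USER == "root"\nset nomodeline\nset noswapfile\n'
           'else\nset modeline\nset swapfile\nendif\n')


def find_root_exposed(vimrc_text):
    """Return (line_no, option) for each enable that a root session would also run."""
    findings = []
    stack = []  # per open :if -> [state of first branch, state of current branch]
    for no, line in enumerate(vimrc_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('"'):
            continue  # blank line or full-line Vim comment
        first = re.match(r'[a-z]+', stripped)
        word = first.group(0) if first else ""
        guard = GUARD_RE.match(line)
        if guard:
            state = "root" if guard.group(1) == "==" else "nonroot"
            stack.append([state, state])
        elif word == "if":
            stack.append([None, None])  # unrelated condition, proves nothing
        elif word in ("else", "elseif") and stack:
            # Any later branch of a $USER guard implies the opposite of its test.
            stack[-1][1] = OPPOSITE[stack[-1][0]]
        elif word == "endif" and stack:
            stack.pop()
        else:
            m = SET_RE.match(line)
            if m and not any(cur == "nonroot" for _, cur in stack):
                for tok in m.group(1).split():
                    if tok.startswith('"'):
                        break  # trailing comment
                    if tok in RISKY:
                        findings.append((no, RISKY[tok]))
    return findings


if __name__ == "__main__":
    print(find_root_exposed(UNGUARDED))
    print(find_root_exposed(GUARDED))
```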