Bug#290507: vim does not close file upon :sh

James Vega jamessan at debian.org
Mon Jul 27 21:33:36 UTC 2009


On Sat, Oct 07, 2006 at 03:32:45PM +0200, Bram Moolenaar wrote:
> > here comes another bug report from the Debian bug tracking system, with
> > a small security issue.
> > 
> > Quoting from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=290507:
> > 
> > >  Vim does not close temporary file (.file.swp) when executing shell, so
> > > program executed in shell can read and write from/to that file, even if
> > > it is not possible with normal command invocation. Not sure whether it is
> > > really security problem though.
> > > 
> > >  Example:
> > > 
> > > # cd
> > > # vim file
> > > [edit file and enter :sh to run shell]
> > > # su user
> > > $ ls -l .file.swp
> > > ls: .file.swp: Permission denied
> > > $ ls -l /proc/self/fd
> > > ...
> > > lrwx------  1 user user 64 2005-01-14 15:55 11 -> /root/.file.swp
> > > ...
> > > $ echo -e '\nqwerty' >&11
> > > $ ^D
> > > # tail -1 .file.swp
> > > qwerty
> > > #
> > 
> > What's your opinion on this? Do you consider it a bug or not?
> 
> It's very normal for a program to keep files open when executing a shell
> command.  I don't see why Vim should close files before executing a
> shell command.
> 
> If there is a security issue it's that Linux allows writing directly
> into a file descriptor from another process.  In my opinion only a
> process itself should be able to do that.
> 
> Hmm, perhaps the problem is that system() or execvp() doesn't close the
> file descriptors in a child process?

Indeed, that is the case.  Children inherit their parent's file
descriptors unless the file descriptors are set to close on exec().
Attached patch does that.

-- 
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan at debian.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cloexec.diff
Type: text/x-diff
Size: 2553 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-vim-maintainers/attachments/20090727/9086cdd7/attachment.diff>
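The descriptor inheritance discussed in this message, as an added example (not part of the original message and not the contents of cloexec.diff): a scratch file stands in for the swap file, and a shell started with fork()/exec() tries to write to it by descriptor number, first with the descriptor left inheritable and then with FD_CLOEXEC set. The function names, the scratch path and the use of descriptor 9 are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set close-on-exec while preserving any other descriptor flags. */
static int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Open a scratch file (constructed stand-in for .file.swp), optionally mark
 * it close-on-exec, run a shell that writes to it by descriptor number, and
 * return the number of bytes the shell got into the file (-1 on error). */
static long bytes_written_by_shell(int use_cloexec) {
    char path[] = "/tmp/cloexec-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd == -1) return -1;
    unlink(path);               /* now reachable only through the descriptor */
    /* POSIX sh only guarantees single-digit fds in redirections: use fd 9. */
    if (fd != 9) {
        int moved = dup2(fd, 9);
        close(fd);
        if (moved == -1) return -1;
        fd = moved;
    }
    if (use_cloexec && set_cloexec(fd) == -1) { close(fd); return -1; }
    pid_t pid = fork();
    if (pid == -1) { close(fd); return -1; }
    if (pid == 0) {
        /* fork() copies the descriptor; exec() is where FD_CLOEXEC closes it. */
        execl("/bin/sh", "sh", "-c", "exec 2>/dev/null; echo qwerty >&9", (char *)NULL);
        _exit(127);
    }
    int status;
    struct stat st;
    long written = -1;
    if (waitpid(pid, &status, 0) == pid && fstat(fd, &st) == 0)
        written = (long)st.st_size;
    close(fd);
    return written;
}

int main(void) {
    printf("inherited fd:  shell wrote %ld bytes\n", bytes_written_by_shell(0));
    printf("FD_CLOEXEC fd: shell wrote %ld bytes\n", bytes_written_by_shell(1));
    return 0;
}
```

Setting the flag with fcntl() after the file is opened leaves a window in multi-threaded programs; passing O_CLOEXEC to open() sets it atomically.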