Bug 798645

Summary: Security Lack using vim in a read-only file
Product: Red Hat Enterprise Linux 6
Reporter: Anderson Kaiser <akaiser>
Component: vim
Assignee: Karsten Hopp <karsten>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: high
Priority: high
Version: 6.2
Target Milestone: rc
Target Release: 6.2
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-03-09 13:11:03 UTC

Description Anderson Kaiser 2012-02-29 13:44:18 UTC
Description of problem:

When a user who has only read-only privilege on a file edits this file through vim, he is able to change its content.

Version-Release number of selected component (if applicable):

# rpm -qa | grep -i vim
vim-enhanced-7.2.411-1.6.el6.x86_64
vim-common-7.2.411-1.6.el6.x86_64
vim-minimal-7.2.411-1.6.el6.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Created a test directory

# mkdir /test

2. Created a group and a user to perform this test:

# groupadd test
# adduser user
# passwd user
Changing password for user user.
New password: 
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password: 
passwd: all authentication tokens updated successfully.

3. Set the SGID permission on this directory and change the group of this directory to test

# chgrp test /test
# chmod 2770 /test 

# ls -ld test
drwxrws---. 2 root test 4096 Feb 29 10:23 test

4. Make sure that the created user is part of the new group

# id user
uid=501(user) gid=503(user) groups=503(user),502(test)

5. As the root user, created a file in the /test directory that root owns and whose group is set to 'test', since we are using SGID on the main directory:

# cd /test/
# touch file.txt
# echo "root test" >> file.txt 
# ls -ld file.txt 

-rw-r--r--. 1 root test 10 Feb 29 10:30 file.txt

# cat file.txt 
root test

6. Using 'user' to perform tests on this file. Did not use su - to change user; opened a new shell:

$ ssh user@rhel62 -X
user@rhel62's password: 
/usr/bin/xauth:  creating new authority file /home/user/.Xauthority

$ cd /test/
$ cat file.txt 
root test

$ echo "user test" >> file.txt 
-bash: file.txt: Permission denied

When trying to use gedit or another editor, the file is opened as read-only (expected behaviour).

7. Using vim to edit the file:

$ ls -ld file.txt 
-rw-r--r--. 1 root test 10 Feb 29 10:30 file.txt

$ vim file.txt 

The vim interface shows the following message:

"file.txt" [readonly] 1L, 10C
-- INSERT -- W10: Warning: Changing a readonly

But after inserting new text and performing a forced exit (:wq!), we are able to change the content:

$ cat file.txt 
root test
user test

And the file owner is changed to user instead of root:

$ ls -ld file.txt 
-rw-r--r--. 1 user test 20 Feb 29 10:39 file.txt
  
Actual results:

The user is able to change the content of a read-only file or a file on which he has only read permission.

Expected results:

The user should not be able to change the content unless he has write permission.

Additional info:

I think that it is very bad behaviour because a user without write permission is able to change the content of the file, and it can constitute a very serious security lack in the system.

Comment 3 Anderson Kaiser 2012-03-09 13:11:03 UTC
Basically this is expected behaviour from vim.

It will respect the directory permission and will make a kernel call named sys_unlink(). It is the same call that rm makes. And the directory has permission to remove files, no matter the file permission.

[]'s
Anderson Kaiser
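
The mechanism Comment 3 describes, as an added example that is not part of the original report: replacing a file needs only write permission on its directory, so the sketch below shows the inode changing after a replacement and audits a tree for files exposed this way. The function names and the temporary directory are constructed, and because it runs unprivileged the sample file is owned by the caller rather than by root.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names and the temporary
# directory are constructed for the demonstration; run it as any user.

# inode_of FILE: print the file's inode number.
inode_of() { ls -i "$1" | awk '{print $1}'; }

# replace_readonly FILE TEXT: append TEXT without ever opening FILE for
# writing. A copy is written under a new name, the old directory entry is
# unlinked, and the copy takes over the name. Every step is authorised by
# write+search permission on the directory, not by FILE's mode bits, and the
# result is a new inode owned by the caller.
replace_readonly() {
    tmp="$1.new.$$"
    { cat "$1" && printf '%s\n' "$2"; } > "$tmp" || return 1
    rm -f "$1" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$1"
}

# audit_dir DIR: list files that are not group/other-writable themselves but
# live in a group- or other-writable directory without the sticky bit, so
# their mode bits do not stop a directory writer from replacing them.
audit_dir() {
    find "$1" -type d \( -perm -0020 -o -perm -0002 \) ! -perm -1000 \
        -exec sh -c 'find "$1" -maxdepth 1 -type f ! -perm -0020 ! -perm -0002' _ {} \;
}

# Demonstration on a constructed directory with the same modes as the report.
demo() {
    d=$(mktemp -d) || return 1
    chmod 2770 "$d"
    echo "root test" > "$d/file.txt"
    chmod 0644 "$d/file.txt"
    echo "exposed: $(audit_dir "$d")"
    echo "inode before: $(inode_of "$d/file.txt")"
    replace_readonly "$d/file.txt" "user test"
    echo "inode after:  $(inode_of "$d/file.txt")"
    chmod 3770 "$d"   # sticky bit: only the file or directory owner may unlink
    echo "exposed with sticky bit: $(audit_dir "$d")"
    rm -rf "$d"
}
demo
```

With the sticky bit set on the shared directory, only a file's owner, the directory's owner or root can unlink or rename the entry, which is why the audit stops reporting it.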