Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 798645

Summary: Security Lack using vim in a read-only file
Product: Red Hat Enterprise Linux 6 Reporter: Anderson Kaiser <akaiser>
Component: vimAssignee: Karsten Hopp <karsten>
Status: CLOSED NOTABUG QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: high Docs Contact:
Priority: high    
Version: 6.2   
Target Milestone: rc   
Target Release: 6.2   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-09 13:11:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Anderson Kaiser 2012-02-29 13:44:18 UTC 
Description of problem:

When a user that have only read-only privilege in a file edit this file through vim, he are able to change the content of it.

Version-Release number of selected component (if applicable):

# rpm -qa | grep -i vim
vim-enhanced-7.2.411-1.6.el6.x86_64
vim-common-7.2.411-1.6.el6.x86_64
vim-minimal-7.2.411-1.6.el6.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Created a test directory

# mkdir /test

2. Created a group and a user to perform this test:

# groupadd test
# adduser user
# passwd user
Changing password for user user.
New password: 
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password: 
passwd: all authentication tokens updated successfully.

3. Set the SGID permission in this directory and change the group from this directory to test

# chgrp test /test
# chmod 2770 /test 

# ls -ld test
drwxrws---. 2 root test 4096 Feb 29 10:23 test

4. Make sure that the created user is part of the new group

# id user
uid=501(user) gid=503(user) groups=503(user),502(test)

5. With root user created a file in the /test directory that root is owner and the group is set to 'test' since we are using SGID in the main directory:

# cd /test/
# touch file.txt
# echo "root test" >> file.txt 
# ls -ld file.txt 

-rw-r--r--. 1 root test 10 Feb 29 10:30 file.txt

# cat file.txt 
root test

6. Using the 'user' to perform tests in this file. Do not used the su - to change user, opened a new shell:

$ ssh user@rhel62 -X
user@rhel62's password: 
/usr/bin/xauth:  creating new authority file /home/user/.Xauthority

$ cd /test/
$ cat file.txt 
root test

$ echo "user test" >> file.txt 
-bash: file.txt: Permission denied

If tried to use gedit or other editor, the file is opened as read-only (expected behaviour).

7. Using the vim to edit the file:

$ ls -ld file.txt 
-rw-r--r--. 1 root test 10 Feb 29 10:30 file.txt

$ vim file.txt 

vim interface show the following message:

"file.txt" [readonly] 1L, 10C
-- INSERT -- W10: Warning: Changing a readonly

But after insert a new text and perform a forced exit (:wq!), we are able to change the content:

$ cat file.txt 
root test
user test

And the file owner is changed to user instead root:

$ ls -ld file.txt 
-rw-r--r--. 1 user test 20 Feb 29 10:39 file.txt
  
Actual results:

user is able to change the content of a read-only file or a file that he have onlu read permission.

Expected results:

User do not be able to change the content unless he has write permission. 

Additional info:

I think that it is a very bad behaviour because user withou the write permission is able to change the content of the file, and it can figure a very serious security lack in system.
Comment 3 Anderson Kaiser 2012-03-09 13:11:03 UTC 
Basically this is a expected behaviour from the vim.

It will respect the directory permission and will make a Kernel call named sys_unlink(). It is the same call that rm do. And the directory have permission to remove files. No mather the file permission.

[]'s
Anderson Kaiser