Description of problem:
When a user that has only read-only privilege on a file edits this file through vim, he is able to change the content of it.

Version-Release number of selected component (if applicable):
# rpm -qa | grep -i vim
vim-enhanced-7.2.411-1.6.el6.x86_64
vim-common-7.2.411-1.6.el6.x86_64
vim-minimal-7.2.411-1.6.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Created a test directory
# mkdir /test

2. Created a group and a user to perform this test:
# groupadd test
# adduser user
# passwd user
Changing password for user user.
New password:
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.

3. Set the SGID permission on this directory and changed the group of this directory to test
# chgrp test /test
# chmod 2770 /test
# ls -ld test
drwxrws---. 2 root test 4096 Feb 29 10:23 test

4. Made sure that the created user is part of the new group
# id user
uid=501(user) gid=503(user) groups=503(user),502(test)

5. As the root user, created a file in the /test directory of which root is the owner and whose group is set to 'test', since we are using SGID on the main directory:
# cd /test/
# touch file.txt
# echo "root test" >> file.txt
# ls -ld file.txt
-rw-r--r--. 1 root test 10 Feb 29 10:30 file.txt
# cat file.txt
root test

6. Used the 'user' account to perform tests on this file. Did not use su - to change user; opened a new shell:
$ ssh user@rhel62 -X
user@rhel62's password:
/usr/bin/xauth: creating new authority file /home/user/.Xauthority
$ cd /test/
$ cat file.txt
root test
$ echo "user test" >> file.txt
-bash: file.txt: Permission denied

If I try to use gedit or another editor, the file is opened as read-only (expected behaviour).

7. Used vim to edit the file:
$ ls -ld file.txt
-rw-r--r--. 1 root test 10 Feb 29 10:30 file.txt
$ vim file.txt

The vim interface shows the following message:
"file.txt" [readonly] 1L, 10C
-- INSERT --
W10: Warning: Changing a readonly

But after inserting new text and performing a forced exit (:wq!), we are able to change the content:
$ cat file.txt
root test
user test

And the file owner is changed to user instead of root:
$ ls -ld file.txt
-rw-r--r--. 1 user test 20 Feb 29 10:39 file.txt

Actual results:
The user is able to change the content of a read-only file, or of a file on which he has only read permission.

Expected results:
The user should not be able to change the content unless he has write permission.

Additional info:
I think that this is very bad behaviour, because a user without write permission is able to change the content of the file, and it can constitute a very serious security flaw in the system.
Basically, this is expected behaviour from vim. It will respect the directory permission and will make a kernel call named sys_unlink(). It is the same call that rm makes. And the directory has permission to remove files, no matter the file permission.

[]'s
Anderson Kaiser
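
The mechanism described in the comment above, as an added example that is not part of the original report or of vim: an audit that lists files whose read-only mode gives no protection because of their directory, plus the unlink-and-recreate step itself. The function names are hypothetical and GNU find is assumed; the audit goes beyond the group-writable case on this page to cover world-writable directories, and treats a sticky directory as safe because the sticky bit limits unlink to the file owner, the directory owner and root.

```shell
#!/bin/sh
# Added example: hypothetical helper names, GNU find assumed.

# unlink_exposed DIR
# Prints "<class> <path>" for each regular file directly under DIR that denies
# write access to a class (group/other) while DIR grants that class write
# access and has no sticky bit. Such a file can be unlinked and recreated by
# that class, which is what happened to /test/file.txt in the report.
unlink_exposed() {
    dir=$1
    [ -d "$dir" ] || return 2
    # Sticky directory (mode 1000): unlink/rename is limited to the file
    # owner, the directory owner and root, so nothing is exposed.
    [ -n "$(find "$dir" -maxdepth 0 -perm -1000)" ] && return 0
    for class in group:0020 other:0002; do
        bit=${class#*:}
        # Skip this class unless the directory grants it write access.
        [ -n "$(find "$dir" -maxdepth 0 -perm "-$bit")" ] || continue
        # Files that deny the class write access but can still be replaced.
        find "$dir" -maxdepth 1 -type f ! -perm "-$bit" |
            while IFS= read -r f; do
                printf '%s %s\n' "${class%%:*}" "$f"
            done
    done
}

# replace_via_unlink FILE NEW_CONTENT
# Never writes to the old inode: removes the directory entry and creates a
# new file with the same name, owned by the caller. Only write permission on
# the parent directory is needed, not on FILE.
replace_via_unlink() {
    rm -f -- "$1" && printf '%s\n' "$2" > "$1"
}

# Optional command-line use: sh script.sh /test
if [ "$#" -gt 0 ]; then
    unlink_exposed "$1"
fi
```

Running `unlink_exposed /test` on the setup from the report would print `group /test/file.txt`; after `chmod +t /test` it prints nothing.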