Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 3 Nov 2017 17:39:36 +0100
From: Jakub Wilk <>
Subject: Re: Re: Fw: Security risk of vim swap files

* Christian Brabandt <>, 2017-11-02, 22:29:
>Vim copies the permission from the file being edited. Although the swap 
>file is readable by others this does not leak any information here, 
>since the file being edited is already readable by others.

In general, what vim does (copying mode bits) in not enough to ensure 
that the swapfile is readable only by the users who had access to the 
original file. It would have to copy also group ownership and ACLs.

Also, keep in mind how this thread started. Somebody edited 
wp-config.php, which was readable by the web server, of course; then vim 
created .wp-config.php.swp with the same-ish permissions, which made the 
file readable to the whole (external) world. Oops.

Jakub Wilk

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.