security=safer breaks elvis -client somefile

  • Steve Kirkendall
    Message 1 of 3, Jan 31, 2004
      I just discovered that the security=safer setting is too strict.
      I need to think this through, and I'm also hoping that some of
      you can offer comments as well.

      When you run "elvis -client foo", the client process sends a
      ":sp foo" command to the server elvis, which then runs the command
      with security=safer. However, security=safer won't allow ":sp" to
      run with a filename argument. So the only thing that happens is,
      you get an error message in the server elvis' window.

      Obviously, the ":w somefile" command has to be disabled because it
      would be a huge security hole. But ":w" without a filename should
      be allowed; otherwise it doesn't make sense to run the editor at all.

      The purpose for disabling ":sp somefile" (and ":e somefile" and
      other variations) is to prevent two-stage attacks, where you first
      use ":sp /etc/passwd", then clobber the edit buffer, and finally
      use ":w" to write the clobbered version.

      I may need to add a new security=client setting, which does allow
      ":sp somefile" but totally disables any command which could possibly
      write anything out.

      Or maybe that's what the security=safer setting should really be
      doing. The security=safer setting was originally intended to make
      modelines safe. Modelines shouldn't need to write anything, ever,
      but they also shouldn't need to read files as far as I can see.

      Opinions?

      In other news, I've fixed a surprisingly large number of bugs, and
      added a basic interface to the gdb debugger.

      --
      Steve Kirkendall |A:It is confusing, since people don't read that way
      kirkenda@... |Q:Why is top-posting bad?
      |A:It is adding comments to the top of a message
      |Q:What is top-posting?


    • Sven Guckes
      Message 2 of 3, Jan 31, 2004
        * Steve Kirkendall <skirkendall@...> [2004-01-31 19:35]:
        > I just discovered that the security=safer setting is too strict.
        > I need to think this through, and I'm also hoping that some of
        > you can offer comments as well.
        >
        > When you run "elvis -client foo", the client process sends a
        > ":sp foo" command to the server elvis, which then runs the command
        > with security=safer. However, security=safer won't allow ":sp" to
        > run with a filename argument. So the only thing that happens is,
        > you get an error message in the server elvis' window.
        >
        > Obviously, the ":w somefile" command has to be disabled because it
        > would be a huge security hole. But ":w" without a filename should
        > be allowed; otherwise it doesn't make sense to run the editor at all.

        what if someone uses elvis as a pager (maybe to hold the output
        of a command, makes some changes (for whatever silly reason) -
        and in between a client makes it write the data to disk?
        then again - why would anyone use elvis as a pager and a server? dunno. ;-)

        don't forget to turn off spawning of subshells, too.
        (but i guess you probably did, anyway.)

        > Opinions?

        well, you can always misuse commands.. can't help that, can you?

        > In other news, I've fixed a surprisingly large number of
        > bugs, and added a basic interface to the gdb debugger.

        :-)

        > [Non-text portions of this message have been removed]

        hmm...

        Sven
      • Georg Neis
        Message 3 of 3, Feb 9, 2004
          * Steve Kirkendall <skirkendall@...> wrote:
          > I just discovered that the security=safer setting is too strict.
          > I need to think this through, and I'm also hoping that some of
          > you can offer comments as well.

          I've played a little bit around with the security option (never used
          it before) and came across a problem:

          The manual says about security=safer:

          Some commands are allowed only when invoked without a filename
          argument. These are :edit, :ex, :file, :open, :push, :split,
          :visual, :wquit, and :xit.

          However, when I run e.g. 'elvis -S foo' and do :wq, I get the
          error message "wquit filename is unsafe" although I didn't supply an
          argument.

          > In other news, I've fixed a surprisingly large number of bugs, and
          > added a basic interface to the gdb debugger.

          Good news!

          Regards, Georg
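The thread describes three rule sets for ex commands: the documented security=safer behaviour (the commands in the manual excerpt are refused only when given a filename argument, and ":w somefile" is always refused), the security=client level Steve proposes (filename arguments allowed, anything that can write refused), and the ":wq" case Georg reports, where a build rejected a command that the manual says should pass. The sketch below is an added example, not elvis source code, that models those rules as a command filter so each scenario from the thread can be checked against the written policy. The alias table, the function names and the exact set of "writer" commands are my assumptions; only the command names and the allow/refuse outcomes come from the messages above.

```python
"""Model of elvis-style command restrictions under different security levels.

Added illustration, not elvis code.  The 'safer' rules follow the manual
excerpt quoted in the thread; the 'client' level follows Steve's proposal.
Alias table and writer set are assumptions made for this example.
"""
import shlex
from typing import List, NamedTuple, Tuple

# Abbreviations seen in the thread mapped to canonical command names (assumed).
ALIASES = {
    "e": "edit", "edit": "edit",
    "ex": "ex",
    "f": "file", "file": "file",
    "o": "open", "open": "open",
    "pu": "push", "push": "push",
    "sp": "split", "split": "split",
    "vi": "visual", "visual": "visual",
    "wq": "wquit", "wquit": "wquit",
    "x": "xit", "xit": "xit",
    "w": "write", "write": "write",
}

# Manual: allowed under security=safer only when invoked without a filename.
SAFER_NO_FILENAME = {"edit", "ex", "file", "open", "push",
                     "split", "visual", "wquit", "xit"}

# Commands that can write a buffer to disk (assumed set for the 'client' level).
WRITERS = {"write", "wquit", "xit"}


class Decision(NamedTuple):
    allowed: bool
    reason: str


def parse_ex(line: str) -> Tuple[str, List[str]]:
    """Split ':cmd arg ...' into (canonical command, args).

    Deliberately simplified: no address ranges, and a trailing '!' is
    stripped rather than interpreted."""
    line = line.strip()
    if line.startswith(":"):
        line = line[1:]
    parts = shlex.split(line)
    if not parts:
        raise ValueError("empty command")
    name = parts[0].rstrip("!")
    if name not in ALIASES:
        raise ValueError(f"unknown command {name!r}")
    return ALIASES[name], parts[1:]


def check(line: str, level: str) -> Decision:
    """Decide whether an ex command may run under the given security level."""
    cmd, args = parse_ex(line)
    has_filename = bool(args)
    if level == "normal":
        return Decision(True, "no restrictions")
    if level == "safer":
        # ':w somefile' is the hole Steve describes; ':w' alone is fine.
        if cmd == "write" and has_filename:
            return Decision(False, "write filename is unsafe")
        # The manual's list: refuse only when a filename is supplied, so a
        # bare ':wq' must pass (the behaviour Georg expected).
        if cmd in SAFER_NO_FILENAME and has_filename:
            return Decision(False, f"{cmd} filename is unsafe")
        return Decision(True, "safer: no filename argument")
    if level == "client":
        # Steve's proposal: reading files is fine, writing anything is not.
        if cmd in WRITERS:
            return Decision(False, f"{cmd} could write to disk")
        return Decision(True, "client: read-only command")
    raise ValueError(f"unknown security level {level!r}")


def client_request(filename: str, server_level: str = "safer") -> Decision:
    """What 'elvis -client FILENAME' amounts to per Steve's description:
    the server runs ':sp FILENAME' under its own security level."""
    return check(f":sp {shlex.quote(filename)}", server_level)


if __name__ == "__main__":
    # The scenarios from the thread.
    print("elvis -client foo, server at safer :", client_request("foo"))
    print("elvis -client foo, server at client:", client_request("foo", "client"))
    for cmd in (":w", ":w somefile", ":wq", ":sp foo"):
        print(f"{cmd:12} safer ->", check(cmd, "safer"))
        print(f"{cmd:12} client->", check(cmd, "client"))
```

Running the module reproduces the thread: under safer the client's ":sp foo" is refused while a bare ":w" or ":wq" passes, and under the proposed client level ":sp foo" passes while every writer is refused.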