
Re: rvim "paranoid" mode? New feature

  • Bram Moolenaar
    Message 1 of 34 , Mar 1, 2005
      Kevin Collins wrote:

      > a couple of years ago, I hacked the vim 6.1 source code to
      > "enhance" rvim to have what I call "paranoid" mode. This mode prevents a
      > user from operating on any file other than the one(s) on the command line. It
      > disallows the :e otherfile and :w otherfile and :redir commands.
      >
      > While I realize this may not be useful for a lot of people, it is very
      > nice when granting permissions to a command from a privilege manager
      > such as sudo. If there is any interest in adding this enhancement, I can
      > provide my changes to a real programmer so they can be integrated... I'd
      > love to not have to worry about getting too far out of date with my
      > custom code, too!

      I think it's useful in some situations. Would you still allow access to
      the help files?

      Are you 99.9% sure it's impossible to edit another file? I am careful
      not to give a false sense of security.

      --
      hundred-and-one symptoms of being an internet addict:
      10E. You start counting in hex.

      /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
      /// Sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
      \\\ Project leader for A-A-P -- http://www.A-A-P.org ///
      \\\ Buy LOTR 3 and help AIDS victims -- http://ICCF.nl/lotr.html ///
    • Collins, Kevin (MindWorks)
      Message 34 of 34 , Mar 7, 2005
        Ok, after further prompting from Tony, I re-worked these changes into
        the latest patched revision of vim (6.3.062) and I'm once again asking
        for folks to see if they can subvert rvim.

        Thanks,

        Kevin

        -----Original Message-----
        From: Collins, Kevin (MindWorks)
        Sent: Thursday, March 03, 2005 4:03 PM
        To: vim-dev@...
        Cc: Bram@...
        Subject: RE: rvim "paranoid" mode? New feature


        Hi again,

        I've applied all of my code changes against the vim63 source. If
        anyone feels like testing this more hardened version of rvim for
        exploitation, I would be happy to hear feedback - especially if you
        manage to subvert it and access another file directly or indirectly.

        These diffs can be applied to the original source like this:

        patch ex_cmds.c ex_cmds.c.diff

        Thanks,

        Kevin

        -----Original Message-----
        From: Collins, Kevin (MindWorks)
        Sent: Wednesday, March 02, 2005 8:40 AM
        To: Bram@...
        Cc: vim-dev@...
        Subject: RE: rvim "paranoid" mode? New feature


        Thanks, Bram. As I've mentioned indirectly, I am not a C programmer -
        I'm a sysadmin with a lot of advanced shell, perl, php, etc (you name
        it) scripting experience, and vim has a lot of source :)

        As evidenced by some of the replies I have received on this list, there
        are a few more things I've missed ('{A-Z0-9}, :arg*, etc).

        However, I did just mention in a previous post that I should probably be
        looking for the "generic" file open (and write) functions, as opposed to
        trying to fix every subroutine :)

        I did incorporate my changes into 6.3 last night and things are still
        working there, but I'll spend more time looking at the functions you
        mentioned, although it may be beyond my skill level to do this
        correctly.

        Thanks,

        Kevin

        -----Original Message-----
        From: Bram@... [mailto:Bram@...]
        Sent: Wednesday, March 02, 2005 3:19 AM
        To: Collins, Kevin (MindWorks)
        Cc: vim-dev@...
        Subject: RE: rvim "paranoid" mode? New feature



        Kevin Collins wrote:

        > The help still works fine. I am pretty certain it's impossible to
        > edit/squash another file, but I am not a vim expert :)
        >
        > Besides :e, :w, :!, :r! and :redir what other methods are available to
        > edit (or otherwise stomp on) another file or start a subshell? I read a
        > lot of the docs and couldn't find any.

        You don't sound very sure that there can't be another way. Instead of
        looking in the docs, perhaps you should check the source code where
        readfile() and buf_write() are used (indirectly).

        > I can send the 2 source files I modified or diff output or something
        > else if you'd care to look. The changes are relatively minor. One issue
        > that my code doesn't handle correctly (but I'm sure you could fix
        > easily) is that if you do:
        >
        > rvim myfile
        >
        > you can do :w or :w! but can't do :w myfile - in other words, my hack
        > disallows any filename argument to :w... Don't know why you would really
        > want to do it, but it should be allowed.

        I would say that this would be intentional. This mode is to edit one
        file, thus you don't need to specify a file name. You certainly don't
        want to write elsewhere.

        I suppose you do allow copy/paste?

        --
        We're knights of the Round Table
        Our shows are formidable
        But many times
        We're given rhymes
        That are quite unsingable
        We're opera mad in Camelot
        We sing from the diaphragm a lot.
        "Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD

        /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
        /// Sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
        \\\ Project leader for A-A-P -- http://www.A-A-P.org ///
        \\\ Buy LOTR 3 and help AIDS victims -- http://ICCF.nl/lotr.html ///