Re: .exrc file security risks
From: Benjamin A. Okopnik (ben_at_callahans.org)
Date: 05/01/03
- Previous message: Benjamin A. Okopnik: "Re: .exrc file security risks"
- In reply to: Reg Quinton: "Re: .exrc file security risks"
Date: Thu, 1 May 2003 11:58:53 -0400
To: focus-sun@securityfocus.com
On Wed, Apr 30, 2003 at 08:09:49AM -0400, Reg Quinton wrote:
> > external commands. So you have the situation where if a .exrc file is
> > compromised, a key could be mapped to perform any command as the user
> > running vi...
>
> By the same token. If .login, .cshrc, .profile, etc. are compromised then
> you have similar issues -- you've lost control of your environment.
>
> Does anyone recommend one not use these files?
There's a cautionary note in the Vim help files that has to do with
".exrc" files in directories other than $HOME; those get read as default
behavior unless "secure" is set in EXINIT or "~/.exrc" (note that this
is standard for "vim"; I _believe_ it's also standard for "vi" but have
no way to test at the moment.) A user opening up an untrusted tarball is
all it would take.
Ben Okopnik
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Linux: The OS people choose without $200,000,000 of persuasion.
-- Mike Coleman
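
The check below is an added example, not part of the original message: it audits an unpacked archive for editor startup files in directories other than $HOME and reports whether "secure" is set in EXINIT or ~/.exrc. The function names, the risky-command pattern list and the sample file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an unpacked archive for vi/Vim startup files before
# opening anything inside it in the editor.

# Ex commands that rebind keys or can reach external programs. This pattern
# list is an illustrative assumption, not a complete catalogue.
RISKY_RE='^[[:space:]:]*([a-z]?(nore)?map!?[[:space:]]|au(tocmd)?!?[[:space:]]|so(urce)?[[:space:]]|!)|system\('
# Matches "set secure" / "se secure" but not "set nosecure".
SECURE_RE='set?[[:space:]]+([^|]*[[:space:]])?secure([[:space:]|]|$)'

# scan_exrc DIR: list every startup file under DIR, marking those that contain
# risky commands. File names containing newlines are not handled.
scan_exrc() {
    root=${1:-.}
    find "$root" -type f \( -name .exrc -o -name .vimrc -o -name .gvimrc \) -print |
    while IFS= read -r f; do
        hits=$(grep -cE "$RISKY_RE" "$f" || true)
        if [ "${hits:-0}" -gt 0 ]; then
            printf 'RISKY %s (%s lines)\n' "$f" "$hits"
        else
            printf 'FOUND %s\n' "$f"
        fi
    done
}

# secure_is_set [FILE]: succeed if "secure" is set in $EXINIT or in FILE
# (default ~/.exrc), the two places the message names.
secure_is_set() {
    home_rc=${1:-$HOME/.exrc}
    if printf '%s\n' "${EXINIT:-}" | grep -qE "$SECURE_RE"; then
        return 0
    fi
    [ -f "$home_rc" ] && grep -qE "$SECURE_RE" "$home_rc"
}

# Stand-alone use: ./scan.sh /path/to/unpacked/tree
if [ "$#" -gt 0 ]; then
    secure_is_set || echo 'note: "secure" not set in EXINIT or ~/.exrc'
    scan_exrc "$1"
fi
```

Any FOUND or RISKY line for a tree you did not author is worth reading before starting the editor in that directory.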