Bug#479060: vim: README.Debian modeline suggestion contains security concern

Osamu Aoki osamu at debian.org
Fri May 2 13:46:30 UTC 2008


Package: vim
Version: 1:7.1.293-2
Severity: wishlist

I think README.Debian on modeline needs more attention for security.

Disabling modeline by default is a good idea for security. But defeating
it by suggesting a solution for normal users is not so good.  It gives a
false sense of security.

If the method in README.Debian is used in the user's .vimrc and vim is run
under sudo, "sudo vim foo" will use modelines.  This is still a
security concern.  The same goes for other features like swapfile.

Basically, I suggest replacing the recommendation with something along these lines.
(This is my first vim script, so please check it.)

---.vimrc---
" $USER is exported by the shell (and rewritten by sudo), so vim can read it;
" ==# compares case-sensitively regardless of the 'ignorecase' setting.
if $USER ==# "root"
  " Running as root: do not honour modelines from file contents and do not
  " write swap files next to the edited file.
  set nomodeline
  set noswapfile
else
  set modeline
  set swapfile
endif

(FYI: $UID did not work)

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.24-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages vim depends on:
ii  libacl1                   2.2.47-2       Access control list shared library
ii  libc6                     2.7-10         GNU C Library: Shared libraries
ii  libgpmg1                  1.20.3~pre3-3  General Purpose Mouse - shared lib
ii  libncurses5               5.6+20080419-2 Shared libraries for terminal hand
ii  libselinux1               2.0.59-1       SELinux shared libraries
ii  vim-common                1:7.1.293-2    Vi IMproved - Common files
ii  vim-runtime               1:7.1.293-2    Vi IMproved - Runtime files

vim recommends no packages.

-- no debconf information
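A variant of the snippet above, added here as an example and not part of the bug report or the vim package: it keys on the effective uid reported by the `id` command (assumed to be available, as $UID is a shell variable that is not exported to vim) and also treats a sudo session as privileged.

```vim
" Added example: privilege-aware modeline/swapfile settings for ~/.vimrc.
" 'id -u' prints the effective uid followed by a newline; str2nr() drops it.
let s:euid = str2nr(system('id -u'))

" Privileged when running as uid 0, or when sudo set SUDO_USER in the
" environment (covers the 'sudo vim foo' case from the report).
let s:privileged = (s:euid == 0) || exists('$SUDO_USER')

if s:privileged
  " Never let the contents of an edited file change editor options, and
  " keep swap data out of directories a root editing session visits.
  set nomodeline
  set modelines=0
  set noswapfile
else
  " Unprivileged editing: the usual defaults, modelines limited to the
  " first and last five lines of a file.
  set modeline
  set modelines=5
  set swapfile
endif
```

The effective setting can be confirmed inside vim with `:verbose set modeline? swapfile?`, which also reports which script last set each option.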