WingNews logo WingNews
top | item 40179528

(no title)

webreac | 1 year ago

What do you mean by "The attack surface of Vim is admittedly small" ? Recently I had to access a file owned by root. The IT gave me the permission to do sudo /bin/less /etc/the_file. That was enough to launch a shell with root permissions. If someone can send commands to Vim, he can launch any command and own your computer.

discuss

order

Bu9818|1 year ago

They're talking about the attack surface to get accidental code execution from opening files that try to exploit vim. Integrating shell commands with vim/less is a valid feature.

samus|1 year ago

That was indeed a bit silly by IT. They could have written a script that gives you a copy of the file and then deletes it after you're done with it, sort of like what sudoedit does. Or just let you sudoedit that file since they obviously had no problem effectively granting you write access.