How to disable vim commands in vimrc to secure vim

Question

I'm trying to disable the 'r' and 'o' commands in vim so people who use it can't open other files from within vim. I tried to use the cmap r <Nop> and cmap o <Nop>, which work but have an undesirable side-effect... those 2 letters can never be used in vim command line nor when searching for something... If you try to search for the word, "word" the search line displays: /wd.

So is there another way to disable opening files from with vimrc ?

Even with those cmaps you *can* input `r` with `r`. – ZyX Nov 05 '12 at 13:38 — ZyX, Nov 05 '12 at 13:38

score 3 · Answer 1 · edited Nov 05 '12 at 11:41

3

You can launch Vim with a flag:

$ vim -R (readonly)
$ vim -Z (restricted)
$ vim -m (no writing)
$ vim -M (no text modification)

But none of those will block :e or :r or any of the myriad of similar commands. And… the ~/.vimrc could probably be edited with nano or whatever to remove any eventual command anyway.

What about completely sandboxing Vim or its user?

What about explaining why you would want that?

edited Nov 05 '12 at 11:41

Lieven Keersmaekers

57,207
13
112
146

answered Nov 05 '12 at 11:09

romainl

186,200
21
280
313

Well, what I want to do is allow editing of a specific file with sudo (root permissions) on vim, but not allow anyone to open another file from within vim nor execute commands (although for commands I have used rvim already). vim opens through another script and vim is the editor choice since everyone that is going to use the script knows vim. Can't think of anything else to add.. – Giannis Nohj Nov 05 '12 at 13:44
3

If you give the user root, then you're already doomed. No amount of screwing around with vim mappings is going to save you. – d11wtq Nov 05 '12 at 15:00

score 3 · Answer 2 · answered Nov 05 '12 at 11:40

3

If you really want to secure Vim (and not just provide a superficial appearance of certain disallowed features), you have to remove those features from the source code and compile (and test!) a limited version of Vim. (Or maybe you can use a operating-system wrapper that sandboxes the Vim process and filters certain system calls, but I don't know any such thing.)

Any Vimscript obstruction can be circumvented: Your remappings can be undone via :cunmap, any more elaborate protection in Vimscript can be stopped by pressing <C-c> at the right time.

answered Nov 05 '12 at 11:40

Ingo Karkat

167,457
16
250
324

Thanks, I've already thought about that and I'm trying to avoid compiling my own version of vim. What do you mean when you say "sandboxing the vim process"? – Giannis Nohj Nov 05 '12 at 13:47
I want to see how you are going to stop `while 1 | echo getchar() | endwhile`. Though you have a point: using vim from that loop with a bunch of hacks for preventing execution from stopping while not inside `getchar()` call (maybe just writing all the code in python or other language and eventually calling vim will work), another bunch of hacks to get it work (with autocommands, mappings and all other stuff) and third bunch of hacks to get it look at least somewhat near usable, not saying about conditions to enforce restrictions is, well, somewhat beyond the skill of most vim hackers. – ZyX Nov 05 '12 at 13:48
@GiannisNohj Search for “linux sandboxing”. [This](http://stackoverflow.com/questions/4249063/how-can-i-run-an-untrusted-c-program-in-a-sandbox-in-linux) is a top result and it appears to have a good enough overview, without any details though. Hope Ingo Karkat knows more. – ZyX Nov 05 '12 at 13:55

score 0 · Answer 3 · answered Nov 05 '12 at 14:52

If you want to allow editing of a specific file with root permissions, without allowing commands or editing of other files (as you've now indicated in a separate comment), why don't you do this as outlined in man 8 sudoedit:

Temporary copies are made of the files to be edited with the owner set to the invoking user.

The editor specified by the policy is run to edit the temporary files. The sudoers policy uses the SUDO_EDITOR, VISUAL and EDITOR environment variables (in that order). If none of SUDO_EDITOR, VISUAL or EDITOR are set, the first program listed in the editor sudoers(5) option is used.

If they have been modified, the temporary files are copied back to their original location and the temporary versions are removed.

It is much safer to launch the editor in the user's context, not root context. (Plus, the user get's his Vim settings, not the unmaintained ones from the root account!) Just the sync back of the edited temp file must be done with root priviledges; with the help of sudo, all of this can be implemented in a few lines of shell script.

How to disable vim commands in vimrc to secure vim

3 Answers3