# TPE+Hardened, Vim plugins, and user-owned custom scripts

## Tatsh

So far hardened is relatively normal and on the system I have it on it is not much slower than before.

I've run into a few things that I wonder if RBAC rules can be made for. All items before are from not running as root.

All of my binary plugins for Vim are installed via Portage. Could this be a plugin written in VimScript?

```

Feb 23 14:04:05 tatsh kernel: grsec: From 192.168.1.116: denied RWX mmap of <anonymous mapping> by /usr/bin/vim[vim:15458] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:15082] uid/euid:1000/1000 gid/egid:1000/1000

```

One of my Vim plugins seems to create 'temporary' Bash scripts in /tmp and due to TPE, those will not execute. Maybe this does not make the plugin fail, it does not make Vim crash, but it makes Vim take a little longer to start.

```

Feb 23 14:04:06 tatsh kernel: grsec: From 192.168.1.116: denied untrusted exec (due to being in untrusted group and file in world-writable directory) of /tmp/ffiIzSh7c by /usr/bin/vim[vim:15458] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:15082] uid/euid:1000/1000 gid/egid:1000/1000

Feb 23 14:04:06 tatsh kernel: grsec: From 192.168.1.116: denied untrusted exec (due to being in untrusted group and file in world-writable directory) of /var/tmp/ffiUo3W4h by /usr/bin/vim[vim:15458] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:15082] uid/euid:1000/1000 gid/egid:1000/1000

```

Finally, I had some scripts I had in crontab that use personal virtualenvs and those do not execute because Python executable's directory referenced is not owned by root:root.

```

Feb 23 14:10:02 tatsh kernel: grsec: denied untrusted exec (due to being in untrusted group and file in non-root-owned directory) of /home/tatsh/.virtualenvs/random3.3/bin/python3.3 by /home/tatsh/.virtualenvs/random3.3/bin/python3.3[sh:15556] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:15554] uid/euid:1000/1000 gid/egid:1000/1000

```

Or is there just a 'better' practise here, or should I just become part of the TPE group (simplest solution I guess)?

----------

## Hu

For the Vim case, does it work if you direct your plugin to write the scripts in a temporary directory that is not world-writable?

----------

## khayyam

 *Tatsh wrote:*   

> Or is there just a 'better' practise here, or should I just become part of the TPE group (simplest solution I guess)?

 

Tatsh ... it may be that the script in question supports the TMPDIR variable

```
$ mkdir ~/tmp

# TMPDIR=~/tmp

# vim
```

If that works then its simply a matter of adding 'export TMPDIR=~/tmp' to your shell profile, if not then the script in question can probably be modified to check TMPDIR and use it.

Note that the presence of TMPDIR will cause tmux, and others apps, to use this rather than /tmp ... so you may need to do some clean up on logout (not sure if bash uses .{z,}logout or not ... zsh does).

edit: corrected

best ... khayLast edited by khayyam on Tue Feb 24, 2015 9:43 am; edited 1 time in total

----------

## Tatsh

Thanks for the tip but it appears the script will not respect $TEMPDIR. This is definitely the YouCompleteMe plugin as I completely disabled vundle in my ~/.vimrc and still got these errors. vim --noplugins does not show these errors. Not sure what to do next if I want to keep YCM in my local profile (I do).

----------

## khayyam

 *Tatsh wrote:*   

> Thanks for the tip but it appears the script will not respect $TEMPDIR. This is definitely the YouCompleteMe plugin as I completely disabled vundle in my ~/.vimrc and still got these errors. vim --noplugins does not show these errors. Not sure what to do next if I want to keep YCM in my local profile (I do).

 

Tash ... sorry, there is actually a typo above its 'TMPDIR' ... vim should respect this var, so YouCompleteMe should follow vim's lead and do so to.

best ... khay

----------

