sed: In-place editing (-i flag) drops EA (ACLs and user-defined)

Bug #25921 reported by Debian Bug Importer
Affects | Status | Importance | Assigned to | Milestone
sed (Debian) | Fix Released | Unknown | |
sed (Ubuntu) | Fix Released | Low | Unassigned |

Bug Description

Automatically imported from Debian bug report #339793 http://bugs.debian.org/339793

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 18 Nov 2005 22:01:31 +0100
From: Pierre THIERRY <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: sed: In-place editing (-i flag) drops EA (ACLs and user-defined)


Package: sed
Version: 4.1.2-8
Severity: grave
Tags: security
Justification: user security hole

When doing in-place editing, sed creates a new file without copying ACLs
and user-defined EA. It's not only a loss of maybe precious data
(user-defined EA) but a security hole, because dropping the ACLs can
give back some rights on the file.

For detailed information about the problem and the solution in general,
see:

http://www.suse.de/~agruen/ea-acl-copy/

As sed is a very common tool, the problem also is it will probably be
used on files without the knowledge of the user (e.g. by the way of
shell scripts).

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-k7
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)

Versions of packages sed depends on:
ii libc6 2.3.5-6 GNU C Library: Shared libraries an

sed recommends no packages.

-- no debconf information

-- 
<email address hidden>
OpenPGP 0xD9D50D8A

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 18 Nov 2005 18:19:09 -0800
From: Steve Langasek <email address hidden>
To: Pierre THIERRY <email address hidden>,
 <email address hidden>
Subject: Re: Bug#339793: sed: In-place editing (-i flag) drops EA (ACLs and user-defined)


severity 339793 important
tags 339793 -security
thanks

On Fri, Nov 18, 2005 at 10:01:31PM +0100, Pierre THIERRY wrote:
> When doing in-place editing, sed creates a new file without copying ACLs
> and user-defined EA. It's not only a loss of maybe precious data
> (user-defined EA) but a security hole, because dropping the ACLs can
> give back some rights on the file.

> For detailed information about the problem and the solution in general,
> see:

> http://www.suse.de/~agruen/ea-acl-copy/

> As sed is a very common tool, the problem also is it will probably be
> used on files without the knowledge of the user (e.g. by the way of
> shell scripts).

While it is desirable to have sed preserve EAs and ACLs when used with -i, I
think this severity is overinflated and the security tag is incorrect.
There are lots of ways that one can manage to lose ACLs and EAs on files
using traditional Unix tools; you can move the file to a filesystem that
doesn't support them, you can create a new file and try to set permissions
using chmod --reference, you can use perl -i which has the same problem as
sed -i. Given that most users are going to get this wrong when *not* using
the -i option to sed for in-place editing, I don't see any grounds for
treating this as a grave bug.

-- 
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
<email address hidden> http://www.debian.org/

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 19 Nov 2005 11:35:09 +0100
From: Pierre THIERRY <email address hidden>
To: Steve Langasek <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#339793: sed: In-place editing (-i flag) drops EA (ACLs and user-defined)


Steve Langasek wrote on 18/11/2005 at 18:19:
> While it is desirable to have sed preserve EAs and ACLs when used with
> -i, I think this severity is overinflated and the security tag is
> incorrect.

I won't argue on the severity (I was not really sure which I had to
choose), but the bug indeed affects the security of the user's account.

> There are lots of ways that one can manage to lose ACLs and EAs on
> files using traditional Unix tools;

But shouldn't simply *all* problematic packages be filed a security bug?

> Given that most users are going to get this wrong when *not* using the
> -i option to sed for in-place editing, I don't see any grounds for
> treating this as a grave bug.

I see this the opposite way: that makes the bug and its little brothers
more serious, because it's not isolated...

Quickly,
Nowhere man
-- 
<email address hidden>
OpenPGP 0xD9D50D8A

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 19 Nov 2005 03:17:12 -0800
From: Steve Langasek <email address hidden>
To: Pierre THIERRY <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#339793: sed: In-place editing (-i flag) drops EA (ACLs and user-defined)


On Sat, Nov 19, 2005 at 11:35:09AM +0100, Pierre THIERRY wrote:
> > There are lots of ways that one can manage to lose ACLs and EAs on
> > files using traditional Unix tools;

> But shouldn't simply *all* problematic packages be filed a security bug?

The BTS definition of the security tag is:

 This bug describes a security problem in a package (e.g., bad permissions
 allowing access to data that shouldn't be accessible; buffer overruns
 allowing people to control a system in ways they shouldn't be able to;
 denial of service attacks that should be fixed, etc). Most security bugs
 should also be set at critical or grave severity.

I don't think this bug really qualifies; it may *lead* to bad permissions as
a result of a user using sed -i without understanding the consequences, but
it's not a hole in the package that an attacker is exploiting directly
(which is how I understand the "security" tag). This bug only manifests if
the user assumes that standard Unix tools work out-of-the-box with ACLs and
EAs -- a very foolish assumption at this point.

Tagging this bug 'security' also doesn't help our security team, as this
isn't a bug they're going to be trying to fix.

Anyway, as far as security is concerned, I would expect anyone using
extended ACLs that need to *block* access to users that would otherwise be
permitted to set appropriate default ACLs on the parent directory, so that
files are automatically created with appropriately strict permissions.

> > Given that most users are going to get this wrong when *not* using the
> > -i option to sed for in-place editing, I don't see any grounds for
> > treating this as a grave bug.

> I see this the opposite way: that makes the bug and its little brothers
> more serious, because it's not isolated...

I don't think that's realistic. I suspect there are quite a number of
package maintainer scripts that don't even preserve *basic* Unix permissions
when making changes to config files. These are certainly bugs, I agree with
that, but it just doesn't make any sense to treat them as release-critical
AFAICS.

-- 
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
<email address hidden> http://www.debian.org/


Matt Zimmerman (mdz)
Changed in sed:
status: Unconfirmed → Confirmed
Paolo Bonzini (bonzini) wrote :

Fixed in 4.2.1 which is included in karmic.

Changed in sed (Ubuntu):
status: Confirmed → Fix Released
Changed in sed (Debian):
status: New → Fix Released
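
Added example (not from the thread and not sed's source): the rewrite-through-a-temporary-file pattern this report is about, written in Python for Linux so that mode bits, user-defined EAs and ACLs survive the rename. The names `edit_in_place`, `copy_xattrs`, `transform` and `PROTECTED` are chosen for this example; file ownership is left to the caller.

```python
import os
import stat
import tempfile

# Losing any of these changes who can access the file or drops user data.
PROTECTED = ("user.", "system.posix_acl_")


def copy_xattrs(src, dst):
    """Copy extended attributes from src to dst; return (copied, failed) names.

    On Linux, POSIX ACLs live in system.posix_acl_access/_default, so copying
    the attributes carries the ACL over too.
    """
    copied, failed = [], []
    try:
        names = os.listxattr(src)
    except OSError:  # no xattr support on this filesystem
        return copied, failed
    for name in names:
        try:
            os.setxattr(dst, name, os.getxattr(src, name))
            copied.append(name)
        except OSError:  # e.g. security.* when unprivileged
            failed.append(name)
    return copied, failed


def edit_in_place(path, transform):
    """Rewrite path via temp file + rename (the sed -i pattern), keeping metadata.

    transform is a hypothetical str -> str callback standing in for the sed script.
    """
    st = os.stat(path)
    with open(path, encoding="utf-8") as f:
        new_text = transform(f.read())
    # mkstemp creates the file with mode 0600, so the content is not exposed
    # to other users while it is being written.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(new_text)
        copied, failed = copy_xattrs(path, tmp)
        if any(n.startswith(PROTECTED) for n in failed):
            raise OSError(f"refusing to replace {path}: cannot preserve {failed}")
        os.chmod(tmp, stat.S_IMODE(st.st_mode))
        os.replace(tmp, path)  # atomic swap; the path now names a new inode
    except BaseException:
        os.unlink(tmp)
        raise
    return copied, failed
```

If an ACL or user attribute cannot be carried over, the function aborts and leaves the original file in place rather than silently replacing it with a file that has different access rules.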