Comment 1 for bug 25921

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 18 Nov 2005 22:01:31 +0100
From: Pierre THIERRY <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: sed: In-place editing (-i flag) drops EA (ACLs and user-defined)

Package: sed
Version: 4.1.2-8
Severity: grave
Tags: security
Justification: user security hole

When doing in-place editing, sed creates a new file without copying ACLs
and user-defined EA. It's not only a loss of maybe precious data
(user-defined EA) but a security hole, because dropping the ACLs can
give back some rights on the file.

For detailed information about the problem and the solution in general,
see:

http://www.suse.de/~agruen/ea-acl-copy/

As sed is a very common tool, the problem is also that it will probably be
used on files without the knowledge of the user (e.g. by way of
shell scripts).

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-k7
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)

Versions of packages sed depends on:
ii libc6 2.3.5-6 GNU C Library: Shared libraries an

sed recommends no packages.

-- no debconf information

-- 
<email address hidden>
OpenPGP 0xD9D50D8A

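An added illustration of the behaviour reported above, not code from sed or from the linked page: a replace-by-rename edit on Linux that either copies `user.*` attributes and POSIX ACLs to the new file or aborts and leaves the original untouched. The names `PRESERVED_PREFIXES`, `copy_xattrs` and `edit_in_place` are assumptions of this example.

```python
import errno
import os
import stat
import tempfile

# Namespaces named in the report: user-defined EAs and POSIX ACLs
# (Linux exposes ACLs as system.posix_acl_access / system.posix_acl_default).
PRESERVED_PREFIXES = ("user.", "system.posix_acl_")


def copy_xattrs(src, dst):
    """Copy user.* and ACL attributes from src to dst; return the names copied."""
    try:
        names = os.listxattr(src)
    except OSError as exc:
        if exc.errno == errno.ENOTSUP:  # source filesystem has no xattrs to lose
            return []
        raise
    copied = []
    for name in names:
        if name.startswith(PRESERVED_PREFIXES):
            # A failure here propagates: losing an ACL must abort the edit.
            os.setxattr(dst, name, os.getxattr(src, name))
            copied.append(name)
    return copied


def edit_in_place(path, transform, preserve_xattrs=True):
    """Replace-by-rename edit: write a temp file, then rename it over path."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as out, open(path) as src:
            out.writelines(transform(line) for line in src)
        os.chmod(tmp, mode)  # mode bits alone carry neither ACLs nor user.* EAs
        if preserve_xattrs:
            copy_xattrs(path, tmp)
        os.rename(tmp, path)  # the original inode, and its attributes, are gone
    except BaseException:
        os.unlink(tmp)
        raise
```

With `preserve_xattrs=False` the function reproduces the reported loss: the renamed file is a new inode carrying only the mode bits.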