Comment 2 for bug 25921

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 18 Nov 2005 18:19:09 -0800
From: Steve Langasek <email address hidden>
To: Pierre THIERRY <email address hidden>, <email address hidden>
Subject: Re: Bug#339793: sed: In-place editing (-i flag) drops EA (ACLs and user-defined)


severity 339793 important
tags 339793 -security
thanks

On Fri, Nov 18, 2005 at 10:01:31PM +0100, Pierre THIERRY wrote:
> When doing in-place editing, sed creates a new file without copying ACLs
> and user-defined EA. It's not only a loss of maybe precious data
> (user-defined EA) but a security hole, because dropping the ACLs can
> give back some rights on the file.

> For detailed information about the problem and the solution in general,
> see:

> http://www.suse.de/~agruen/ea-acl-copy/

> As sed is a very common tool, the problem is also that it will probably be
> used on files without the knowledge of the user (e.g. by the way of
> shell scripts).

While it is desirable to have sed preserve EAs and ACLs when used with -i, I
think this severity is overinflated and the security tag is incorrect.
There are lots of ways that one can manage to lose ACLs and EAs on files
using traditional Unix tools; you can move the file to a filesystem that
doesn't support them, you can create a new file and try to set permissions
using chmod --reference, you can use perl -i which has the same problem as
sed -i. Given that most users are going to get this wrong when *not* using
the -i option to sed for in-place editing, I don't see any grounds for
treating this as a grave bug.

-- 
Steve Langasek, Debian Developer
<email address hidden> http://www.debian.org/
"Give me a lever long enough and a Free OS to set it on, and I can move the world."

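An added example, not code from the bug report or from sed, of the mitigation the report points at: running the edit through the file's existing inode so the ACLs and user-defined EAs bound to that inode are kept, plus a check a script can run to confirm the inode survived. It assumes a POSIX sh with sed, mktemp, ls and awk; the sample file content is constructed.

```shell
#!/bin/sh
# Added example, not from the bug report or from sed: edit a file in place
# without replacing its inode, so ACLs and user-defined extended attributes
# attached to that inode survive the edit. Assumes POSIX sh, sed, mktemp,
# ls and awk.

# Inode number of a file. ls -i is POSIX; stat's flags are not portable.
inode_of() {
    ls -i "$1" | awk '{ print $1 }'
}

# The defect under discussion: sed -i writes its output to a new file and
# puts that file in place of the original, so the result is a fresh inode
# that never carried the original's ACLs or user EAs.
#
# Mitigation: run sed into a temp file, then write the result back through
# the existing inode with a truncating redirect. Owner, mode, ACLs, EAs and
# hard links are unchanged because the inode is; only the data is replaced.
sed_inplace_keep_inode() {
    expr=$1
    file=$2
    tmp=$(mktemp) || return 1
    if sed -e "$expr" "$file" > "$tmp"; then
        cat "$tmp" > "$file"   # truncate and rewrite: same inode
        rc=$?
    else
        rc=1                   # bad expression: original left untouched
    fi
    rm -f "$tmp"
    return $rc
}

# Regression check for scripts: 0 if the edit kept the inode (and with it
# the metadata bound to that inode), 1 otherwise.
edit_preserves_inode() {
    before=$(inode_of "$2")
    sed_inplace_keep_inode "$1" "$2" || return 1
    [ "$(inode_of "$2")" = "$before" ]
}

# Constructed sample input: a config line being rewritten in place.
demo=$(mktemp)
printf 'PermitRootLogin yes\nPort 22\n' > "$demo"
edit_preserves_inode 's/^PermitRootLogin yes$/PermitRootLogin no/' "$demo" \
    && echo "inode preserved: $(inode_of "$demo")"
cat "$demo"
rm -f "$demo"
```

Where a file must nonetheless be recreated (a tool that insists on rename-over), saving the ACL with getfacl before the edit and restoring it with setfacl --restore afterwards covers the ACL part, but not user-defined EAs.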