Ubuntu
sed package

Bug #25921
Comment #4

Comment 4 for bug 25921

Revision history for this message

Debian Bug Importer (debzilla) wrote on 2005-11-19:

Message-ID: <email address hidden>
Date: Sat, 19 Nov 2005 03:17:12 -0800
From: Steve Langasek <email address hidden>
To: Pierre THIERRY <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#339793: sed: In-place editing (-i flag) drops EA (ACLs and user-defined)

--Bn2rw/3z4jIqBvZU
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Nov 19, 2005 at 11:35:09AM +0100, Pierre THIERRY wrote:
> > There are lots of ways that one can manage to lose ACLs and EAs on
> > files using traditional Unix tools;

> But shouldn't simply *all* problematic packages be filed a security bug?

The BTS definition of the security tag is:

This bug describes a security problem in a package (e.g., bad permissions
allowing access to data that shouldn't be accessible; buffer overruns
allowing people to control a system in ways they shouldn't be able to;
denial of service attacks that should be fixed, etc). Most security bugs
should also be set at critical or grave severity.

I don't think this bug really qualifies; it may *lead* to bad permissions as
a result of a user using sed -i without understanding the consequences, but
it's not a hole in the package that an attacker is exploiting directly
(which is how I understand the "security" tag). This bug only manifests if
the user assumes that standard Unix tools work out-of-the-box with ACLs and
EAs -- a very foolish assumption at this point.

Tagging this bug 'security' also doesn't help our security team, as this
isn't a bug they're going to be trying to fix.

Anyway, as far as security is concerned, I would expect anyone using
extended ACLs that need to *block* access to users that would otherwise be
permitted to set appropriate default ACLs on the parent directory, so that
files are automatically created with appropriately strict permissions.

> > Given that most users are going to get this wrong when *not* using the
> > -i option to sed for in-place editing, I don't see any grounds for
> > treating this as a grave bug.

> I see this the opposite way: that make the bug and it's little brothers
> more serious, because it's not isolated...

I don't think that's realistic. I suspect there are quite a number of
package maintainer scripts that don't even preserve *basic* Unix permissions
when making changes to config files. These are certainly bugs, I agree with
that, but it just doesn't make any sense to treat them as release-critical
AFAICS.

--=20
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
<email address hidden> http://www.debian.org/

--Bn2rw/3z4jIqBvZU
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDfwm4KN6ufymYLloRAlR/AJ46VkkKFP11G/kpEUm/Bb/pGT9wTACfeolb
bIt0TfBcoLS9pt56QN5oJk0=
=ER4+
-----END PGP SIGNATURE-----

--Bn2rw/3z4jIqBvZU--

Message-ID: <20051119111712.GB13694@tennyson.dodds.net>
Date: Sat, 19 Nov 2005 03:17:12 -0800
From: Steve Langasek <vorlon@debian.org>
To: Pierre THIERRY <nowhere.man@levallois.eu.org>
Cc: 339793@bugs.debian.org
Subject: Re: Bug#339793: sed: In-place editing (-i flag) drops EA (ACLs and user-defined)

--Bn2rw/3z4jIqBvZU
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Nov 19, 2005 at 11:35:09AM +0100, Pierre THIERRY wrote:
> > There are lots of ways that one can manage to lose ACLs and EAs on
> > files using traditional Unix tools;

> But shouldn't simply *all* problematic packages be filed a security bug?

The BTS definition of the security tag is:

This bug describes a security problem in a package (e.g., bad permissions
 allowing access to data that shouldn't be accessible; buffer overruns
 allowing people to control a system in ways they shouldn't be able to;
 denial of service attacks that should be fixed, etc). Most security bugs
 should also be set at critical or grave severity.

I don't think this bug really qualifies; it may *lead* to bad permissions as
a result of a user using sed -i without understanding the consequences, but
it's not a hole in the package that an attacker is exploiting directly
(which is how I understand the "security" tag).  This bug only manifests if
the user assumes that standard Unix tools work out-of-the-box with ACLs and
EAs -- a very foolish assumption at this point.

Tagging this bug 'security' also doesn't help our security team, as this
isn't a bug they're going to be trying to fix.

> > Given that most users are going to get this wrong when *not* using the
> > -i option to sed for in-place editing, I don't see any grounds for
> > treating this as a grave bug.

> I see this the opposite way: that make the bug and it's little brothers
> more serious, because it's not isolated...

I don't think that's realistic.  I suspect there are quite a number of
package maintainer scripts that don't even preserve *basic* Unix permissions
when making changes to config files.  These are certainly bugs, I agree with
that, but it just doesn't make any sense to treat them as release-critical
AFAICS.

--=20
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

--Bn2rw/3z4jIqBvZU
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDfwm4KN6ufymYLloRAlR/AJ46VkkKFP11G/kpEUm/Bb/pGT9wTACfeolb
bIt0TfBcoLS9pt56QN5oJk0=
=ER4+
-----END PGP SIGNATURE-----

--Bn2rw/3z4jIqBvZU--

Ubuntused package

Comment 4 for bug 25921

Ubuntu
sed package