Package: sed
Version: 4.2.1-10
Severity: normal

It appears that sed -i tampers with the permissions on a file that has
ACLs in place.  Below is an example of it granting group read access
to a given file (and revoking read access to another user):

0 dkg@pip:/srv/dkg$ getfacl test
# file: test
# owner: dkg
# group: adm
user::rw-
user:wt215:r--
group::---
mask::r--
other::---

0 dkg@pip:/srv/dkg$ sed -i 's/foo/bar/' test
0 dkg@pip:/srv/dkg$ getfacl test
# file: test
# owner: dkg
# group: adm
user::rw-
group::r--
other::---

0 dkg@pip:/srv/dkg$ 

This is potentially a security concern, if sed causes data to be
exposed to users or groups that should not have read access to it.

Consider, for example, a configuration file owned by user X that
contains a secret authentication token.  If X has granted read access
to another user, and refused it for everyone else, and X then modifies
the config file with sed -i, it could leak the authentication token.

    --dkg


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sed depends on:
ii  dpkg          1.16.9
ii  install-info  4.13a.dfsg.1-10
ii  libc6         2.13-37
ii  libselinux1   2.1.9-5

sed recommends no packages.

sed suggests no packages.

-- no debconf information
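The mechanism behind the report, as an added example that is not part of the bug report: sed -i writes a new temporary file and renames it over the original, so the path ends up on a fresh inode that carries only the mode bits sed chose to copy, while an edit that writes back through the existing inode keeps its ACL entries. The script assumes GNU sed and POSIX sh, uses constructed sample files, and checks the inode number so it runs even where getfacl/setfacl are not installed.

```shell
#!/bin/sh
# Added example (not from the bug report): 'sed -i' writes a fresh file and
# renames it over the original, so the new inode carries only the mode bits
# sed copies; ACLs attached to the old inode are lost. Writing through the
# existing inode keeps them. Constructed sample files, POSIX sh + GNU sed.

inode_of() {
    # Print the inode number of the file given as $1.
    ls -i "$1" | awk '{print $1}'
}

# Edit with sed -i; prints "replaced" if the path now points at a new
# inode (the case in the report), "kept" if the original inode survived.
edit_with_sed_i() {
    f=$1
    before=$(inode_of "$f")
    sed -i 's/foo/bar/' "$f"
    after=$(inode_of "$f")
    [ "$before" = "$after" ] && echo kept || echo replaced
}

# Edit by writing back through the original path: sed into a temp file in
# the same directory, then cat it into the existing file. The file is
# truncated and rewritten rather than renamed, so its inode, and with it
# any ACL entries, survive.
edit_in_place_keep_inode() {
    f=$1
    before=$(inode_of "$f")
    tmp=$(mktemp "$f.XXXXXX") || return 1
    if sed 's/foo/bar/' "$f" > "$tmp"; then
        cat "$tmp" > "$f"
    fi
    rm -f "$tmp"
    after=$(inode_of "$f")
    [ "$before" = "$after" ] && echo kept || echo replaced
}

# Run both edits on constructed files and report the outcome.
demo() {
    d=$(mktemp -d)
    printf 'foo\n' > "$d/a"
    printf 'foo\n' > "$d/b"
    echo "sed -i:        $(edit_with_sed_i "$d/a") -> $(cat "$d/a")"
    echo "write-through: $(edit_in_place_keep_inode "$d/b") -> $(cat "$d/b")"
    rm -rf "$d"
}

demo
```

With the acl tools installed, running getfacl on each file before and after shows the same difference directly: the extra entries are gone after sed -i and intact after the write-through edit.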

