On 2012-12-04 13:57 -0500, Daniel Kahn Gillmor wrote:
> Package: sed
> Version: 4.2.1-10
> Severity: normal
>
> It appears that sed -i tampers with the permissions on a file that has
> ACLs in place. Below is an example of it granting group read access
> to a given file (and revoking read access to another user):
>
> 0 dkg@pip:/srv/dkg$ getfacl test
> # file: test
> # owner: dkg
> # group: adm
> user::rw-
> user:wt215:r--
> group::---
> mask::r--
> other::---
>
> 0 dkg@pip:/srv/dkg$ sed -i 's/foo/bar/' test
> 0 dkg@pip:/srv/dkg$ getfacl test
> # file: test
> # owner: dkg
> # group: adm
> user::rw-
> group::r--
> other::---
>
> 0 dkg@pip:/srv/dkg$
>
> This is potentially a security concern, if sed causes data to be
> exposed to users or groups that should not have read access to it.
>
> Consider, for example, a configuration file owned by user X that
> contains a secret authentication token. If X has granted read access
> to another user, and refused it for everyone else, and X then modifies
> the config file with sed -i, it could leak the authentication token.
Support for preserving ACLs has been in sed since version 4.2, but the
Debian package lacks it. I presume adding libacl1-dev to Build-Depends
should be sufficient to fix that, but have not tested it.
From the latest build log on amd64[1]:
,----
| checking sys/acl.h usability... no
| checking sys/acl.h presence... no
| checking for sys/acl.h... no
| configure: WARNING: libacl development library was not found or not usable.
| configure: WARNING: GNU sed will be built without ACL support.
`----
Cheers,
Sven
1. https://buildd.debian.org/status/fetch.php?pkg=sed&arch=amd64&ver=4.5-1&stamp=1530726731&raw=0
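The root cause behind the report above is that `sed -i` writes its output to a new temporary file and renames it over the original, so the new inode only carries an ACL if sed was built with libacl and copies it. The following shell script is an added example written for this page (it is not from the bug report, from Debian or from GNU sed): one helper flags files that carry an extended ACL before they are edited, and another edits a file through a fixed sed script while writing the result back into the existing inode, so owner, mode and ACL are untouched regardless of how sed was built. It assumes that `ls -l` appends `+` to the mode field of a file with an extended ACL (GNU and BSD ls both do this) and that `mktemp`, `awk` and `sed` are available.

```shell
#!/bin/sh
# Added example, not part of the original bug report.
# Assumption: ls -l marks a file that has an extended ACL by appending '+'
# to the mode field, e.g. "-rw-r-----+ 1 dkg adm ...".

# has_extended_acl FILE
# Returns 0 when ls reports an extended ACL on FILE, 1 otherwise.  Useful as
# a guard before running any tool that rewrites files by rename.
has_extended_acl() {
    mode=$(ls -ld -- "$1" | awk '{print $1}')
    case "$mode" in
        *+) return 0 ;;
        *)  return 1 ;;
    esac
}

# inode_of FILE -> prints the inode number of FILE.
inode_of() {
    ls -di -- "$1" | awk '{print $1}'
}

# edit_keep_inode SED_SCRIPT FILE
# Runs sed over FILE and writes the result back into the *same* inode with
# "cat > FILE".  Unlike "sed -i", no new file is created and nothing is
# renamed, so the ACL, owner and mode that belong to the inode are kept.
# Note: the rewrite is not atomic; a concurrent reader may see a truncated
# file while it is being written.
edit_keep_inode() {
    script=$1
    file=$2
    tmp=$(mktemp "${TMPDIR:-/tmp}/sedsafe.XXXXXX") || return 1
    if sed -e "$script" "$file" > "$tmp"; then
        cat "$tmp" > "$file"
        rc=$?
    else
        rc=$?
    fi
    rm -f -- "$tmp"
    return "$rc"
}

# demo_keep_inode
# Creates a constructed sample file, edits it with edit_keep_inode and
# returns 0 when the content changed and the inode number did not.
demo_keep_inode() {
    dir=$(mktemp -d) || return 1
    printf 'token=foo\n' > "$dir/test"
    before=$(inode_of "$dir/test")
    edit_keep_inode 's/foo/bar/' "$dir/test" || { rm -rf -- "$dir"; return 1; }
    after=$(inode_of "$dir/test")
    content=$(cat "$dir/test")
    rm -rf -- "$dir"
    [ "$before" = "$after" ] && [ "$content" = "token=bar" ]
}

# demo_sed_i_inode
# Same edit via "sed -i"; returns 0 when the inode number changed, which is
# what happens with GNU sed and is why a non-copied ACL disappears.
demo_sed_i_inode() {
    dir=$(mktemp -d) || return 1
    printf 'token=foo\n' > "$dir/test"
    before=$(inode_of "$dir/test")
    sed -i 's/foo/bar/' "$dir/test" || { rm -rf -- "$dir"; return 1; }
    after=$(inode_of "$dir/test")
    rm -rf -- "$dir"
    [ "$before" != "$after" ]
}

if [ "${0##*/}" = "sedsafe.sh" ]; then
    demo_keep_inode && echo "edit_keep_inode: inode and ACL preserved"
    demo_sed_i_inode && echo "sed -i: inode replaced (ACL copied only if sed has libacl)"
fi
```

Run `has_extended_acl /path/to/config` in a maintenance script to decide whether a file needs the inode-preserving path (or a `getfacl`/`setfacl --restore` round trip) instead of `sed -i`. The inode-preserving write is a workaround for a sed built without ACL support, not a replacement for fixing the build: a sed linked against libacl copies the ACL onto the replacement file itself.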