severity 339793 important
tags 339793 -security
thanks

On Fri, Nov 18, 2005 at 10:01:31PM +0100, Pierre THIERRY wrote:
> When doing in-place editing, sed creates a new file without copying ACLs
> and user-defined EA. It's not only a loss of maybe precious data
> (user-defined EA) but a security hole, because dropping the ACLs can
> give back some rights on the file.

> For detailed information about the problem and the solution in general,
> see:
> http://www.suse.de/~agruen/ea-acl-copy/

> As sed is a very common tool, the problem also is it will probably be
> used on files without the knowledge of the user (e.g. by the way of
> shell scripts).

While it is desirable to have sed preserve EAs and ACLs when used with -i, I think this severity is overinflated and the security tag is incorrect.

There are lots of ways that one can manage to lose ACLs and EAs on files using traditional Unix tools; you can move the file to a filesystem that doesn't support them, you can create a new file and try to set permissions using chmod --reference, you can use perl -i which has the same problem as sed -i. Given that most users are going to get this wrong when *not* using the -i option to sed for in-place editing, I don't see any grounds for treating this as a grave bug.

-- 
Steve Langasek
Debian Developer
[EMAIL PROTECTED]
http://www.debian.org/

Give me a lever long enough and a Free OS to set it on, and I can move the world.
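Added example, not part of the original message and not sed's code: a simplified Python model of the temp-file-and-rename style of in-place editing that the quoted report describes, with an optional mode that copies user-defined extended attributes and POSIX ACLs onto the replacement before the rename. It assumes Linux, where ACLs are exposed as system.posix_acl_* extended attributes; the function names and the sample file are hypothetical.

```python
import os
import tempfile

# Attribute namespaces the report is about: user-defined EAs and POSIX ACLs
# (Linux exposes ACLs as system.posix_acl_access / system.posix_acl_default).
KEPT_PREFIXES = ("user.", "system.posix_acl_")

def xattrs(path):
    """Return {name: value} for the EAs/ACLs on path ({} if unsupported)."""
    try:
        names = [n for n in os.listxattr(path) if n.startswith(KEPT_PREFIXES)]
        return {n: os.getxattr(path, n) for n in names}
    except OSError:
        return {}

def edit_in_place(path, transform, preserve=False):
    """Rewrite path via a new temp file plus rename (simplified model).

    preserve=False carries over only the mode bits, so EAs and ACLs vanish.
    preserve=True copies them to the temp file first and aborts the edit
    (leaving the original untouched) if any of them cannot be set.
    """
    st = os.stat(path)
    saved = xattrs(path) if preserve else {}
    with open(path) as src:
        text = src.read()
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as out:
            out.write(transform(text))
        os.chmod(tmp, st.st_mode & 0o7777)
        for name, value in saved.items():
            os.setxattr(tmp, name, value)
        os.replace(tmp, path)  # the original inode, and its metadata, is gone
    except BaseException:
        os.unlink(tmp)
        raise

if __name__ == "__main__":
    # Constructed sample file; needs a filesystem that accepts user.* xattrs.
    demo = os.path.join(tempfile.mkdtemp(), "demo.conf")
    with open(demo, "w") as f:
        f.write("port=80\n")
    os.setxattr(demo, "user.owner-note", b"reviewed")
    edit_in_place(demo, lambda s: s.replace("80", "8080"))
    print("after plain rewrite:     ", xattrs(demo))
    os.setxattr(demo, "user.owner-note", b"reviewed")
    edit_in_place(demo, lambda s: s.replace("8080", "443"), preserve=True)
    print("after preserving rewrite:", xattrs(demo))
```

Comparing `xattrs(path)` before and after any script that edits files in place is a quick audit for the silent metadata loss discussed in this thread.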