GNU bug report logs - #12366
[gnu-prog-discuss] Writing unwritable files


Package: coreutils;

Reported by: Paolo Bonzini <bonzini <at> gnu.org>

Date: Thu, 6 Sep 2012 12:14:01 UTC

Severity: normal

Done: Jim Meyering <meyering <at> hx.meyering.net>

Bug is archived. No further changes may be made.


From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Paolo Bonzini <bonzini <at> gnu.org>
Cc: 12366 <at> debbugs.gnu.org, gnu-prog-discuss <at> gnu.org, John Darrington <john <at> darrington.wattle.id.au>
Subject: bug#12366: [gnu-prog-discuss] bug#12366:  Writing unwritable files
Date: Fri, 07 Sep 2012 12:46:39 -0700
On 09/07/2012 09:38 AM, Paolo Bonzini wrote:

> Atomic file replacement is what matters for security.

Unfortunately, 'sed's use of atomic file replacement does not
suffice for security.

For example, suppose sysadmins (mistakenly) followed the practice of
using 'sed -i' to remove users from /etc/passwd.  And suppose there
are two misbehaving users moe and larry, and two sysadmins bonzini and
eggert.  bonzini discovers that moe's misbehaving, and types:

  sed -i '/^moe:/d' /etc/passwd

and thinks, "Great! moe can't log in any more."  Similarly eggert
discovers that larry's misbehaving, and types:

  sed -i '/^larry:/d' /etc/passwd

and thinks, "All right!  I've done my job too."

Unfortunately, it could be that moe can still log in afterwards.  Or
maybe larry can.  We don't know, because 'sed -i' is not atomic, which
means /etc/passwd might contain moe afterwards, or maybe larry.

Of course one could wrap 'sed -i' inside a larger script that
arranges for atomicity at the end-user level.  But the same is true
for 'sort -o'.  Perhaps the method of 'sed -i' buys the user
*something*, but whatever that something is isn't immediately
obvious.  When it comes to security mechanisms, simplicity and clarity
are critical, and unfortunately 'sed -i' has problems in this area,
just as 'sort -o' does.
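The race described in the message, as an added example that is not part of the thread: a Python model of two 'sed -i'-style edits on a constructed passwd-format file (the real /etc/passwd is never touched). The function names (make_passwd, lost_update, locked_edit, serialized) and the flock-based wrapper are assumptions of this example, not sed's behaviour; the point it shows is that the temp-file-plus-rename step is atomic while the read-modify-write around it is not.

```python
import fcntl, os, tempfile

def make_passwd():
    path = os.path.join(tempfile.mkdtemp(), "passwd")  # constructed sample, not /etc/passwd
    with open(path, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n"
                "moe:x:1001:1001::/home/moe:/bin/sh\n"
                "larry:x:1002:1002::/home/larry:/bin/sh\n"
                "curly:x:1003:1003::/home/curly:/bin/sh\n")
    return path

def read_lines(path):
    with open(path) as f:
        return f.readlines()
def without_user(lines, user):
    return [l for l in lines if not l.startswith(user + ":")]

def atomic_replace(path, lines):
    """The step sed -i gets right: write beside the target, then rename over it atomically."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    with os.fdopen(fd, "w") as f:
        f.writelines(lines)
    os.rename(tmp, path)

def lost_update(path):
    """The interleaving from the message: both admins read before either renames."""
    seen_by_bonzini = read_lines(path)                    # sed -i '/^moe:/d' reads
    seen_by_eggert = read_lines(path)                     # sed -i '/^larry:/d' reads
    atomic_replace(path, without_user(seen_by_bonzini, "moe"))
    atomic_replace(path, without_user(seen_by_eggert, "larry"))  # stale copy: moe is back
    return [l.split(":")[0] for l in read_lines(path)]

def locked_edit(path, user):
    """Wrapper-script discipline: an exclusive lock across the whole read-modify-write."""
    with open(path + ".lock", "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX | fcntl.LOCK_NB)  # BlockingIOError if already held
        atomic_replace(path, without_user(read_lines(path), user))

def serialized(path):
    """Same two edits under the lock: the overlapping attempt is refused, not merged."""
    refused = 0
    with open(path + ".lock", "w") as held:
        fcntl.flock(held, fcntl.LOCK_EX)                  # bonzini is mid-edit
        try:
            locked_edit(path, "larry")                    # eggert tries at the same time
        except BlockingIOError:
            refused += 1
        atomic_replace(path, without_user(read_lines(path), "moe"))
    locked_edit(path, "larry")                            # eggert retries once the lock is free
    return refused, [l.split(":")[0] for l in read_lines(path)]
```

Run on Linux or another POSIX system with flock(2); the lock file sits beside the target so both editors agree on which lock guards it.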


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.