
bug#12366: [gnu-prog-discuss] bug#12366: Writing unwritable files


From: Paul Eggert
Subject: bug#12366: [gnu-prog-discuss] bug#12366: Writing unwritable files
Date: Fri, 07 Sep 2012 12:46:39 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120828 Thunderbird/15.0

On 09/07/2012 09:38 AM, Paolo Bonzini wrote:

> Atomic file replacement is what matters for security.

Unfortunately, 'sed's use of atomic file replacement does not
suffice for security.

For example, suppose sysadmins (mistakenly) followed the practice of
using 'sed -i' to remove users from /etc/passwd.  And suppose there
are two misbehaving users moe and larry, and two sysadmins bonzini and
eggert.  bonzini discovers that moe's misbehaving, and types:

  sed -i '/^moe:/d' /etc/passwd

and thinks, "Great! moe can't log in any more."  Similarly eggert
discovers that larry's misbehaving, and types:

  sed -i '/^larry:/d' /etc/passwd

and thinks, "All right!  I've done my job too."

Unfortunately, it could be that moe can still log in afterwards.  Or
maybe larry can.  We don't know, because 'sed -i' is not atomic, which
means /etc/passwd might contain moe afterwards, or maybe larry.

Of course one could wrap 'sed -i' inside a larger script, that
arranges for atomicity at the end-user level.  But the same is true
for 'sort -o'.  Perhaps the method of 'sed -i' buys the user
*something*, but whatever that something is, isn't immediately
obvious.  When it comes to security mechanisms, simplicity and clarity
are critical, and unfortunately 'sed -i' has problems in this area,
just as 'sort -o' does.
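The lost update Paul describes, replayed deterministically as an added example (not code from the thread). Each "editor" does what 'sed -i' does, read the whole file, write a temp file, rename it over the original, but the two editors' steps are interleaved so both read before either renames; the passwd file is a constructed sample in a temp directory, and the mkdir lock is one portable mitigation, not anything sed itself provides.

```shell
#!/bin/sh
# Replay of the 'sed -i' race from the email, on a constructed sample file.
WORK=$(mktemp -d)
PASSWD="$WORK/passwd"        # stand-in for /etc/passwd, never the real one

reset_passwd() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
                  'moe:x:1001:1001::/home/moe:/bin/sh' \
                  'larry:x:1002:1002::/home/larry:/bin/sh' > "$PASSWD"
}

# The two halves of one 'sed -i'-style edit that removes user $1:
# the read+rewrite into a temp file, and the atomic rename over the original.
read_and_edit() { sed "/^$1:/d" "$PASSWD" > "$WORK/tmp.$1"; }
replace()       { mv -f "$WORK/tmp.$1" "$PASSWD"; }

# Space-separated user names still present, e.g. "root moe".
remaining_users() { cut -d: -f1 "$PASSWD" | tr '\n' ' ' | sed 's/ $//'; }

# Interleaving that loses an update: both sysadmins read the original
# before either renames. Each rename is atomic, but the second one wins
# with content that never saw the first deletion, so moe survives.
race_lost_update() {
    reset_passwd
    read_and_edit moe
    read_and_edit larry
    replace moe
    replace larry
    remaining_users          # -> "root moe"
}

# Mitigation: serialise the whole read-modify-rename sequence under a lock.
# mkdir is atomic on POSIX filesystems, so it serves as a portable mutex.
with_lock() {
    until mkdir "$WORK/passwd.lock" 2>/dev/null; do sleep 1; done
    read_and_edit "$1" && replace "$1"
    rmdir "$WORK/passwd.lock"
}

# Run both edits concurrently; whichever order the lock grants, the
# later editor re-reads a file that already reflects the earlier deletion.
serialized_edits() {
    reset_passwd
    with_lock moe & with_lock larry &
    wait
    remaining_users          # -> "root"
}
```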