bug#12366: [gnu-prog-discuss] bug#12366: Writing unwritable files

[Bob Proulx]

Paul Eggert wrote:
> Paolo Bonzini wrote:
> > Atomic file replacement is what matters for security.
> 
> Unfortunately, 'sed's use of atomic file replacement does not
> suffice for security.
> 
> For example, suppose sysadmins (mistakenly) followed the practice of
> using 'sed -i' to remove users from /etc/passwd.  And suppose there
> are two misbehaving users moe and larry, and two sysadmins bonzini and
> eggert.  bonzini discovers that moe's misbehaving, and types:
> 
>   sed -i '/^moe:/d' /etc/passwd

Using /etc/passwd isn't a good example because system convention
dictates that a /etc/passwd.lock must be observed for any edits there
specifically for the problem you are illustrating.  The above would
not be correct even if sed were fully atomic overall.

> Of course one could wrap 'sed -i' inside a larger script, that
> arranges for atomicity at the end-user level.

Right.  The 'vipw' script for example.  :-)

[I have abused the EDITOR variable for that purpose many times.  Set it
to either an inline script or to a real script and use it to safely
edit these types of files.  More with 'visudo' though.]

Bob