Paul Eggert wrote:
> Paolo Bonzini wrote:
> > Atomic file replacement is what matters for security.
>
> Unfortunately, 'sed's use of atomic file replacement does not
> suffice for security.
>
> For example, suppose sysadmins (mistakenly) followed the practice of
> using 'sed -i' to remove users from /etc/passwd. And suppose there
> are two misbehaving users moe and larry, and two sysadmins bonzini and
> eggert. bonzini discovers that moe's misbehaving, and types:
>
>     sed -i '/^moe:/d' /etc/passwd

Using /etc/passwd isn't a good example because system convention
dictates that a /etc/passwd.lock must be observed for any edits there
specifically for the problem you are illustrating. The above would not
be correct even if sed were fully atomic overall.

> Of course one could wrap 'sed -i' inside a larger script, that
> arranges for atomicity at the end-user level.

Right. The 'vipw' script for example. :-)

[I have abused the EDITOR variable for that purpose many times. Set it
to either an inline script or to a real script and use it to safely
edit these types of files. More with 'visudo' though.]

Bob
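Added example, not part of the original messages: a shell sketch of the lost update discussed above and of the same edits serialized under a lock, run on a constructed scratch file. The function names, the second admin's removal of larry, and the noclobber-created lock file (a stand-in for the /etc/passwd.lock convention) are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed demo on a scratch file; it never touches the real /etc/passwd.

make_passwd() {                       # $1 = scratch file, three sample users
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
                  'moe:x:1001:1001::/home/moe:/bin/sh' \
                  'larry:x:1002:1002::/home/larry:/bin/sh' > "$1"
}
users() { echo $(cut -d: -f1 "$1"); } # login names on one line

# The two halves of an in-place edit: filter into a temp copy, then rename.
stage()  { sed "/^$1:/d" "$2" > "$2.$1.tmp"; }    # $1 = user, $2 = file
commit() { mv "$2.$1.tmp" "$2"; }

# Both admins read the file before either one renames: last rename wins.
unlocked_race() {
    make_passwd "$1"
    stage moe "$1"; stage larry "$1"
    commit moe "$1"; commit larry "$1"
    users "$1"
}

# Hold an advisory lock across the whole read-modify-rename.
# With noclobber (set -C) the redirect fails if the lock file exists.
locked_edit() {                       # returns 1 when the lock is held
    ( set -C; : > "$2.lock" ) 2>/dev/null || return 1
    stage "$1" "$2"; commit "$1" "$2"
    rm -f "$2.lock"
}

locked_sequence() {
    make_passwd "$1"
    locked_edit moe "$1"; locked_edit larry "$1"
    users "$1"
}

d=$(mktemp -d)
echo "unlocked, interleaved: $(unlocked_race "$d/passwd")"
echo "locked, serialized:    $(locked_sequence "$d/passwd")"
rm -rf "$d"
```

Each rename in the unlocked run is atomic, yet moe is still in the file afterwards because the second copy was staged from the original contents. The lock only helps when every editor of the file honours it.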