On 09/07/2012 09:38 AM, Paolo Bonzini wrote:
> Atomic file replacement is what matters for security.
Unfortunately, 'sed's use of atomic file replacement does not suffice for security. For example, suppose sysadmins (mistakenly) followed the practice of using 'sed -i' to remove users from /etc/passwd. And suppose there are two misbehaving users moe and larry, and two sysadmins bonzini and eggert. bonzini discovers that moe's misbehaving, and types:

    sed -i '/^moe:/d' /etc/passwd

and thinks, "Great! moe can't log in any more." Similarly eggert discovers that larry's misbehaving, and types:

    sed -i '/^larry:/d' /etc/passwd

and thinks, "All right! I've done my job too."

Unfortunately, it could be that moe can still log in afterwards. Or maybe larry can. We don't know, because 'sed -i' is not atomic, which means /etc/passwd might contain moe afterwards, or maybe larry.

Of course one could wrap 'sed -i' inside a larger script that arranges for atomicity at the end-user level. But the same is true for 'sort -o'. Perhaps the method of 'sed -i' buys the user *something*, but whatever that something is, it isn't immediately obvious. When it comes to security mechanisms, simplicity and clarity are critical, and unfortunately 'sed -i' has problems in this area, just as 'sort -o' does.
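The lost-update race the message describes, as an added example that is not part of this thread: a Python simulation of the read / write-temp / rename sequence that 'sed -i' performs, driven so that both sysadmins' edits read the file before either renames, beside a variant that serialises the whole sequence with an advisory flock on a sidecar lock file. The user list, the lock-file name and the class names are constructed for the example.

```python
import fcntl
import os
import tempfile


class InplaceDelete:
    """Mimics `sed -i '/^PREFIX/d' PATH`: read everything, write a temp file,
    rename it over the original.  read() and commit() are split so a caller
    can interleave two editors deterministically (mode preservation omitted)."""

    def __init__(self, path, prefix):
        self.path, self.prefix, self.kept = path, prefix, None

    def read(self):
        with open(self.path) as f:
            self.kept = [line for line in f if not line.startswith(self.prefix)]

    def commit(self):
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path))
        with os.fdopen(fd, "w") as f:
            f.writelines(self.kept)
        os.replace(tmp, self.path)  # the atomic rename 'sed -i' relies on


class LockedInplaceDelete(InplaceDelete):
    """Same edit, but the read-modify-rename sequence holds an exclusive
    flock on a sidecar lock file, so nobody can read a copy that is about to
    go stale.  LOCK_NB makes the conflict visible; a real script would block."""

    def read(self):
        self.lock = open(self.path + ".lock", "w")
        try:
            fcntl.flock(self.lock, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except BlockingIOError:
            self.lock.close()
            raise
        super().read()

    def commit(self):
        try:
            super().commit()
        finally:
            fcntl.flock(self.lock, fcntl.LOCK_UN)
            self.lock.close()


def lost_update_demo(cls):
    """Constructed passwd-like file; bonzini and eggert both read before
    either renames.  Returns the user names that survive both edits."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "passwd")
        with open(path, "w") as f:
            f.write("root:x:0:0::/root:/bin/sh\nmoe:x:1001:1001::/home/moe:/bin/sh\n"
                    "larry:x:1002:1002::/home/larry:/bin/sh\ncurly:x:1003:1003::/home/curly:/bin/sh\n")
        bonzini, eggert = cls(path, "moe:"), cls(path, "larry:")
        bonzini.read()
        try:
            eggert.read()    # racing read of the soon-to-be-stale file
            bonzini.commit()
            eggert.commit()  # renames over bonzini's edit: moe is back
        except BlockingIOError:  # locked variant: eggert has to wait
            bonzini.commit()
            eggert.read()
            eggert.commit()
        with open(path) as f:
            return sorted(line.split(":")[0] for line in f)
```

With the plain editor the returned list still contains moe; with the locked editor both deletions survive.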