2010/3/12 Mike Gerdts <mgerdts at gmail.com>:
> 2010/3/12 Olga Kryzhanovska <olga.kryzhanovska at gmail.com>:
>> This one, right?
>>       -i[SUFFIX], --in-place[=SUFFIX]
>>              edit files in place (makes backup if extension supplied)
>>
>> -i copies the content to a temporary backup file, truncates the
>> original (keeping permissions, ACL flags etc) and starts processing
>> from backup to original file, right?
>
> This algorithm can introduce race conditions which could result in
> security problems and, in disk-full conditions, can result in a
> partially written file.

Where do you see the race?

> A better approach would be the equivalent of:
>
> 1. ln $file $file.$suffix
> 2. newfile=$(mktemp $(dirname $file)/$(basename $file).XXXXXX)
> 3. chown $user:$group $newfile
> 4. chmod $perms $newfile ; # plus more magic to do extended attributes
> 5. sed $sedprog $file > $newfile
> 6. rename $newfile $file
>
> Important points of the above are:
>
> 1. Takes no space (aside from a directory entry), preserves permissions
> 2. Secure creation of a temporary file in the same directory as the
> file to ensure that rename(2) works.  If a symlink is involved, this
> should be done in the directory where the file really exists.
> 3 - 4. Sets the permissions properly.  Use the same code or algorithm
> that cp -p@ uses.

This is a hard part which I would like to avoid.
1. There is no libc function which copies all ACL data the way cp
-p@ does. We would have to copy much of cp's code.
2. It is not possible to set owner/group or all ACLs if we are not
the same user/group, yet the original file may be writable for me but
not owned by me. Truncating the file avoids the requirement to copy
the ACL or owner/group entirely.

Olga
-- 
      ,   _                                    _   ,
     { \/`o;====-    Olga Kryzhanovska   -====;o`\/ }
.----'-/`-/     olga.kryzhanovska at gmail.com   \-`\-'----.
 `'-..-| /     Solaris/BSD//C/C++ programmer   \ |-..-'`
      /\/\                                     /\/\
      `--`                                      `--`

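Added example, not code from the thread or from any sed implementation: the two in-place strategies discussed above, written out in C so the trade-off is visible. edit_by_rename() is the hard-link backup + mkstemp-in-the-same-directory + rename(2) recipe; edit_by_truncate() is the truncate-and-refill strategy that keeps the original inode and therefore its owner, mode and ACLs. The file names, the scratch directory under /tmp, the upper-casing filter standing in for the sed program and the "hello/world" input are all constructed for the example.

```c
/* Added example: both in-place strategies from the thread, side by side.
 * edit_by_rename(): hard-link backup + mkstemp in the same dir + rename(2).
 * edit_by_truncate(): truncate and refill the existing inode. */
#define _XOPEN_SOURCE 700
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

typedef int (*filter_fn)(FILE *in, FILE *out);

/* Resolve symlinks so the temp file lands beside the real inode; rename(2)
 * only works within one filesystem. Caller frees the result. */
static char *resolve(const char *path, struct stat *st)
{
    char *real = realpath(path, NULL);
    if (real && (stat(real, st) < 0 || !S_ISREG(st->st_mode))) {
        free(real); real = NULL; errno = EINVAL;
    }
    return real;
}

/* "<real>.XXXXXX", created O_EXCL with mode 0600 by mkstemp(): no other user
 * can pre-create or open it. Caller frees the returned name. */
static char *make_temp(const char *real, int *fd)
{
    char *tmp = malloc(strlen(real) + 8);
    if (!tmp) return NULL;
    strcpy(tmp, real); strcat(tmp, ".XXXXXX");
    if ((*fd = mkstemp(tmp)) < 0) { free(tmp); return NULL; }
    return tmp;
}

/* Stream src through f into fd; fd is always closed. A short write (ENOSPC)
 * surfaces as -1 from fclose() rather than as a silently truncated file. */
static int run_filter(const char *src, int fd, filter_fn f)
{
    FILE *in = fopen(src, "r"), *out = fdopen(fd, "w");
    int rc = (in && out) ? f(in, out) : -1;
    if (in) fclose(in);
    if (out) { if (fclose(out) != 0) rc = -1; } else close(fd);
    return rc;
}

static int copy_bytes(FILE *in, FILE *out)
{ int c; while ((c = getc(in)) != EOF) if (putc(c, out) == EOF) return -1; return ferror(in) ? -1 : 0; }

/* Stands in for the sed program (assumption for the example): upper-case every byte. */
static int upcase(FILE *in, FILE *out)
{ int c; while ((c = getc(in)) != EOF) if (putc(toupper(c), out) == EOF) return -1; return ferror(in) ? -1 : 0; }

int edit_by_rename(const char *path, filter_fn f, const char *suffix)
{
    struct stat st;
    int fd, rc = -1;
    char *real = resolve(path, &st), *tmp = NULL, *bak = NULL;
    if (!real || !(tmp = make_temp(real, &fd))) goto out;
    /* Copy owner and mode bits to the new inode. fchown() fails with EPERM
     * unless we own the file (or are root): the "writable but not mine" case
     * raised above. ACLs/xattrs are not copied; no portable libc call does it. */
    if (fchown(fd, st.st_uid, st.st_gid) < 0 || fchmod(fd, st.st_mode & 07777) < 0) {
        close(fd); goto drop;
    }
    if (run_filter(real, fd, f) < 0) goto drop;   /* original untouched on failure */
    if (suffix) {                                  /* backup = second name for the old inode */
        if (!(bak = malloc(strlen(real) + strlen(suffix) + 1))) goto drop;
        strcpy(bak, real); strcat(bak, suffix);
        if (link(real, bak) < 0) goto drop;
    }
    if (rename(tmp, real) == 0) rc = 0;            /* atomic: old or new, never partial */
drop:
    if (rc < 0 && tmp) unlink(tmp);
out:
    free(real); free(tmp); free(bak);
    return rc;
}

int edit_by_truncate(const char *path, filter_fn f)
{
    struct stat st;
    int fd, rc = -1;
    char *real = resolve(path, &st), *tmp = NULL;
    if (!real || !(tmp = make_temp(real, &fd))) goto out;
    if (run_filter(real, fd, copy_bytes) < 0) goto out;   /* private copy of the input */
    /* O_TRUNC reuses the inode: owner, mode, ACLs, xattrs all survive. Until
     * run_filter() returns the file is partially written; a full disk or a
     * crash leaves it that way, and concurrent readers can observe it. */
    if ((fd = open(real, O_WRONLY | O_TRUNC)) < 0) goto out;
    rc = run_filter(tmp, fd, f);
out:
    if (tmp) unlink(tmp);
    free(real); free(tmp);
    return rc;
}

/* Self-check on constructed input: upper-case "hello\nworld\n" in a scratch
 * directory and verify content, mode and (rename path) the hard-link backup.
 * Returns 0 on success, a negative step number at the first failure. */
int run_demo(int use_truncate)
{
    char dir[] = "/tmp/inplace-demo.XXXXXX", path[64], bak[72], buf[32];
    struct stat st;
    FILE *fp;
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/data.txt", dir);
    snprintf(bak, sizeof bak, "%s.bak", path);
    if (!(fp = fopen(path, "w")) || fputs("hello\nworld\n", fp) == EOF ||
        fclose(fp) != 0 || chmod(path, 0640) != 0) return -2;
    if ((use_truncate ? edit_by_truncate(path, upcase)
                      : edit_by_rename(path, upcase, ".bak")) < 0) return -3;
    if (!(fp = fopen(path, "r"))) return -4;
    buf[fread(buf, 1, sizeof buf - 1, fp)] = '\0'; fclose(fp);
    if (strcmp(buf, "HELLO\nWORLD\n") != 0) return -5;
    if (stat(path, &st) < 0 || (st.st_mode & 07777) != 0640) return -6;
    if (!use_truncate) {
        if (!(fp = fopen(bak, "r"))) return -7;
        buf[fread(buf, 1, sizeof buf - 1, fp)] = '\0'; fclose(fp);
        if (strcmp(buf, "hello\nworld\n") != 0 || unlink(bak) != 0) return -8;
    }
    return (unlink(path) == 0 && rmdir(dir) == 0) ? 0 : -9;
}
```

To see the objection from the second message, run edit_by_rename() as a user who has write permission on a file but does not own it: fchown() returns EPERM, the function returns -1 with the original file untouched, and that is the point at which a tool would have to fall back to edit_by_truncate() and accept the partial-write window. The link() backup costs only a directory entry, and the example deliberately fails with EEXIST rather than overwrite an existing backup name.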