????? ???????????? wrote:
> 2010/3/12 Mike Gerdts <mgerdts at gmail.com>:
>> 2010/3/12 ????? ???????????? <olga.kryzhanovska at gmail.com>:
>>> This one, right?
>>>    -i[SUFFIX], --in-place[=SUFFIX]
>>>        edit files in place (makes backup if extension supplied)
>>>
>>> -i copies the content to a temporary backup file, truncates the
>>> original (keeping permissions, ACL flags etc) and starts processing
>>> from backup to original file, right?
>> This algorithm can introduce race conditions which could result in
>> security problems and in disk full conditions can result in a
>> partially written file.
>
> Where do you see the race?

TOCTTOU.

Root does this:

	find /tmp -type f -print | xargs sed -i 's/this/that/'

Bad guy does something like this in a loop:

	while true; do
		touch /tmp/gotcha
		rm /tmp/gotcha
		ln -s /etc/passwd /tmp/gotcha
		rm /tmp/gotcha
	done

If you hit it just right, "find" sees the regular file, but "sed" gets
fed a symlink.  Boom.

-- 
James Carlson         42.703N   71.076W         <carlsonj at workingcode.com>
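
Added example, not part of the original message or of any sed implementation: one way an in-place editor can close the window described above is to open the file with O_NOFOLLOW and check the file type on the open descriptor instead of trusting what "find" saw by name. The function name edit_in_place_nofollow and the sample files are constructed for illustration.

```python
import errno
import os
import stat
import tempfile


def edit_in_place_nofollow(path, old, new):
    """Replace old with new in path; return False if path is refused."""
    try:
        # O_NOFOLLOW: open() fails if the last path component is a symlink,
        # so a swap made after "find" looked at the name cannot redirect us.
        fd = os.open(path, os.O_RDWR | os.O_NOFOLLOW)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):  # EMLINK on some BSDs
            return False
        raise
    try:
        # Check the type on the descriptor we will write to, not on the name.
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return False
        data = b""
        while chunk := os.read(fd, 65536):
            data += chunk
        out = memoryview(data.replace(old, new))
        os.lseek(fd, 0, os.SEEK_SET)
        os.ftruncate(fd, 0)
        while out:  # os.write may be partial
            out = out[os.write(fd, out):]
        return True
    finally:
        os.close(fd)


def demo():
    # Constructed sample files in a private temporary directory.
    with tempfile.TemporaryDirectory() as d:
        regular, target, link = (os.path.join(d, n) for n in ("regular", "target", "link"))
        for p in (regular, target):
            with open(p, "wb") as f:
                f.write(b"this line\n")
        os.symlink(target, link)
        edited = edit_in_place_nofollow(regular, b"this", b"that")
        refused = not edit_in_place_nofollow(link, b"this", b"that")
        with open(regular, "rb") as f:
            regular_after = f.read()
        with open(target, "rb") as f:
            target_after = f.read()
        return edited, refused, regular_after, target_after
```

O_NOFOLLOW only guards the final path component, and the truncate-and-rewrite used here is still exposed to the partial-write problem on a full disk that the thread mentions.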