BugTraq
tar preserves setuid bit Aug 04 2005 11:52PM
Imran Ghory (imranghory gmail com) (3 replies)
Re: GNU tar and the setuid bit Aug 06 2005 03:22PM
David Watson (baikie ehwhat freeserve co uk)
Re: tar preserves setuid bit Aug 05 2005 11:34PM
Sean Comeau (scomeau cansecwest com)
On Fri, Aug 05, 2005 at 12:52:50AM +0100, Imran Ghory wrote:
> The default behaviour of tar under root is not to change ownership of
> the file to root. However owner information is extracted from the tar
> file, so a trivially modified tar file can ensure the owner of the
> extracted files is the root user.
>
> This allows for the creation of arbitrary setuid executables owned by
> the root user if the root user extracts the files from a maliciously
> crafted tar file.
>

So what? When using tar to make backups this is what you need.

The default behavior of GNU tar (and others) not to change the ownership
of extracted files to self when running as root is well documented.

The only attack I see in your case is when the attacker is a local user
who gives root a tar with a setuid root program in it and root untars it
in a place where the attacker can run it. While I'm sure such situations
exist, I think they are rare, entirely the fault of the admin, and not
worth changing the default behavior of tar over.

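The mechanism both posters are discussing is that a tar member's header carries its own uid/gid and mode bits, and GNU tar running as root restores them verbatim. The following is an added example (not code from either poster) that shows a pre-extraction audit of an archive: it builds a constructed two-member archive in memory, one member carrying uid 0 and mode 4755, and then lists any members that would come out as setuid/setgid or root-owned if extracted as root. Names such as build_sample_archive and audit_archive are this example's own.

```python
import io
import stat
import tarfile


def build_sample_archive():
    """Constructed sample archive for the demo: one harmless file plus one
    member whose header claims uid 0 and mode 4755, i.e. exactly the kind
    of entry the thread describes. Nothing is written to disk."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        readme = tarfile.TarInfo("pkg/README")
        text = b"harmless text\n"
        readme.size = len(text)
        readme.mode = 0o644
        readme.uid, readme.gid = 1000, 1000
        tar.addfile(readme, io.BytesIO(text))

        helper = tarfile.TarInfo("pkg/bin/helper")
        body = b"#!/bin/sh\necho placeholder\n"  # constructed content
        helper.size = len(body)
        helper.mode = 0o4755          # setuid bit plus rwxr-xr-x
        helper.uid, helper.gid = 0, 0  # header claims root ownership
        helper.uname, helper.gname = "root", "root"
        tar.addfile(helper, io.BytesIO(body))
    return buf.getvalue()


def audit_archive(data):
    """Return a list of findings for members that would be dangerous to
    extract as root: setuid or setgid mode bits, or a uid-0 owner field.
    Each finding records the member name, its octal mode and uid, and the
    reasons it was flagged."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for member in tar:
            reasons = []
            # mode is the 12-bit permission field from the tar header
            if member.mode & stat.S_ISUID:
                reasons.append("setuid")
            if member.mode & stat.S_ISGID:
                reasons.append("setgid")
            # uid comes straight from the header, not from the filesystem
            if member.uid == 0:
                reasons.append("owner root")
            if reasons:
                findings.append({
                    "name": member.name,
                    "mode": oct(member.mode),
                    "uid": member.uid,
                    "reasons": reasons,
                })
    return findings


def safe_to_extract_as_root(data):
    """True only if no member would land as a setuid/setgid or root-owned
    file when tar restores ownership and permissions from the headers."""
    return not audit_archive(data)


if __name__ == "__main__":
    sample = build_sample_archive()
    for finding in audit_archive(sample):
        print(finding)
    print("safe to extract as root:", safe_to_extract_as_root(sample))
```

Run against the constructed archive, the audit flags only pkg/bin/helper, with reasons setuid and owner root. The same header fields are what GNU tar reads at extraction time; its documented --no-same-owner and --no-same-permissions options tell it to ignore them (apply the extracting user's ownership and umask instead), which is the usual choice when unpacking untrusted archives as root rather than restoring a backup.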
Re: tar preserves setuid bit Aug 05 2005 09:34PM
Neil McKellar (mckellar telusplanet net)
Copyright 2010, SecurityFocus