Re: [Bug-tar] Unexpected symlink attack due to change in link following
From: Joerg Schilling
Subject: Re: [Bug-tar] Unexpected symlink attack due to change in link following behaviour
Date: Mon, 12 Sep 2005 15:36:50 +0200
User-agent: nail 11.2 8/15/04
Clarence Dang <address@hidden> wrote:
> But that's just the problem: In general, not everyone is on the list and
> almost nobody reads documentation.
>
> Changing subtle behaviour is dangerous as DOSEMU has shown. But ultimately,
> this is up to you.
The problem here is DOSEMU and the fact that sysadmins should not unpack
unknown tar archives into a non-empty directory in case they own too many
permissions.
So first, you should make a bug report against dosemu.
Tar did always behave the way you don't seem to like..... GNU tar-1.13
did introduce the incompatible behavior and GNU tar did even fail
to become more secure this way.
Let me quote a part from the star man page:
SECURITY NOTES
If you unpack a tar archive in a non empty directory, any
file in that directory may be overwritten unless you specify
the -k option. If the archive contains symbolic links or
hard links, star may even overwrite files outside the
current directory. As many other commands, star usually has
all possible permissions when run as root. Unpacking
archives as root thus may have fatal results to any file on
your system. Be very careful when you try to extract an
archive that has not been created by you. It is possible to
create hand crafted tar archives that may overwrite critical
files (like /etc/passwd) on your system. In addition all
tar archives that have been created with the list= option
and tar archives where the C= option was not specified
before all file type arguments may be critical.
A good advise is to extract all doubtful archives as non
root in an empty directory and to specify the -secure-links
option. If you get a warning, you should unpack the archive
a second time and specify the options -k, -w and -nowarn in
addition to the options used for the first run.
.......
Related options (see complete man page) are:
-/
-..
-secure-links
-secure-links
Do not extract hard links or symbolic links if the link
name (the target of the link) starts with a slash (/)
or if /../ is contained in the link name. Tar archives
containing such links could be used to compromise the
system. If they are unpacked together with a lot of
other files, this may not even be noticed.
As the usability of a tar archiver would be limited if
-secure-links checking would be done by default, star
makes link checking optional.
If you unpacked a tar archive using the -secure-links
and did not get a security warning at the end of the
star run, all files and links have been extracted. If
you get a warning, you should unpack the archive a
second time and specify the options -k, -w and -nowarn
in addition to the options used for the first run. See
SECURITY NOTES for more information.
Note that GNU tar still does not check hardlinks which also are a
security problem.
Jörg
--
EMail:address@hidden (home) Jörg Schilling D-13353 Berlin
address@hidden (uni)
address@hidden (work) Blog: http://schily.blogspot.com/
URL: http://cdrecord.berlios.de/old/private/ ftp://ftp.berlios.de/pub/schily
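
The link check that the quoted -secure-links description specifies, written out as an added example; it is not part of the original message and is not star's code. It lists symbolic and hard links whose target starts with a slash or contains a ".." component (slightly stricter than the literal "/../" wording), so an archive can be audited before extraction. The function names and the sample archive are constructed for illustration.

```python
import io
import tarfile


def risky_links(fileobj):
    """Return (member name, link type, target) for every link the rule refuses."""
    findings = []
    with tarfile.open(fileobj=fileobj) as archive:
        for member in archive.getmembers():
            # Hard links are checked as well as symbolic links.
            if not (member.issym() or member.islnk()):
                continue
            target = member.linkname
            # Absolute target, or a ".." component anywhere in the target.
            if target.startswith("/") or ".." in target.split("/"):
                kind = "symlink" if member.issym() else "hardlink"
                findings.append((member.name, kind, target))
    return findings


def build_sample_archive():
    """Constructed sample: one harmless link and three that the rule flags."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello\n"
        info = tarfile.TarInfo("pkg/readme.txt")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        for name, kind, target in [
            ("pkg/ok", tarfile.SYMTYPE, "readme.txt"),
            ("pkg/abs", tarfile.SYMTYPE, "/etc/passwd"),
            ("pkg/up", tarfile.SYMTYPE, "sub/../../outside"),
            ("pkg/hard", tarfile.LNKTYPE, "/etc/passwd"),
        ]:
            link = tarfile.TarInfo(name)
            link.type = kind
            link.linkname = target
            tar.addfile(link)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, kind, target in risky_links(build_sample_archive()):
        print(f"refuse {kind} {name} -> {target}")
```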