From: Joerg Schilling
Subject: Re: [Bug-tar] [Fwd: Bug#328228: tar: CAN-2005-2541: Should warn when extracting setuid/setgid files]
Date: Wed, 14 Sep 2005 17:04:05 +0200
User-agent: nail 11.2 8/15/04

Bdale Garbee <address@hidden> wrote:

> Hello.
>
> As per the attached, tar's default behavior regarding setuid/setgid bits
> has been identified as a security issue and submitted to the Debian bug
> tracking system, among other places.
>
> My initial reaction was to be concerned that changing the default would
> violate user expectations, but I understand the motivation for this
> class of behavioral change request.
>
> I would prefer to not deviate the Debian tar default behavior from
> "stock".  What's your take on this?
>
> Please preserve the CC in replies so that our bug tracking system can
> keep a record of the conversation.

The claim in http://marc.theaimsgroup.com/?l=bugtraq&m=112327628230258&w=2
is wrong!

Neither is the default behavior of "tar" described correctly, nor is the standard quoted correctly.

Here is the standard:

x       Extract the named file or files from the archive. If a named file
        matches a directory whose contents had been written onto the archive,
        this directory is (recursively) extracted. If a named file in the
        archive does not exist on the system, the file is created with the
        same mode as the one in the archive, except that the set-user-ID and
        set-group-ID modes are not set unless the user has appropriate
        privileges. If the files exist, their modes are not changed except as
        described above. The owner, group, and modification time are restored
        (if possible). If no file operand is given, the entire content of the
        archive is extracted. Note that if several files with the same name
        are in the archive, the last one overwrites all earlier ones.

Jörg

-- 
 EMail:address@hidden (home) Jörg Schilling D-13353 Berlin
       address@hidden           (uni)  
       address@hidden   (work) Blog: http://schily.blogspot.com/
 URL:  http://cdrecord.berlios.de/old/private/ ftp://ftp.berlios.de/pub/schily
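An added example, not part of the thread above and not code from GNU tar, star or any other tar implementation: the two things the discussion turns on are (1) warning before extraction when an archive carries set-user-ID or set-group-ID members, which is what the bug report asks for, and (2) writing such members to disk with those bits cleared, which is the mode handling the quoted standard prescribes for a user without appropriate privileges. The script below does both with Python's tarfile module over a small archive it constructs in memory; the member names and modes are made up for the demonstration.

```python
"""Audit a tar archive for setuid/setgid members, then extract with the
bits cleared. Added example; the sample archive is constructed here and
does not come from any real package."""
import io
import os
import stat
import tarfile
import tempfile

PRIV_BITS = stat.S_ISUID | stat.S_ISGID

# Constructed sample members: (name, mode). Two of them carry privilege bits.
SAMPLE_MEMBERS = (
    ("bin/plain", 0o755),
    ("bin/suid-helper", 0o4755),   # set-user-ID
    ("bin/sgid-tool", 0o2755),     # set-group-ID
)


def build_sample_archive() -> bytes:
    """Build a small uncompressed tar archive in memory from SAMPLE_MEMBERS."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode in SAMPLE_MEMBERS:
            data = b"#!/bin/sh\necho hello\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def find_privileged_members(archive: bytes) -> list[tuple[str, str]]:
    """Return (name, octal mode) for every member whose mode has setuid or
    setgid set. Only headers are read; nothing is written to disk, so this
    is the pre-extraction warning step."""
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar:
            if member.mode & PRIV_BITS:
                flagged.append((member.name, f"{member.mode:04o}"))
    return flagged


def extract_without_privilege_bits(archive: bytes, dest: str) -> dict[str, int]:
    """Extract every member with set-user-ID and set-group-ID cleared from
    its header mode before it is written. Returns the permission bits that
    actually ended up on disk, keyed by member name."""
    on_disk = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar:
            member.mode &= ~PRIV_BITS          # the unprivileged-user rule
            tar.extract(member, path=dest)
            st = os.stat(os.path.join(dest, member.name))
            on_disk[member.name] = stat.S_IMODE(st.st_mode)
    return on_disk


def demo() -> dict[str, int]:
    """Warn about privileged members, then extract into a scratch directory."""
    archive = build_sample_archive()
    for name, mode in find_privileged_members(archive):
        print(f"warning: {name} has mode {mode} (setuid/setgid set)")
    with tempfile.TemporaryDirectory() as tmp:
        modes = extract_without_privilege_bits(archive, tmp)
    for name, mode in modes.items():
        print(f"{name}: extracted with mode {mode:04o}")
    return modes


if __name__ == "__main__":
    demo()
```

Running it warns about bin/suid-helper (4755) and bin/sgid-tool (2755) and shows all three files landing on disk as 0755. The check is deliberately separate from the extraction so an operator can run the audit alone against a downloaded archive before deciding how to unpack it.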
