[1427] in linux-security and linux-alert archive
[linux-security] Re: GNU tar vulnerability
daemon@ATHENA.MIT.EDU (Paul-Joseph de Werk)
Wed Feb 5 02:38:30 1997
To: "bugtraq@netspace.org" <bugtraq@netspace.org>,
"linux-security@redhat.com" <linux-security@redhat.com>
Date: Mon, 03 Feb 97 09:50:14 -0800
From: Paul-Joseph de Werk <Paul.deWerk@MCI.Com>
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
-- [ From: Paul-Joseph de Werk * EMC.Ver #3.2 ] --
> Date: Saturday, 25-Jan-97 09:37 AM
> From: linux-security@redhat.com \ Internet: (linux-security@redhat.com)
> To: bugtraq@netspace.org \ Internet: (bugtraq@netspace.org)
> To: linux-security@redhat.com \ Internet: (linux-security@redhat.com)
> Subject: [linux-security] GNU tar vulnerability
>
> I reported the following vulnerability to AUSCERT, but they weren't
> interested. People on this list might be, though!
>
> GNU tar is lazy about file creation modes and file owners when unpacking
> a tar file. Because GNU tar defaults to creating files owned by the
> userid running tar when the username is not found on your system, it can
> be possible to inadvertantly create setuid root programs.
[[...snip...]]
> It's very, very easy to get caught out by this. I'd like to see GNU tar
> strip the setuid bit off files it has to revert the ownership for due to
> an unknown original owner.
I'd prefer to see GNU tar add an option that basically says "I trust any
setuid/setgid flags in this tar, keep them." If the option isn't specified when
de-tarring then it should strip the flags for safety.
--
#include <stddiscl.h> | Quote:
Paul-Joseph de Werk, BSCS |
Sr. Systems Programmer | Every accomplishment
MCI Telecommunications Corporation | starts with the decision
State Government and University Markets | to try.
mailto:Paul.deWerk@MCI.Com |
pdewerk@campus.mci.net | --Unknown
http://www.campus.mci.net/~pdewerk/ |