[1430] in linux-security and linux-alert archive
[linux-security] Re: Re: Re: GNU tar vulnerability
daemon@ATHENA.MIT.EDU (Dave Kinchlea)
Wed Feb 5 05:06:26 1997
Date: Tue, 4 Feb 1997 17:42:58 -0800 (PST)
From: Dave Kinchlea <security@kinch.ark.com>
Reply-To: Dave Kinchlea <security@kinch.ark.com>
To: linux-security@redhat.com
In-Reply-To: <Pine.LNX.3.91.970204224436.32285A-100000@reptile.rug.ac.be>
Resent-From: linux-security@redhat.com
>
> [Mod: Lets consider this topic closed as it is clearly a case of
> misconfigured system -- alex]
I'm sorry but it is not a case of a misconfigured system at all, the
original complaint is valid and should not be dissmissed at all. In my
opinion, GNU tar is broken, it SHOULD be creating the file with the
UID/GID of the original file but it is not. (see my other post to this).
Try it yourself if you don't believe me: create a new user, call it foo.
Create a suid(foo) file (/bin/bash is as good a choice as any) and
create a tar file of that suid binary. remove the user foo and untar the
file in /tmp -- check to see that the file is now suid(root). It
*should* have been suid(uid-of-foo).
To really see this as the bug that it is, do the same as above but don't
create the user first, you will then see the proper behaviour. GNU Tar
gets this wrong and it is a concern.
cheers, kinch
[mod: I was going to write this blurb myself, but you beat me to it....
One more note: Gnu tar here does something unexpected. You may keep
shouting "USER ERROR", but unix tries to be as consistent as it can,
to keep surprises to a minimum. That's what this is about.
Suppose you have a system full of students. One student needs to be
moved to another system. suppose you do this:
m1:/home # tar cf - stud1 | rsh m2 "cd /home;tar xvf -"
m1:/home # grep ^stud1: /etc/passwd | rsh m2 "cat >> /etc/passwd"
You should have done this the other way around. Did you expect to give
"root" away with this? No. At least I didn't. This resulted in the
users's account having "root" as the owner, which allows him just
limited access to his account. The user will come back asking for:
m2:/home # chmod -R stud1 stud1
But all setuid-stud1 files were suddenly setuid-root.... You've
unknowingly given "root" access away..... Not good. -- REW]