[3968] in bugtraq


Re: GNU tar vulnerability

daemon@ATHENA.MIT.EDU (der Mouse)
Sun Jan 26 15:33:08 1997

Date: Sat, 25 Jan 1997 16:37:49 -0500
Reply-To: der Mouse <mouse@HOLO.RODENTS.MONTREAL.QC.CA>
From: der Mouse <mouse@HOLO.RODENTS.MONTREAL.QC.CA>
To: BUGTRAQ@netspace.org

> GNU tar is lazy about file creation modes and file owners when
> unpacking a tar file.  Because GNU tar defaults to creating files
> owned by the userid running tar when the username is not found on
> your system, it can be possible to inadvertently create setuid root
> programs.  [scenario]

Whaaaaat?  If GNU tar, by default, uses a private header format that
contains string names instead of the numeric UID and GID info a
standard tar header block holds, IMO that is a crippling bug, because
it will render it uninteroperable.

> It's very, very easy to get caught out by this.  I'd like to see GNU
> tar strip the setuid bit off files it has to revert the ownership for
> due to an unknown original owner.

I'd rather see it use standard header blocks by default, containing
normal numeric UID and GID info.  (If it is using header blocks
containing numeric ownership info and refusing to chown files to a UID
that does not correspond to any user on the extracting system, IMO that
is another bug (and also a pretty critical one).)

                                        der Mouse

                               mouse@rodents.montreal.qc.ca
                     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
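The hazard both posters describe, a member carrying a setuid bit whose recorded owner name does not exist on the extracting host, can be caught before anything is written to disk. The script below is an added example, not GNU tar's code and not from anyone in this thread; it uses Python's tarfile module to read the uname, uid and mode fields of each member and implements the quoted poster's suggestion of dropping the setuid/setgid bits whenever the owner name cannot be resolved. The archive contents, the account names `alice` and `nosuchuser`, and the paths `bin/helper` and `bin/odd` are constructed for the demonstration.

```python
"""Pre-extraction audit for tar members whose setuid/setgid bits would survive an
ownership fallback.  Added example; uses only Python's tarfile and pwd modules."""
import io
import pwd
import stat
import tarfile

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def system_users() -> set[str]:
    """Names of all accounts on the extracting host (from the pwd database)."""
    return {entry.pw_name for entry in pwd.getpwall()}


def build_sample_archive() -> bytes:
    """Constructed sample archive, built in memory: one plain file, one setuid
    file owned by root, and one setuid file whose owner name is not local."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, mode, uid, uname, payload in [
            ("docs/readme.txt", 0o644, 1000, "alice", b"hello\n"),
            ("bin/helper", 0o4755, 0, "root", b"#!/bin/sh\nid\n"),
            ("bin/odd", 0o4755, 4242, "nosuchuser", b"#!/bin/sh\nid\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            info.mode = mode            # header mode field keeps the 04000/02000 bits
            info.uid = info.gid = uid
            info.uname = info.gname = uname
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def owner_resolvable(member: tarfile.TarInfo, known_users: set[str]) -> bool:
    """True when the recorded owner name maps to an account on this host."""
    return member.uname in known_users


def sanitized_mode(member: tarfile.TarInfo, known_users: set[str]) -> int:
    """Mode to apply on extraction: setid bits survive only when the owner name
    resolves locally; otherwise ownership would fall back to the extracting user
    (root, in the scenario discussed) and the bits are stripped."""
    if owner_resolvable(member, known_users):
        return member.mode
    return member.mode & ~SETID_BITS


def audit_archive(data: bytes, known_users: set[str]) -> list[tuple[str, int, int]]:
    """Return (name, recorded mode, sanitized mode) for every regular file whose
    setid bits would be dropped, i.e. the members a root extraction could
    otherwise turn into setuid/setgid-root programs."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        for m in tf.getmembers():
            if not m.isreg() or not (m.mode & SETID_BITS):
                continue
            new_mode = sanitized_mode(m, known_users)
            if new_mode != m.mode:
                findings.append((m.name, m.mode, new_mode))
    return findings


if __name__ == "__main__":
    archive = build_sample_archive()
    # Constructed account list keeps the run deterministic; on a real host pass system_users().
    for name, old, new in audit_archive(archive, {"root", "alice"}):
        print(f"{name}: mode {old:o} -> {new:o} (owner name not on this system)")
```

Only `bin/odd` is reported: `bin/helper` is setuid too, but its owner name resolves, so the archive's recorded ownership can be restored and the mode is left as recorded. Which members count as acceptable is a policy decision for the extracting site; the audit simply makes the fallback case visible instead of silent.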
