lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri,  5 Aug 2005 15:34:04 -0600
From: Neil McKellar <mckellar@...usplanet.net>
To: Imran Ghory <imranghory@...il.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: tar preserves setuid bit


Imran Ghory <imranghory@...il.com> wrote:
> If running as the root user tar restores the original permissions to
> extracted files, this includes the setuid bit. No warning is given to
> the user that this has happened.

>From the default man page for tar:

    The owner, modification time, and mode are restored (if possible);

This isn't specific to GNU, it's *expected behaviour* for every version of tar.
 In fact, a failure to conform to this behaviour breaks essential functionality
of tar.  If the root user doesn't know what this tool does or what it's for,
then don't run it.

What part of 'Tape ARchive' wasn't clear?  Would you be happy if your backup and
restore procedures failed to actually restore files in their original condition?
 Sheesh.
-- 
Neil (mckellar@...usplanet.net)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ