lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 6 Aug 2005 16:22:48 +0100
From: David Watson <baikie@...hat.freeserve.co.uk>
To: bugtraq@...urityfocus.com
Subject: Re: GNU tar and the setuid bit


On Friday 05 Aug 2005 12:52 am, Imran Ghory wrote:
> If running as the root user tar restores the original permissions to
> extracted files, this includes the setuid bit. No warning is given to
> the user that this has happened.
>
> The default behaviour of tar under root is not to change ownership of
> the file to root. However owner information is extracted from the tar
> file, so a trivialy modified tar file can ensure the owner of the
> extracted files is the root user.
>
> This allows for the creation of arbitary setuid executable owned by
> the root user if the root user extracts the files from a malliciously
> crafted tar file.

With GNU tar (which you seem to be referring to), using --no-same-permissions 
when extracting clears all of the setuid, setgid and sticky bits in addition 
to subtracting the umask (undocumented behaviour, but logical enough). It's 
advisable to use this along with -o when extracting random archives as root. 
(Although as I've just noticed, -o alone will turn any setuid executable into 
a setuid-root executable - now that *is* a bug!) Or of course, you could 
extract them as someone else ;)

It looks as if they're planning to make --no-same-permissions the default for 
root in future, but 'alias tar="tar --no-same-permissions"' does the trick 
for now, if you don't mind breaking the old-style option syntax (-p reenables 
the full permissions from the archive, of course).

(By the way, -o is broken in version 1.14 at least, but --no-same-owner 
works.)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ