Date: Sat, 9 Sep 2006 07:57:53 -0700
From: darren kirby <bulliver@...computer.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Re: tar alternative

quoth the Tim:
> > What problems ?
>
> 1. tar archives contain information about the user and group of a file.
>    This is critical for backups, but quite unnecessary for software
>    distribution in the vast majority of cases.  It is a common pitfall
>    for software authors to leak information about their systems this
>    way.

What tar are you using? With every tarball I download the files within are 
given the owner:group of the user I extract them as.

I have never seen a developer's username or group disclosed... 

> 2. As discussed in this thread, tar archives contain permissions for
>    files.  Also important for backups, not important for software
>    distribution IMHO.

Sure they are important. Would you want to manually chmod +x all executables
and scripts? Manually chmod +r all documentation? Even stipulating that we
could use the umask value to decide permissions, it is still a PITA.

> 3. tar traditionally allows files to be extracted to any directory,
>    which can be dangerous.

This can be mitigated if you don't blindly extract tarballs as root, and you 
only extract in safe locations. If you unpack stuff to '/' you deserve to 
hose your system. 

True, some boneheads don't package their stuff in a top-level directory,
potentially overwriting existing files in the pwd. Perhaps the GNU folks
should add a 'noclobber' option...

>
> True, these behaviors can be overridden, or a tool developed that has
> safe defaults, but then the tool would be less useful for backups.  The
> point is, the Unix community has been using a backup tool for software
> distribution for many years.  Perhaps having the right tool for the job
> would be safer.
>
> For instance, a format that only contained filenames and timestamps, and
> is built to only output all files under a specific directory tree would
> be nice.
>
> > I would say cpio, but you don't want any backup designed archivers.
>
> Yeah, I had thought of that as well, but it likely has the same issues.
>
> thanks,
> tim

-d
-- 
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972
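The three concerns argued over in this thread (recorded owner names, recorded permission bits, and members that extract outside the target directory, or scatter across the pwd because there is no top-level directory) can all be checked from the archive metadata before anything is unpacked. The following Python script is an added example, not code from either poster; it builds a small constructed archive with both clean and problematic members, then audits each member using only the standard `tarfile` module. Names such as `pkg-1.0`, `builduser` and `stray-file` are invented sample values.

```python
import io
import posixpath
import tarfile

# Permission bits worth flagging in a source distribution: setuid/setgid and
# world-writable. Plain +x (0o755) is expected for scripts and is not flagged.
SETID_BITS = 0o6000
WORLD_WRITE = 0o002


def _escapes(base_dir, target):
    """True if a link target resolves outside the extraction root."""
    if target.startswith("/"):
        return True
    resolved = posixpath.normpath(posixpath.join(base_dir, target))
    return resolved == ".." or resolved.startswith("../")


def audit_member(info, expected_prefix=None):
    """Return the list of findings for one TarInfo (empty if clean)."""
    findings = []
    name = info.name
    parts = name.lstrip("/").split("/")
    if name.startswith("/"):
        findings.append("absolute path")
    if ".." in parts:
        findings.append("parent-directory traversal")
    if expected_prefix is not None and parts[0] != expected_prefix:
        findings.append("not under top-level directory")
    # Symlink targets are relative to the link's own directory; hard link
    # targets are relative to the archive root.
    if info.issym() and _escapes(posixpath.dirname(name), info.linkname):
        findings.append("symlink escapes extraction directory")
    if info.islnk() and _escapes("", info.linkname):
        findings.append("hard link escapes extraction directory")
    if info.mode & SETID_BITS:
        findings.append("setuid/setgid bit")
    if info.mode & WORLD_WRITE and not info.issym():
        findings.append("world-writable")
    # A recorded non-root user name says something about the build host.
    if info.uname not in ("", "root"):
        findings.append("records build-host owner %r" % info.uname)
    return findings


def audit_archive(data, expected_prefix=None):
    """Audit an archive held in memory; returns {member_name: [findings]}."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for info in tar.getmembers():
            findings = audit_member(info, expected_prefix)
            if findings:
                report[info.name] = findings
    return report


def top_level_entries(data):
    """Names that would land directly in the extraction directory."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        return sorted({m.name.lstrip("/").split("/")[0] for m in tar.getmembers()})


def build_sample_archive():
    """Constructed sample archive mixing clean members with each problem kind."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, mode=0o644, uname="root", gname="root"):
            data = b"x"
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            ti.mode = mode
            ti.uname, ti.gname = uname, gname
            tar.addfile(ti, io.BytesIO(data))

        def add_symlink(name, target):
            ti = tarfile.TarInfo(name)
            ti.type = tarfile.SYMTYPE
            ti.linkname = target
            tar.addfile(ti)

        add_file("pkg-1.0/README")                       # clean
        add_file("pkg-1.0/configure", mode=0o755)        # clean: +x is legitimate
        add_file("pkg-1.0/tool", mode=0o4755)            # setuid bit
        add_file("pkg-1.0/notes", uname="builduser")     # owner name recorded
        add_file("pkg-1.0/../escape")                    # traversal
        add_file("/tmp/outside")                         # absolute path
        add_file("stray-file")                           # no top-level directory
        add_symlink("pkg-1.0/docs/link", "../README")    # clean: resolves inside
        add_symlink("pkg-1.0/bad-link", "../../outside") # escapes
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    print("top-level entries:", top_level_entries(sample))
    for member, findings in audit_archive(sample, "pkg-1.0").items():
        print(member, "->", ", ".join(findings))
```

Two caveats on reading the report: the recorded owner name only matters on extraction when the extracting process is root, since GNU tar applies `--same-owner` by default for the superuser and ignores it otherwise; and GNU tar already strips a leading `/` and refuses `..` components unless `-P` is given, so the absolute-path and traversal findings are about what other tools and older tars may do, while the link and permission checks cover cases the archiver itself does not refuse.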

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
