lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 9 Sep 2006 11:47:36 -0400
From: Tim <tim-security@...tinelchicken.org>
To: darren kirby <bulliver@...computer.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Re: tar alternative

> What tar are you using? With every tarball I download the files within are 
> given the owner:group of the user I extract them as.
>
> I have never seen a developer's username or group disclosed... 

Yes, as a normal user, you can't create files locally owned by another
user, so they aren't, but the username/group are indeed in the tar file.
>>From a couple of tarballs I have lying around my system:

  me@...alhost:/usr/local/src> tar tjvf nmap-3.50.tar.bz2 
  drwxr-xr-x fyodor/fyodor     0 2004-01-18 22:04 nmap-3.50/
  -rw-r--r-- fyodor/fyodor 15318 2003-09-10 22:12 nmap-3.50/main.cc
  -rw-r--r-- fyodor/fyodor 75134 2003-12-01 20:09 nmap-3.50/nmap.cc
  -rw-r--r-- fyodor/fyodor 50952 2003-09-16 02:04 nmap-3.50/targets.cc
  -rw-r--r-- fyodor/fyodor 67425 2003-09-20 05:03 nmap-3.50/tcpip.cc
  -rw-r--r-- fyodor/fyodor  7490 2003-09-10 22:12 nmap-3.50/nmap_error.cc
  -rw-r--r-- fyodor/fyodor 22068 2003-09-10 22:12 nmap-3.50/utils.cc
  -rw-r--r-- fyodor/fyodor 41675 2003-09-10 22:12 nmap-3.50/idle_scan.cc
  -rw-r--r-- fyodor/fyodor 68759 2003-09-10 22:12 nmap-3.50/osscan.cc
  -rw-r--r-- fyodor/fyodor 46270 2003-12-18 16:42 nmap-3.50/output.cc
  -rw-r--r-- fyodor/fyodor 71462 2003-12-01 20:09 nmap-3.50/scan_engine.cc
  ...

and

  me@...alhost:/usr/local/src> tar tzvf wget-1.9.1.tar.gz 
  drwxr-xr-x hniksic/hniksic     0 2003-11-11 18:42 wget-1.9.1/
  drwxr-xr-x hniksic/hniksic     0 2003-11-11 18:42 wget-1.9.1/doc/
  drwxr-xr-x hniksic/hniksic     0 2003-11-11 18:42 wget-1.9.1/doc/ChangeLog-branches/
  -rw-r--r-- hniksic/hniksic 12928 2001-01-06 04:26 wget-1.9.1/doc/ChangeLog-branches/1.6_branch.ChangeLog
  -rw-r--r-- hniksic/hniksic 23252 2003-11-08 18:46 wget-1.9.1/doc/ChangeLog
  -rw-r--r-- hniksic/hniksic  4854 2003-10-23 18:53 wget-1.9.1/doc/Makefile.in
  -rw-r--r-- hniksic/hniksic  1529 2003-10-04 06:34 wget-1.9.1/doc/ansi2knr.1
  -rw-r--r-- hniksic/hniksic  4022 2001-11-30 02:32 wget-1.9.1/doc/sample.wgetrc
  ...



> Sure they are important. Would you want to manually chmod +x all executables 
> and scripts? Manually chmod +r all documentation? Even stipulating that we 
> could use the umask value to decide permissions it is still a PITA.

Using umask is perfectly fine, except in the case of executables, so
that is a good point.


> This can be mitigated if you don't blindly extract tarballs as root, and you 
> only extract in safe locations. If you unpack stuff to '/' you deserve to 
> hose your system. 

Well, personally, I think it's just a joke that I can't extract the
contents of an archive as root and feel safe.  I mean, think about it
for a second... It's not like I'm downloading a random executable and
running it without some trust.  Sure, you shouldn't run programs
unnecessarily as root.  That goes for any program, but that's a
precaution that's supposed to prevent unforseen vulnerabilities, and
shouldn't be needed to work around braindead default behavior.  It's
like saying: never open emails from people you don't know.  Yeah, it
might be a good idea, but it's a total failure of the software involved
to rely on that recommendation for security.

Now, beyond the root user issue, isn't it true that if I untar a
malicious archive as a normal user, that my own files could be squashed
too?  If I always unpack source files in ~/src as a normal user, and
compile them in their own subdirectories as my own user, I could still
be at risk if I'm not careful.  Suppose one day, I unpack foo-0.1.tar.gz
to the directory ~/src/foo-0.1.  Then, the next day I download
bar-0.1.tar.gz, which I don't really trust.  I just want to unpack it
and take a look at the source before I compile and install.  So, I untar
it in ~/src.  Let's suppose bar-0.1.tar.gz contains the following files:

  bar-0.1/
  foo-0.1/evil.c
  bar-0.1/benign.c
  ...


So, this could inject evil code into my other program.  If I were naive
enough to extract an archive in my home directory, my .profile could
receive a lovely shellcode.


> True, some boneheads don't package their stuff in a top-level directory 
> potentially overwriting existing files in the pwd. Perhaps the GNU folks 
> should add a 'noclobber' option....

Yes, I guess what I just described is what you were getting at.
noclobber would be great and all, except not all archive extractors
would behave this way, and if noclobber isn't the default, it will leave
new users vulnerable.

I just think it would be better to have a format that makes it easy to
enforce a top level directory for all files, and removes the leaks
mentioned above.  I've searched around since my first posting, and I've
yet to find one, unfortunately.

cheers,
tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ