Date: Tue, 9 Aug 2005 09:12:02 -0700 (PDT)
From: "Jeremy C. Reed" <reed@...dmedia.net>
To: Imran Ghory <imranghory@...il.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: tar preserves setuid bit


On Fri, 5 Aug 2005, Imran Ghory wrote:

> I'm not saying that it shouldn't have the behaviour, rather that it
> should warn the user.
>
> However the only reason I posted this "bug" was because a number of
> unix/linux vendors have decided that the same issue in unzip (which I
> cited earlier : CAN-2005-0602) should be considered a vulnerability
> and have issued patches to change the behaviour. Hence they may (or
> may not) decide to take similar action with tar,

I thought this was a little different. According to unzip advisory, normal 
unzip does this behaviour. But with tar you usually use the -p switch -- 
so you have to make a simple effort to do the setuid/setgid. Also you'd 
need to be root to set it to setuid.

It is not documented well in the gtar manual page:

          -p, --same-permissions, --preserve-permissions
               extract all protection information

But then I read GNU tar-1.15.1 README which says:

  About *security*, it is probable that future releases of `tar' will have
  some behavior changed.  There are many pending suggestions to choose from.
  Today, extracting an archive not being `root', `tar' will restore suid/sgid
  bits on files but owned by the extracting user.  `root' automatically gets
  a lot of special privileges, `-p' might later become required to get them.

I tested and as root it did automatically preserve the setuid and I was 
surprised by this behaviour as I had always used -p switch before.

The man page for tar from NetBSD (not gtar) says:

    -p, --preserve-permissions, --preserve
                Preserve user and group ID as well as file mode regardless
                of the current umask(2).  The setuid and setgid bits are
                only preserved if the user is the superuser.  Only meaning-
                ful in conjunction with the -x flag.

With NetBSD's tar you are required to use the -p switch.

I don't know when GNU tar changed -- or maybe I had always used some 
patched GNU tar that forced this -- but maybe it should expect -p also.

  Jeremy C. Reed

  	  	 	 BSD News, BSD tutorials, BSD links
 	  	 	 http://www.bsdnewsletter.com/
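
An added example, not part of the original message or of any tar implementation: a Python sketch using the standard `tarfile` module that lists archive members carrying setuid/setgid bits and extracts with those bits cleared. The archive contents, member names and function names are constructed for illustration.

```python
import io
import stat
import tarfile
import tempfile
from pathlib import Path

SETID = stat.S_ISUID | stat.S_ISGID


def build_sample_archive() -> bytes:
    """Constructed sample: one setuid file, one setgid file, one plain file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode in (("bin/helper", 0o4755), ("bin/spool", 0o2755), ("README", 0o644)):
            info = tarfile.TarInfo(name)
            info.mode = mode
            data = b"constructed sample\n"
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def find_setid_members(archive: bytes) -> list[tuple[str, str]]:
    """Return (name, octal mode) for every member carrying setuid or setgid."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        return [(m.name, oct(m.mode)) for m in tar if m.mode & SETID]


def extract_without_setid(archive: bytes, dest: str) -> dict[str, int]:
    """Extract into dest with setuid/setgid cleared; return resulting modes."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        members = tar.getmembers()
        for m in members:
            m.mode &= ~SETID  # drop the bits before tarfile applies chmod
        tar.extractall(dest, members=members)
    return {m.name: stat.S_IMODE(Path(dest, m.name).stat().st_mode)
            for m in members if m.isfile()}


if __name__ == "__main__":
    sample = build_sample_archive()
    for name, mode in find_setid_members(sample):
        print(f"setuid/setgid member: {name} ({mode})")
    with tempfile.TemporaryDirectory() as tmp:
        print(extract_without_setid(sample, tmp))
```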

