Subject: Re: tar ignores filenames that contain `..'
To: NetBSD tech-pkg <>
From: Marton Fabo <>
List: tech-pkg
Date: 10/31/2002 19:12:38
>>A normal user can't overwrite anything (very) improtant.
> Untrue. Many break-ins succeed by getting normal users to do things...

Yes, for example by having *root* extract some malicious tarfile which 
overwrites something the person doing the untarring doesn't know about.

If I understand correctly, this tar "exploit" per se doesn't allow 
anyone to do anything she couldn't do anyway. It just harnesses the 
possibility to have a *powerful user* do something she doesn't know 
about (overwrite files outside the tree the untarring is supposed to 
happen in).

Correct me if I'm wrong.