Subject: Re: tar ignores filenames that contain `..'
To: NetBSD tech-pkg <firstname.lastname@example.org>
From: Marton Fabo <email@example.com>
Date: 10/31/2002 19:12:38
>>A normal user can't overwrite anything (very) important.
> Untrue. Many break-ins succeed by getting normal users to do things...
Yes, for example by having *root* extract some malicious tarfile which
overwrites something the person doing the untarring doesn't know about.
If I understand correctly, this tar "exploit" per se doesn't allow
anyone to do anything she couldn't do anyway. It just harnesses the
possibility to have a *powerful user* do something she doesn't know
about (overwrite files outside the tree the untarring is supposed to
Correct me if I'm wrong.
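
The check a cautious extractor can run before unpacking, as an added example that is not part of the original message or of NetBSD's tar: it lists archive members whose names, or whose link targets, would resolve outside the extraction tree. The function names and the sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile


def escapes_tree(name):
    """True if a member path would resolve outside the extraction directory."""
    if name.startswith("/"):
        return True
    norm = posixpath.normpath(name)
    # Only `..` as a whole path component matters; "notes..txt" is harmless.
    return norm == ".." or norm.startswith("../")


def unsafe_members(archive):
    """Return names of members (or links) that would leave the tree."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive)) as tf:
        for m in tf.getmembers():
            if escapes_tree(m.name):
                bad.append(m.name)
            elif m.issym() or m.islnk():
                # Symlink targets are relative to the link's own directory,
                # hard-link targets to the archive root.
                base = posixpath.dirname(m.name) if m.issym() else ""
                if escapes_tree(posixpath.join(base, m.linkname)):
                    bad.append(m.name)
    return bad


def build_sample():
    """Constructed in-memory archive mixing benign and escaping names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("pkg/README", "pkg/notes..txt",
                     "pkg/../../etc/constructed.conf", "../outside"):
            data = b"constructed\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("pkg/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../target"
        tf.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name in unsafe_members(build_sample()):
        print("refusing:", name)
```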