Subject: Re: pax fails to overwrite symbolic links
To: None <current-users@netbsd.org>
From: Christos Zoulas <christos@tac.gw.com>
List: current-users
Date: 05/10/2005 21:20:50

In article <20050511010429.GA16747@moray.salmi.ch>,
Jukka Salmi  <j+nbsd@2005.salmi.ch> wrote:
>Hello,
>
>since pax was [1]changed some weeks ago (the `--insecure' option was
>modified to "do something"), tar fails to overwrite symbolic links:
>
>$ mkdir /tmp/test && cd /tmp/test
>$ tar -xzf /sets/base.tgz
>$ ls -l dev/log
>lrwxr-xr-x  1 root  wheel  12 May  5 21:42 dev/log -> /var/run/log
>$ ln -sf /foo dev/log
>$ ls -l dev/log
>lrwxr-xr-x  1 root  wheel  4 May 11 01:30 dev/log -> /foo
>$ tar -xzf /sets/base.tgz
>tar: Attempt to write file `/foo' outside current working directory
>`/tmp/test' ignored
>[...]
>$ ls -l dev/log
>lrwxr-xr-x  1 root  wheel  4 May 11 01:34 dev/log -> /foo
>
>Of course using the `--insecure' option works around this problem:
>
>$ tar --insecure -xzf /sets/base.tgz
>$ ls -l dev/log
>lrwxr-xr-x  1 root  wheel  12 May  5 21:42 dev/log -> /var/run/log
>
>
>This happens because in src/bin/pax/ar_subs.c's path_check(), realpath(3)
>resolves symbolic links if they exist in the file system, and thus not the
>link itself but the link's target is taken into account when checking whether
>it's outside the working directory or not.
>
>How should this be solved? Always use `--insecure'? Maybe a lrealpath(3)
>would be useful...
>
>Any hints?

Send-pr please.

christos
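
The behaviour reported above, as an added example that is not part of the thread and is not pax's code: it compares a containment check that runs realpath(3) on the full name with one that canonicalizes only the parent directory. The function names, the temporary directory and the link target `/` are assumptions made for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if canonical `path` is `root` or lies below it, else 0. */
static int under(const char *root, const char *path) {
    size_t n = strlen(root);
    return strncmp(root, path, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* As in the report: realpath(3) follows a symlink in the last component. */
int check_follow(const char *root, const char *name) {
    char full[PATH_MAX], res[PATH_MAX];
    snprintf(full, sizeof full, "%s/%s", root, name);
    return realpath(full, res) ? under(root, res) : -1;
}

/* Hypothetical alternative: canonicalize the parent directory only. */
int check_parent(const char *root, const char *name) {
    char full[PATH_MAX], res[PATH_MAX];
    snprintf(full, sizeof full, "%s/%s", root, name);
    return realpath(dirname(full), res) ? under(root, res) : -1;
}

/* Constructed scenario: <tmpdir>/dev/log -> "/" (exists, outside the tree). */
int demo(int *follow, int *parent) {
    char tmpl[] = "/tmp/paxdemo.XXXXXX", root[PATH_MAX];
    char dir[PATH_MAX + 16], lnk[PATH_MAX + 16];
    if (!mkdtemp(tmpl) || !realpath(tmpl, root)) return -1;
    snprintf(dir, sizeof dir, "%s/dev", root);
    snprintf(lnk, sizeof lnk, "%s/dev/log", root);
    if (mkdir(dir, 0700) != 0 || symlink("/", lnk) != 0) return -1;
    *follow = check_follow(root, "dev/log"); /* judges the link's target */
    *parent = check_parent(root, "dev/log"); /* judges where the entry lives */
    unlink(lnk); rmdir(dir); rmdir(root);
    return 0;
}

int main(void) {
    int f, p;
    if (demo(&f, &p) != 0) return 1;
    printf("follow last component: %d, parent only: %d\n", f, p);
}
```

A parent-only check covers only the decision about where the entry lives; the extractor still has to replace the existing link rather than open through it, otherwise the write lands on the link's target.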