Current-Users archive


Re: Tar extract behaviour changed



On Tue, Oct 22, 2019 at 06:37:44AM +0700, Robert Elz wrote:
>     Date:        Mon, 21 Oct 2019 21:20:25 +0200
>     From:        Joerg Sonnenberger <joerg%bec.de@localhost>
>     Message-ID:  <20191021192025.GA33725%bec.de@localhost>
> 
>   | That said, I don't really see a point in
>   | allowing one form of arbitrary file replacement and not another.
> 
> If we're thinking of it purely as protection against potentially
> malicious archives obtained from some random internet site, then
> nor do I

I am not sure. Clearly / and .. are protecting against malicious archives.
But in my view a directory entry in the (potentially malicious) archive
overwriting an existing symlink is something where the explicit wish of the
user running the extraction is not honored.

The attack vector here would be someone modifying my file system
placing malicious symlinks somewhere and later me running the
extraction of the archive - which is very different from not trusting
the archive in the first place.

The other open question is: given that we only have -P, we need to either:

 - make sysinst list all directories in the archive and check them for
   existing symlinks, then ask the user whether the existing symlink should
   be kept (and then add -P to the tar command line) or
 - simply use -P always on set extractions (where we already know that no
   .. or / should exist and we kind of trust the archives anyway)

The current state silently breaks existing valid setups ("valid" of course
in my view, as I personally ran into one that I created myself).

Martin
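
A pre-check of the kind the first option above describes, added here as an example (not sysinst's, tar's or the thread's own code): it lists the directory members of a set archive and reports those whose destination is already a symlink, so the extraction can ask before tar replaces it. Function names, the demo paths and the embedded `tar -tf` listing are constructed assumptions.

```shell
#!/bin/sh
# Pre-check for set extraction: list the directory members of a tar archive
# and report those whose destination path is already a symlink (the entries
# that tar without -P would replace with a real directory).
# Assumed helper names; the demo paths and listing are constructed.

# Read a `tar -tf` listing on stdin; for each directory member whose
# destination "$1/<member>" is an existing symlink, print "<member> -> <target>".
symlink_clashes_from_listing() {
    dest=$1
    while IFS= read -r entry; do
        case $entry in */) ;; *) continue ;; esac   # directory members end in '/'
        rel=${entry#./}; rel=${rel%/}               # "./etc/" -> "etc"
        [ -n "$rel" ] || continue                   # skip the "./" root entry
        if [ -L "$dest/$rel" ]; then
            printf '%s -> %s\n' "$rel" "$(readlink "$dest/$rel")"
        fi
    done
}

# The same check on a real archive. Returns 0 if extraction into "$2" would
# replace no symlink, 1 if at least one would (then ask, or extract with -P).
check_archive() {
    n=$(tar -tf "$1" | symlink_clashes_from_listing "$2" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Constructed scenario: the user's dest/etc is a symlink and the set
# carries an etc/ directory. Prints the clashes; returns 0 if none, 1 otherwise.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/dest" "$work/real_etc"
    ln -s "$work/real_etc" "$work/dest/etc"      # deliberate, pre-existing symlink
    listing='./
./bin/
./bin/sh
./etc/
./etc/rc.conf'
    clashes=$(printf '%s\n' "$listing" | symlink_clashes_from_listing "$work/dest")
    rm -rf "$work"
    if [ -n "$clashes" ]; then printf '%s\n' "$clashes"; return 1; fi
    return 0
}

if demo; then
    echo "no symlink would be replaced; plain extraction is fine"
else
    echo "a directory in the set would replace an existing symlink: keep it (-P) or let tar replace it?"
fi
```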

