Subject: Re: tar ignores filenames that contain `..'
To: David Laight <david@l8s.co.uk>
From: Greg A. Woods <woods@weird.com>
List: tech-pkg
Date: 10/31/2002 14:22:23
[ On Thursday, October 31, 2002 at 16:12:18 (+0000), David Laight wrote: ]
> Subject: Re: tar ignores filenames that contain `..'
>
> > can't chroot as a normal user?
>
> A normal user can't overwrite anything (very) improtant.
I wish that were true, but it's most certainly not. There are several
important scenarios.
A normal user can overwrite his own ~/.profile or whatever, and if that
user is in the wheel group, well all bets are off.
A normal user can overwrite his own ~/.ssh*/* files, and so as part of a
sophisticated and co-ordinated attack there could be an opportunity to
successfully spoof an SSH server to that user.
Besides, try explaining to your boss why one of his most important files
was deleted just because he unpacked some rogue archive file. There's
"important", and then there's "Important"! :-)
Pax (and other like archivers) must not ever overwrite files outside the
hierarchy from where it was started, and it really should not ever
overwrite any files if it's asked not to or if it is tricked into
following symlinks added by another local attacker at runtime (both of
the latter mean making sure it doesn't fall trap to symlink races too).
--
Greg A. Woods
+1 416 218-0098; <g.a.woods@ieee.org>; <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>