[ On Thursday, October 31, 2002 at 19:12:38 (+0100), Marton Fabo wrote: ]
> Subject: Re: tar ignores filenames that contain `..'
>
> If I understand correctly, this tar "exploit" per se doesn't allow 
> anyone to do anything she couldn't do anyway. It just harnesses the 
> possibility to have a *powerful user* do something she doesn't know 
> about (overwrite files outside the tree the untarring is supposed to 
> happen in).

Yes, though the relative privileges of the user doing the untarring are
really irrelevant.

Whatever the damage is, it can obviously be done by the user doing the
unarchiving.  Since lots of semi-automated systems "hide" the actions of
the unarchiver or the amount of output about what's happening may be
overwhelming and/or meaningless to the user, the damage can be done in
such a way that whomever does it is none the wiser until it's far too
late.  A trojan command in my ~/bin could even lead to a root backdoor
being installed since I might accidentally run that command after 'su'.

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>