<<< Date Index >>>     <<< Thread Index >>>

Re: tar preserves setuid bit



On Fri, 5 Aug 2005, Imran Ghory wrote:

I'm not saying that it shouldn't have the behaviour, rather that it
should warn the user.

Howeber the only reason I posted this "bug" was because a number of
unix/linux vendors have decided that the same issue in unzip (which I
cited earlier : CAN-2005-0602) should be considered a vulnerability
and have issued patches to change the behaviour. Hence they may (or
may not) decide to take similar action with tar,

I thought this was a little different. According to unzip advisory, normal unzip does this behaviour. But with tar you usually use the -p switch -- so you have to make a simple effort to do the setuid/setgid. Also you'd need to be root to set it to setuid.

It is not documented well in the gtar manual page:

         -p, --same-permissions, --preserve-permissions
              extract all protection information

But then I read GNU tar-1.15.1 README which says:

 About *security*, it is probable that future releases of `tar' will have
 some behavior changed.  There are many pending suggestions to choose  from.
 Today, extracting an archive not being `root', `tar' will restore  suid/sgid
 bits on files but owned by the extracting user.  `root' automatically gets
 a lot of special privileges, `-p' might later become required to get them.

I tested and as root it did automatically preserve the setuid and I was surprised by this behaviour as I had always used -p switch before.

The man page for tar from NetBSD (not gtar) says:

   -p, --preserve-permissions, --preserve
               Preserve user and group ID as well as file mode regardless
               of the current umask(2).  The setuid and setgid bits are
               only preserved if the user is the superuser.  Only meaning-
               ful in conjunction with the -x flag.

With NetBSD's tar you are required to use the -p switch.

I don't know when GNU tar changed -- or maybe I had always used some patched GNU tar that forced this -- but maybe it should expect -p also.

 Jeremy C. Reed

                         BSD News, BSD tutorials, BSD links
                         http://www.bsdnewsletter.com/