Re: GNU tar vulnerability

[mouse () HOLO RODENTS MONTREAL QC CA (der Mouse)]

> GNU tar is lazy about file creation modes and file owners when
> unpacking a tar file.  Because GNU tar defaults to creating files
> owned by the userid running tar when the username is not found on
> your system, it can be possible to inadvertantly create setuid root
> programs.  [scenario]

Whaaaaat?  If GNU tar, by default, uses a private header format that
contains string names instead of the numeric UID and GID info a
standard tar header block holds, IMO that is a crippling bug, because
it will render it uninteroperable.

> It's very, very easy to get caught out by this.  I'd like to see GNU
> tar strip the setuid bit off files it has to revert the ownership for
> due to an unknown original owner.

I'd rather see it use standard header blocks by default, containing
normal numeric UID and GID info.  (If it is using header blocks
containing numeric ownership info and refusing to chown files to a UID
that does not correspond to any user on the extracting system, IMO that
is another bug (and also a pretty critical one).)

                                        der Mouse

                               mouse () rodents montreal qc ca
                     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B