Bugtraq mailing list archives
tar preserves setuid bit
From: Imran Ghory <imranghory () gmail com>
Date: Fri, 5 Aug 2005 00:52:50 +0100
(essentially the same as the unzip vulnerability CAN-2005-0602 except that it only works against the root user) ================================ tar preserves setuid bit ================================ Software: tar Version: 1.15.1 Software URL: <www.gnu.org/software/tar/tar.html> Platform: Unix, Linux. Severity: Medium Vulnerable software ==================== tar 1.15.1 and previous versions running on unix. Vulnerability ============== If running as the root user tar restores the original permissions to extracted files, this includes the setuid bit. No warning is given to the user that this has happened. The default behaviour of tar under root is not to change ownership of the file to root. However owner information is extracted from the tar file, so a trivialy modified tar file can ensure the owner of the extracted files is the root user. This allows for the creation of arbitary setuid executable owned by the root user if the root user extracts the files from a malliciously crafted tar file. --- Imran Ghory
Current thread:
- tar preserves setuid bit Imran Ghory (Aug 05)
- Re: tar preserves setuid bit Neil McKellar (Aug 09)
- Re: tar preserves setuid bit Imran Ghory (Aug 09)
- Re: tar preserves setuid bit Jeremy C. Reed (Aug 09)
- Re: tar preserves setuid bit Imran Ghory (Aug 09)
- Re: tar preserves setuid bit Sean Comeau (Aug 09)
- Re: GNU tar and the setuid bit David Watson (Aug 09)
- Re: GNU tar and the setuid bit David Watson (Aug 09)
- Re: tar preserves setuid bit Neil McKellar (Aug 09)