Full Disclosure mailing list archives
Re: tar alternative
From: Jon Hart <jhart () spoofed org>
Date: Wed, 20 Sep 2006 13:37:22 -0700
On Wed, Sep 20, 2006 at 03:53:06PM -0400, Tim wrote:
Well, the whole idea that having to use a non-root account to unpack some files has always been ridiculous to me. Sure, given the way tar behaves, it is insane not to, but for a software distribution tool, making this a requirement is pretty lame. Changing tar's behavior to be safer is possible, but would likely degrade the ability of tar to be a good backup tool. The use cases for each type of tool are simply different.
I've been following this since it started, but never actually looked into how to make tar "safer" or if there is a better alternative out there. Think of some of the risks here.

tar archives that unpack into . or ../../../some/sensitive/dir -- raise your hand if you've been bit by this. I was, once, and ever since tar -ztvf all the archives I handle before actually unpacking.

Doing a pentest and need some usernames? Crawl for .tar.* and parse out the usernames. One option here is to use the --numeric-owner option, or better yet, the --owner and --group options:

$ tar --numeric-owner -cvf - foo |tar -tvf -
foo
-rw-r--r-- 1000/1000 0 2006-06-30 15:19 foo
$ tar --owner 65535 --group 65535 -cvf - foo |tar -tvf -
foo
-rw-r--r-- 65535/65535 0 2006-06-30 15:19 foo

Obviously, this only solves part of the problem.

-jon
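The two risks Jon lists (members that unpack outside the target directory, and owner/group names leaking from the headers) can both be checked before extraction, which is the automated form of his "tar -tvf first" habit. The following is an added example, not code from the thread; the archive it builds in memory and the owner names in it (jhart, users) are constructed for the demo.

```python
import io
import posixpath
import tarfile


def _escapes(path: str) -> bool:
    """True if a member path would land outside the extraction directory."""
    if posixpath.isabs(path):
        return True
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def audit_tar(data: bytes) -> dict:
    """Inspect an archive without extracting it: report members whose path
    or link target escapes the extraction root, and the owner/group names
    the archive would reveal (empty when built with --numeric-owner)."""
    findings = {"unsafe": [], "owner_names": set()}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if _escapes(m.name):
                findings["unsafe"].append(m.name)
            if m.issym() or m.islnk():
                # Hard link targets are archive-relative; symlink targets are
                # relative to the member's own directory.
                base = "" if m.islnk() else posixpath.dirname(m.name)
                if _escapes(posixpath.join(base, m.linkname)):
                    findings["unsafe"].append(f"{m.name} -> {m.linkname}")
            for n in (m.uname, m.gname):
                if n:
                    findings["owner_names"].add(n)
    return findings


def build_sample() -> bytes:
    """Constructed sample: one benign file, one traversal path, one absolute
    path (stored without owner names), and a symlink pointing above root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        def add(name, uname="jhart", gname="users", **fields):
            info = tarfile.TarInfo(name)
            info.uname, info.gname = uname, gname
            for k, v in fields.items():
                setattr(info, k, v)
            tf.addfile(info, io.BytesIO(b"x") if info.isreg() else None)
        add("foo", size=1)
        add("../../../etc/cron.d/job", size=1)
        add("/tmp/abs", uname="", gname="", size=1)
        add("link", type=tarfile.SYMTYPE, linkname="../outside")
    return buf.getvalue()
```

Run audit_tar on a file's bytes and refuse to extract when the unsafe list is non-empty; a non-empty owner_names set on an archive you publish means it was not built with --numeric-owner or --owner/--group.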