root+tar's '--same-owner --preserve' options
thekevinday at gmail.com
Sat Mar 8 16:32:02 PST 2008
On Sat, Mar 8, 2008 at 3:33 PM, Robert Connolly
<robert at linuxfromscratch.org> wrote:
> Hi. I just sent this to gnutar's mailing list:
> This patch adds --disable-default-root-preserve to Tar, so root will not
> preserve file modes or ownership by default. The --same-owner and --preserve
> options still work. Root's umask is used by default.
> This resolves a vulnerability in hlfs. Many packages extract with world
> writable directories and files, which are vulnerable to modification by any
> user on the host. Many packages extract with uid's which may exist on the
> host, making an unintended user the file's owner.
> An alternative way of dealing with this would be
> using '--no-same-owner --no-same-permissions' whenever root run's tar. This
> is how almost everyone else deals with this. The patch is more straight
Are there --same-owner and --same-permissions flags?
For purposes of having root user archive a system where the permission
do in fact need to be preserved.
Other than that, I cannot think of anything else.
More information about the hlfs-dev