root+tar's '--same-owner --preserve' options

Kevin Day thekevinday at gmail.com
Sat Mar 8 16:32:02 PST 2008


On Sat, Mar 8, 2008 at 3:33 PM, Robert Connolly
<robert at linuxfromscratch.org> wrote:
> Hi. I just sent this to gnutar's mailing list:
>  http://www.linuxfromscratch.org/~robert/new/patches/tar-1.19-no_preserve.patch2
>
>  This patch adds --disable-default-root-preserve to Tar, so root will not
>  preserve file modes or ownership by default. The --same-owner and --preserve
>  options still work. Root's umask is used by default.
>
>  This resolves a vulnerability in hlfs. Many packages extract with world
>  writable directories and files, which are vulnerable to modification by any
>  user on the host. Many packages extract with uid's which may exist on the
>  host, making an unintended user the file's owner.
>
>  An alternative way of dealing with this would be
>  using '--no-same-owner --no-same-permissions' whenever root run's tar. This
>  is how almost everyone else deals with this. The patch is more straight
>  forward.
>
>  Comments?
>
>  robert

Are there --same-owner and --same-permissions flags?
For purposes of having root user archive a system where the permission
do in fact need to be preserved.

Other than that, I cannot think of anything else.

-- 
Kevin Day



More information about the hlfs-dev mailing list