Re: World writable tarballs
From: Alistair John Strachan
Date: Sun Apr 30 2006 - 08:03:04 EST
On Sunday 30 April 2006 10:15, Heikki Orsila wrote:
> On Sun, Apr 30, 2006 at 01:48:12AM +0100, Alistair John Strachan wrote:
> > There's no need to repeatedly discuss it.
> I think there is. Sorry for wasting bandwidth.
> It's a big security hole deliberately caused by the kernel people (files
> in the tar ball have og+w, so it's not problem in roots umask or tar).
> Real security needs _simplicity_ but current file modes require
> unnecessary _tricks_ for admins. There should be nothing against
> untarring files as root. In this case it makes sense too, because only
> the tar balls are crypto signed, not the individual files inside the tar
> ball, so root can conveniently just verify the crypto signature and
> untar the file without any race conditions or trusting other users. The
> only real alternative is to create an _unnecessary_ trusted user to do
> tar ball handling.
> PS. this file permission bug almost bit me. People make errors and this
> one is potentially a big privilege escalation, because it potentially
> turns normal application bugs into root privileges.
Going over old ground again, any administrator a) compiling the kernel as root
or b) relying on GNU tar to make _security policy decisions_ is completely
The only "trick" here is tar's decision to not apply umask, or root uid/gid,
to files in a tar when extracted as root. This might make sense for tars that
you created and want to extract again (say restoring a backup), but it
certainly NEVER makes sense for files downloaded off the Internet.
If people are insistent that they must extract and compile things as root, at
the very least you should have the following in root's ~/.bashrc:
alias tar='tar --no-same-permissions --no-same-owner '
Then if you want the default (imo flawed) tar behaviour, you can just call tar
Really, people that complain about security should have a modicum of a clue;
allowing a tar file that _somebody else_ applied _their_ security policy, to
define yours, is a deeply flawed concept. umask is there for a reason.
Third year Computer Science undergraduate.
1F2 55 South Clerk Street, Edinburgh, UK.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/