Re: RE: Is FreeBSD's tar susceptible to this?

From: Don Lewis (dl-freebsd@catspoiler.org)
Date: 10/02/02


Date: Tue, 1 Oct 2002 17:12:27 -0700 (PDT)
From: Don Lewis <dl-freebsd@catspoiler.org>
To: jan@caustic.org

On 1 Oct, f.johan.beisser wrote:
> On Tue, 1 Oct 2002, Don Lewis wrote:
>
>> On 1 Oct, f.johan.beisser wrote:
>> > i don't believe that tar(1) will allow you to do that by default.
>>
>> I don't have an easy way of creating a malicious tarball to do this all
>> in one shot, but it does look like our tar follows symlinks.

I forgot about tar's "r" option ...

> it doesn't include them by default, though. well, the symlink, yes; the
> contents of the symlink, no.
>
> in your example, overwriting a given simlink works because it's
> pre-existing, before the untarring of the file. essentially, it's like
> cd'ing in to a symlinked directory:

The symlink doesn't have to exist ahead of time.

% rm -rf foo baz
% ls foo baz
ls: baz: No such file or directory
ls: foo: No such file or directory
% ln -s baz foo
% tar cvf foo.tar foo
foo
% rm foo
% mkdir foo baz
% touch foo/bar
% tar rvf foo.tar foo/bar
foo/bar
% rm -r foo
% tar xvf foo.tar
foo
foo/bar
% ls -al foo baz
lrwxr-xr-x 1 dl dl 3 Oct 1 17:01 foo -> baz

baz:
total 28
drwxr-xr-x 2 dl dl 512 Oct 1 17:01 .
drwxr-xr-x 64 dl dl 27648 Oct 1 17:01 ..
-rw-r--r-- 1 dl dl 0 Oct 1 17:00 bar

>> The only safe way of preventing symlinks from being followed would be to
>> lstat() each component of each path name in the tarball (which is still
>> not safe if there is a hostile process running that could substitute a
>> symlink for something that has already been checked).
>
> if you have a hostile process, you tend to be forced in to assuming the
> machine is hostile anyway, yes?

Yes, I just didn't want anyone to get the impression that the checks
that I mentioned above are safe in all cases. In the general case, even
those checks are vulnerable to things like /tmp races.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message



Relevant Pages

  • Re: RE: Is FreeBSDs tar susceptible to this?
    ... >> What if the tarball installs a symlink to / under the current directory ... I don't have an easy way of creating a malicious tarball to do this all ... > mkdir foo ... > tar cvf foo.tar foo/bar ...
    (FreeBSD-Security)
  • Re: unexplained bianry "diff"
    ... What does "cmp" say about the files? ... $ ./testit.py foo ... $ cp -v foo bar ... $ ls -l foo baz ...
    (comp.os.linux.misc)
  • Re: get obsolute path with file
    ... In which case you may want to use readlink -m ... Also note that if $file is a symlink but you don't have search ... $ chmod 677 foo ... $ readlink -f foo/bar ...
    (comp.unix.shell)
  • Re: Is this example in the Forth200x draft 11.1 correct?
    ... forward foo ... That's how bigForth does it; IMHO the feature is orthogonal to DEFER. ...
    (comp.lang.forth)
  • Re: /etc/init.d/ - add/remove services
    ... > Note that the expectation of the System V init system is ... If there is no symlink for a service in a particular ... > runlevel then the behavior of sysv's invoke-rc.d is undefined ... as a foo script even though it links to foo. ...
    (Debian-User)