
Re: [Bug-tar] tar 1.23 Solaris regression


From: Eric Blake
Subject: Re: [Bug-tar] tar 1.23 Solaris regression
Date: Tue, 03 Aug 2010 10:33:52 -0600
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.7) Gecko/20100720 Red Hat/3.1.1-1.el6 Mnenhy/0.8.3 Thunderbird/3.1.1

On 08/03/2010 03:24 AM, Joerg Schilling wrote:
> Paul Eggert <address@hidden> wrote:
> 
>> On 08/02/10 12:28, Eric Blake wrote:
>>> since tar does have the likelihood
>>> of creating children, yes, it should play nicely and restore privileges
>>> before exec()ing.
>>
>> Yes, that makes sense.  However, the proposed patch isn't quite
>> right, since it restores PRIV_SYS_LINKDIR even if the user had
>> removed that privilege before invoking 'tar'.
> 
> What is the reason for playing with privileges inside a tar implementation?

As I said earlier:
http://lists.gnu.org/archive/html/bug-tar/2010-08/msg00002.html

>> I think the reason was to make sure that unlink on directories didn't
>> work, avoiding a stat call to check if the target was a directory.
> 
> Not only that, but to avoid _hosing_ your file system if it calls
> unlink() on what it thought was a file but in reality was a non-empty
> directory slipped into its place at the last minute by an attacker.
> That is, the inherent race between stat()ing a file and unlink()ing it
> can lead to some serious messes that fsck will just punt on; and the
> best way to avoid it is to ensure that unlink() atomically fails on
> directories, by (temporarily) giving up that extra privilege.

-- 
Eric Blake   address@hidden    +1-801-349-2682
Libvirt virtualization library http://libvirt.org
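
The two points made in this thread, as an added C example that is not code from the message or from GNU tar: turn off PRIV_SYS_LINKDIR so unlink() refuses directories without a prior stat(), and before exec() restore it only if it was effective when the program started. The function names are hypothetical; the privilege calls are the Solaris <priv.h> interface and are compiled only on Solaris, so on other systems the two privilege functions do nothing.

```c
#include <errno.h>
#include <unistd.h>
#if defined(__sun)
#include <priv.h>   /* Solaris privilege API */
#endif

/* Nonzero if drop_linkdir() itself turned PRIV_SYS_LINKDIR off. */
static int linkdir_dropped;

/* Solaris: turn off the privilege that lets unlink() remove directories,
   remembering whether it was effective on entry. */
int drop_linkdir(void)
{
#if defined(__sun)
    priv_set_t *eff = priv_allocset();
    if (eff == NULL) return -1;
    int rc = getppriv(PRIV_EFFECTIVE, eff);
    int had = rc == 0 && priv_ismember(eff, PRIV_SYS_LINKDIR);
    priv_freeset(eff);
    if (rc != 0) return -1;
    if (had && priv_set(PRIV_OFF, PRIV_EFFECTIVE,
                        PRIV_SYS_LINKDIR, (char *)NULL) != 0)
        return -1;
    linkdir_dropped = had;
#endif
    return 0;
}

/* Call in the child before exec(). Gives back only what drop_linkdir()
   took, so a privilege the user removed beforehand stays removed. */
int restore_linkdir(void)
{
#if defined(__sun)
    if (linkdir_dropped && priv_set(PRIV_ON, PRIV_EFFECTIVE,
                                    PRIV_SYS_LINKDIR, (char *)NULL) != 0)
        return -1;
#endif
    linkdir_dropped = 0;
    return 0;
}

/* Remove a non-directory with no stat()-then-unlink() window: 0 removed,
   1 refused as a directory (EPERM per POSIX, EISDIR on Linux), -1 other. */
int remove_nondir(const char *path)
{
    if (unlink(path) == 0)
        return 0;
    return (errno == EPERM || errno == EISDIR) ? 1 : -1;
}
```

A caller that gets 1 from remove_nondir() can fall back to rmdir(), which fails on a non-empty directory instead of damaging the file system.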
