Re: [Bug-tar] bad treatment of symlinks

[Andries E. Brouwer]

On Tue, Oct 18, 2011 at 09:22:59AM -0700, Paul Eggert wrote:
> On 10/18/11 02:26, Andries E. Brouwer wrote:
> > It would be nice if tar treated symlinks for just
> > what they are: small files that contain a filename,
> > and restored file and mode at the moment of extraction.
> 
> Tar used to do that, but it led to security holes.
> If you want the old behavior, use the -P option, but
> I suggest first reading the "Reliability and Security"
> part of the tar manual.

Thanks!

Some remarks:

(i) Good! So the option exists, only is undocumented.
(I would have to test, or read the source. The description of -P
does not suggest to me that it might have this effect.)

(ii) "tar manual" - my default Ubuntu system does not have it.
It is a pity that GNU software is badly documented (namely,
using info files, disliked by everyone).
It is a pity that people invented a kludge turning the help message
into a man page, so that most GNU software has poor man pages.
It is a pity that GNU software is badly documented (namely,
with a license that makes it difficult to distribute documentation).

(iii)
tar is used to archive and unarchive filesystem trees.
In such a situation following symlinks is a very bad idea,
both when packing and when unpacking.

This "Reliability and Security" part of the manual, just like the
"Integrity" part, talks about the problems of following symlinks.
Following symlinks is a security problem, but also a usability problem.
For tar, following symlinks is harmful.

"While a superuser is extracting from an archive into a live file system,
an untrusted user might replace a directory with a symbolic link,
in hopes that tar will follow the symbolic link"

"If the working directory contains a symbolic link to another directory, the
untrusted user can also write into any file under the referenced directory."

No - tar should exit with the error message "not extracting over symlinks -
give the --foobar option to enable this".


Andries