From owner-freebsd-security Thu Jun 6 23: 8:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from sdns.kv.ukrtel.net (sdns.kv.ukrtel.net [195.5.27.246]) by hub.freebsd.org (Postfix) with ESMTP id DE4B437B40B; Thu, 6 Jun 2002 23:07:59 -0700 (PDT) Received: from vega.vega.com (195.5.51.243 [195.5.51.243]) by sdns.kv.ukrtel.net with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id M2L7DMW7; Fri, 7 Jun 2002 09:09:58 +0300 Received: (from max@localhost) by vega.vega.com (8.11.6/8.11.3) id g57682M20849; Fri, 7 Jun 2002 09:08:02 +0300 (EEST) (envelope-from sobomax@FreeBSD.org) From: Maxim Sobolev Message-Id: <200206070608.g57682M20849@vega.vega.com> Subject: Re: WARNING! New GNU Tar in 5-CURRENT could erroneously create world writeable dirs To: sobomax@FreeBSD.org (Maxim Sobolev) Date: Fri, 7 Jun 2002 09:08:02 +0300 (EEST) Cc: sobomax@FreeBSD.org (Maxim Sobolev), security@FreeBSD.org, current@FreeBSD.org In-Reply-To: from "Maxim Sobolev" at Jun 07, 2002 03:05:51 AM X-Mailer: ELM [version 2.5 PL5] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > > > > > Hi, > > > > I've just noticed that something wrong with the new tar in the base > > system (1.13.25) - when extracting some archives it creates 777 dirs, > > while permissions in the archive itself are OK (for example GNU make > > make-3.79.1.tar.gz - top level dir gets 777 as well as several > > other lowel level dirs). The issue is under investigation. > > Should be solved now. Stupid GNU folks for some reason decided that > when tar is executed as uid 0 then by default umask(2) should not be > applied to files and dirs being extracted. That said, anybody who runs 5.0-CURRENT with the new tar is advised to clean up all ports' WRKDIRs she might have, to avoid being trojaned by a local user. -Maxim To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message