Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 15 Aug 2004 15:21:46 -0700
From:      Tim Kientzle <kientzle@freebsd.org>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        current@freebsd.org
Subject:   Re: bsdtar's security restrictions (was Re: Spurious EACCES errors from apache)
Message-ID:  <411FE1FA.5070703@freebsd.org>
In-Reply-To: <20040815205946.GA18580@xor.obsecurity.org>
References:  <20040813235434.GA75875@xor.obsecurity.org> <20040814063541.GA43063@xor.obsecurity.org> <411FCCCC.8040508@freebsd.org> <20040815205946.GA18580@xor.obsecurity.org>

next in thread | previous in thread | raw e-mail | index | archive | help
Kris Kennaway wrote:
> On Sun, Aug 15, 2004 at 01:51:24PM -0700, Tim Kientzle wrote:
>
>>>This is bad when some of those directories
>>>already exist, because other processes trying to access files in the
>>>directory hierarchy may lose the race and fail.
>>
>>Give me some more details about your situation and I'll
>>see what I can come up with.
> 
> I pull in packages from package build clients with
> ssh client tar | tar.  It creates archives like this:
> 
> packages
> packages/All
> packages/All/uzap-1.0.tgz
> packages/editors
> packages/editors/uzap-1.0.tgz
> packages/Latest
> packages/Latest/uzap.tgz
> 
> packages/ is supposed to have these permissions:
> 
> drwxr-xr-x  93 ports-i386  portmgr  2048 Aug 14 23:12 packages/
> 
> But while the archive is being extracted it is changed to
> 
> drwx------  93 ports-i386  portmgr  2048 Aug 14 23:12 packages/

If you can change it to contain only the files
(and not the directories), then this should no
longer be a problem.  As I mentioned earlier, the
editing of dir permissions is done for "packages/"
here because it's explicitly listed as an archive
entry.

In the meantime, I'll see about adding an option
to relax the security constraints for situations
like this.

Tim



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?411FE1FA.5070703>