Date: Tue, 1 Oct 2002 15:56:48 -0700 (PDT)
From: "f.johan.beisser" <jan@caustic.org>
To: Brett Glass <brett@lariat.org>
Cc: security@FreeBSD.ORG
Subject: Re: tar/security best practice (was Re: RE: Is FreeBSD's tar susceptible to this?)
Message-ID: <20021001154626.M67581-100000@pogo.caustic.org>
In-Reply-To: <4.3.2.7.2.20021001162821.036c0530@localhost>
On Tue, 1 Oct 2002, Brett Glass wrote:

> Most people look at what's being untarred as it happens. They don't
> expect upward directory traversal to be possible, so they don't
> anticipate being hit in the way that this bug allows.

i tend to do the same thing, from a temp directory within $HOME. i don't expect an attacker to be able to get to my crontab (your example) or modify something else (perhaps /etc/inetd.conf) if the permissions aren't there anyway.

it's rare i'll do much as root. exceedingly rare. best practice is to NOT do much as root if you don't have to.

> Also, even if one does list the contents of a large archive (say,
> a complete distribution of Apache), you'd need to list it slowly
> and read it critically. Even a really long file name will scroll
> by FAST during a listing and could be missed.

"tar tvf <filename> | [more || less]" doesn't seem that hard to me. this is about best practice after all.

if it's a modified tarball, it won't match the MD5 signature anyway, and shouldn't be trusted by the ports system. if you're building on your own, you shouldn't be handling the untar and build as root. there's little reason to have root access until the install.

i guess i would be more worried about this having the ability to execute arbitrary code as the user; which it doesn't seem to have.

-------/ f. johan beisser /--------------------------------------+
 http://caustic.org/~jan                            jan@caustic.org
 "John Ashcroft is really just the reanimated corpse of J. Edgar Hoover."
                                                     -- Tim Triche

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
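The thread turns on two points: archive entries whose paths climb out of the extraction directory (a leading `/`, or `..` components), and the fact that eyeballing `tar tvf` output for such names is unreliable when a long listing scrolls past. The following is an added example, not code from the list message or from FreeBSD's tar: it audits an archive's member list mechanically before anything is extracted, flagging absolute paths, `..` escapes, and symlinks or hardlinks whose targets point outside the tree (a later entry written through such a link lands outside too). The sample archive is constructed in memory with one benign entry and two traversal entries; the entry names and the hypothetical crontab target are illustrative only.

```python
import io
import posixpath
import tarfile


def _escapes(path):
    """True if a normalised, relative POSIX path climbs above its root."""
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def unsafe_members(tar):
    """Return [(name, reason)] for every entry that would land outside the
    extraction directory if the archive were unpacked with a naive tar.

    Checks: absolute member names, '..' traversal after normalisation, and
    symlink/hardlink targets that resolve outside the tree.
    """
    findings = []
    for m in tar.getmembers():
        reasons = []
        if m.name.startswith("/"):
            reasons.append("absolute path")
        elif _escapes(m.name):
            reasons.append("escapes via '..'")
        if m.issym() or m.islnk():
            if m.linkname.startswith("/"):
                reasons.append("link target is absolute")
            else:
                # hardlink targets are archive-root relative; symlink targets
                # are relative to the directory holding the link itself
                if m.islnk():
                    target = m.linkname
                else:
                    target = posixpath.join(
                        posixpath.dirname(posixpath.normpath(m.name)), m.linkname)
                if _escapes(target):
                    reasons.append("link target escapes")
        if reasons:
            findings.append((m.name, "; ".join(reasons)))
    return findings


def build_sample_archive():
    """Constructed sample tarball (in memory, not a real distribution):
    one benign file, one '..' traversal entry, one escaping symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("apache/README", b"benign content\n")
        # hypothetical: would be written two levels above the unpack directory
        add_file("../../.crontab_entry", b"* * * * * /tmp/x\n")
        link = tarfile.TarInfo("apache/conf")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc"  # resolves to ../../etc from the root
        tar.addfile(link)
    buf.seek(0)
    return buf


def audit(fileobj):
    """Open an archive from a file object and report its unsafe members."""
    with tarfile.open(fileobj=fileobj, mode="r") as tar:
        return unsafe_members(tar)


if __name__ == "__main__":
    for name, reason in audit(build_sample_archive()):
        print(f"REFUSE {name!r}: {reason}")
```

Run the audit against the downloaded file before any `tar xf`, and refuse the archive if the list is non-empty; that replaces the "read the listing slowly" step with a check that does not get tired. Checking the distribution's published checksum first, as the message says the ports system does, catches a tampered tarball earlier still, but it says nothing about an upstream archive that was built with escaping entries on purpose, which is what the member audit covers. Note also that recent Python releases (3.12, and the 3.8.17/3.9.17/3.10.12/3.11.4 security backports) let `extractall(filter="data")` refuse these members at extraction time; the explicit audit above is still useful when you want to know what was in the archive rather than just fail.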