Date: Tue, 1 Oct 2002 18:31:28 -0700 (PDT)
From: Brian Behlendorf
To: Klaus Steden
Cc: security@FreeBSD.ORG
Subject: Re: tar/security best practice (was Re: RE: Is FreeBSD's tar susceptible to this?)
In-Reply-To: <20021001193024.A24818@cthulu.compt.com>
Message-ID: <20021001183010.E58068-100000@yez.hyperreal.org>

On Tue, 1 Oct 2002, Klaus Steden wrote:

> With all due respect, running 'tar tf' before extracting a tarball as root is
> a good idea, and a good habit to get into.

So, fix the ports system then to include a step whereby someone has to
pause the installation process to review the output of tar before allowing
it to proceed. Oh, that would be a pain, wouldn't it? Like someone said,
POLA.

Brian
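One way to mechanize the 'tar tf' review discussed in this thread so that an unattended install could run it, as an added example that is not part of the original message or of the FreeBSD ports system. It assumes the review is looking for absolute paths, '..' components, links that point outside the tree, device nodes and setuid/setgid files; `audit_members` and `build_sample` are hypothetical names, and the archive is constructed in memory.

```python
import io
import posixpath
import tarfile

def audit_members(tar):
    """Return (name, reason) pairs for members a reviewer reading
    `tar tf` output would want to stop on before extracting as root."""
    findings = []
    for m in tar.getmembers():
        name = m.name
        if name.startswith("/"):
            findings.append((name, "absolute path"))
        elif ".." in name.split("/"):
            findings.append((name, "'..' path component"))
        if m.issym() or m.islnk():
            # A symlink target is relative to the link's directory; a
            # hard-link target is relative to the archive root.
            base = posixpath.dirname(name) if m.issym() else ""
            target = posixpath.normpath(posixpath.join(base, m.linkname))
            if target.startswith("/") or target == ".." or target.startswith("../"):
                findings.append((name, "link target outside tree: " + m.linkname))
        if m.ischr() or m.isblk():
            findings.append((name, "device node"))
        if m.isfile() and m.mode & 0o6000:
            findings.append((name, "setuid/setgid bit"))
    return findings

def build_sample():
    """Constructed in-memory archive standing in for a downloaded tarball."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, type_=tarfile.REGTYPE, linkname="", mode=0o644):
            info = tarfile.TarInfo(name)
            info.type, info.linkname, info.mode = type_, linkname, mode
            tar.addfile(info)  # zero-length members, so no file data is needed
        add("pkg-1.0/README")
        add("pkg-1.0/../../etc/example.conf")
        add("/tmp/example")
        add("pkg-1.0/lib", tarfile.SYMTYPE, "../../usr/lib")
        add("pkg-1.0/bin/tool", mode=0o4755)
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")

if __name__ == "__main__":
    for name, reason in audit_members(build_sample()):
        print(f"{name}: {reason}")
```

A build step could refuse to extract when the returned list is non-empty, which keeps the check without the manual pause.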