Date: Sun, 15 Aug 2004 13:51:24 -0700 From: Tim Kientzle <kientzle@freebsd.org> To: Kris Kennaway <kris@obsecurity.org> Cc: current@freebsd.org Subject: bsdtar's security restrictions (was Re: Spurious EACCES errors from apache) Message-ID: <411FCCCC.8040508@freebsd.org> In-Reply-To: <20040814063541.GA43063@xor.obsecurity.org> References: <20040813235434.GA75875@xor.obsecurity.org> <20040814063541.GA43063@xor.obsecurity.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Kris Kennaway wrote: > On Fri, Aug 13, 2004 at 04:54:34PM -0700, Kris Kennaway wrote: > >>Since a recent world+kernel update, apache is frequently reporting >>errors like: >> >> ... (13)Permission denied: access to /errorlogs/i386-4-packages-latest/All/pkgconfig-0.15.0_1.tgz failed because search permissions are missing on a component of the path > > With help from rwatson we tracked it down to bsdtar, which seems to be > setting and resetting permissions on every path component when > extracting a tarball. Yes, bsdtar does protect dirs that it is currently extracting to in an attempt to close certain security races. (Otherwise, there are windows during the process of setting permissions, ownership, ACLs, file flags, etc, when a file being extracted may be vulnerable to another process.) This is done for any directory explicitly mentioned in the archive and any implicit directory that is actually created. Directories that already exist and are only referenced implicitly shouldn't have their permissions edited. > This is bad when some of those directories > already exist, because other processes trying to access files in the > directory hierarchy may lose the race and fail. <scratching head> I don't think I understand what exactly you're trying to do. You are extracting archives over an existing directory that is currently being served by an Apache process in order to refresh some (presumably) small number of files? Give me some more details about your situation and I'll see what I can come up with. Tim
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?411FCCCC.8040508>