Date: Sun, 15 Aug 2004 13:59:46 -0700 From: Kris Kennaway <kris@obsecurity.org> To: Tim Kientzle <kientzle@freebsd.org> Cc: Kris Kennaway <kris@obsecurity.org> Subject: Re: bsdtar's security restrictions (was Re: Spurious EACCES errors from apache) Message-ID: <20040815205946.GA18580@xor.obsecurity.org> In-Reply-To: <411FCCCC.8040508@freebsd.org> References: <20040813235434.GA75875@xor.obsecurity.org> <20040814063541.GA43063@xor.obsecurity.org> <411FCCCC.8040508@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--VS++wcV0S1rZb1Fb Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Aug 15, 2004 at 01:51:24PM -0700, Tim Kientzle wrote: > >With help from rwatson we tracked it down to bsdtar, which seems to be > >setting and resetting permissions on every path component when > >extracting a tarball.=20 >=20 > Yes, bsdtar does protect dirs that it is currently > extracting to in an attempt to close certain security > races. (Otherwise, there are windows during > the process of setting permissions, ownership, > ACLs, file flags, etc, when a file being > extracted may be vulnerable to another process.) >=20 > This is done for any directory explicitly mentioned > in the archive and any implicit directory that > is actually created. Directories that already > exist and are only referenced implicitly shouldn't > have their permissions edited. >=20 > > This is bad when some of those directories > >already exist, because other processes trying to access files in the > >directory hierarchy may lose the race and fail. >=20 > <scratching head> I don't think I understand what > exactly you're trying to do. >=20 > You are extracting archives over an existing directory > that is currently being served by an Apache process in > order to refresh some (presumably) small number of files? >=20 > Give me some more details about your situation and I'll > see what I can come up with. I pull in packages from package build clients with ssh client tar | tar. It creates archives like this: packages packages/All packages/All/uzap-1.0.tgz packages/editors packages/editors/uzap-1.0.tgz packages/Latest packages/Latest/uzap.tgz packages/ is supposed to have these permissions: drwxr-xr-x 93 ports-i386 portmgr 2048 Aug 14 23:12 packages/ But while the archive is being extracted it is changed to drwx------ 93 ports-i386 portmgr 2048 Aug 14 23:12 packages/ Thus, other processes that are concurrently trying to read other packages in that directory (apache, trying to serve them out as dependencies for other package builds) receive EACCESS. Kris --VS++wcV0S1rZb1Fb Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (FreeBSD) iD8DBQFBH87CWry0BWjoQKURAlOHAJoCzaKCYPJOhXlW5baFhEAWAbcXmACfdSWn NkpT25G56Y9MG5i3l+iLCvo= =80Ow -----END PGP SIGNATURE----- --VS++wcV0S1rZb1Fb--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040815205946.GA18580>