[Ilugc] TAR security

• From: kapil@xxxxxxxxxxx (Kapil Hari Paranjape)
• Date: Fri Jul 4 09:18:24 2008

Hello,

On Thu, 03 Jul 2008, Masatran, R. Deepak wrote:

I am worried about extracting TAR files...(1) What if it contains files with
absolute paths? (2) What if it contains files with ".." in the path? (3)
What if it violates the Unix convention of extracting the contents in a
sub-directory?

I you mean that an archive could contain files like
        ../.ssh/authorized_keys
which if extracted in /home/luser/testarea/
could over-write the authorized_keys file of the user?

GNU (and most other modern tar versions) do not allow such
over-writing by default. Specifically, leading '/' and '..' are
recursively stripped and symbolic links pointing outside the current
directory are not followed. (Don't believe me! Just test it out!)

However, there are situations where a user may want to do this. So
there is the "-P" option to tar which disables this safety feature.

Regards,

Kapil.
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : 
http://www.ae.iitm.ac.in/pipermail/ilugc/attachments/20080704/1baabc88/attachment.bin

• Follow-Ups:
  • [Ilugc] TAR security
    • From: Kapil Hari Paranjape

• References:
  • [Ilugc] TAR security
    • From: Masatran, R. Deepak

Other related posts:

• » [Ilugc] TAR security- Masatran, R. Deepak
• » [Ilugc] TAR security- Arun Khan
• » [Ilugc] TAR security - Kapil Hari Paranjape
• » [Ilugc] TAR security- Masatran, R. Deepak
• » [Ilugc] TAR security- Kapil Hari Paranjape

1. Home
2. ilugc
3. Archive
4. 07-2008

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---