Full Disclosure mailing list archives

Re: Re: tar alternative

From: darren kirby <bulliver () badcomputer org>
Date: Sat, 9 Sep 2006 07:57:53 -0700

quoth the Tim:

What problems ?


1. tar archives contain information about the user and group of a file.
   This is critical for backups, but quite unnecessary for software
   distribution in the vast majority of cases.  It is a common pitfall
   for software authors to leak information about their systems this
   way.


What tar are you using? With every tarball I download the files within are 
given the owner:group of the user I extract them as.

I have never seen a developer's username or group disclosed...

2. As discussed in this thread, tar archives contain permissions for
   files.  Also important for backups, not important for software
   distribution IMHO.


Sure they are important. Would you want to manually chmod +x all executables 
and scripts? Manually chmod +r all documentation? Even stipulating that we 
could use the umask value to decide permissions it is still a PITA.

3. tar traditionally allows files to be extracted to any directory,
   which can be dangerous.


This can be mitigated if you don't blindly extract tarballs as root, and you 
only extract in safe locations. If you unpack stuff to '/' you deserve to 
hose your system. 

True, some boneheads don't package their stuff in a top-level directory 
potentially overwriting existing files in the pwd. Perhaps the GNU folks 
should add a 'noclobber' option....


True, these behaviors can be overridden, or a tool developed that has
safe defaults, but then the tool would be less useful for backups.  The
point is, the Unix community has been using a backup tool for software
distribution for many years.  Perhaps having the right tool for the job
would be safer.

For instance, a format that only contained filenames and timestamps, and
is built to only output all files under a specific directory tree would
be nice.

I would say cpio, but you don't want any backup designed archivers.


Yeah, I had thought of that as well, but it likely has the same issues.

thanks,
tim


-d
-- 
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: Linux kernel source archive vulnerable, (continued)
- - - Re: Linux kernel source archive vulnerable Hadmut Danisch (Sep 08)
    - Re: Linux kernel source archive vulnerable Gerald (Jerry) Carter (Sep 08)
    - Re: Linux kernel source archive vulnerable Hadmut Danisch (Sep 08)
    - Re: Re: Linux kernel source archive vulnerable Michael Gale (Sep 08)
    - Re: Re: Linux kernel source archive vulnerable Valdis . Kletnieks (Sep 09)
    - Re: Linux kernel source archive vulnerable Ron (Sep 24)
    - Re: Re: Linux kernel source archive vulnerable Jurjen Oskam (Sep 08)
    - tar alternative Tim (Sep 08)
    - Re: tar alternative Cristi Mitrana (Sep 08)
    - Re: Re: tar alternative Tim (Sep 09)
    - Re: Re: tar alternative darren kirby (Sep 09)
    - Re: Re: tar alternative Tim (Sep 09)
    - Re: tar alternative Aaron Gray (Sep 15)
    - Re: tar alternative Tim (Sep 20)
    - Re: tar alternative Jon Hart (Sep 20)
    - Re: tar alternative Tonnerre Lombard (Sep 20)
  - Re: Linux kernel source archive vulnerable coderpunk (Sep 11)
    - Re: Linux kernel source archive vulnerable Joe Feise (Sep 11)
    - Re: Linux kernel source archive vulnerable coderpunk (Sep 12)
    - Re: Re: Linux kernel source archive vulnerable Chris Umphress (Sep 12)
    - Re: Linux kernel source archive vulnerable Schanulleke (Sep 15)

(Thread continues...)