Bugtraq mailing list archives

GNU tar vulnerability


From: bje () air net au (Ben Elliston)
Date: Sat, 25 Jan 1997 09:37:40 +1100


I reported the following vulnerability to AUSCERT, but they weren't
interested.  People on this list might be, though!

GNU tar is lazy about file creation modes and file owners when unpacking
a tar file.  Because GNU tar defaults to creating files owned by the
userid running tar when the username is not found on your system, it can
be possible to inadvertently create setuid root programs.

Let me give you an example:

        On machine A, as user "fred" (uid doesn't matter), use gtar
        to create a tar file of the directory ~/files.  Inside the
        subdirectory, place a copy of /bin/bash and, as fred, make
        the program setuid fred (the mode 4755 works well).

        Send the tar file to someone on machine B where the user "fred"
        does not exist and have them unpack the directory somewhere.
        Since "fred" does not exist on machine B and gtar is being
        run as root, you have created a world-executable setuid-root
        shell.

I stumbled on this when using a `tar | rsh tar' pipeline to transfer a
bunch of home directories from one machine to another.  I thought all
users on the source machine existed on the destination, but this was not
the case.

Furthermore, for all files owned by the users not on both machines, they
were created with ownership to root ... including some setuid programs
which were now setuid root!

It's very, very easy to get caught out by this.  I'd like to see GNU tar
strip the setuid bit off files it has to revert the ownership for due to
an unknown original owner.

Ben.

--
Ben Elliston
<bje () air net au>
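
An added example, not part of the original post and not GNU tar code: a pre-extraction audit in Python that lists set-id entries whose owner name does not resolve on the local machine, which is the case the post describes. The function names and the sample archive are constructed for illustration.

```python
import io
import pwd
import stat
import tarfile


def local_user_exists(name):
    """True if `name` resolves in the local passwd database."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def risky_members(fileobj, user_exists=local_user_exists):
    """Return (path, octal mode, owner name) for set-id files whose owner is unknown here.

    These are the entries that end up owned by the extracting user (root, in
    the report) while still carrying the setuid/setgid bit.
    """
    found = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as archive:
        for member in archive:
            set_id = member.mode & (stat.S_ISUID | stat.S_ISGID)
            if member.isfile() and set_id and not user_exists(member.uname):
                found.append((member.name, oct(member.mode), member.uname))
    return found


def build_sample_archive():
    """Constructed sample: one setuid file owned by "fred", one ordinary file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as archive:
        for name, mode in (("files/bash", 0o4755), ("files/notes.txt", 0o644)):
            info = tarfile.TarInfo(name)
            info.mode, info.uname, info.uid = mode, "fred", 1001
            data = b"placeholder contents\n"
            info.size = len(data)
            archive.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Pretend only "root" exists locally, as on machine B in the report.
    for path, mode, owner in risky_members(build_sample_archive(), lambda n: n == "root"):
        print(f"{path}: mode {mode}, owner {owner!r} not found locally")
```

Run against a real archive by passing an open binary file object and leaving `user_exists` at its default, so the lookup uses the local passwd database.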


