Re: tar preserves setuid bit

[Imran Ghory <imranghory () gmail com>]

On 8/5/05, Neil McKellar <mckellar () telusplanet net> wrote:
> Imran Ghory <imranghory () gmail com> wrote:
> > If running as the root user tar restores the original permissions to
> > extracted files, this includes the setuid bit. No warning is given to
> > the user that this has happened.
>
> From the default man page for tar:
>
>     The owner, modification time, and mode are restored (if possible);
>
> This isn't specific to GNU, it's *expected behaviour* for every version of tar.
>  In fact, a failure to conform to this behaviour breaks essential functionality
> of tar. 

I'm not saying that it shouldn't have the behaviour, rather that it
should warn the user.

Howeber the only reason I posted this "bug" was because a number of
unix/linux vendors have decided that the same issue in unzip (which I
cited earlier : CAN-2005-0602) should be considered a vulnerability
and have issued patches to change the behaviour. Hence they may (or
may not) decide to take similar action with tar,

> What part of 'Tape ARchive' wasn't clear?  Would you be happy if your backup and
> restore procedures failed to actually restore files in their original condition?

The number of people who use tar for archival purposes is minimal
compared to those who use it for distribution purposes. Of course you
could argue that misusing an archival tool as a distribution tool is
the source of this potential problem, but the fact is that it is used
for distribution purposes and thus is a potentinal attack vector.

Imran Ghory