Dangerous permissions in source tarball


Jeroen Demeyer

Jan 8, 2014, 8:15:56 AM
to sage-r...@googlegroups.com
Most files in the source tarball

http://boxen.math.washington.edu/home/release/sage-6.1.beta4/sage-6.1.beta4.tar.gz

are group-writable. This can be dangerous, since tar extracts permissions.

Volker Braun

Jan 15, 2014, 1:15:29 AM
to sage-r...@googlegroups.com
Is this really an issue? It's true that tar will extract the files as group-writable if your umask allows it. But the gid is going to be your primary group. It would be decidedly weird if there are untrusted users in your own primary group.

Volker Braun

Jan 15, 2014, 1:17:21 AM
to sage-r...@googlegroups.com
In any case, I made a ticket at

Jeroen Demeyer

Jan 15, 2014, 2:36:48 AM
to sage-r...@googlegroups.com
On 2014-01-15 07:15, Volker Braun wrote:
> Its true that tar will extract the files as group-writeable if your umask allows it.
Even if umask *does not* allow it (my umask is always 0022 and the files
ended up being group-writable).

> It would be decidedly weird if there are untrusted users
> in your own primary group.
[citation needed]

Many older Linux/Unix distributions had the habit of having one group,
say "users" for all users.

Jeroen.

Volker Braun

Jan 15, 2014, 9:22:28 AM
to sage-r...@googlegroups.com
On Wednesday, January 15, 2014 2:36:48 AM UTC-5, Jeroen Demeyer wrote:
> > Its true that tar will extract the files as group-writeable if your umask allows it.
> Even if umask *does not* allow it (my umask is always 0022 and the files
> ended up being group-writable).

Are you sure? Maybe you have aliased tar to tar -p or something like that? GNU tar does respect the umask by default:

$ tar xf foobar.tar.gz 
$ ls -ald foo bar
drwxrwxr-x. 2 vbraun vbraun 40 Jan 15 09:17 bar
-rw-rw-r--. 1 vbraun vbraun  0 Jan 15 09:17 foo
$ umask 022
$ tar xf foobar.tar.gz 
$ ls -ald foo bar
drwxr-xr-x. 2 vbraun vbraun 40 Jan 15 09:17 bar
-rw-r--r--. 1 vbraun vbraun  0 Jan 15 09:17 foo


Jeroen Demeyer

Jan 15, 2014, 9:35:36 AM
to sage-r...@googlegroups.com
On 2014-01-15 15:22, Volker Braun wrote:
> On Wednesday, January 15, 2014 2:36:48 AM UTC-5, Jeroen Demeyer wrote:
>
> > Its true that tar will extract the files as group-writeable if
> your umask allows it.
> Even if umask *does not* allow it (my umask is always 0022 and the
> files
> ended up being group-writable).
>
>
> Are you sure?
Perhaps it only happens when running tar as root, although the
documentation doesn't mention this.

And I don't know what other versions of tar do; the safest option is to
have safe permissions in the tarball (it should be fairly easy to change
sage-sdist to do that).

Jeroen.

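As an added example (not code from this thread or from Sage's own sdist scripts), the script below does the two things the discussion calls for: it audits a tarball for recorded modes that are group- or world-writable (or setuid/setgid), and it rewrites an archive with normalized permissions, which is the kind of step sage-sdist could run before publishing. It also shows an extraction that applies a umask to every recorded mode itself, i.e. the behaviour of GNU tar's `--no-same-permissions`, so the result does not depend on whether the extractor is root. The archive it builds is a constructed stand-in, with member names and 0664/0775 modes chosen to mimic the reported problem; the function names are this example's own.

```python
"""Audit, normalize and umask-extract a tarball's permission bits.

Added example for this thread, not Sage's own sdist code. The archive it
builds is a constructed stand-in for a source tarball whose entries were
recorded group-writable (modes 0o664 / 0o775).
"""
import io
import os
import stat
import tarfile
import tempfile

# Bits that should never be recorded in a distributed archive: a tar that
# restores recorded modes (GNU tar's default when run as root) would hand
# group members, or everyone, write access to the extracted tree.
DANGEROUS_BITS = stat.S_IWGRP | stat.S_IWOTH | stat.S_ISUID | stat.S_ISGID


def build_constructed_tarball(modes):
    """Return tar.gz bytes whose members carry the given modes.
    `modes` maps member name -> mode; names ending in '/' become directories."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode in modes.items():
            info = tarfile.TarInfo(name.rstrip("/"))
            info.mode = mode
            if name.endswith("/"):
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                payload = b"# constructed placeholder content\n"
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def member_modes(data):
    """Map every member name to its recorded permission bits."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        return {m.name: m.mode & 0o7777 for m in tar}


def audit_tarball(data):
    """Return {name: offending bits} for members that are group/world
    writable or setuid/setgid, i.e. what a release check should reject."""
    return {name: mode & DANGEROUS_BITS
            for name, mode in member_modes(data).items()
            if mode & DANGEROUS_BITS}


def normalize_mode(member):
    """Filter usable with TarFile.add(filter=...): record 0755 for
    directories and executables, 0644 otherwise, owned by root:root."""
    executable = member.isdir() or member.mode & stat.S_IXUSR
    member.mode = 0o755 if executable else 0o644
    member.uid = member.gid = 0
    member.uname = member.gname = "root"
    return member


def normalized_copy(data):
    """Rewrite an archive with normalize_mode applied to every member."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as src, \
         tarfile.open(fileobj=out, mode="w:gz") as dst:
        for member in src:
            payload = src.extractfile(member) if member.isfile() else None
            dst.addfile(normalize_mode(member), payload)
    return out.getvalue()


def extract_with_umask(data, dest=None, umask=0o022):
    """Extract, clearing the umask bits from each recorded mode regardless
    of who runs it (what GNU tar's --no-same-permissions does).
    Returns {name: permission bits actually set on disk}."""
    dest = dest or tempfile.mkdtemp(prefix="safe-extract-")
    on_disk = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            member.mode &= ~umask
            tar.extract(member, path=dest)
            target = os.path.join(dest, member.name)
            on_disk[member.name] = stat.S_IMODE(os.stat(target).st_mode)
    return on_disk


# Constructed archive: three group-writable entries and one that is fine.
CONSTRUCTED = build_constructed_tarball({
    "pkg-1.0/": 0o775,
    "pkg-1.0/configure": 0o775,
    "pkg-1.0/setup.py": 0o664,
    "pkg-1.0/README": 0o644,
})

if __name__ == "__main__":
    for name, bits in audit_tarball(CONSTRUCTED).items():
        print(f"{name}: dangerous bits {bits:04o}")
    print("after normalization:", audit_tarball(normalized_copy(CONSTRUCTED)))
    print("on disk with umask 022:", extract_with_umask(CONSTRUCTED))
```

`audit_tarball` is the check to run over a release artifact before it is uploaded; `normalized_copy` (or `normalize_mode` passed as the `filter` argument of `TarFile.add`) is the fix at the producer side, which is the option that does not depend on the consumer's tar version or on whether they extract as root.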
Volker Braun

Jan 15, 2014, 9:39:52 AM
to sage-r...@googlegroups.com
On Wednesday, January 15, 2014 9:35:36 AM UTC-5, Jeroen Demeyer wrote:
> Perhaps it only happens when running tar as root, although the
> documentation doesn't mention this.

Yes, it does:

       --no-same-permissions
              apply the user's umask when extracting permissions from the archive (default for ordinary users)

Jeroen Demeyer

Jan 15, 2014, 9:42:44 AM
to sage-r...@googlegroups.com
Good, my version (tar (GNU tar) 1.26) doesn't say that.

Volker Braun

Jan 15, 2014, 9:48:04 AM
to sage-r...@googlegroups.com
It's in the man page.

Jeroen Demeyer

Jan 15, 2014, 9:53:47 AM
to sage-r...@googlegroups.com
On 2014-01-15 15:48, Volker Braun wrote:
> Its in the man page.
I got that, I'm just saying that my version doesn't state that in the
man page. It simply has

--no-same-permissions
apply user's umask when extracting files instead of
recorded permissions

(and nothing about what is the default)

Volker Braun

Jan 15, 2014, 10:06:21 AM
to sage-r...@googlegroups.com
Interesting, I also have gnu tar 1.26 for the record.

P Purkayastha

Jan 15, 2014, 12:03:06 PM
to sage-r...@googlegroups.com
Are you on Gentoo? It looks like a bug in Gentoo. The man page for
tar-1.26 is ${FILESDIR}/tar.1 (that is, not from upstream tar) and it
does not contain that string. The man page for tar-1.27 is
${FILESDIR}/tar.1-1.27 and it contains the string. I looked at the info
page of tar and it has the sentence about default users in it (also, the
info page comes from the upstream tar package).
