On 08/03/2010 03:24 AM, Joerg Schilling wrote:
> Paul Eggert <[email protected]> wrote:
>
>> On 08/02/10 12:28, Eric Blake wrote:
>>> since tar does have the likelihood
>>> of creating children, yes, it should play nicely and restore privileges
>>> before exec()ing.
>>
>> Yes, that makes sense.  However, the proposed patch isn't quite
>> right, since it restores PRIV_SYS_LINKDIR even if the user had
>> removed that privilege before invoking 'tar'.
>
> What is the reason for playing with privileges inside a tar implementation?

As I said earlier:
http://lists.gnu.org/archive/html/bug-tar/2010-08/msg00002.html

>> I think the reason was to make sure that unlink on directories didn't
>> work, avoiding a stat call to check if the target was a directory.
>
> Not only that, but to avoid _hosing_ your file system if it calls
> unlink() on what it thought was a file but in reality was a non-empty
> directory slipped into its place at the last minute by an attacker.
> That is, the inherent race between stat()ing a file and unlink()ing it
> can lead to some serious messes that fsck will just punt on; and the
> best way to avoid it is to ensure that unlink() atomically fails on
> directories, by (temporarily) giving up that extra privilege.

-- 
Eric Blake   [email protected]    +1-801-349-2682
Libvirt virtualization library http://libvirt.org
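The stat()-then-unlink() race and the "let unlink() refuse directories atomically" defence discussed in the thread, as an added illustration that is not part of the original message or of GNU tar's code. It assumes an ordinary Linux process (which never holds a directory-unlink privilege, so unlink() on a directory fails with EISDIR, or EPERM per POSIX); the Solaris PRIV_SYS_LINKDIR case that tar has to arrange by dropping the privilege cannot be reproduced here, so the demo shows the safe end state rather than the "hosed filesystem" one. The scratch paths, the `swap_in_directory` hook that stands in for a directory being slipped into place during the window, and the function names are all constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check-then-act removal: the classic TOCTOU shape. The optional hook
 * stands in for "something else touching the path" between the check
 * and the act; in a real program that is simply elapsed time. */
static int racy_remove(const char *path, void (*between)(const char *)) {
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    if (S_ISDIR(st.st_mode)) {
        errno = EISDIR;
        return -1;
    }
    if (between)
        between(path);          /* the race window */
    return unlink(path);
}

/* Act directly, with no prior stat(). Without a directory-unlink
 * privilege the kernel refuses to unlink a directory, so the refusal is
 * atomic with the attempt and there is no window to exploit. */
static int atomic_remove(const char *path) {
    return unlink(path);
}

/* Demo hook (constructed): replace the regular file at `path` with an
 * empty directory of the same name, inside the race window. */
static void swap_in_directory(const char *path) {
    unlink(path);
    mkdir(path, 0700);
}

/* Create a scratch directory under /tmp holding one regular file.
 * Returns NULL on failure; `file` receives the regular file's path. */
static char *make_scratch(char *base, size_t n, char *file, size_t fn) {
    snprintf(base, n, "/tmp/unlink-demo.XXXXXX");
    if (!mkdtemp(base))
        return NULL;
    snprintf(file, fn, "%s/victim", base);
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return NULL;
    close(fd);
    return base;
}

/* Returns 1 if unlink() removes a regular file but refuses a directory
 * with EISDIR/EPERM: the property the thread wants tar to rely on. */
int demo_unlink_refuses_directories(void) {
    char base[256], file[256], dir[256];
    if (!make_scratch(base, sizeof base, file, sizeof file))
        return 0;
    snprintf(dir, sizeof dir, "%s/subdir", base);
    if (mkdir(dir, 0700) != 0)
        return 0;
    int ok = (atomic_remove(file) == 0);
    errno = 0;
    int r = atomic_remove(dir);
    if (r == 0 || (errno != EISDIR && errno != EPERM))
        ok = 0;
    rmdir(dir);
    rmdir(base);
    return ok;
}

/* Returns 1 if the check-then-act version, with a directory swapped in
 * during its window, still fails to remove that directory. The lost race
 * is harmless only because unlink() itself refuses directories; with a
 * directory-unlink privilege held, the same call would go through. */
int demo_race_is_harmless_without_privilege(void) {
    char base[256], file[256];
    if (!make_scratch(base, sizeof base, file, sizeof file))
        return 0;
    errno = 0;
    int r = racy_remove(file, swap_in_directory);
    int saved = errno;
    struct stat st;
    int still_dir = (stat(file, &st) == 0 && S_ISDIR(st.st_mode));
    int ok = (r != 0 && (saved == EISDIR || saved == EPERM) && still_dir);
    rmdir(file);
    rmdir(base);
    return ok;
}
```

The two demo functions return 1 on the expected behaviour; the second one is the interesting case, since `racy_remove` passes its stat() check and then calls unlink() on what has become a directory, and only the kernel's refusal keeps that from doing damage.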