Al Hopper <al at logical-approach.com> wrote:
> > Let me try to argue different...
> >
> > do the following:
> >
> > wget ftp://ftp.berlios.de/pub/star/testscripts/remove.tar
> > echo > f1
> > tar xf remove.tar
> > ls -l f1
> >
> > If you do this with Sun tar, you get this:
> >
> > ls -l
> > f1: Datei oder Verzeichnis nicht gefunden
> >
> > star tvf remove.tar
> > 0 Hrw-r--r-- root/berlios Jul 25 20:06 2003 f1 link to f1
> >
> >
> > Would you request this dangerous behavior to be mandatory just because it
> > is undocumented by POSIX but "implemented" by traditional UNIX archivers?
>
> Yes.
A shortsighted response that gives the impression that you did not try to think
about the problem first.

The TAR archive I was using as an example cannot be created by accident on
any known platform. You need to handcraft such an archive. If it exists, it
only exists in order to demonstrate a vulnerability (the good guy case) or to
attack a system based on this vulnerability (the bad guy case).

Maybe you now understand why I did use this example... it was chosen in order
to find out whether responses in this thread have a technical background or
whether the replies seem to rather have a personal background.

Today, there are numerous attacks and numerous ways for attacking systems.
An OS platform is only safe against such attacks if its creators are
constantly looking for possible vulnerabilities and fix them before bad guys
discover them. Not fixing a vulnerability in a userland utility may be a hint
that the maintenance for the userland is neglected, or a hint for missing skills
about how to use a combination of social engineering and technical problems for
attacking systems. It is obvious that the development for userland tools in
general, and development for archivers in particular, has been neglected for a
while on Solaris.

If it is not possible to discuss cases that are obviously _only_ a security
problem, it would be hard to discuss corner cases like the ones that result from
archives that include files with absolute path names.

As I mentioned before, the POSIX standard does not forbid disallowing by
default the extraction of files that come with an absolute path name in the
archive. Ignoring the resulting problems creates a serious vulnerability in the
OS. For this reason, there is no way to discuss _whether_ to forbid such files
by default. There is however room to discuss _how_ an archiver should handle
the problem by default. If this were a technically based discussion, we would
now discuss _how_ to handle the problem...
Jörg
--
EMail:joerg at schily.isdn.cs.tu-berlin.de (home) Jörg Schilling D-13353 Berlin
js at cs.tu-berlin.de (uni)
schilling at fokus.fraunhofer.de (work) Blog:
http://schily.blogspot.com/
URL: http://cdrecord.berlios.de/old/private/ ftp://ftp.berlios.de/pub/schily
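
An added example, not part of the original message and not code from star or Sun tar: a pre-extraction audit that lists archive members matching the two cases raised in this message, a hard link entry that points at its own name (the `f1 link to f1` entry) and members stored with an absolute path name. The function names `audit_tar` and `build_sample` and the in-memory sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile


def audit_tar(fileobj):
    """Return (member_name, reason) pairs for entries unsafe to extract by default."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:") as tar:
        for m in tar:
            name = posixpath.normpath(m.name)
            if m.name.startswith("/"):
                findings.append((m.name, "absolute path name"))
            if name == ".." or name.startswith("../"):
                findings.append((m.name, "path escapes extraction directory"))
            if m.islnk():
                if posixpath.normpath(m.linkname) == name:
                    # The case from the message: a hard link entry whose
                    # target is its own name ("f1 link to f1").
                    findings.append((m.name, "hard link to itself"))
                elif m.linkname.startswith("/"):
                    findings.append((m.name, "hard link to absolute path"))
    return findings


def build_sample():
    """Constructed sample: one regular file, one self-link, one absolute path."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        ok = tarfile.TarInfo("docs/readme.txt")
        data = b"hello\n"
        ok.size = len(data)
        tar.addfile(ok, io.BytesIO(data))

        self_link = tarfile.TarInfo("f1")
        self_link.type = tarfile.LNKTYPE
        self_link.linkname = "f1"
        tar.addfile(self_link)

        absolute = tarfile.TarInfo("/tmp/example-absolute")
        tar.addfile(absolute)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reason in audit_tar(build_sample()):
        print(f"{name}: {reason}")
```

The audit only reads headers and never writes to disk, so it can run before an archive from an untrusted source is handed to any extractor.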