Hi. I just sent this to gnutar's mailing list: http://www.linuxfromscratch.org/~robert/new/patches/tar-1.19-no_preserve.patch2
This patch adds --disable-default-root-preserve to Tar, so root will not preserve file modes or ownership by default. The --same-owner and --preserve options still work. Root's umask is used by default.

This resolves a vulnerability in HLFS. Many packages extract with world-writable directories and files, which are vulnerable to modification by any user on the host. Many packages extract with UIDs which may exist on the host, making an unintended user the file's owner.

An alternative way of dealing with this would be using '--no-same-owner --no-same-permissions' whenever root runs tar. This is how almost everyone else deals with this. The patch is more straightforward.

Comments?

robert
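The exposure described in the message above, as an added example that is not part of the original message or of the tar patch: a Python audit that reads a tarball's headers and reports, per member, the mode root would get when archived permissions are preserved versus when the umask is applied, plus the archived UID that would become the owner. The member names, UID 1000 and umask 022 are constructed sample values.

```python
import io
import stat
import tarfile

def build_sample_archive():
    """Constructed sample: a source tarball with loose modes and a non-root UID."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, uid, is_dir in [
            ("pkg-1.0", 0o777, 1000, True),
            ("pkg-1.0/configure", 0o755, 1000, False),
            ("pkg-1.0/Makefile.in", 0o666, 1000, False),
        ]:
            info = tarfile.TarInfo(name)
            info.type = tarfile.DIRTYPE if is_dir else tarfile.REGTYPE
            info.mode, info.uid, info.gid = mode, uid, uid
            tar.addfile(info, None if is_dir else io.BytesIO(b""))
    buf.seek(0)
    return buf

def audit(fileobj, umask=0o022):
    """Report what each member looks like on disk under both extraction policies."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r") as tar:
        for member in tar:
            preserved = stat.S_IMODE(member.mode)   # mode as stored in the archive
            masked = preserved & ~umask             # mode once the umask is applied
            findings.append({
                "name": member.name,
                "preserved_mode": oct(preserved),
                "masked_mode": oct(masked),
                "world_writable_if_preserved": bool(preserved & stat.S_IWOTH),
                "world_writable_if_masked": bool(masked & stat.S_IWOTH),
                # Owner on disk when root preserves archived ownership.
                "archive_uid": member.uid,
                "foreign_owner_if_preserved": member.uid != 0,
            })
    return findings

if __name__ == "__main__":
    for finding in audit(build_sample_archive()):
        print(finding)
```

Run against a real archive by passing an open binary file object to `audit()`; any member flagged `world_writable_if_preserved` or `foreign_owner_if_preserved` is one that the `--no-same-owner --no-same-permissions` options would neutralise.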
