On Sat, Mar 8, 2008 at 3:33 PM, Robert Connolly <[EMAIL PROTECTED]> wrote:
> Hi. I just sent this to gnutar's mailing list:
>
> http://www.linuxfromscratch.org/~robert/new/patches/tar-1.19-no_preserve.patch2
>
> This patch adds --disable-default-root-preserve to Tar, so root will not
> preserve file modes or ownership by default. The --same-owner and --preserve
> options still work. Root's umask is used by default.
>
> This resolves a vulnerability in hlfs. Many packages extract with
> world-writable directories and files, which are vulnerable to modification by
> any user on the host. Many packages extract with uids which may exist on the
> host, making an unintended user the file's owner.
>
> An alternative way of dealing with this would be
> using '--no-same-owner --no-same-permissions' whenever root runs tar. This
> is how almost everyone else deals with this. The patch is more
> straightforward.
>
> Comments?
>
> robert

Are there --same-owner and --same-permissions flags? For purposes of having
the root user archive a system where the permissions do in fact need to be
preserved.

Other than that, I cannot think of anything else.

--
Kevin Day
--
http://linuxfromscratch.org/mailman/listinfo/hlfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
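
The exposure described in this thread can be checked before root unpacks a source tarball. The following is an added example, not part of the original messages or of the tar patch: it lists archive members whose stored mode is world-writable or whose stored uid maps to a local account, and shows the mode that `--no-same-permissions` would leave under a given umask. The function names, the sample archive and the uid 1000 are constructed for illustration.

```python
import io
import pwd
import stat
import tarfile

def build_sample_tar():
    """Constructed sample: a source tree packed with loose modes and a packager's uid."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, mode, uid, kind in [
            ("pkg-1.0", 0o777, 1000, tarfile.DIRTYPE),
            ("pkg-1.0/configure", 0o755, 1000, tarfile.REGTYPE),
            ("pkg-1.0/Makefile", 0o666, 0, tarfile.REGTYPE),
            ("pkg-1.0/link", 0o777, 0, tarfile.SYMTYPE),
        ]:
            ti = tarfile.TarInfo(name)
            ti.mode, ti.uid, ti.gid, ti.type = mode, uid, uid, kind
            if kind == tarfile.SYMTYPE:
                ti.linkname = "configure"
            tf.addfile(ti)  # zero-length members, so no file object is needed
    return buf.getvalue()

def local_uid_exists(uid):
    """True if the uid belongs to an account on this host."""
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False

def audit(data, umask=0o022, uid_exists=local_uid_exists):
    """Return (member, issue, detail) for members that are unsafe if root
    extracts with tar's root defaults (modes and ownership preserved)."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        for m in tf:
            perm = stat.S_IMODE(m.mode)
            # Symlink modes are not applied on extraction, so skip them.
            if not m.issym() and perm & stat.S_IWOTH:
                detail = f"{perm:04o} -> {perm & ~umask:04o} under umask {umask:03o}"
                findings.append((m.name, "world-writable", detail))
            # A non-root uid that exists locally would make that user the owner.
            if m.uid != 0 and uid_exists(m.uid):
                findings.append((m.name, "uid-maps-to-local-account", f"uid {m.uid}"))
    return findings

if __name__ == "__main__":
    for finding in audit(build_sample_tar()):
        print(*finding, sep="\t")
```

An empty result means the stored modes and owners are harmless either way; any finding is a reason to extract with `--no-same-owner --no-same-permissions` as suggested above.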
