bsdtar's security restrictions (was Re: Spurious EACCES errors from apache)

Kris Kennaway kris at obsecurity.org
Sun Aug 15 13:59:48 PDT 2004


On Sun, Aug 15, 2004 at 01:51:24PM -0700, Tim Kientzle wrote:

> >With help from rwatson we tracked it down to bsdtar, which seems to be
> >setting and resetting permissions on every path component when
> >extracting a tarball. 
> 
> Yes, bsdtar does protect dirs that it is currently
> extracting to in an attempt to close certain security
> races.  (Otherwise, there are windows during
> the process of setting permissions, ownership,
> ACLs, file flags, etc, when a file being
> extracted may be vulnerable to another process.)
> 
> This is done for any directory explicitly mentioned
> in the archive and any implicit directory that
> is actually created.  Directories that already
> exist and are only referenced implicitly shouldn't
> have their permissions edited.
> 
> > This is bad when some of those directories
> >already exist, because other processes trying to access files in the
> >directory hierarchy may lose the race and fail.
> 
> <scratching head>  I don't think I understand what
> exactly you're trying to do.
> 
> You are extracting archives over an existing directory
> that is currently being served by an Apache process in
> order to refresh some (presumably) small number of files?
> 
> Give me some more details about your situation and I'll
> see what I can come up with.

I pull in packages from package build clients with
ssh client tar | tar.  It creates archives like this:

packages
packages/All
packages/All/uzap-1.0.tgz
packages/editors
packages/editors/uzap-1.0.tgz
packages/Latest
packages/Latest/uzap.tgz

packages/ is supposed to have these permissions:

drwxr-xr-x  93 ports-i386  portmgr  2048 Aug 14 23:12 packages/

But while the archive is being extracted it is changed to

drwx------  93 ports-i386  portmgr  2048 Aug 14 23:12 packages/

Thus, other processes that are concurrently trying to read other
packages in that directory (apache, trying to serve them out as
dependencies for other package builds) receive EACCES.

Kris
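As an added illustration, not code from this thread or from bsdtar/libarchive: the script below models the mechanism Tim describes (chmod the target directory to 0700 while populating it, restore the archived mode afterwards) and samples the directory mode from a watcher thread while it runs. Any sample without the "other search" bit is a moment at which a process running as a different user, such as the Apache in Kris's setup, would get EACCES. The staging-directory variant is an assumed alternative, not something proposed in the thread: the same protection is applied to a private 0700 sibling directory and finished entries are renamed into the shared directory, so its mode is never touched. Directory names, file names and contents are constructed.

```python
"""Model of the directory lock-down race from the thread (constructed
illustration, not libarchive code).

extract_with_lockdown() imitates what Tim Kientzle describes: while bsdtar
populates a directory it chmods it to 0700, then restores the archived mode.
A watcher thread samples the directory mode while that runs; any sample
without the 'other execute' (search) bit is a moment at which a process
running as a different user, such as Kris's Apache, would get EACCES.
extract_via_staging() is an assumed alternative: do the work in a private
0700 sibling directory and rename the finished entries into place.
"""
import os
import shutil
import stat
import tempfile
import threading
import time

SHARED_MODE = 0o755     # what packages/ is supposed to have
LOCKDOWN_MODE = 0o700   # what bsdtar sets on it while extracting
HOLD_SECONDS = 0.3      # stands in for setting owner/ACLs/flags per entry


def _write_entries(directory, names):
    """Create the archive entries, pausing to simulate the per-entry work."""
    for name in names:
        with open(os.path.join(directory, name), "w") as fh:
            fh.write("package payload\n")   # constructed content
        time.sleep(HOLD_SECONDS / len(names))


def extract_with_lockdown(dest, names):
    """Imitation of bsdtar: protect dest while populating it, then restore."""
    os.chmod(dest, LOCKDOWN_MODE)
    try:
        _write_entries(dest, names)
    finally:
        os.chmod(dest, SHARED_MODE)


def extract_via_staging(dest, names):
    """Assumed alternative: the race window exists only on a private dir."""
    staging = tempfile.mkdtemp(prefix=".extract-", dir=os.path.dirname(dest))
    try:
        _write_entries(staging, names)      # mkdtemp already created it 0700
        for name in names:                  # same filesystem, so rename is atomic
            os.rename(os.path.join(staging, name), os.path.join(dest, name))
    finally:
        shutil.rmtree(staging, ignore_errors=True)


def run_race(extractor, names=("uzap-1.0.tgz",)):
    """Run extractor into a fresh packages/ while sampling the dir mode.

    Returns the distinct modes seen, how many samples would have denied a
    non-owner directory search, the final mode, and whether entries landed.
    """
    root = tempfile.mkdtemp(prefix="bsdtar-race-")
    dest = os.path.join(root, "packages")
    os.mkdir(dest)
    os.chmod(dest, SHARED_MODE)             # mkdir's mode is subject to umask
    samples, stop = [], threading.Event()

    def watcher():
        while not stop.is_set():
            samples.append(stat.S_IMODE(os.stat(dest).st_mode))
            time.sleep(0.005)

    t = threading.Thread(target=watcher)
    t.start()
    try:
        extractor(dest, list(names))
    finally:
        stop.set()
        t.join()
    result = {
        "modes_seen": set(samples),
        "denied_samples": sum(1 for m in samples if not m & stat.S_IXOTH),
        "final_mode": stat.S_IMODE(os.stat(dest).st_mode),
        "extracted": all(os.path.exists(os.path.join(dest, n)) for n in names),
    }
    shutil.rmtree(root, ignore_errors=True)
    return result


if __name__ == "__main__":
    for fn in (extract_with_lockdown, extract_via_staging):
        r = run_race(fn)
        print(f"{fn.__name__}: modes={sorted(oct(m) for m in r['modes_seen'])} "
              f"denied_samples={r['denied_samples']} final={oct(r['final_mode'])}")
```

The lock-down run shows 0700 in the sampled modes and a non-zero count of samples that would deny a non-owner, while the mode is back to 0755 once extraction finishes; the staging run never changes the shared directory's mode at all.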