bsdtar's security restrictions (was Re: Spurious EACCES errors from apache)
Kris Kennaway
kris at obsecurity.org
Sun Aug 15 13:59:48 PDT 2004
On Sun, Aug 15, 2004 at 01:51:24PM -0700, Tim Kientzle wrote:
> >With help from rwatson we tracked it down to bsdtar, which seems to be
> >setting and resetting permissions on every path component when
> >extracting a tarball.
>
> Yes, bsdtar does protect dirs that it is currently
> extracting to in an attempt to close certain security
> races. (Otherwise, there are windows during
> the process of setting permissions, ownership,
> ACLs, file flags, etc, when a file being
> extracted may be vulnerable to another process.)
>
> This is done for any directory explicitly mentioned
> in the archive and any implicit directory that
> is actually created. Directories that already
> exist and are only referenced implicitly shouldn't
> have their permissions edited.
>
> > This is bad when some of those directories
> >already exist, because other processes trying to access files in the
> >directory hierarchy may lose the race and fail.
>
> <scratching head> I don't think I understand what
> exactly you're trying to do.
>
> You are extracting archives over an existing directory
> that is currently being served by an Apache process in
> order to refresh some (presumably) small number of files?
>
> Give me some more details about your situation and I'll
> see what I can come up with.
I pull in packages from package build clients with
ssh client tar | tar. It creates archives like this:
packages
packages/All
packages/All/uzap-1.0.tgz
packages/editors
packages/editors/uzap-1.0.tgz
packages/Latest
packages/Latest/uzap.tgz
packages/ is supposed to have these permissions:
drwxr-xr-x 93 ports-i386 portmgr 2048 Aug 14 23:12 packages/
But while the archive is being extracted it is changed to
drwx------ 93 ports-i386 portmgr 2048 Aug 14 23:12 packages/
Thus, other processes that are concurrently trying to read other
packages in that directory (apache, trying to serve them out as
dependencies for other package builds) receive EACCES.
Kris
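The behaviour under discussion, as an added illustration that is not bsdtar's or libarchive's code: a small Python model of holding a directory at 0700 while it is populated (the race mitigation Tim describes) versus restricting only directories the extractor itself created. The archive layout follows the listing above; `build_archive`, `extract`, `modes_seen_by_reader` and the `observe` callback are names chosen here, and the code assumes a POSIX filesystem.

```python
import io, os, stat, tarfile, tempfile

def build_archive():
    """Constructed sample archive mirroring the layout in the mail."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ["packages", "packages/All", "packages/All/uzap-1.0.tgz",
                     "packages/Latest", "packages/Latest/uzap.tgz"]:
            ti = tarfile.TarInfo(name)
            if name.endswith(".tgz"):
                ti.mode, ti.size = 0o644, 5
                tf.addfile(ti, io.BytesIO(b"dummy"))
            else:
                ti.mode, ti.type = 0o755, tarfile.DIRTYPE
                tf.addfile(ti)
    return io.BytesIO(buf.getvalue())

def extract(archive, dest, protect_existing, observe):
    """Extract under dest, holding directories at 0700 while they are populated
    (the mitigation described above). If protect_existing is False, directories
    that already existed keep their mode. observe(path) runs after each member."""
    protected = {}  # path -> final mode, applied once contents are in place
    with tarfile.open(fileobj=archive) as tf:
        for m in tf.getmembers():
            path = os.path.join(dest, m.name)
            if m.isdir():
                created = not os.path.isdir(path)
                if created:
                    os.mkdir(path)
                if created or protect_existing:
                    os.chmod(path, 0o700)  # closed to other processes for now
                    protected[path] = m.mode
            else:
                with open(path, "wb") as f:
                    f.write(tf.extractfile(m).read())
                os.chmod(path, m.mode)
            observe(path)
    for path, mode in protected.items():  # restore intended directory modes
        os.chmod(path, mode)

def modes_seen_by_reader(protect_existing):
    """Set of modes a concurrent reader observes on a pre-existing packages/ (0755)."""
    with tempfile.TemporaryDirectory() as d:
        pk = os.path.join(d, "packages")
        os.mkdir(pk)
        os.chmod(pk, 0o755)  # already there and served by another process
        seen = set()
        extract(build_archive(), d, protect_existing,
                lambda _: seen.add(stat.S_IMODE(os.stat(pk).st_mode)))
        return seen
```

With `protect_existing=True` every sample of `packages/` during extraction is 0700, which is the window in which a concurrent reader gets EACCES; with `protect_existing=False` the pre-existing directory stays 0755 throughout while newly created subdirectories are still protected.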