Subject: bsdtar's security restrictions (was Re: Spurious EACCES errors from apache)
From: Kris Kennaway <kris at obsecurity.org>
Date: Sun Aug 15 15:48:47 PDT 2004
On Sun, Aug 15, 2004 at 03:21:46PM -0700, Tim Kientzle wrote:
> >packages
> >packages/All
> >packages/All/uzap-1.0.tgz
> >packages/editors
> >packages/editors/uzap-1.0.tgz
> >packages/Latest
> >packages/Latest/uzap.tgz
> >
> >packages/ is supposed to have these permissions:
> >
> >drwxr-xr-x 93 ports-i386 portmgr 2048 Aug 14 23:12 packages/
> >
> >But while the archive is being extracted it is changed to
> >
> >drwx------ 93 ports-i386 portmgr 2048 Aug 14 23:12 packages/
>
> If you can change it to contain only the files
> (and not the directories), then this should no
> longer be a problem. As I mentioned earlier, the
> editing of dir permissions is done for "packages/"
> here because it's explicitly listed as an archive
> entry.
That would be a bit cumbersome... can't you make it just not clear
permissions on files and directories that already exist? If they have
relaxed or insecure permissions, they had insecure permissions to
begin with and one may assume this is by intention.
Kris
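The policy Kris asks for above (apply the archive's permission bits only to entries the extraction itself creates, and leave pre-existing files and directories with whatever mode they already have) is easy to state but worth seeing in code. The following is an added illustration written for this page, not bsdtar or libarchive code, and it does not reproduce bsdtar's temporary 0700 restriction; it is a small Python `tarfile`-based extractor with the proposed behaviour, plus a constructed sample archive (a `packages/` directory entry carrying mode 0700, a subdirectory and one placeholder file, modelled on the listing in the thread) and a demo that pre-creates `packages/` as 0755 and checks that the extraction leaves it alone. The path check that rejects absolute names and `..` components is an extra safeguard an extractor should always have; nothing in the thread suggests the archive in question contained such entries.

```python
import io
import os
import stat
import tarfile
import tempfile
from pathlib import Path


def is_safe_member(name: str) -> bool:
    """Reject archive entries that could escape the destination directory:
    empty names, absolute paths, and any '..' path component."""
    p = Path(name)
    return bool(name) and not p.is_absolute() and ".." not in p.parts


def extract_preserving_existing(archive_bytes: bytes, dest: str) -> list:
    """Extract a tar archive (given as bytes) below `dest`.

    Permission bits recorded in the archive are applied only to files and
    directories that this extraction created.  Entries that already existed
    on disk keep whatever mode they had (the policy proposed in the thread).
    Returns the sorted list of relative paths that were newly created."""
    dest_path = Path(dest).resolve()
    pending_modes = []  # (path, archive mode) for entries this call created
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not is_safe_member(member.name):
                raise ValueError(f"refusing unsafe archive entry: {member.name!r}")
            target = dest_path / member.name
            if member.isdir():
                if target.is_dir():
                    continue  # pre-existing directory: leave its mode alone
                target.mkdir(parents=True)
                pending_modes.append((target, member.mode))
            elif member.isfile():
                existed = target.exists()
                target.parent.mkdir(parents=True, exist_ok=True)
                with tf.extractfile(member) as src, open(target, "wb") as out:
                    out.write(src.read())
                if not existed:
                    pending_modes.append((target, member.mode))
            else:
                raise ValueError(f"unsupported entry type: {member.name!r}")
    # Modes are applied after all data is written, so a restrictive directory
    # mode in the archive never blocks writing that directory's own children.
    for target, mode in pending_modes:
        os.chmod(target, stat.S_IMODE(mode))
    return sorted(str(p.relative_to(dest_path)) for p, _ in pending_modes)


def build_sample_archive() -> bytes:
    """Constructed sample archive modelled on the listing in the thread: a
    'packages/' directory entry with mode 0700, a subdirectory, and one file.
    The file contents are a placeholder, not a real package."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for dirname in ("packages", "packages/All"):
            d = tarfile.TarInfo(dirname)
            d.type = tarfile.DIRTYPE
            d.mode = 0o700
            tf.addfile(d)
        payload = b"placeholder package contents\n"
        f = tarfile.TarInfo("packages/All/uzap-1.0.tgz")
        f.size = len(payload)
        f.mode = 0o644
        tf.addfile(f, io.BytesIO(payload))
    return buf.getvalue()


def mode_of(path) -> str:
    """Permission bits of `path` as an octal string, e.g. '0o755'."""
    return oct(stat.S_IMODE(os.stat(path).st_mode))


def demo() -> dict:
    """Pre-create packages/ as 0755 (as in the thread), extract the sample
    archive over it, and report what the extraction did to the modes."""
    with tempfile.TemporaryDirectory() as tmp:
        packages = Path(tmp) / "packages"
        packages.mkdir()
        os.chmod(packages, 0o755)  # mkdir() is subject to umask; set it explicitly
        created = extract_preserving_existing(build_sample_archive(), tmp)
        return {
            "created": created,
            "packages": mode_of(packages),                       # stays 0o755
            "packages/All": mode_of(packages / "All"),           # archive's 0o700
            "file": mode_of(packages / "All" / "uzap-1.0.tgz"),  # archive's 0o644
        }


if __name__ == "__main__":
    print(demo())
```

Running the demo shows `packages/` still at 0755 after extraction, while `packages/All` (newly created) takes the archive's 0700 and the file its 0644. The trade-off is the one the thread is about: honouring an existing relaxed mode means another local user who can already write to that directory retains that access during extraction, so this policy is only appropriate where, as Kris argues, the existing permissions are deliberate.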