From: Tim Kientzle
Date: Sun, 15 Aug 2004 13:51:24 -0700
To: Kris Kennaway
cc: current@freebsd.org
Subject: bsdtar's security restrictions (was Re: Spurious EACCES errors from apache)
Message-ID: <411FCCCC.8040508@freebsd.org>
References: <20040813235434.GA75875@xor.obsecurity.org> <20040814063541.GA43063@xor.obsecurity.org>
In-Reply-To: <20040814063541.GA43063@xor.obsecurity.org>

Kris Kennaway wrote:
> On Fri, Aug 13, 2004 at 04:54:34PM -0700, Kris Kennaway wrote:
>
>>Since a recent world+kernel update, apache is frequently reporting
>>errors like:
>>
>> ... (13)Permission denied: access to /errorlogs/i386-4-packages-latest/All/pkgconfig-0.15.0_1.tgz failed because search permissions are missing on a component of the path
>
> With help from rwatson we tracked it down to bsdtar, which seems to be
> setting and resetting permissions on every path component when
> extracting a tarball.

Yes, bsdtar does protect dirs that it is currently extracting to
in an attempt to close certain security races. (Otherwise, there
are windows during the process of setting permissions, ownership,
ACLs, file flags, etc, when a file being extracted may be vulnerable
to another process.)

This is done for any directory explicitly mentioned in the archive
and any implicit directory that is actually created. Directories
that already exist and are only referenced implicitly shouldn't
have their permissions edited.

> This is bad when some of those directories
> already exist, because other processes trying to access files in the
> directory hierarchy may lose the race and fail.

I don't think I understand what exactly you're trying to do.
You are extracting archives over an existing directory that is
currently being served by an Apache process in order to refresh
some (presumably) small number of files?

Give me some more details about your situation and I'll see what
I can come up with.

Tim
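
The directory policy described in the message above, as an added C sketch that is not part of the original e-mail and is not bsdtar's code: a directory is locked down while extraction is in progress if the archive names it explicitly or if the extractor had to create it, an existing directory that is only implied by a path is left alone, and final modes are applied afterwards. The names `prepare_dir`, `apply_fixups` and `mode_of`, the 0700 lock mode and the fixed-size queue are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

#define LOCKED 0700     /* assumed owner-only mode held during extraction */
#define MAX_FIXUPS 16
static struct { const char *path; mode_t final_mode; } fixups[MAX_FIXUPS];
static int nfixups;

/* Returns 1 if locked and queued for fix-up, 0 if left untouched, -1 on error. */
int prepare_dir(const char *path, mode_t final_mode, int explicit_entry)
{
    int created = (mkdir(path, LOCKED) == 0), fd, rc;
    if (!created && errno != EEXIST)
        return -1;
    if (!created && !explicit_entry)
        return 0;       /* already existed and only implied by a path: hands off */
    if (nfixups == MAX_FIXUPS)
        return -1;
    if ((fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW)) < 0)
        return -1;      /* symlink or non-directory: refuse */
    rc = fchmod(fd, LOCKED);    /* other users lose search permission from here */
    close(fd);
    if (rc != 0)
        return -1;
    fixups[nfixups].path = path;
    fixups[nfixups++].final_mode = final_mode;
    return 1;
}

/* Restore final modes newest-first, so children are fixed before their parents. */
int apply_fixups(void)
{
    int rc = 0;
    while (nfixups > 0) {
        nfixups--;
        if (chmod(fixups[nfixups].path, fixups[nfixups].final_mode) != 0)
            rc = -1;
    }
    return rc;
}

int mode_of(const char *path)   /* permission bits of path, or -1 */
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}
```

Between `prepare_dir` returning 1 and `apply_fixups` running, a process under another uid that walks through the locked directory gets EACCES, which is the symptom reported in the quoted text when the directory is part of a live served tree.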