Date:      Sun, 15 Aug 2004 13:59:46 -0700
From:      Kris Kennaway <kris@obsecurity.org>
To:        Tim Kientzle <kientzle@freebsd.org>
Cc:        Kris Kennaway <kris@obsecurity.org>
Subject:   Re: bsdtar's security restrictions (was Re: Spurious EACCES errors from apache)
Message-ID:  <20040815205946.GA18580@xor.obsecurity.org>
In-Reply-To: <411FCCCC.8040508@freebsd.org>
References:  <20040813235434.GA75875@xor.obsecurity.org> <20040814063541.GA43063@xor.obsecurity.org> <411FCCCC.8040508@freebsd.org>



On Sun, Aug 15, 2004 at 01:51:24PM -0700, Tim Kientzle wrote:

> >With help from rwatson we tracked it down to bsdtar, which seems to be
> >setting and resetting permissions on every path component when
> >extracting a tarball.
>
> Yes, bsdtar does protect dirs that it is currently
> extracting to in an attempt to close certain security
> races.  (Otherwise, there are windows during
> the process of setting permissions, ownership,
> ACLs, file flags, etc, when a file being
> extracted may be vulnerable to another process.)
>
> This is done for any directory explicitly mentioned
> in the archive and any implicit directory that
> is actually created.  Directories that already
> exist and are only referenced implicitly shouldn't
> have their permissions edited.
>
> > This is bad when some of those directories
> >already exist, because other processes trying to access files in the
> >directory hierarchy may lose the race and fail.
>
> <scratching head>  I don't think I understand what
> exactly you're trying to do.
>
> You are extracting archives over an existing directory
> that is currently being served by an Apache process in
> order to refresh some (presumably) small number of files?
>
> Give me some more details about your situation and I'll
> see what I can come up with.

I pull in packages from package build clients with
ssh client tar | tar.  It creates archives like this:

packages
packages/All
packages/All/uzap-1.0.tgz
packages/editors
packages/editors/uzap-1.0.tgz
packages/Latest
packages/Latest/uzap.tgz

packages/ is supposed to have these permissions:

drwxr-xr-x  93 ports-i386  portmgr  2048 Aug 14 23:12 packages/

But while the archive is being extracted it is changed to

drwx------  93 ports-i386  portmgr  2048 Aug 14 23:12 packages/

Thus, other processes that are concurrently trying to read other
packages in that directory (apache, trying to serve them out as
dependencies for other package builds) receive EACCES.

Kris

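The directory-protection rule Tim states above, and why it hits Kris's `packages/` (that directory is the archive's first, explicit entry, so it is restricted even though it already exists), as an added example that is neither code from this thread nor libarchive's own implementation. `extract` and `demo` are hypothetical helpers, and the archive listing is constructed from Kris's example:

```python
import os
import tempfile

# Constructed listing modelled on Kris's archive; a trailing "/" marks a directory.
ARCHIVE = ["packages/", "packages/All/", "packages/All/uzap-1.0.tgz",
           "packages/editors/", "packages/editors/uzap-1.0.tgz",
           "packages/Latest/", "packages/Latest/uzap.tgz"]

def extract(entries, dest, probe=None):
    """Hypothetical re-implementation of the policy Tim describes (not libarchive
    code): a directory listed explicitly in the archive, or one the extractor has
    to create, is held at 0700 until extraction ends; a pre-existing directory
    that is only an implicit path component is never touched."""
    restricted = set()
    def protect(rel):
        full = os.path.join(dest, rel)
        if not os.path.isdir(full):
            os.mkdir(full, 0o700)   # created by us: restricted from birth
        elif rel not in restricted:
            os.chmod(full, 0o700)   # explicitly listed: close the window now
        restricted.add(rel)
    for name in entries:
        rel = name.rstrip("/")
        if name.endswith("/"):
            protect(rel)
            continue
        parts = rel.split("/")
        for i in range(1, len(parts)):          # implicit parent directories
            parent = "/".join(parts[:i])
            if not os.path.isdir(os.path.join(dest, parent)):
                protect(parent)                 # missing: create it restricted
        with open(os.path.join(dest, rel), "wb") as f:
            f.write(b"constructed payload")
        if probe:
            probe()                             # observe state mid-extraction
    for rel in restricted:                      # restore final modes at the end
        os.chmod(os.path.join(dest, rel), 0o755)
    return restricted

def demo(entries):
    """Extract over a pre-existing 0755 packages/ (Kris's setup); return the
    mode of packages/ seen mid-extraction and the mode once extraction is done."""
    with tempfile.TemporaryDirectory() as dest:
        pkgs = os.path.join(dest, "packages")
        os.mkdir(pkgs)
        os.chmod(pkgs, 0o755)                   # explicit chmod: umask is moot
        mode = lambda: os.stat(pkgs).st_mode & 0o777
        seen = []
        extract(entries, dest, probe=lambda: seen.append(mode()))
        return seen[0], mode()
```

Running `demo(ARCHIVE)` shows `packages/` at 0700 while files are landing and 0755 afterwards; dropping the explicit `packages/` entry from the listing leaves the pre-existing directory at 0755 throughout, which is the case Tim says should not be edited.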