Date: Sat, 14 May 2016 12:17:48 -0700
From: Tim Kientzle <tim@kientzle.com>
To: Martin Matuska <mm@freebsd.org>
Cc: Michael Butler <imb@protected-networks.net>, FreeBSD current <freebsd-current@freebsd.org>
Subject: Re: libarchive update SVN r299529 breaks "ezjail update"
Message-ID: <E9B21A7F-AD3A-4182-AACC-3B92BBEF1216@kientzle.com>
In-Reply-To: <20160512175418.Horde.JvYoOSRwfU_l2TIXv697u2B@mail.vx.sk>
References: <2c059cf5-2c8a-3b89-16c3-eedf02a01ec5@protected-networks.net> <20160512173440.Horde.5l1s9ijXRgAeMNgmT0MmCPa@mail.vx.sk> <20160512175418.Horde.JvYoOSRwfU_l2TIXv697u2B@mail.vx.sk>

Many people consider the traditional behavior to be a security risk, which is why this was changed.

FreeBSD is welcome to make --insecure the default on FreeBSD, but I'm reluctant to do that in the upstream libarchive project.

Tim

> On May 12, 2016, at 8:54 AM, Martin Matuska <mm@freebsd.org> wrote:
>
> Looks like we have to remove line #174 from cpio/cpio.c:
> cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS;
>
> This breaks traditional cpio behavior.
>
> Quoting Martin Matuska <mm@freebsd.org>:
>
>> Hi Michael, I have looked at the source and this is an intended change in 3.2.0.
>>
>> An absolute path security check was added, cpio refuses to extract or copy over absolute paths. To do this anyway the "--insecure" flag must be used.
>>
>> Here is the commit:
>> https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526
>>
>> Quoting Michael Butler <imb@protected-networks.net>:
>>
>>> It seems that today's libarchive update breaks cpio's behaviour:
>>>
>>> sudo ezjail-admin update -i -s /usr/src
>>>
>>> [ .. ]
>>>
>>> cd /usr/src/etc/..; install -o root -g wheel -m 444 COPYRIGHT
>>> /usr/local/jails/fulljail/
>>> install -o root -g wheel -m 444
>>> /usr/src/etc/../sys/i386/conf/GENERIC.hints
>>> /usr/local/jails/fulljail/boot/device.hints
>>> /usr/local/jails/basejail/bincpio: bin: Path is absolute: Unknown error: -1
>>>
>>> /usr/local/jails/basejail/bin/catcpio: bin/cat: Path is absolute:
>>> Unknown error: -1
>>>
>>> /usr/local/jails/basejail/bin/chflagscpio: bin/chflags: Path is
>>> absolute: Unknown error: -1
>>>
>>> /usr/local/jails/basejail/bin/chiocpio: bin/chio: Path is absolute:
>>> Unknown error: -1
>>>
>>> /usr/local/jails/basejail/bin/chmodcpio: bin/chmod: Path is absolute:
>>> Unknown error: -1
>>>
>>> /usr/local/jails/basejail/bin/cpcpio: bin/cp: Path is absolute: Unknown
>>> error: -1
>>>
>>> /usr/local/jails/basejail/bin/datecpio: bin/date: Path is absolute:
>>> Unknown error: -1
>>>
>>> /usr/local/jails/basejail/bin/ddcpio: bin/dd: Path is absolute: Unknown
>>> error: -1
>>>
>>> /usr/local/jails/basejail/bin/dfcpio: bin/df: Path is absolute: Unknown
>>> error: -1
>>>
>>> /usr/local/jails/basejail/bin/domainnamecpio: bin/domainname: Path is
>>> absolute: Unknown error: -1
>>> [ .. etc. .. ]
>>
>>
>>
>> Martin Matuska
>> FreeBSD committer
>> http://blog.vx.sk
>
>
>
> Martin Matuska
> FreeBSD committer
> http://blog.vx.sk
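
A pre-extraction audit for the condition discussed in this thread, added here as an example (it is not code from libarchive, FreeBSD or ezjail): it reads the member names of an SVR4 "newc" cpio archive without writing anything to disk and lists the ones with absolute paths, which is what the check described above refuses. The function names and the sample archive are constructed for illustration, and only the newc header format is assumed.

```python
MAGIC = b"070701"   # SVR4 "newc" cpio magic
HEADER_LEN = 110    # magic + 13 fields of 8 hex digits each


def _pad4(n):
    """Round n up to a multiple of 4 (newc pads names and data)."""
    return (n + 3) & ~3


def make_entry(name, data=b"", mode=0o100644):
    """Build one newc entry; used only to construct the sample archive."""
    raw = name.encode() + b"\0"
    # ino mode uid gid nlink mtime filesize devmaj devmin rdevmaj rdevmin namesize check
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(raw), 0]
    head = MAGIC + b"".join(b"%08X" % f for f in fields) + raw
    return head.ljust(_pad4(len(head)), b"\0") + data.ljust(_pad4(len(data)), b"\0")


def iter_names(blob):
    """Yield member names from a newc archive without writing any file."""
    off = 0
    while off + HEADER_LEN <= len(blob):
        if blob[off:off + 6] != MAGIC:
            raise ValueError("bad magic at offset %d" % off)
        hexf = blob[off + 6:off + HEADER_LEN]
        fields = [int(hexf[i:i + 8], 16) for i in range(0, 104, 8)]
        filesize, namesize = fields[6], fields[11]
        name_end = off + HEADER_LEN + namesize
        if namesize == 0 or name_end > len(blob):
            raise ValueError("bad name size at offset %d" % off)
        name = blob[off + HEADER_LEN:name_end - 1].decode(errors="replace")
        if name == "TRAILER!!!":
            return
        yield name
        off = _pad4(name_end) + _pad4(filesize)
    raise ValueError("archive ended without a trailer entry")


def absolute_members(blob):
    """Names that an absolute-path check would refuse to extract."""
    return [n for n in iter_names(blob) if n.startswith("/")]


# Constructed sample: one relative member, one absolute member, trailer.
SAMPLE = (make_entry("bin/cat", b"data") + make_entry("TRAILER!!!")[:0]
          + make_entry("/usr/local/jails/basejail/bin/chmod", b"x") + make_entry("TRAILER!!!"))

if __name__ == "__main__":
    print(absolute_members(SAMPLE))
```

An empty result means every member name is relative, so the archive extracts under the default settings without needing `--insecure`.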